maemo.org - Talk

maemo.org - Talk (https://talk.maemo.org/index.php)
-   Neo900 (https://talk.maemo.org/forumdisplay.php?f=57)
-   -   GSM firewall (https://talk.maemo.org/showthread.php?t=93808)

JohnHughes 2014-09-03 15:28

GSM firewall
 
Could a Neo900 do something like this?

http://www.wired.com/2014/09/cryptop...e-cell-towers/

Wikiwide 2014-09-03 16:05

Re: GSM firewall
 
Quick message...
There was a bit of discussion on IRC about CryptoPhone and possibility of sending encrypted audio over GSM:
http://infobot.rikers.org/%23neo900/20140902.html.gz
Thank you.
~~~~~~~~~~~~~~~~~
Per aspera ad astra...

juiceme 2014-09-03 16:39

Re: GSM firewall
 
Quote:

Originally Posted by JohnHughes (Post 1438123)
Could a Neo900 do something like this?

http://www.wired.com/2014/09/cryptop...e-cell-towers/

As usual the article contained just a pinch of facts and a load of BllSHT to go :D
- yes, it is possible to hijack UE<->RAN connections
- no, it still isn't possible to actuate phone camera or sound pickup without initiating a call
- no, the "firewall" proposed on cryptophone is not feasible

nieldk 2014-09-03 18:50

Re: GSM firewall
 
Quote:

Originally Posted by juiceme (Post 1438134)
As usual the article contained just a pinch of facts and a load of BllSHT to go :D
- yes, it is possible to hijack UE<->RAN connections
- no, it still isn't possible to actuate phone camera or sound pickup without initiating a call
- no, the "firewall" proposed on cryptophone is not feasible

- Yes, it is possible to hijack a phone connection
- Yes, that includes the GPRS data
- Not so sure about this one, but I feel confident that once you have hijacked the phone's GSM/GPRS you can gain enough control to activate the camera and microphone etc. by several types of attack. Possibly you can do this by a specially crafted SMS, but definitely I have no doubt you can do this if you hijack the phone's GPRS connection.
- Why not? The cell towers connecting the phone can be matched, at the simplest, by a comparison to known cell tower ID ranges or specific IDs? I think this could be quite easily implemented.

joerg_rw 2014-09-04 00:23

Re: GSM firewall
 
Quote:

Originally Posted by JohnHughes (Post 1438123)
Could a Neo900 do something like this?

http://www.wired.com/2014/09/cryptop...e-cell-towers/

Yes.
Though I haven't read the whole article

[2014-09-04 Thu 00:26:28] <DocScrutinizer05> http://www.kuketz-blog.de/imsi-catch...droid-aimsicd/ (4.1) We'll offer similar functions ;-)
/j

dos1 2014-09-04 00:30

Re: GSM firewall
 
Quote:

Originally Posted by JohnHughes (Post 1438123)
Could a Neo900 do something like this?

http://www.wired.com/2014/09/cryptop...e-cell-towers/

Yes, our modem monitoring should cover most of cases described in this article. There should be enough support in hardware to make writing such "firewall" app possible.

See http://neo900.org/stuff/piwo/piwo.pdf (slides 39-50)

[edit] hehe, got ninja'd :)

endsormeans 2014-09-04 00:50

Re: GSM firewall
 
Very interesting....
like the idea of a firewall type app too....

dos1 ....'bout piwo ....smooth presentation...love it. :D

I don't know too many who can integrate borg picard and spongebob onto the same page. LOVE IT. :D

juiceme 2014-09-04 09:32

Re: GSM firewall
 
Quote:

Originally Posted by nieldk (Post 1438144)
Quote:

Originally Posted by juiceme (Post 1438134)
- no, it still isn't possible to actuate phone camera or sound pickup without initiating a call

- Not so sure about this one, but I feel confident that once you have hijacked the phone's GSM/GPRS you can gain enough control to activate the camera and microphone etc. by several types of attack. Possibly you can do this by a specially crafted SMS, but definitely I have no doubt you can do this if you hijack the phone's GPRS connection.

Well, in an infinite universe anything is possible, and I do not doubt that the UMTS signaling stack is perfect: far from it. There might well be bugs that allow some undocumented functionality to emerge.
However, there is no possible legal state transition that could lead to this kind of action.

The only way I can see for this to happen would be if the attacker could inject malicious code into the target UE and get it running; imagine for example an instance of Prey on the device controlled by a remote malicious party.
Such an attack would be device-dependent, however; there might be some manufacturer/model that is vulnerable to a hand-crafted attack vector specifically targeted at it, but there is no possibility to create a generic attack.


Quote:

Originally Posted by nieldk (Post 1438144)
Quote:

Originally Posted by juiceme (Post 1438134)
- no, the "firewall" proposed on cryptophone is not feasible

- Why not? The cell towers connecting the phone can be matched, at the simplest, by a comparison to known cell tower ID ranges or specific IDs? I think this could be quite easily implemented.

The attack device can easily masquerade using existing cell area & BTS signatures that it can observe anyway. There is pretty much no way that the target UE can shield against this type of attack.

joerg_rw 2014-09-04 17:32

Re: GSM firewall
 
Quote:

Originally Posted by juiceme (Post 1438194)
Well, in an infinite universe anything is possible, and I do not doubt that the UMTS signaling stack is perfect: far from it. There might well be bugs that allow some undocumented functionality to emerge.
However, there is no possible legal state transition that could lead to this kind of action.

The only way I can see for this to happen would be if the attacker could inject malicious code into the target UE and get it running; imagine for example an instance of Prey on the device controlled by a remote malicious party.
Such an attack would be device-dependent, however; there might be some manufacturer/model that is vulnerable to a hand-crafted attack vector specifically targeted at it, but there is no possibility to create a generic attack.




The attack device can easily masquerade using existing cell area & BTS signatures that it can observe anyway. There is pretty much no way that the target UE can shield against this type of attack.

However, please note that on Neo900 there is NO way the GSM/UMTS stack can inject ANY commands into the main system. Our modem is sandboxed, and we even do more than this: we have surveillance for the sandbox, detecting every little move the modem does, then deciding whether it's concerning or expected. Worst case, we shoot the complete modem down when it misbehaves. In that regard we're even better than the cryptophone used for the IMSI-catcher "firewall" linked to in the above post.

Regarding masquerading an IMSI-catcher as a regular BTS (incl. Cell_ID and all): it _can_ be done, but begs for trouble, so usually they don't do it, AIUI.

/j
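The sandbox surveillance joerg_rw describes above (watching every move the modem makes, deciding whether it is expected or concerning, and as a last resort powering the modem down) can be sketched as a host-side watchdog. The following is an added illustration and not Neo900 code: it assumes a hypothetical event feed from the modem sandbox that reports transmissions, cipher-mode changes (with "A5/0" meaning no encryption) and cell changes, and a host-side record of whether a call or data session was actually requested. The event names, budgets and the sample event stream are all constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Verdict(Enum):
    EXPECTED = "expected"
    CONCERNING = "concerning"
    SHUTDOWN = "shutdown"


@dataclass(frozen=True)
class HostState:
    """What the application processor believes the modem should be doing right now."""
    call_active: bool = False
    data_session: bool = False
    stationary: bool = True


@dataclass(frozen=True)
class ModemEvent:
    """One observation from the (hypothetical) modem sandbox feed."""
    t: float       # seconds since boot
    kind: str      # "tx", "cipher" or "cell" (constructed event vocabulary)
    detail: str = ""


class ModemWatchdog:
    """Correlates modem activity with host intent and escalates: expected -> concerning -> shutdown."""

    def __init__(self, idle_tx_budget: int = 2, cell_change_budget: int = 3, window_s: float = 60.0):
        self.idle_tx_budget = idle_tx_budget        # uplink bursts tolerated per window with no call/data
        self.cell_change_budget = cell_change_budget  # cell changes tolerated per window while stationary
        self.window_s = window_s
        self.idle_tx_times: List[float] = []
        self.cell_change_times: List[float] = []
        self.modem_enabled = True

    def _recent(self, times: List[float], now: float) -> List[float]:
        return [t for t in times if now - t < self.window_s]

    def observe(self, ev: ModemEvent, host: HostState) -> Verdict:
        if not self.modem_enabled:
            return Verdict.SHUTDOWN  # modem already cut off; nothing it reports is trusted any more

        verdict = Verdict.EXPECTED
        if ev.kind == "tx":
            # Uplink while the host asked for nothing: a few are normal (paging responses,
            # location updates), a burst of them is not.
            if not (host.call_active or host.data_session):
                self.idle_tx_times = self._recent(self.idle_tx_times, ev.t) + [ev.t]
                if len(self.idle_tx_times) > self.idle_tx_budget:
                    verdict = Verdict.CONCERNING
        elif ev.kind == "cipher":
            # Ciphering switched off: suspicious on its own, intolerable during a call.
            if ev.detail == "A5/0":
                verdict = Verdict.SHUTDOWN if host.call_active else Verdict.CONCERNING
        elif ev.kind == "cell":
            # A stationary device hopping between cells is a classic sign of being pulled
            # to a stronger, unexpected transmitter.
            if host.stationary:
                self.cell_change_times = self._recent(self.cell_change_times, ev.t) + [ev.t]
                if len(self.cell_change_times) > self.cell_change_budget:
                    verdict = Verdict.CONCERNING

        if verdict is Verdict.SHUTDOWN:
            self.modem_enabled = False  # worst case: power the modem down
        return verdict


# Constructed sample stream: pairs of (modem observation, host state at that moment).
SAMPLE: List[Tuple[ModemEvent, HostState]] = [
    (ModemEvent(0, "tx"), HostState()),                               # location update: fine
    (ModemEvent(10, "tx"), HostState()),                              # still within budget
    (ModemEvent(20, "tx"), HostState()),                              # third idle burst in a minute
    (ModemEvent(25, "tx"), HostState(data_session=True)),             # host asked for data: fine
    (ModemEvent(30, "cipher", "A5/0"), HostState()),                  # encryption off, idle
    (ModemEvent(45, "cipher", "A5/0"), HostState(call_active=True)),  # plaintext call: shut down
    (ModemEvent(50, "tx"), HostState(call_active=True)),              # modem is already off
]


def run_sample() -> List[str]:
    """Feed the constructed stream through a fresh watchdog and return the verdict names."""
    wd = ModemWatchdog()
    return [wd.observe(ev, host).value for ev, host in SAMPLE]


if __name__ == "__main__":
    for (ev, host), verdict in zip(SAMPLE, run_sample()):
        print(f"t={ev.t:>4} {ev.kind:<6} {ev.detail:<5} -> {verdict}")
```

The point of the structure is that the modem never gets to tell the host what state it is in; the host keeps its own record of what it requested and treats any modem behaviour that contradicts it as evidence, with the power switch as the final response.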

juiceme 2014-09-04 19:47

Re: GSM firewall
 
Quote:

Originally Posted by joerg_rw (Post 1438233)
However, please note that on Neo900 there is NO way the GSM/UMTS stack can inject ANY commands into the main system. Our modem is sandboxed, and we even do more than this: we have surveillance for the sandbox, detecting every little move the modem does, then deciding whether it's concerning or expected. Worst case, we shoot the complete modem down when it misbehaves. In that regard we're even better than the cryptophone used for the IMSI-catcher "firewall" linked to in the above post.

Yes. I'd expect Neo900 is one of the few devices that are not vulnerable to this kind of attack at all.
The worst bunch is anything with an integrated SoC running the baseband with shared memory access with the main CPU.

However, I personally feel that it is significantly higher risk to get your device infected with "standard" malicious SW having nothing to do with BB or 3G stack. There exist loads of crap especially for Androids aiming for that.


Quote:

Originally Posted by joerg_rw (Post 1438233)
Regarding masquerading an IMSI-catcher as a regular BTS (incl. Cell_ID and all): it _can_ be done, but begs for trouble, so usually they don't do it, AIUI.
/j

True, there currently being no device that does detect it :D
(as I believe cryptophone is still vaporware...)

dos1 2014-09-04 19:58

Re: GSM firewall
 
Quote:

Originally Posted by juiceme (Post 1438251)
Yes. I'd expect Neo900 is one of the few devices that are not vulnerable to this kind of attack at all.
The worst bunch is anything with an integrated SoC running the baseband with shared memory access with the main CPU.

However, I personally feel that it is significantly higher risk to get your device infected with "standard" malicious SW having nothing to do with BB or 3G stack. There exist loads of crap especially for Androids aiming for that.




True, there currently being no device that does detect it :D
(as I believe cryptophone is still vaporware...)

IMSI Catcher Detector for Android, as far as I understand it, uses geolocation databases to check if a BTS with the CID/LAC of the one you're connected to could be around the place you're at, and if not, it marks it as an IMSI catcher.
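The location-plausibility check dos1 describes, together with the comparison against known cell IDs that nieldk suggested earlier in the thread, as an added example (not code from AIMSICD, CryptoPhone or Neo900): it assumes a local database keyed by MCC/MNC/LAC/CID that records each cell's coordinates and coverage radius, plus a position fix for the device. The database contents, the 001/01 test-network PLMN and all coordinates are constructed for the example.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A cell identity as (MCC, MNC, LAC, CID); hypothetical key layout for this example.
CellId = Tuple[str, str, int, int]


@dataclass(frozen=True)
class CellSite:
    """Recorded position of a cell and the coverage radius the database credits it with."""
    lat: float
    lon: float
    radius_m: float


# Constructed sample database. 001/01 is the GSM test-network PLMN; the sites and
# radii are made up for this example and do not describe any real network.
SAMPLE_DB: Dict[CellId, CellSite] = {
    ("001", "01", 100, 5001): CellSite(52.2297, 21.0122, 2000.0),
    ("001", "01", 100, 5002): CellSite(52.2350, 21.0000, 2000.0),
    ("001", "01", 200, 7001): CellSite(52.4064, 16.9252, 2000.0),
}


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS-84 points."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def classify_cell(cell: CellId, lat: float, lon: float,
                  db: Dict[CellId, CellSite], slack_m: float = 3000.0) -> Tuple[str, Optional[float]]:
    """Judge whether the serving cell could legitimately be where the device is.

    Returns (verdict, distance_m):
      "unknown_cell"          identity not in the database (the plain known-ID comparison fails)
      "implausible_location"  known identity, but farther away than its radius plus slack
      "plausible"             known identity within range
    slack_m absorbs positioning error and cells that reach further than recorded.
    """
    site = db.get(cell)
    if site is None:
        return "unknown_cell", None
    d = haversine_m(lat, lon, site.lat, site.lon)
    if d > site.radius_m + slack_m:
        return "implausible_location", d
    return "plausible", d


def audit_cells(observed: List[CellId], lat: float, lon: float,
                db: Dict[CellId, CellSite]) -> List[Tuple[CellId, str]]:
    """Run the check over the serving cell and any reported neighbours; return the flagged ones."""
    flagged = []
    for cell in observed:
        verdict, _ = classify_cell(cell, lat, lon, db)
        if verdict != "plausible":
            flagged.append((cell, verdict))
    return flagged


if __name__ == "__main__":
    here = (52.2300, 21.0150)           # constructed device position fix
    seen = [("001", "01", 100, 5001),   # genuine local cell
            ("001", "01", 200, 7001),   # identity belonging to a cell roughly 280 km away
            ("001", "01", 100, 9999)]   # identity not in the database at all
    for cell, verdict in audit_cells(seen, *here, SAMPLE_DB):
        print(cell, verdict)
```

Two limits of this heuristic follow from the thread itself: an unknown identity may just be a gap in the database rather than a catcher, and, as juiceme notes above, a device that reuses the identity of a real nearby cell passes the check unchanged, so the location test catches only the careless case.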

nieldk 2014-09-05 07:45

Re: GSM firewall
 
I think some of you will find this patent interesting
http://appft.uspto.gov/netacgi/nph-P...DN/20120108227

joerg_rw 2014-09-05 15:39

Re: GSM firewall
 
Quote:

Originally Posted by nieldk (Post 1438279)
I think some of you will find this patent interesting
http://appft.uspto.gov/netacgi/nph-P...DN/20120108227

Yes, this would reliably identify rogue BTS aka IMSI-catchers, but it's a network-based method that's not implemented at least on GSM (2G) level in any network / by any carrier I know of.

/j

rkos 2015-11-04 08:34

Re: GSM firewall
 
Hello,

My friend and I bought cryptophones at the start of this year because we're stupid with money like that and we didn't have the patience to wait for the Neo900 (he's gonna get one too though; I would too, but my finances aren't in a state to support it...).
I can answer any questions you might have about them to the best of my ability.
We got GSMK CryptoPhone 500s; they actually have two firewalls, an IP and a baseband one. The baseband firewall seems to be related to what you're ideating for Neo900: it keeps watch of the modem and inconsistencies between its and the OS's activity. The IP firewall at least kept preventing me from establishing a connection to a meterpreter shell I installed on the phone. When I was traveling in Norway at one point the baseband firewall started warning about IMSI-catchers or something of the sort; I assume this was related to the NATO military bases there :)
The phones have a variety of other features, but my short summary of them would be an overly expensive gadget marketed for governments.


All times are GMT.