cellular MITM

This topic contains 5 replies, has 3 voices, and was last updated by bazinga 1 week, 6 days ago.

  • #3549
     munkeyfreenix.batcat 
    Participant

    Can anyone point me in the right direction for cellular phone protocols? Is there an equivalent to ARP poisoning techniques for cellular? The protocols all are pretty complicated, so I figure there is no point in reinventing the wheel.

  • #23133
     Ketchup 
    Participant

    I believe that actual voice conversations are encrypted (non-analog calls). You can build devices to capture cellular traffic, but you would still have to decrypt the voice. I am sure there are backdoors to the encryption, per the feds.

    See the following links for call interception devices:
    http://www.cellularintercept.com/
    http://www.global-security-solutions.com/PGFDigitalCellularIntercepter.htm

    I am sure if you dig, you will find someone outside of your country who is willing to sell you such a device. I'm pretty sure it will cost you.

  • #23134
     munkeyfreenix.batcat 
    Participant

    Damn, I don’t think I’ve ever been so terrified by a website, nor intrigued.

    Nothing supersedes the need to stop criminals before they strike, and bring outlaws to justice

    Err, especially the Bill of Rights? Hmm. It's not like

    Honestly, I’m more interested in making really advanced prank calls by manipulating the ATM cells, that and using MitM concept to funnel traffic through my phone.

    Encrypted yes, but not very advanced. I was just reading that the G3 network is still using symmetric encryption for backwards compatibility, and that the SIM card holds the ticket. I'm sure the social engineers out there can convince people to let them 'borrow your SIM card for a moment', but I'm sure there is a way in.

    Anywhere I should look into how phones are identified on the network?

  • #23135
     Ketchup 
    Participant

    Yeah, I thought that was a bit funny in a self-righteous kind of way.

    I don't know much about ATM cells. I think an easier way for you to make prank calls would be to just clone a cell phone or two. You would have to duplicate the ESN number and the phone number in the phone. I believe that this is how a carrier identifies a headset.

    http://www.collusion.org/Article.cfm?ID=383

  • #23136
     munkeyfreenix.batcat 
    Participant

    Thanks. I'll look into that.

    ATM cells are really small (about 48 bytes) but have a Virtual Channel and Virtual Path indicator in the header. But maybe going that low isn't all that necessary up front.

    And prank calls are just the 'public face' of this idea. You can pass out a program with instructions on how to spoof a phone number, but those that know will be able to use it for a lot more (for example, tunneling sensitive information through the audio signal of a phone conversation that is inserted and extracted using phase vocoding synthesis techniques, which then can be routed through various phones to avoid tracing). And of course, there will be little instruction (i.e. none) shipped with the app.

  • #174258
     bazinga 
    Participant

    I believe that in order to intercept the voice, you will need to build some kind of decryptor or decoder to decrypt the A5/1 encryption.
    Certainly you can build devices to monitor cellular traffic.
    See the following links for call interception devices:

    https://usdgs.com/cellular-monitoring/
    https://www.blackhat.com/presentations/bh-dc-08/Steve-DHulton/Whitepaper/bh-dc-08-steve-dhulton-WP.pdf

    And there are some suppliers on the internet who are specialized in this kind of system.
