Science + Technology
3:04 am
Mon July 15, 2013

How Hackers Tapped Into My Cellphone For Less Than $300

Originally published on Mon July 15, 2013 8:57 am

In the wake of the National Security Agency cyber-spying revelations, you may be worrying about the government keeping track of your digital life. But, for less than $300, a group of ordinary hackers found a way to tap right into Verizon cellphones.

This is a group of good-guy, or "white hat", hackers. They hacked the phones to warn wireless carriers that the phones have a security flaw.

I got to experience having my phone broken into. I met the hackers at a hotel room in downtown San Francisco. A moment after I stepped in, Tom Ritter pulled me over to look at a computer screen. Ritter is a security consultant for iSEC Partners, which specializes in helping companies locate technology security flaws.

As I looked down at Ritter's laptop screen, he pointed to a number.

"Is this your phone number?" he asked.

It was. The minute I'd walked into the room Ritter had gotten into my phone.

Then, he showed me how he could listen to my conversations. I called up Nico Sell, who works with Ritter. We had a brief conversation. After I hung up, Ritter played a recording of the entire call for me.

Ritter said he was able to tap into my call with something called a femtocell, also known as a wireless network extender. The one he used was made by Samsung for Verizon and cost about $250. The femtocell is about the size of a wireless router. You can buy one at Best Buy.

And, Ritter said, "Everything we did can be done with free software you can download online — nothing terribly special."

He says companies like Verizon support these devices for customers who live in rural areas or high-rise buildings and have poor cellphone reception.

"You can get these from carriers to give yourself a better signal," he said.

Ritter explained that the femtocell is basically cell phone tower; that's why it's able to pick up all the phone signals around it. In case you were wondering, it also intercepts your text messages, including photos and if you use the browser to sign into your bank's website, the device will be able to get your login and password. Yikes!

Ritter says someone has to be within around 40 feet of the femtocell for it to tap into their phone. But, given that it can fit in a purse Ritter imagines a lot of situations where getting close enough would be easy.

Ritter painted a scenario in which "a lady goes out to ... a bar in downtown DC ... At this place a whole bunch of congressman are hanging out." In her purse, this "lady" had a femtocell.

"She happens to pick up a whole bunch of picture messages," Ritter said. "It doesn't take a whole lot of stretch of the imagination to see that there's a lot of potential here for targeting high-profile individuals or just ordinary people."

In case you're wondering, the lady with the purse could be in a different room. The femtocell will pick up a signal through most walls.

This particular femtocell taps into Verizon phones. However, Ritter believes it might be possible to find a similar problem with femtocells that work with other providers.

Ritter is trying to help these companies. So, he told Verizon about the hack. David Samberg, a Verizon spokesman, says the company patched the flaw in the femtocells without customers realizing it.

"It was an over-the-air software push," he said. "All of the devices received the software upgrade."

Samberg claims it's no longer possible to do what Ritter and iSEC did. Samberg said that anyone who tried to block the fix on their femtocell would be disconnected from the network. However, he could not explain how Ritter and iSEC were still able to tap into my phone.

Ritter and other security analysts don't agree that the problem has really been fixed. Ritter will be part of a presentation at Def Con, one of the world's largest gatherings of hackers. iSEC and Ritter were chosen to present because Def Con organizers have always believed that these femtocells, which have been on the market for a few years, were vulnerable because they mimic cellphone towers.

Chris Wysopal, the chief technology officer of the security firm Veracode, says that "with the way that these devices work, you know, mimicking a cell tower, looking like a trusted connection to your phone, it is a point of vulnerability."

The femtocell may electronically look like a cell tower to your phone, but to a hacker Wysopal said, it's a lot easier to get into than a real cell tower. "It's a physical device that an attacker can get their hands on they can open it up," he said. "That's not something you can do with a cell tower, obviously, because it's a locked building with fences around it."

For its part, Verizon says it has its own team of security experts who are regularly looking for vulnerabilities in its hardware and software. But the company says it's a constant battle. Like building a better safe at a bank, it will deter more people but nothing is perfect, Verizon says.

Ritter of iSEC says there are much better fixes than what Verizon has done, but they cost a lot more money.

"I make sure that I don't send anything over the phone that I wouldn't be comfortable with someone else seeing," Ritter said.

Copyright 2013 NPR. To see more, visit http://www.npr.org/.

Transcript

DAVID GREENE, HOST:

And we're not done with tech news yet. Let's consider some of the issues raised in the wake of the recent NSA surveillance leaks. If you're worried about your digital life, some hackers say they can help. For less than $300, they can tap right into your cell phone. They call themselves quote, "good hackers," and they say they're trying to warn cell phone carriers that more needs to be done about security.

RENEE MONTAGNE, HOST:

NPR's Laura Sydell decided to see what the group is all about.

LAURA SYDELL, BYLINE: I went to a hotel room in downtown San Francisco to meet these hackers. A moment after I walked in, Tom Ritter takes me over to look at a laptop screen.

TOM RITTER: Is this your phone number right here?

SYDELL: What am I looking at? Yes, that is my phone number. How did you know that was my phone number?

RITTER: You've associated to the device and we are picking up your phone.

SYDELL: Already? You mean, like, the minute I walked in the room?

RITTER: Pretty much. Yeah.

SYDELL: Oh my god.

Phew. Thank goodness, Ritter is a good guy - he's security consultant for iSEC Partners, a firm that specializes in finding security flaws to help business. Not only has Ritter got my number, he can listen in on my calls.

Hey, Nico. How are you?

I give a call to Nico Sell, who works with Ritter.

Do you usually come to San Francisco? Is it typical or atypical?

We chat for a couple of minutes.

Bye.

NICO SELL: Bye.

SYDELL: Then, we I walk back over to Ritter's laptop. No one in the room here could hear Sell's side of the conversation. But, Ritter could. He plays it back to me.

Hey, Nico. How are you?

SELL: Great. How you doing, Laura?

SYDELL: Ritter says he was able to tap into my call with something called a femtocell. It cost him about $250.

RITTER: It's a small device about the size of a wireless router you'd pick up at Best Buy, and if you have poor cell phone reception in your home, you live in a rural area or a high rise building, you can get these from carriers to give yourself a better signal.

SYDELL: Ritter says the femtocell is basically a cell phone tower - that's why it's able to pick up all the phone signals around it. In case you were wondering, it also intercepts your text messages, including photos and if you use the browser to sign in to a site - say your bank.

RITTER: And you can see it pop up right there.

SYDELL: So I can see what your password was and I can see what your sign in was.

Ritter says someone has to be within around 40 feet of the femtocell for it to tap into their phone. But, given that it can fit in a purse, Ritter imagines a lot of situations where getting close enough would be easy.

RITTER: A lady goes out to, you know, bar in downtown D.C. You know, at this place a whole bunch of congressmen are hanging out.

SYDELL: This is beginning to sound like the beginning of a joke, but go ahead.

(LAUGHTER)

RITTER: She happens to pick up a whole bunch of picture messages. It doesn't take a whole lot of stretch of the imagination to see that there's a lot of potential here for targeting high profile individuals or just ordinary people.

SYDELL: In case you're wondering, the lady with the purse could be in a different room - the femtocell will pick up a signal through most walls.

This particular femtocell taps into Verizon phones - though he says that he could probably find a similar problem with femtocells that work with other providers. Since Ritter, is trying to help these companies, he told Verizon about the hack.

David Samberg, a spokesperson for Verizon, says they patched the flaw in the femtocells without customers realizing it.

DAVID SAMBERG: It was an over-the-air software push in that all of the devices received the software upgrade. So what they did when you walked into that room can't be done any longer.

SYDELL: But, Ritter and other security analysts don't agree that the problem has really been fixed - notably they were able to tap into my phone. Ritter is going to be part of a presentation at Defcon - a conference for hackers. iSEC and Ritter were chosen to present because Defcon organizers have always believed that these femtocells, which have been on the market for a few years, were vulnerable because they mimic cell phone towers.

Chris Wysopal, the CTO of the security firm Veracode, sits on the committee that picked Ritter to present at Defcon.

CHRIS WYSOPAL: With the way that these devices work, it is a point of vulnerability because, you know, it's a physical device that an attacker can get their hands on, they can open it up. That's not something you can do with a cell tower, obviously, because it's a locked building with, you know, fences around it.

SYDELL: Verizon says it has its own team of security experts who are regularly looking for vulnerabilities in their hardware and software, but that it's a constant battle. Like building a better safe at a bank, it will deter more people but nothing is perfect.

RITTER: Ritter of iSEC says there are much better fixes than what Verizon has done, but they cost a lot more money. In the meantime, Ritter says...

I make sure that I don't send anything over the phone that I wouldn't be comfortable with someone else seeing.

SYDELL: As for me, I left that interview feeling a lot more paranoid.

Laura Sydell, NPR News, San Francisco. Transcript provided by NPR, Copyright NPR.

Related Program