Every year at around this time, it's a good idea to update everything. Servers, desktops, IDEs, phones, databases... Everything. Why now? Well, because it is security conference season. DEF CON took place this past weekend, which was preceded by Black Hat. This week, it's the Chaos Computer Camp in Europe. All of these events combine to make for the most dangerous time of year for online systems. But this year's DEF CON really took the cake. You see, some enterprising developers and hackers there weaponized an exploit for CDMA and GSM networks.
In layman's terms, that means they cracked the cell phone networks wide open. The full details were sent out to the Full Disclosure security mailing list, and the information provided is fairly chilling. Take a gander at the email below, which I have left unedited (the sender didn't like capital letters, it seems):
while most were enjoying libations or talks a very interesting event
was taking place at the conference.
we're all familiar with the hostility of WiFi and GSM networks at DEF
CON, however, this year the most hostile network on earth was not
802.11; it was CDMA and 4G!
on Friday some parts of Anon and Lulz made appearance. by early
Saturday morning a weapon was deployed.
some characteristics:
- full active MitM against CDMA and 4G connections from Rio to carriers.
- MitM positioning for remote exploitation to ring0 on Android and PC.
- fall back to userspace only or non-persistent methods when
persistent rootkit unattainable.
- many attack trees and weaponized exploits. escalation from easy pwns
up to specialized techniques and tactics until success is achieved.
- simultaneous attack across CDMA and 4G connections using full power
in these LICENSED bands.
- operated continuously (except for outages :) from early Saturday
until 8am Monday.
- designed with intent: mass exploitation, reconnaissance,
exfiltration, eavesdropping.
how to tell if you met the beast at Rio:
- did you accept an upgrade for Android, Java, or other applications? (oops)
- did you notice 3G/4G signal anomalies, including full signal yet
poor bandwidth or no link?
- did you notice your Android at full charged plugged in, but dropping
to <50% charge once unplugged?
- did you notice 4G download speeds at quarter of usual, yet uploads
over twice as fast?
- did you notice Android services that immediately respawn when
killed? (Voice Search?)
- does your Android no longer connect to USB debugging yet adbd is alive?
- does your PC have an sshd that cannot be kill -9'd?
- did your Android crash - a hard freeze, and then take a long time to reboot?
...many other indicators, but for now that's sufficient to express the point.
if you met the beast, it seemed to have a nearly perfect success rate;
your odds not good. in fact you probably didn't even notice as it
pilfered bytes off your devices and monitored your conversations.
What does this mean for you and your developers? Well, for a start, the days of just assuming that the end-user's smartphone is secure are over. Additionally, the days of assuming the actual cell phone network is secure are also over. For folks who've always been worried about security on mobile devices, this doesn't change much: encrypting traffic and ensuring access to sensitive data is restricted to only those who need it are essential practices that many companies already follow.
But the real danger here is the network itself being vulnerable. Imagine the havoc that could be wreaked by parking a sniffing device outside of your office. Or at a major conference. It could result in catastrophic data loss and horrible systems penetration. If you've got any applications in the Apple or Android stores, now would be a great time to start going through those code bases to make sure you're not storing passwords in plaintext, or transmitting information without at least some form of encryption.
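As an added example (not from this post or the mailing-list message), here is the kind of check an app can make when the carrier network itself cannot be trusted: pin the server certificate's SHA-256 fingerprint, so a man-in-the-middle presenting a different certificate is refused even if it chains to a trusted CA. The function names, the host, and the sample certificate bytes are assumptions for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed placeholder standing in for a real DER-encoded certificate.
# In a real app the pin is computed from the server's actual certificate
# (or its public key) at build time and shipped inside the app.
SAMPLE_CERT_DER = b"constructed-stand-in-for-a-DER-certificate"


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, expected_pin: str) -> bool:
    """Compare the certificate fingerprint with the pinned value.

    Accepts the pin with or without colons and in either case; the
    comparison itself is constant-time so it leaks nothing about the pin.
    """
    expected = expected_pin.replace(":", "").lower()
    return hmac.compare_digest(cert_fingerprint(der_cert), expected)


def connect_pinned(host: str, port: int, expected_pin: str,
                   timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection and keep it only if the server cert matches the pin.

    Normal chain validation and hostname checking still run first; the pin is
    an additional check, so a MitM holding a certificate from any other CA,
    including a compromised or coerced one, is rejected as well.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, expected_pin):
        tls.close()
        raise ssl.SSLError(f"certificate pin mismatch for {host}:{port}")
    return tls
```

Pin rotation needs a plan (ship the next certificate's pin alongside the current one) or a legitimate certificate renewal will lock users out just as a MitM would.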
Oh, and the next time you go to a security conference, don't install any OS updates that come over the wire for your mobile device.