Friday, August 12, 2011

Sprint 4G appears to be hacked at DEFCON

Hello All,

It appears there could have been a successful man-in-the-middle (MiTM) attack on Sprint 4G at DEFCON. Numerous Android devices were attacked during this period. I hope Android users didn't "upgrade" or re-enter "their passwords" during the multi-day event. Dangerous, but there is a solution that the carriers and handset manufacturers could implement to protect against this (see the solution below).

News from:

A friend and I were discussing this, and this is what his response was:

I'm betting that they did it one of two ways on 802.16/ClearWire/Sprint4G.

They gained physical access to the local tower and did MiTM from the tower. WiMax is Mobile IP from the tower to the provider edge. It would be a lot easier to do MiTM at a Mobile IP tower than on an LTE network.

The other way is, someone in the group worked for / had access to enough of the parts to make a fake WiMax base station. Based on the signal strength reports and slow speeds, this is what I bet they did. WiMax uses either EAP-TLS or EAP-TTLS. I'm guessing either they had access to the certs to appear valid, or the end devices did not properly implement EAP-TLS and EAP-TTLS and just accepted any certificate.

A pretty cool hack if they did.  Hopefully it can be shown, and the 4G devices can implement proper security.

Update to above.....

After further research, it definitely looks like the latter method (fake WiMax Base station).  They talk about signal strength and upload speeds.  Those wouldn't be affected by the first method (getting into a valid tower).

Unfortunately the supplicant (client) is probably just configured to accept any certificate.
For example, on the Cradlepoint you just specify the carrier / realm, but that's it. No username, etc. No certs. No other options.

Another example is the Sprint SmartView client: it has nowhere to specify anything related to authentication or certificates.

One would need a fake WiMax base station (one that can do 2.6 GHz) in order to test whether the supplicant takes any certificate.

Side note: certain applications, such as Apple Mail, offer the ability to register against a specific TLS certificate serial number. I hope other devices/applications allow this in the future.

The MiTM Attack Solution
If phones only accepted carrier-based certs and had a proper implementation of EAP-TLS or EAP-TTLS, this would protect against this sort of attack.
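The supplicant behaviour suspected above (accept any certificate) next to the policy this solution calls for (accept only carrier-issued certificates for the expected server), as an added example in Go; this is not code from the original post or from any carrier client. It builds a throwaway carrier CA, the genuine AAA server certificate that CA signed, a carrier-signed certificate for a different host, and a self-signed certificate that merely copies the AAA server's name, then applies both supplicant policies to each. The CA name and the hostnames (aaa.carrier.example, www.carrier.example) are assumptions, as is using Go's x509 chain verification to stand in for the check a WiMax supplicant should perform on the certificate presented inside the EAP-TLS/EAP-TTLS handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// aaaName is a hypothetical carrier AAA server name; the post names none.
const aaaName = "aaa.carrier.example"

// mustCert issues a throwaway certificate: self-signed when parent is nil (the
// carrier CA, or a rogue station's home-made cert), otherwise signed by parent,
// as a genuine carrier-issued cert would be. Demo code, so it panics on error.
func mustCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	check := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if !isCA {
		tmpl.DNSNames = []string{name} // the identity a supplicant matches against
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// Supplicant is the client-side policy for the certificate a base station
// presents inside the EAP-TLS/EAP-TTLS handshake.
type Supplicant struct {
	Roots      *x509.CertPool // carrier CA(s) the device trusts; nil = trust anything
	ServerName string         // identity the presented certificate must carry
}

// Accepts reports whether the supplicant would complete the handshake with a
// station presenting cert, and why not if it would not. A nil root pool models
// the clients the post describes, which have nowhere to configure a CA at all.
func (s Supplicant) Accepts(cert *x509.Certificate) (bool, error) {
	if s.Roots == nil {
		return true, nil
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: s.Roots, DNSName: s.ServerName})
	return err == nil, err
}

// Outcome records which station each supplicant policy would have joined.
type Outcome struct {
	WeakAcceptsRogue, PinnedAcceptsRogue, PinnedAcceptsWrongName, PinnedAcceptsGenuine bool
	RogueErr, WrongNameErr                                                            error
}

// RunScenario builds the carrier CA and three station certificates (constructed
// for this demo) and applies the accept-anything and carrier-pinned policies.
func RunScenario() Outcome {
	ca, caKey := mustCert("Carrier Root CA", true, nil, nil)
	genuine, _ := mustCert(aaaName, false, ca, caKey)              // the real AAA server
	wrongName, _ := mustCert("www.carrier.example", false, ca, caKey) // carrier-signed, wrong host
	rogue, _ := mustCert(aaaName, false, nil, nil)                  // fake base station, self-signed
	weak := Supplicant{} // accepts whatever the air interface offers
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	pinned := Supplicant{Roots: roots, ServerName: aaaName}
	var o Outcome
	o.WeakAcceptsRogue, _ = weak.Accepts(rogue)
	o.PinnedAcceptsRogue, o.RogueErr = pinned.Accepts(rogue)
	o.PinnedAcceptsWrongName, o.WrongNameErr = pinned.Accepts(wrongName)
	o.PinnedAcceptsGenuine, _ = pinned.Accepts(genuine)
	return o
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Running it prints the Outcome: the accept-anything policy joins the rogue station, while the pinned policy rejects the self-signed certificate as signed by an unknown authority and rejects the carrier-signed certificate for the wrong host by its name mismatch, and only the genuine AAA certificate passes. The second rejection is why pinning the carrier CA alone is not the whole fix: the supplicant also has to check that the certificate names the server it expects.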

Sadly, the solution is going to take a bit of work and time. So don't automatically "trust" voice over data. Protect your data and it can be more secure than your voice.