[guardian-dev] Lavabit and End-point Security

Tom Ritter tom at ritter.vg
Mon Aug 12 19:58:09 EDT 2013


On 12 August 2013 18:31, coderman <coderman at gmail.com> wrote:
> On Mon, Aug 12, 2013 at 6:33 AM, Nathan of Guardian
> <nathan at guardianproject.info> wrote:
>> ...
>> On your last point (SDR-as-debug/detect-tool), would Tom Ritter's recent
>> work with using picocells be helpful in that context?
>
>
> the picocell won't provide the level of access you need to view what's
> happening. what you want is the equivalent of monitor mode for cell
> bands... #include <std_legal_disclaimer.h>
>
> hardware i've used which works well: Noctar (formerly Phi) from
> Pervices, USRP2, and others have indicated good success with BladeRF
> units. there are plenty of other SDRs out there but i don't know
> enough to comment.  i have tried multiple rtl-sdr USB in parallel but
> was not able to make it usable for most any of cdma, edge, ehrpd,
> evdo, evdoa, evdob, hsdpa, hspa, hspap, hsupa, iden, or lte encodings
> in the limited amount of time spent on the effort.
>
>
> that said, hacking the picocell in a way that makes it resistant to
> such attacks, and forcing devices to it instead could provide a
> deterrent and visibility. this seems like a stop gap at best, but
> perhaps still useful in a pinch!
>
>
> "Noctar Kit"
> http://www.pervices.com/shop/index.php?route=product/product&product_id=49
>
> "BladeRF"
> http://nuand.com/
>
> you know where to find USRP2s :)


I don't know.  The femtocells we hacked show us everything the phone
sends to the carrier, including voice calls, the CAVE cell phone auth,
etc.  They're basically a USRP/OpenBTS tower that has the benefit of
looking exactly like a carrier tower, and is wired into the _actual_
carrier network, so all the normal and legit traffic from the phone
passes and gets all the correct responses from the carrier it expects.

Now if the phone's baseband is sending stuff on a separate radio band
(e.g. transmitting via FM?) or sending data to a macrocell tower
instead of us, we don't see it; and if it's encrypted to a public key or
with a key we don't have, we can't decrypt it... but from the phone's
perspective, the femtocell is a legit tower.  It does 1x, EVDO, and
3G.  (Not LTE, but the phone can't send LTE if it doesn't have an LTE
radio, which is a large portion of phones out there.)  So if the
phone's mic was turned on, I don't know why the data wouldn't wind up
passing through the femtocell. Especially because the most
straightforward way to eavesdrop on people via a phone would be to turn on
the mic and basically (from the baseband/carrier's perspective) send
it as if it were a phone call.

Is there something I'm missing that would lead us to miss the data?

That all said, our POC was not designed around using it as a forensics
platform.  We don't understand every packet from the phone that we
see.  So we'd see if it was a normal voice call, but if it was a more
insidious backdoor we might not notice right now.  If you handed me a
suspected compromised phone I wouldn't be confident in detecting a
backdoor.

-tom