
How To Compete With NSA By Hacking a Verizon Network Extender

Posted by timothy
from the awesome-goldman-sachs-advertising-too dept.
New submitter Anita Hunt (lissnup) writes "This snooping hack-in-a-backpack could become a hot Summer accessory, since Reuters reported that 'researchers at iSec hacked into a Verizon network extender, which anyone can buy online, and turned it into a cell phone tower (video interview) small enough to fit inside a backpack capable of capturing and intercepting all calls, text messages and data sent by mobile devices within range.'"

  • They don't work all that great in reality; I get maybe a -10 difference on my signal strength vs. without it running. This could be a fun little hack to try out, for educational reasons, of course.
  • by vikingpower (768921) <exercitussolus@[ ]il.com ['gma' in gap]> on Tuesday July 16, 2013 @10:14AM (#44296461) Homepage Journal
    "This is ordinary people intercepting... ordinary people". A nice, bitter subversion of the "power to the people" concept?
    • by dgatwood (11270) on Tuesday July 16, 2013 @10:58AM (#44297017) Journal

      "This is ordinary people intercepting... ordinary people". A nice, bitter subversion of the "power to the people" concept?

      Not a subversion at all. Perhaps you're forgetting that congresspeople are ordinary people, as are judges.

      "You wouldn't want us to leak to the press that affair you've been having, would you, Senator? Then I trust you'll do better at ensuring the NSA is not spying on your own citizens."

      "You wouldn't want us to leak to the press that you took a bribe from the Monsanto corporation, would you? Then I trust you'll rule that we have standing to sue the federal government over the PRISM program."

      And so on. Not saying that two wrongs make a right, but enough rights do make a left.

    • by gmuslera (3436)
      In a country where laws apply in the same way for everyone, that could pass. In the US, on the other hand, which now sees hacking as weapons of mass destruction, as they are used and planned for use on a big scale [schneier.com] in that way, it will be labeled as terrorism and put you in jail for decades or more [vice.com]... unless you are a big contributor [rollingstone.com] or work for them, in which case it will have no consequences.
    • by Lumpy (12016)

      Actually yes.

      If you know of an NSA or govt operation going on, get an operative to place a unit near them and start intercepting their cellphone traffic so you can spy on the guys spying.

      Now imagine making hundreds of these things all placed at specific locations but with a backend system that lets you enable or disable at will. Now you have a cellular snoopnet covering a very wide area.

  • Why would you need to sync your phone to the station to get it to work, let's just send unencrypted communication all over the place.

    • by jc42 (318812) on Tuesday July 16, 2013 @10:35AM (#44296725) Homepage Journal

      Why would you need to sync your phone to the station to get it to work, let's just send unencrypted communication all over the place.

      We should be careful in just encouraging encrypted communication, because the usual interpretations of this provide no security at all, and were rejected back in the ARPAnet days of the 1960s by the security advisers.

      The usual interpretation of "encrypted communication", of course, is the frequent suggestion that "the Internet" itself should do encryption. This is especially suggested by people who've figured out that the average user doesn't stand much of a chance of doing it right, with modern comm software.

      But having "the Internet" do the encryption actually means that the encryption is done by your comm supplier, i.e. your ISP or phone company. What this means is that your comm supplier is the one who also does the decryption, so they have complete access to everything. The recent stories about the close ties between government security agencies and the comm companies show that this would be no security at all.

      What was decided back in the 1960s, and what anyone with a basic understanding of security will agree with, is that the low-level comm stuff shouldn't be burdened with any security measures. They are simply a waste of cpu time, since they make your messages accessible to the people who run the low-level comm stuff. The low-level stuff should therefore be tasked simply with getting the bits across as fast as possible. To qualify as secure, any encryption must be handled by the two end-points in a conversation.

      Note that this doesn't mean that the (human) end users need to be the ones doing the encryption. What it means is that the encryption software must be running on the piece of hardware that they're using, not by anything further away in the connection.

      Of course, then you have the next problem, of preventing spy software from being installed on the hardware at either end. But that's a different issue.

      The primary understanding is that we should insist that "encrypted communication" be done only end-to-end. Anything else inherently makes your info available to whoever owns the hardware that's running the encryption software. (And it makes the whole comm system run slower, since encryption software does use cpu time, and if it's not in the end systems, it's 100% a waste of that cpu time.)

      The major use-level issue is whether we can create encryption software that runs in the users' gadgets, and which the users can actually use correctly, and which won't be compromised by builtin backdoors such as keyloggers that were installed by the comm companies.
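The distinction drawn in the comment above, between encryption done by the carrier and encryption done only at the two endpoints, shown as an added example that is not part of the original thread. The party names, keys and the HMAC-based toy cipher are assumptions made for illustration; a real system would use a vetted AEAD such as AES-GCM.

```python
import hashlib, hmac, os

def _subkey(key: bytes, label: bytes) -> bytes:
    return hashlib.sha256(label + key).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream: HMAC-SHA256(key, nonce || counter). Illustration only.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raises ValueError if the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def carrier_encrypted(msg: bytes, k_alice_carrier: bytes, k_carrier_bob: bytes):
    """Carrier terminates both hops. Returns (carrier's view, Bob's message)."""
    hop1 = seal(k_alice_carrier, msg)
    seen = open_(k_alice_carrier, hop1)   # carrier holds the hop key: plaintext
    hop2 = seal(k_carrier_bob, seen)      # re-encrypted for the second hop
    return seen, open_(k_carrier_bob, hop2)

def end_to_end(msg: bytes, k_alice_bob: bytes):
    """Only the endpoints hold the key. Returns (carrier's view, Bob's message)."""
    blob = seal(k_alice_bob, msg)
    seen = blob                           # carrier forwards bytes it cannot read
    return seen, open_(k_alice_bob, blob)

if __name__ == "__main__":
    msg = b"constructed sample message"
    print(carrier_encrypted(msg, os.urandom(32), os.urandom(32))[0])
    print(end_to_end(msg, os.urandom(32))[0].hex())
```

In both models the wire carries ciphertext on every hop; the difference is only which party holds a key that opens it.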

      • by mi (197448) <slashdot-2012@virtual-estates.net> on Tuesday July 16, 2013 @10:54AM (#44296961) Homepage

        What this means is that your comm supplier is the one who also does the decryption, so they have complete access to everything. The recent stories about the close ties between government security agencies and the comm companies show that this would be no security at all.

        Actually, there would be quite a bit of security against non-governmental attackers and those working for foreign governments.

        And while it is the governmental ones that scare us for having a potential for abuse, it is those others that have done actual damage to millions of computers and hurt millions of people already — through spamming, identity theft, and spying.

        I, for one, would've been glad to be rid of those, even if Uncle Sam's fishing expeditions remain a threat.

        • It would be no security because no one vampire taps a fiber line. If you're going to intercept info, you do it at the ISP level, no matter who you are.

          • by mi (197448)
            That would depend on the implementation, and on what exactly is routinely encryption-protected — and how. For example, if the DNS was secure from the beginning, a large number of actual high-profile attacks would not have been possible.
          • > no one vampire taps a fiber line

            sure about that?

        • by pilot1 (610480) *

          And while it is the governmental ones that scare us for having a potential for abuse, it is those others that have done actual damage to millions of computers and hurt millions of people already — through spamming, identity theft, and spying.

          How the hell is encryption going to help with spamming or identity theft?

          • by mi (197448)
            By making it harder to take over laypeople's Internet-connected computers — to use them as spam relays and to steal electronic documents from them.
            • The internet-connected computers don't use encryption in this scenario though. The ISP decrypts traffic before it reaches them. This makes absolutely no difference as far as attacking those computers is concerned. It only makes it harder for certain parties to spy by intercepting traffic.

              What this means is that your comm supplier is the one who also does the decryption, so they have complete access to everything.

              • by mi (197448)

                The internet-connected computers don't use encryption in this scenario though.

                I'm not sure, the "scenario" is sufficiently well-defined in this conversation to make too many conclusions. I was simply responding to an assertion, that, due to an ISP-government collusion, there is no point in ISP-based security. My response was, that there are many other dangers on the Internet — besides government's snooping. And that while government's is a potential threat, certain other threats have already caused m

                • by pilot1 (610480) *

                  I'm not sure, the "scenario" is sufficiently well-defined in this conversation to make too many conclusions. I was simply responding to an assertion, that, due to an ISP-government collusion, there is no point in ISP-based security.

                  That is enough of a scenario to make certain statements about the security provided though. By definition ISP-based encryption only protects traffic on the wire; it cannot protect the computers at the end points.

                  • by mi (197448)
                    How about reliable DNS? That, if it were in place from the beginning, would've prevented an entire family of attacks...

                    We can argue about could-should-woulda, but my main point remains — snooping by the American government is hardly the only danger to today's Internet-users and reducing the other threats would've been good, even if this one remained...

                    • by pilot1 (610480) *

                      How about reliable DNS? That, if it were in place from the beginning, would've prevented an entire family of attacks...

                      DNS spoofing requires low latency, which effectively requires that the attacker be on the same local network as his target. ISP-level encryption can't protect against that.

                      We can argue about could-should-woulda, but my main point remains — snooping by the American government is hardly the only danger to today's Internet-users and reducing the other threats would've been good, even if this one remained...

                      And my point remains that very few threats can be reduced by ISP-level encryption. I'm sure the govt would be campaigning hard for it if it were such a panacea.

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        But having "the Internet" do the encryption actually means that the encryption is done by your comm supplier, i.e. your ISP or phone company.

        Not necessarily. You could just have the initial key exchange built into the initial handshake, e.g. like this:

        The SYN packet contains the public key certificate of the client.
        The SYN/ACK packet contains the public key certificate of the server, and a hash of the client's certificate signed with the server's private key.
        The final ACK packet contains a hash of the certi

  • Buttinsky (Score:5, Funny)

    by flyingfsck (986395) on Tuesday July 16, 2013 @10:19AM (#44296525)
    In the good old bad old days, all you needed to butt into a phone conversation was a Buttinsky phone (linesman test set). Nowadays, you need a whole backpack full of equipment, a laptop computer and heavy batteries, and we call this progress?
  • I'm waiting for some phone company to offer end-to-end encryption for a fee (maybe they already have?). Of course I'm sure, since they have full access to your phone, that private key will end up "backed-up" for your convenience to their servers.
    • by cjb658 (1235986)

      Redphone (https://whispersystems.org/) does this for free, but unfortunately, it uses data, and only works on Android.

  • And piss off a multi billion dollar telco while you're at it. What could possibly go [slashdot.org] wrong? [wikipedia.org]
