Why won’t my call go through? Denial of service in the cell phone network.

Recently, some of the major cellular carriers have released “Network Extenders”, also known as femtocells. A network extender is a device that a subscriber purchases to extend the reach of the cell phone network. (In effect, the subscriber pays for the privilege of increasing the carrier’s coverage. What a deal!)

The network extender is conceptually similar to a Wi-Fi access point. Both connect to the Internet via wire, and both provide wireless services. While the Wi-Fi device provides Internet services, the femtocell provides cellular services.

The femtocell appears to nearby cell phones as a new cell tower, and while it is connected to the Internet it will process calls for any cell phone that successfully registers with it. Effectively, the femtocell is just a new gateway into the cellular network.

The cell phone owner cannot choose whether to connect to the femtocell or to a regular cell tower; that decision is made between the phone and the “cell tower”. This was not a problem when only the cellular carriers put up cell towers. The network extender, however, lets individuals deploy cell towers.

Recently, I encountered a denial of service issue with a cell phone that I tracked back to an issue with a femtocell. A cell phone had registered with the femtocell to connect to the wireless network. However, the femtocell lost connectivity to the Internet. (Remember, the femtocell is a gateway that uses the Internet to reach the cellular network.)

Since the femtocell still had power, the wireless side was still active. This meant that any cell phone that had registered with the femtocell thought it was still connected to the cellular network. However, the femtocell had no way to reach the cellular network, since its Internet link was down. It appears that current cell phones do not check whether the cell tower they are camped on actually has a working connection to the carrier’s network.

Thus, the cell phone could not make or receive calls or text messages, and the user had no way to tell the phone to switch to a working cell tower. The only way to get the phone working again was to move outside the range of the femtocell. Throughout the outage the phone reported 3 or 4 bars, because the signal bars measure only the radio link to the femtocell, not whether the femtocell can reach the carrier.

Until the carriers improve the algorithm a cell phone uses to confirm it is on a working cell tower, about the only thing a subscriber can do is keep a Voice over IP (VoIP) application as a backup to the standard phone. That only helps if the VoIP application can place calls over Wi-Fi. Failing that, use email, which should still work over Wi-Fi when the cell tower is not functioning.



Revenge Hacking

Revenge is a powerful motivator for hacking. Take, for example, the case of Barry Ardolf of Minnesota. Trouble started when a neighbor accused Mr. Ardolf of kissing their 4-year-old boy on the lips. When the parents confronted Mr. Ardolf, he admitted that the accusation was true. Naturally, the parents contacted the police. This made Mr. Ardolf angry, and he decided to seek revenge.

Court documents indicate that, as part of his revenge, Mr. Ardolf used aircrack, a freely available wireless security tool, to recover the Wired Equivalent Privacy (WEP) key for his neighbor’s network. With the neighbor’s WEP key, Mr. Ardolf could connect his own computer to the neighbor’s wireless network and reach the Internet through the neighbor’s IP address, so any activity he performed on the Internet would be traced back to the neighbor’s residence. This gave Mr. Ardolf the opportunity to take revenge through actions that would appear to have been done by his neighbor.

Meanwhile, the “hacked” neighbor had been getting reports that coworkers were receiving bizarre email messages that could not be explained. The neighbor had brought in a security consultant to monitor activity on his network. While the monitor was active, the Secret Service investigated an email threat that turned out to have been sent by Mr. Ardolf through the neighbor’s wireless network. Because it was sent from the “hacked” network, the IP address on the email came back to the neighbor, not to Mr. Ardolf. This led the Secret Service to visit the neighbor, who turned over the information from the monitor. In the monitor logs was Mr. Ardolf’s POP3 username and password, presumably known only to Mr. Ardolf. (POP3 without TLS sends the USER and PASS commands in the clear, which is why a network monitor could record them.) This piece of incriminating information caused the government to turn its attention toward Mr. Ardolf.

The username and password found in the monitor log gave the government probable cause to obtain a search warrant for Mr. Ardolf’s residence. Examination of his computers revealed that he had sent the threatening email and had created false email addresses and MySpace accounts designed to appear to be the neighbor’s.

Further, evidence was uncovered that Mr. Ardolf possessed illicit images of minors. He appears to have sent these images from the fake accounts he created, apparently to “frame” his neighbor.

There are a few lessons from this case. One is that revenge is a powerful and dangerous motivation, one that I covered in my book from a few years ago, High Tech Crimes Revealed. Revenge is a dangerous motivation because the goal is to damage or hurt another person.

Another lesson is that security weaknesses can be used to attack home networks as well as business networks. While WEP encryption is better than no encryption, it suffers from design flaws (a short initialization vector that repeats, sent in the clear, and weak RC4 key scheduling) that can be exploited in minutes with freely available tools.

In this case, the use of Wi-Fi Protected Access (WPA, or better WPA2) with a strong passphrase would have made it much more difficult for Mr. Ardolf to break into the neighbor’s wireless network.
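The following Python is an added example, not code from the original post and not the aircrack attack itself. It shows the root cause of the WEP weakness that tools such as aircrack exploit: WEP encrypts each packet with RC4 keyed by a 24-bit IV concatenated to the shared key, the IV is sent in the clear, and the IV space is small enough that it repeats after a few thousand packets. Two packets that share an IV share a keystream, so anyone who knows one packet’s plaintext (every IP packet starts with the same 8-byte LLC/SNAP header, and an attacker can also send the victim a packet whose contents they chose) can read the other without ever learning the key. The key, IVs and packet contents are constructed for the demonstration, and the ICV/CRC that real WEP appends is omitted. Aircrack’s actual key-recovery attacks (FMS, KoreK, PTW) go further and recover the key itself from statistical weaknesses in RC4’s key scheduling; this example does not attempt that.

```python
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + generation). WEP keys it with IV || root key for every packet."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR to the length of the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(root_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: the 3-byte IV in the clear, then RC4(IV || key) XOR plaintext (ICV omitted)."""
    assert len(iv) == 3 and len(root_key) in (5, 13)
    return iv + xor(plaintext, rc4_keystream(iv + root_key, len(plaintext)))


# Every IP packet carried over 802.11 starts with this LLC/SNAP header, so the first
# 8 plaintext bytes of nearly every WEP frame are known to an eavesdropper for free.
LLC_SNAP_IP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"


def learn_keystream(packet: bytes, known_plaintext: bytes):
    """Known plaintext XOR ciphertext = the keystream for this packet's IV, as far as the plaintext is known."""
    iv, body = packet[:3], packet[3:]
    return iv, xor(body, known_plaintext)


def decrypt_reused_iv(packet: bytes, keystreams: dict):
    """If this IV was seen before, its keystream decrypts the packet; the WEP key is never needed."""
    iv, body = packet[:3], packet[3:]
    ks = keystreams.get(iv)
    return None if ks is None else xor(body, ks)


def packets_until_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday bound: expected number of random IVs before one repeats, about sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


# Constructed traffic: a packet whose full contents the attacker knows (for example one they sent
# to the victim from the Internet, which the AP then encrypted), and a later packet reusing the IV.
KNOWN_PACKET = LLC_SNAP_IP + b"\x45\x00\x00\x28" + b"\x00" * 28
SECRET_PACKET = LLC_SNAP_IP + b"\x45\x00\x00\x28" + b"user=alice;sid=7f3a9c"


def demo() -> dict:
    root_key = bytes.fromhex("0123456789")   # hypothetical 40-bit WEP key; the attacker side never sees it
    iv = b"\x00\x00\x2a"
    seen_a = wep_encrypt(root_key, iv, KNOWN_PACKET)
    seen_b = wep_encrypt(root_key, iv, SECRET_PACKET)   # same IV, therefore the same RC4 keystream
    table = {}
    iv_a, ks = learn_keystream(seen_a, KNOWN_PACKET)
    table[iv_a] = ks
    return {
        "keystream_bytes": len(ks),
        "recovered": decrypt_reused_iv(seen_b, table),
        # ciphertext XOR ciphertext equals plaintext XOR plaintext whenever the keystream repeats
        "ct_xor_is_pt_xor": xor(seen_a[3:], seen_b[3:]) == xor(KNOWN_PACKET, SECRET_PACKET),
        "packets_to_collision": round(packets_until_iv_repeat()),
    }


if __name__ == "__main__":
    print(demo())
```

The birthday estimate (a little over 5,000 packets) is an upper bound on how long an attacker has to wait: many WEP cards reset the IV counter to zero on power-up, so on a real network IV reuse shows up much sooner than that.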


Ten insecure web applications for your online identity.

Recently, the NY Times published the article New Hacking Tools Pose Bigger Threats to Wi-Fi Users. The article discussed the dangers of a relatively new tool called Firesheep, which lets a third party “hijack” active sessions with password-protected websites. The software, created by Eric Butler, can be downloaded for free and is easy to use, since it is an add-on for Mozilla Firefox.

Normally, when we log into a website, we are first directed to a login page protected with SSL. (This appears to the user as “https”, and it encrypts data sent over the network.) When a user successfully logs in, their web browser gets a session cookie, which acts like a digital pass: it lets the user reach protected web pages without continually re-entering their password. A typical session cookie is an opaque sequence of characters and may look like this:


Keep in mind that anyone presenting a valid session cookie can access the protected web pages until the cookie is invalidated, normally by logging out (or when the server expires it). If the session cookie is sent without encryption, it can be read by a third party using an application such as Firesheep, and the stolen cookie can then be used to access the protected web pages. Note that while the session cookie may be stolen, the user’s password has not been compromised: the session id reveals nothing about the password. The attacker does not need it; as long as the session stays valid, the cookie alone is enough.

When we log into a website that is secure, we expect the entire session to be encrypted to protect our information as it travels the network. However, in many cases only the login page is protected, not the pages accessed after login. For example, when logging into Google, the password entered during login is protected by encryption, preventing a third party from stealing it. Once the user is logged in, a session cookie is set. When the user then accesses an unencrypted Google page, the browser sends the cookie again, but now in the clear.

The Firesheep application is preconfigured to capture active session information for 26 websites. Below are the ten most interesting of them.

  1. Amazon.com,
  2. Basecamp,
  3. Dropbox,
  4. Facebook,
  5. Google,
  6. Windows Live,
  7. NY Times,
  8. Twitter,
  9. WordPress,
  10. Yahoo

Each one of the above websites transmits the session cookie unencrypted, meaning that a third-party could steal the cookie using Firesheep. If someone can copy your session cookie, they could access your protected webpages. For example, in the case of Facebook, they could access your messages and even post status updates.

The risk of having your session cookie stolen is highest on open (unencrypted) Wi-Fi networks, such as those found at airports, coffee shops and hotels, because anyone in radio range can record the traffic. These networks often require a user to log in through a web page, but that login does nothing to protect the traffic; a Wi-Fi network that authenticates you through a web page is generally an open network. The risk is lower, but still exists, on WEP-protected networks, since WEP can be broken with freely available tools. Wired networks and WPA-protected Wi-Fi networks offer the best protection against this attack because they make it difficult for a third party to intercept your traffic. One caveat: on a WPA network that uses a shared passphrase (WPA-PSK), anyone who knows the passphrase and captures a client’s association handshake can decrypt that client’s traffic, so a hotel or cafe that hands out a single passphrase to everyone is only a modest improvement over open Wi-Fi.

What can a user do? There are only a couple of tips:

#1 – Always be sure to log out from a website when you are done. For example, when you are done on Facebook, be sure to log out. Logging out tells the server to invalidate the session cookie, so a copy stolen earlier no longer works.

#2 – Be aware when using an open Wi-Fi network that your session cookie could be stolen by a third-party. So, be more diligent about logging out when using an open Wi-Fi connection.

Unfortunately, there is not much more that users can do at this time. Application developers need to serve every page of a logged-in session over “https” and mark the session cookie with the Secure attribute, which instructs the browser to send it only over https and never over http.
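What Firesheep harvests, and the server-side fix just described, as an added Python example that is neither Firesheep’s code nor from the original post. The captured requests, host names and cookie values are constructed for the demonstration. The first function does the attacker’s job (pair each cleartext request’s Host with its Cookie header); the rest model the browser’s cookie-sending rule and show why marking a session cookie Secure keeps it off the wire on http pages, where a sniffer could read it.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample of what an eavesdropper on open Wi-Fi sees: plain-http requests, cookies included.
# Hosts and cookie values are made up; the cookie names only imitate the shape of real session cookies.
CAPTURED_HTTP = (
    b"GET /home.php HTTP/1.1\r\nHost: www.social.example\r\n"
    b"Cookie: datr=8f2c; c_user=100001; xs=9e1a7c\r\n\r\n"
    b"GET /mail/?ui=2 HTTP/1.1\r\nHost: mail.example\r\n"
    b"Cookie: SID=DQAAAJ0; NID=42\r\n\r\n"
    b"GET /img/logo.png HTTP/1.1\r\nHost: www.social.example\r\n\r\n"
)


def harvest_cookies(raw: bytes) -> dict:
    """What Firesheep does: for every cleartext request, pair the Host with the Cookie header.
    Returns {host: {cookie_name: value}}; no password is needed to replay these."""
    jar = {}
    for request in raw.split(b"\r\n\r\n"):
        if not request.strip():
            continue
        headers = {}
        for line in request.decode("latin-1").split("\r\n")[1:]:   # skip the request line
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        host, cookie = headers.get("host"), headers.get("cookie")
        if host and cookie:
            pairs = (c.strip().partition("=") for c in cookie.split(";"))
            jar.setdefault(host, {}).update({n: v for n, _, v in pairs if n})
    return jar


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    secure: bool = False
    httponly: bool = False


def parse_set_cookie(header: str, response_host: str) -> Cookie:
    """Parse a Set-Cookie header value the way a browser stores it."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip(), response_host.lower())
    for attribute in parts[1:]:
        key, _, val = attribute.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        elif key == "domain" and val:
            cookie.domain = val.strip().lstrip(".").lower()
    return cookie


def would_send(cookie: Cookie, url: str) -> bool:
    """Browser send rule: the host must match the cookie's domain, and a Secure cookie
    goes only over https. A cookie that is never sent over http cannot be sniffed there."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain_ok = host == cookie.domain or host.endswith("." + cookie.domain)
    return domain_ok and (parts.scheme == "https" or not cookie.secure)


def audit_set_cookie(header: str, response_host: str) -> list:
    """Findings a developer should check on a session cookie before shipping."""
    cookie = parse_set_cookie(header, response_host)
    findings = []
    if not cookie.secure:
        findings.append(f"{cookie.name}: no Secure attribute, so the browser will also send it over http")
    if not cookie.httponly:
        findings.append(f"{cookie.name}: no HttpOnly attribute, so page scripts can read it")
    return findings


if __name__ == "__main__":
    print(harvest_cookies(CAPTURED_HTTP))
    weak = "xs=9e1a7c; Path=/; Domain=.social.example"
    print(audit_set_cookie(weak, "www.social.example"))
    print(audit_set_cookie(weak + "; Secure; HttpOnly", "www.social.example"))
```

The Secure attribute alone is not enough if the site still serves logged-in pages over http: the browser will simply omit the cookie and the page will behave as if the user were logged out. The attribute and the all-https session go together.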

Tracking and recovering a stolen iPhone

A few months ago, a friend of mine lost his iPhone in a movie theater. He noticed it was missing when he got home. At least he thought it was lost, until he noticed that someone was reading and deleting his emails. It seemed that someone had found the iPhone and was using it.

He contacted AT&T for assistance. It should have been a pretty easy recovery. The iPhone, when turned on, must register on the AT&T (GSM) network, identifying the handset by its International Mobile Equipment Identity (IMEI) and the subscriber by the SIM’s International Mobile Subscriber Identity (IMSI). (The ESN and MIN are the CDMA equivalents.) AT&T should easily be able to find the cell tower serving the phone, right?

Well, technically AT&T can do that, but as a matter of policy, they don’t release this information without a subpoena. And that would need to come from the police.

Were there other options? Well, AT&T offered to turn off the service to the stolen iPhone and (for a fee) send him a new one. An offer that he took since he wanted to get into the mobile world.

Then, as luck would have it, the thief tried a test application on the iPhone called AirGraffiti. This app logs the GPS coordinates of the phone.

Here is a map showing some of the GPS coordinates reported for the cell phone.

Keep in mind that iPhones are both 3G and Wi-Fi capable. So, when AT&T turned off the stolen phone’s cellular service, the thief just kept using it over Wi-Fi.

GPS map view

There were a couple of challenges in this case. Since the phone was stolen, the thief had no expectation of privacy. However, everyone else in the neighborhood still did! So, we needed to search for the stolen phone only. Next, we wanted to listen passively: we did not want to generate traffic to make the iPhone respond. And we did not want to listen to content. We only wanted to look for the MAC address of the phone. The MAC address should be unique to each iPhone, and it is difficult to spoof the MAC address of an iPhone. These restrictions ruled out tools such as Wireshark, NetStumbler and Kismet.

My company builds AP-Finder, software that can track the location of WiFi devices. Since the owner had the MAC address for the iPhone, all I needed to do was run AP-Finder. I searched for the iPhone’s MAC address and drove through the area reported by the GPS coordinates. Sure enough, I got a hit!

Using the results of this search, I contacted the State Police and told them about the case and what I had. They came out to do the search using AP-Finder, and sure enough they also got a hit. Using the signal strength feature of AP-Finder, we were able to locate the house containing the phone. (Below is a sample of AP-Finder’s search-by-MAC feature.)

This technique has promise, but there is still more to do…



The end result: the cell phone was recovered and the thief was charged with fourth-degree theft and third-degree computer crime violations. All of this was done without issuing a subpoena to the cell phone carrier or ISP.

wireless networks and spies

Recently, federal authorities announced the arrest of 10 spies. While this happens from time to time, what makes this case noteworthy is the alleged spies’ use of private, peer-to-peer (also known as ad-hoc) wireless networks, along with other advanced data-hiding techniques.

The federal complaint, available at Scribd or at mainjustice.com, discusses how temporary networks were allegedly used to let the spies move data secretly without physically meeting. For example, the complaint mentions that a secret appeared to be passed between one spy in a bookstore and a second spy who was standing on the street.

Because the communications did not go over the Internet but over these temporary networks, agents needed to be physically close to the subjects. Since Wi-Fi signals are usually limited to about 300 feet, investigators would either need to be near the spies or use a specialized high-gain antenna to pick up the signal from farther away. Either option could be conspicuous.

In this complaint, MAC addresses were used to identify the potential spies. A MAC address is the hardware identifier of a computer’s or smart phone’s wireless interface, and it appears in the clear in every frame the device transmits, even on an encrypted network. Because these addresses are unique by default, the federal agents were able to detect that a network was being set up between the same two devices repeatedly over a six-month period. (A MAC address can be changed in software, so it identifies a device only as long as its owner has not bothered to change it.)

This complaint shows a high level of sophistication on the part of the alleged spies and of the FBI. This should prove to be an interesting case as it winds through the legal system.

Using a credit card over the Internet is safer than in-person?

In early September, the AP reported that a hacker pleaded guilty to theft of credit card numbers. (The full story, by Denise Lavoie, can be found here.) The story provided some detail on how the hacker obtained the card numbers. It turns out that the hacker(s) searched for open or otherwise poorly protected wireless networks that corporations used to transmit credit card numbers internally. Once a weak or open wireless network was found, the hackers installed a program to collect the credit card numbers used for in-store purchases.

In this case, it was less safe to make a purchase with your physical credit card than it would have been to make the same purchase over the Internet. Why? Because credit card numbers are generally not protected when they are transmitted within a corporate network, and they have not been for years. One of the first reported cases of a hacker breaking into a corporate wireless network to steal credit card numbers was in 2004.

What can a consumer do in the short term? Not too much, other than carry a second credit card to use if your primary card is shut off due to fraudulent use. It is difficult to tell whether a store where you make a purchase protects your card number. You can ask the store employees, but you might not get a reliable answer because they may simply not know. And, if your card number is discovered to have been “compromised” by a hacker, you are usually protected: under US federal law (specifically, FDIC regulation 6500, section 226.12), a cardholder’s liability for fraudulent purchases is limited to $50. It is still inconvenient to have your card compromised, since the card will be shut off and you will need to obtain a new one, which takes 2-5 days on average.

The corporations that are not protecting credit card numbers in transit can, of course, do more. They can encrypt the data transmitted internally, and they should have their wireless network implementations assessed for security concerns.

wireless network poll results!

It has been a little too long since my last post. It is time to start catching up!

First off, in the last posting, I had asked two short questions.
#1, Can multiple wireless networks co-exist in the same room on the same channel? The answer is yes. When a user connects to a wireless network by network name (SSID), the client actually associates with a specific access point, identified by its BSSID, which is the MAC address of that access point’s radio.

Take a look at figure 1 below, a screen shot from AP-Finder.


It shows three APs. Note that the two APs outlined in yellow are on the same channel. They have different network names and, most importantly, different MAC addresses (BSSIDs). Because every frame carries the BSSID in its header, clients and access points can tell whose frames are whose, and that is what lets two wireless networks co-exist on the same channel at the same time. (They still share the channel’s airtime, so each slows the other down under load.)

This leads us to the answer for the next question.

#2 Can multiple wireless networks co-exist in the same room on the same channel with the same network (SSID) name? The answer is also yes, as long as each wireless AP has a different MAC address (BSSID). Every AP ships with a different MAC address, assigned at the factory. Note, though, that the BSSID an AP advertises can be changed in software, which is how someone could deliberately impersonate a network and why the SSID alone never tells you which AP you are really talking to.

A side effect of the fact that two wireless networks can co-exist on the same channel at the same time is that it is possible to monitor wireless communications on multiple networks at once (as long as they are on the same channel). In fact, it is possible to monitor communications over a wireless network without ever joining the network. In Linux, this is done by putting the wireless card into monitor mode, which hands every 802.11 frame heard on the channel to the capturing software. Sniffing in monitor mode is purely passive: the card transmits nothing, so the network’s users and owner have no way to detect it. Note that on a WPA-protected network the management frames (beacons, probes, association) are still visible in monitor mode, but the data payloads are encrypted.
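One Python program, added here as an example (it is not AP-Finder’s code and not from the original posts), covering three things these posts describe: the search-by-MAC used to find the stolen iPhone, the MAC-address evidence of an ad-hoc network being formed repeatedly between the same two devices in the spy case, and the two same-SSID, same-channel networks above that differ only by BSSID. It works on raw 802.11 frames as a monitor-mode interface delivers them (on Linux, `iw dev wlan0 set type monitor`, then capture with tcpdump or libpcap); it assumes the radiotap header that carries the signal strength has already been stripped and its dBm value is passed alongside each frame. Every frame in the capture is constructed, the MAC addresses and signal levels are made up, and the “target” phone MAC is hypothetical. The search function reads only the header’s transmitter address, so frames from other people’s devices are dropped without their contents being examined, which was the constraint in the iPhone post.

```python
import struct

BROADCAST = b"\xff" * 6


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(p, 16) for p in text.split(":"))


def parse_header(frame: bytes) -> dict:
    """Decode only the 802.11 MAC header; the frame body is never read."""
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    hdr = {"type": ftype, "subtype": subtype,
           "to_ds": bool(flags & 0x01), "from_ds": bool(flags & 0x02),
           "addr1": mac_str(frame[4:10]), "addr2": None, "addr3": None}
    if not (ftype == 1 and subtype in (12, 13)):   # CTS and ACK carry only a receiver address
        hdr["addr2"] = mac_str(frame[10:16])        # Address 2 is always the transmitter (TA)
    if ftype != 1:                                  # management and data frames also carry Address 3
        hdr["addr3"] = mac_str(frame[16:22])
    return hdr


def beacon_info(frame: bytes) -> dict:
    """BSSID, SSID, channel and infrastructure/ad-hoc flag from a beacon (management subtype 8)."""
    hdr = parse_header(frame)
    if not (hdr["type"] == 0 and hdr["subtype"] == 8):
        raise ValueError("not a beacon")
    (capability,) = struct.unpack_from("<H", frame, 34)   # header(24) + timestamp(8) + interval(2)
    info = {"bssid": hdr["addr3"], "ssid": None, "channel": None,
            "ibss": bool(capability & 0x0002)}            # bit 1 = IBSS (ad-hoc), bit 0 = ESS
    body, i = frame[36:], 0
    while i + 2 <= len(body):                             # tagged parameters: id, length, data
        eid, elen = body[i], body[i + 1]
        data = body[i + 2:i + 2 + elen]
        if eid == 0:
            info["ssid"] = data.decode("utf-8", "replace")
        elif eid == 3 and elen == 1:
            info["channel"] = data[0]
        i += 2 + elen
    return info


def find_device(captures, target: str) -> dict:
    """Search-by-MAC: count frames whose transmitter is target and report the strongest signal."""
    hits = [rssi for rssi, frame in captures if parse_header(frame)["addr2"] == target]
    return {"frames": len(hits), "strongest_dbm": max(hits) if hits else None}


def inventory_networks(captures) -> dict:
    """One entry per BSSID; entries may share SSID and channel, the BSSID is what separates them."""
    nets = {}
    for rssi, frame in captures:
        hdr = parse_header(frame)
        if hdr["type"] == 0 and hdr["subtype"] == 8:
            nets[hdr["addr3"]] = {**beacon_info(frame), "rssi_dbm": rssi}
    return nets


def ibss_participants(captures) -> dict:
    """Transmitter MACs seen inside each ad-hoc network: which devices keep forming a network together."""
    ad_hoc = {b for b, n in inventory_networks(captures).items() if n["ibss"]}
    members = {}
    for _, frame in captures:
        hdr = parse_header(frame)
        if hdr["addr3"] in ad_hoc and hdr["addr2"]:
            members.setdefault(hdr["addr3"], set()).add(hdr["addr2"])
    return members


# --- constructed capture: (rssi_dbm, frame) pairs, no FCS, radiotap already stripped ---
def make_beacon(bssid: bytes, ssid: str, channel: int, ibss: bool = False) -> bytes:
    header = struct.pack("<HH", 0x0080, 0) + BROADCAST + bssid + bssid + struct.pack("<H", 0)
    fixed = struct.pack("<QHH", 0, 100, 0x0002 if ibss else 0x0001)
    return header + fixed + bytes([0, len(ssid)]) + ssid.encode() + bytes([3, 1, channel])


def make_data(ta: bytes, ra: bytes, addr3: bytes, to_ds: bool, from_ds: bool) -> bytes:
    fc = 0x0008 | (0x0100 if to_ds else 0) | (0x0200 if from_ds else 0)
    return struct.pack("<HH", fc, 0) + ra + ta + addr3 + struct.pack("<H", 0) + b"\x00" * 24


AP_A, AP_B, AP_C = (mac_bytes(m) for m in ("00:1a:2b:3c:4d:5e", "00:1f:33:aa:bb:cc", "00:21:29:de:ad:01"))
LAPTOP_X, LAPTOP_Y = mac_bytes("00:16:cb:98:76:54"), mac_bytes("00:17:f2:11:22:33")
PHONE = "00:26:08:12:34:56"     # hypothetical MAC of the stolen phone

CAPTURES = [
    (-45, make_beacon(AP_A, "linksys", 6)),
    (-60, make_beacon(AP_B, "linksys", 6)),              # same SSID and channel, different BSSID
    (-72, make_beacon(AP_C, "NETGEAR", 11)),
    (-50, make_beacon(LAPTOP_X, "drop", 1, ibss=True)),   # ad-hoc net; BSSID set to X's MAC for illustration
    (-58, make_data(mac_bytes(PHONE), AP_A, AP_A, True, False)),
    (-40, make_data(LAPTOP_Y, LAPTOP_X, LAPTOP_X, False, False)),   # station-to-station in the ad-hoc net
    (-55, make_data(mac_bytes(PHONE), AP_A, AP_A, True, False)),
]

if __name__ == "__main__":
    print(find_device(CAPTURES, PHONE))
    print(inventory_networks(CAPTURES))
    print(ibss_participants(CAPTURES))
```

A real ad-hoc network uses a locally generated random BSSID rather than a member’s MAC, so in practice the IBSS flag in the beacon is what tells you a network is ad-hoc, and the transmitter addresses of the frames that carry that BSSID are what tie specific devices to it, which is the pattern the complaint describes.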