[Tfug] OT? Theft of service

Yan zardus at gmail.com
Fri Jan 31 10:21:37 MST 2014


There was a presentation at Defcon a few years back about some cable modem
hacking, leveraging lots of security flaws in the DOCSIS 2.0 protocol and
implementations. I don't remember how much control the guy was able to
exert (it was at least traffic sniffing, but maybe injection as well). If
you're interested, the talks (the one I saw and its apparent follow-up) are
up on YouTube:

http://www.youtube.com/watch?v=BBtdZDah6iE
http://www.youtube.com/watch?v=L-5B_vs0i3E


For cell phones (at least, GSM phones from AT&T and T-Mobile), the wireless
research lab here is constantly screwing up our cell phone service with
their fake base stations during experiments, so that's more than feasible.
Cell phone connections can be trivially MITMed, and any encryption on the
phone calls themselves is broken. CDMA (Sprint and Verizon) probably has
analogous attacks. The wireless lab has lots of fancy multi-thousand-dollar
equipment, but I believe these things can be built for a few hundred
nowadays. Some media attention is here:

http://www.engadget.com/2010/07/31/hacker-intercepts-phone-calls-with-homebuilt-1-500-imsi-catcher/
http://en.wikipedia.org/wiki/IMSI-catcher


I would imagine DSL and phone line would be considerably harder to MITM,
although there is evidence (http://www.scoop.co.nz/stories/SC0911/S00040.htm)
that it's possible (or, was possible in 2009) if you're dedicated enough.
The price tag listed there for the tech is $1000.


And, of course, wifi is a lost cause. If you pour some money into GPUs, you
can brute-force an arbitrary 8-character WPA password pretty fast (I
remember a figure of 8 minutes being thrown around, but can't currently
find the supporting literature). And that's not even taking into account
the various protocol vulnerabilities in WPS, WEP (which is, amazingly
enough, still used), and some WPA implementations.

I'm not sure about the rest. I was born too late to be a phreaker, so not
too sure about the POTS stuff. And breaking into her DirecTV line just
seems weird.


While much of it is technically possible, some of it is pricey. I don't
know if people would put together thousands of dollars of sophisticated
hacking hardware and then decide to save some pocket change by harassing
the poor lady down the street. I think the likely answer is that she is not
the target of a clandestine hacking operation.

- Yan


On Fri, Jan 24, 2014 at 9:49 PM, Bexley Hall <bexley401 at yahoo.com> wrote:

> On 1/24/2014 9:43 PM, Bender wrote:
>
>>> A friend-of-a-friend has effectively isolated herself out of
>>> "fear" that she is being "hacked" by her neighbors. Before
>>> getting out the tinfoil and making *hats*, I want to reassure
>>> myself that this sort of thing really is impractical, nowadays
>>> (to the extent she claims it's being done).
>>>
>>
>> Some more generalities might help...
>> Age of friend?
>>
>
> I'm guessing early-mid 70's?  "Never ask a woman her age..."  :>
>
>> What sort of hacks?
>>
>
> When explaining them, she quickly gets flustered -- conflating
> issues from one technology with another, etc.  She has given up
> her land line, Dish (?) TV and internet access -- at various
> times.  Is fearful of her cell phone (to the point where I
> imagine she leaves it *off* unless she is *actively* making
> a call).
>
>> Is any WiFi involved?
>>
>
> I know she has had WiFi peripherals so that could have been an
> attack surface.  But, it's hard to get specifics (i.e., the sorts
> of things you would put in a police report or a civil lawsuit).
> And, if I "suggest" a possible attack scenario, I don't think
> she is knowledgeable enough to know if I am accurately describing
> *her* situation -- so, if she agrees with my assessment, I don't
> necessarily know if I'm correct or if she is just jumping at
> *any* possible explanation that would lend credence to her claim.
>
>
>>> So, I'm inviting the pedants to nit-pick my assertions, below:
>>>
>>> E.g., a land line can be "stolen" (shared) iff the adversary has
>>> physical access to the wiring. In an apartment house, dorm, etc.
>>> this is relatively easy as there is typically a "phone panel"
>>> *somewhere* that is "lightly protected". Or, individual
>>> cable distributions *to* the rooms that aren't armored.
>>>
>>> However, in a residential neighborhood (single family, detached
>>> homes), this is a bit harder. You either access the main panel
>>> (usually under lock and key) that feeds the subdivision, *or*
>>> the small "taps" throughout the neighborhood (which usually
>>> require a special wrench to open).
>>>
>>
>> POTS is under attack from scrap metal thieves. It doesn't take long to
>> find a telco pedestal that has heavy plastic wrap to protect it from
>> the elements.
>>
>
> Hmmm... I've not seen that.  OTOH, I don't get out much... :>
>
>
>> Those main panel covers are wrenched off to sell for scrap. (in addition
>> to the copper) The latest time my POTS went out, that's what the Century
>> Link contractor told me when I asked about the box out back in the alley.
>>
>
> I can imagine the copper being a target.  A friend had the copper
> pipe for his ACbrrr (roofmount compressor) stolen one night.
>
> I was planning on making some copper lamp sconces for the outdoor
> lights (getting that nice, natural green patina over time)
> but thought otherwise...  too much effort to risk drawing attention
> to it (while it is still "shiny copper")
>
> Stealing wire would result in a *loss* of service.  It's my
> understanding that she is claiming folks were "using her line"
> (hence getting rid of the service altogether)
>
>
>>> [This assumes utilities are below grade. Overhead would be even
>>> more problematic!]
>>>
>>>  ...
>>
>>> Ages ago, CATV access was governed by access to the medium. So,
>>> a "tap" off the feed -- or, any subscriber's "drop" -- was as
>>> good as having your own account! I.e., the cable company had
>>> to physically "sniff" the neighborhood to know of theft (there
>>> were some "active" countermeasures explored to "toast" unprotected
>>> hookups).
>>>
>>> With *digital* cable (is all cable "digital", now?), I assume the
>>> media gives you *nothing* -- you need to access the output of the
>>> cable box in order to have access to *content*. I.e., you would
>>> need to have a tap *inside* the victim's home (and be limited to
>>> watching whatever *they* were watching at the time).
>>>
>>
>> There is still analog cable access in Cox areas. With a digital STB or a
>> cable card in a TV you can still access digital channels that are in the
>> clear, I believe.
>>
>
> But, there would be no need to tie into *her* cable drop.  A sniffer
> would find their feed just as easily as if they had gone to the cable
> drop directly.  I.e., they don't benefit from her having the service...
>
>
>>> For cable internet, I assume the same sorts of issues as DSL would
>>> apply: access to the media (though this could be upstream from the
>>> cable box) *and* a valid account name/password.
>>>
>>
>> For cable internet you tell the provider a hardware address off of the
>> modem. They find it in their system and provision it. There have been
>> boilerplate access credentials and what not, but someone other than me
>> would know better.
>>
>
> Again, there would be no advantage to using *her* cable drop.  And,
> no "theft" (wrt her service) -- she'd still be able to access the
> network, be unaffected by any "data metering", etc.
>
>
>>> Satellite TV (Dish) would be the same as CATV (?)
>>>
>>
>> direc and dish use smart cards with encryption that make hacking the
>> service impractical.
>>
>> 5 + years ago, Dish service was being compromised with generic DVB boxes
>> from Korea. Someone would determine the latest keys and distribute them.
>> That started a race of updating the latest keys after they changed. Then
>> keys changed more and more often. Eventually the authorities caught up
>> with people distributing the keys and the encryption was improved.
>>
>
> Again, there's no advantage to "tapping" into her dish (unless you
> don't want a dish on YOUR rooftop).
>
> I.e., I can't see in any of these scenarios how a thief *benefits*
> from her having any of these services.  (That doesn't mean she isn't
> being targeted for *harassment*)
>
>
>>> Finally, is it *practical* nowadays to steal cell phone service?
>>> E.g., it was my understanding, years ago, that you could "sniff"
>>> the required authentication information from phones "left on"
>>> (my ex-BinL had many "unauthorized charges" on a phone some decades
>>> ago). But, I would assume that this is no longer practical (at
>>> least I don't hear the horror stories of it happening).
>>>
>>> Bottom line: for her to be a victim of *all* of these sorts
>>> of "attacks" (hacks), she'd have to have some really *capable*
>>> neighbors (adversaries) *and* they'd have to be *really*
>>> "motivated" (i.e., as if she had poisoned their cat, etc.)
>>>
>>> I don't want to dismiss her worries only to discover these things are
>>> *possible* -- or "likely". OTOH, it is painful to see someone going
>>> through life in fear of availing themselves of common services that
>>> others take for granted...
>>>
>>
>> Most likely, wireless is possible to be hacked. Social engineering or
>> ill intentioned associations are next.
>>
>> When dealing with tech one doesn't understand, where the media
>> sensationalizes things, it's no wonder people get irrational. Then, if
>> you have a living situation that naturally results in isolation....
>>
>
> I think this is exactly the situation.  No idea what her "nominal"
> personality would have been like as I've only met her "in this
> condition".  She could simply be more susceptible to "FUD" -- even
> if self-inflicted.
>
>
>> I know a septuagenarian who heard media reports of exploits and went
>> open loop every time some story popped up. She did no banking or
>> anything I think is the slightest bit risky other than some web browsing
>> and email conversation with family topics. Windows updates and annual
>> antivirus maintenance was an ordeal for her. Nevertheless, she had no
>> tolerance for taking "the risk" so she cancelled AOL and computes off
>> the 'net.
>>
>
> Well, *we* don't take unnecessary risks.  E.g., why buy "on-line"
> if I can buy "in-person"?  My "work machines" are all isolated
> from the 'net, etc.  I can live with sneakerneting the few items
> that have to get on-to/off-of them.
>
> But, we don't *deny* ourselves email/web access, etc.
>
>
>> Then there's an octogenarian who has no fear. She insists on opening any
>> and all emails. She has a son who rescues her from the latest Windows
>> malware when she gets it.
>>
>
> "Ignorance is bliss"  :>
>
> (sigh)  Unfortunately, if there really are/were *real* attacks,
> I would be better able to address them.  I'm poorly equipped when
> it comes to assuaging irrational fears...
>
>
> Thanks!
> --don
>
> _______________________________________________
> Tucson Free Unix Group - tfug at tfug.org
> Subscription Options:
> http://www.tfug.org/mailman/listinfo/tfug_tfug.org
>