3

It is possible to crack WiFi, either WPA2/PSK or WPA. But is it possible to somehow eavesdrop on/observe the signal from dongles or the internet that is there on the phones? Sort of a packet capture, but for cellular internet. And if capture of that traffic is possible, can we somehow impersonate someone and use their internet?

If I were to run a WiFi dongle in promiscuous mode near a phone that uses mobile internet, would I pick up anything? If not, why?

ng.newbie
  • 265
  • 2
  • 6

3 Answers

1

it possible to somehow hack the signal from dongles or internet that is there on the phones

Yes, definitely. The most economically feasible attack would be a man-in-the-middle with an open source SDR transceiver.

This paper has an excellent implementation with a USRP, attacking 4G with commercially available open-source tools.

Here is a video of this attack on GSM.

You'll need hardware in the order of hundreds of dollars.

And no, WiFi dongles will not work for this.

J.A.K.
  • 4,793
  • 13
  • 30
0

You would not pick anything up since mobile phones communicate with the tower over a different frequency.

WiFi: 2.4 GHz

Mobile phone data: 800/900 MHz here, but it differs per country

It is probably possible to "hack" the signal in some way if your phone data provider isn't keen on security.

Black Magic
  • 1,212
  • 1
  • 10
  • 15
  • 2
    Frequency is *not* the limiting factor here. LTE chipsets *are* capable of operating in the 2.4 GHz bands, since there are LTE specifications for ISM band operations. But they're still different standards than WiFi. – Marcus Müller Jan 20 '17 at 08:22
  • @MarcusMüller So what if a modified receiver was there ? then can't I capture data from the spectrum of mobile phone data ? Once I capture it is there any thing I can do with it ? – ng.newbie Jan 20 '17 at 08:35
  • 1
    @MarcusMüller While they may be in the same ISM band, 2.4 GHz WiFi usually runs at a fixed 20 MHz-wide channel, whereas mobile communications typically use a different OFDM or DSSS modulation. Even if the frequencies were the same, no WiFi receiver would be able to tell that something is going on. – forest Sep 11 '18 at 06:13
  • Also, WiFi uses 2400 to 2500 MHz. Only LTE band 41 has any overlap, and it's 2496 to 2690 MHz, so the overlap between them is virtually non-existent. Since the minimum channel bandwidth for that LTE band is 5 MHz, the lowest frequency it can pick up that overlaps with 802.11g/n is from 2496 to 2500 MHz (smaller than the smallest WiFi channel). I can't imagine how an LTE chipset could possibly pick up WiFi signals (or vice versa), even with such a tiny overlap. It's really a modulation _and_ frequency issue. – forest Sep 11 '18 at 06:19
0

But is it possible to somehow hack (analyze and decipher) the signal from dongles or the internet that is there on the phones?

We're talking about cellular networks here, most probably mainly 3G and 4G (for most people: UMTS and LTE).

So yes, you can always receive what's in the air; that's the physics of radio communications.

The data on the air is first compressed, packetized, encrypted, assigned to specific time, frequency and/or code multiplexing slots for each user, modulated using a specific procedure, then mixed up to the up- or downlink frequency and transmitted (by the mobile device or the base station, respectively).

By being standards, all these steps are well-documented.

Using so-called software defined radio devices, you can basically receive anything on the air – "all" you have to do is write the software that reverses or implements the steps mentioned above.

But herein lies the hardness: LTE and UMTS, generally, can use pretty advanced crypto, and it's very unlikely you can circumvent that to even read what a specific user is getting/transmitting in packets.

You can, however, analyze, with sufficient antennas, receivers, and knowledge, when a specific user within your vicinity is actively sending or receiving data. By the "shape" of that traffic, it's often easy to deduce what they are doing – having a phone call, surfing, chatting, watching videos on YouTube... and that is often an interesting piece of information.

So, without very much in-depth knowledge and an unlikely access to the cryptographic secrets involved, you won't be able to decipher the data meant for another user or impersonate them – you can, however, capture and analyze what information is available to anyone. There are several examples of that – gr-lte implements more than just a downlink broadcast channel decoder in GNU Radio.

With the correct knowledge of all secrets involved, you can of course get your packet capture – in fact, that's pretty much what design/research projects like srs-lte and srs-ue are meant for, and these are freely available. Note that, unless you're in control of the device of the user or the base station, there's no feasible way (to my knowledge, at least) of recovering secrets used in the communication between base station and user equipment.

Also note that older standards, namely GSM, often use much weaker crypto.

If I were to run a WiFi dongle in promiscuous mode near a phone that uses mobile internet, would I pick up anything? If not, why?

No. Why? Simply because it's a different kind of wireless system. Your WiFi dongle doesn't "speak" cellular; otherwise, you wouldn't need different hardware for WiFi and cellular, would you?

Note that there's even LTE in ISM bands where WiFi also operates, but "same frequency" doesn't mean "same technology", very much like you can't receive WiFi with your cordless telephone or understand a foreign language just because it happens on the same frequency as your native language.

Marcus Müller
  • 5,843
  • 2
  • 16
  • 27
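The traffic-"shape" point in the answer above is easy to underestimate: even when every payload byte is encrypted, the timing and size of bursts remain observable to anyone receiving the air interface, and that metadata alone often reveals the activity. The following Python simulation is an added example for this thread, not code from any answer or from gr-lte/srsLTE. All three traffic patterns (packetised voice, video streaming, idle keepalives), their sizes and intervals are constructed assumptions chosen to be plausible, not measurements; the classifier thresholds are likewise illustrative. It shows why a defender who wants to hide *what* a user is doing needs traffic padding or shaping on top of encryption.

```python
"""Activity inference from encrypted-link metadata (constructed example).

Simulates the (timestamp, size) metadata an eavesdropper could observe on
an encrypted radio link and shows that a crude classifier separates activity
types without decrypting anything. Patterns are assumptions, not captures.
"""
import random
import statistics
from typing import Dict, List, Tuple

Burst = Tuple[float, int]  # (time in seconds, observed frame size in bytes)


def simulate_voice_call(seconds: float, seed: int = 1) -> List[Burst]:
    """Constructed voice pattern: small frame every 20 ms, sizes 60-90 B."""
    rng = random.Random(seed)
    t, out = 0.0, []
    while t < seconds:
        out.append((t, rng.randint(60, 90)))
        t += 0.020
    return out


def simulate_video_stream(seconds: float, seed: int = 2) -> List[Burst]:
    """Constructed streaming pattern: bursts of 20-30 large frames, then a gap."""
    rng = random.Random(seed)
    t, out = 0.0, []
    while t < seconds:
        for _ in range(rng.randint(20, 30)):
            out.append((t, rng.randint(1200, 1500)))
            t += 0.001
        t += rng.uniform(1.0, 1.5)  # buffer refilled, link idle until next burst
    return out


def simulate_idle(seconds: float, seed: int = 3) -> List[Burst]:
    """Constructed idle pattern: a ~100 B keepalive every 10-30 s."""
    rng = random.Random(seed)
    t, out = 0.0, []
    while t < seconds:
        out.append((t, rng.randint(90, 110)))
        t += rng.uniform(10.0, 30.0)
    return out


def features(bursts: List[Burst]) -> Dict[str, float]:
    """Metadata-only features: mean size, inter-arrival regularity, throughput."""
    sizes = [s for _, s in bursts]
    gaps = [b - a for (a, _), (b, _) in zip(bursts, bursts[1:])]
    span = bursts[-1][0] - bursts[0][0]
    mean_gap = statistics.mean(gaps)
    return {
        "mean_size": statistics.mean(sizes),
        # coefficient of variation of inter-arrival times: ~0 means clockwork
        "gap_cv": statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0,
        "bytes_per_s": sum(sizes) / span if span > 0 else 0.0,
    }


def classify(bursts: List[Burst]) -> str:
    """Illustrative thresholds (assumptions) mapping shape to activity."""
    if len(bursts) < 2:
        return "idle/other"
    f = features(bursts)
    # Voice codecs emit small frames at a fixed cadence with steady throughput.
    if f["mean_size"] < 200 and f["gap_cv"] < 0.1 and f["bytes_per_s"] > 1_000:
        return "voice"
    # Video: near-MTU frames and sustained high throughput, bursty timing.
    if f["mean_size"] > 1_000 and f["bytes_per_s"] > 10_000:
        return "video"
    return "idle/other"


if __name__ == "__main__":
    for name, trace in (("voice", simulate_voice_call(30)),
                        ("video", simulate_video_stream(30)),
                        ("idle", simulate_idle(120))):
        print(f"{name:5s} -> classified as {classify(trace)}  {features(trace)}")
```

Nothing in `classify` looks at content; it sees only what an encrypted link still exposes. The same reasoning is why constant-rate padding (as used by some VoIP and VPN designs) costs bandwidth: it is the price of flattening these shapes.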
  • By hack I mean analyze and decipher. Also so is there an equivalent of a WiFi packet capture for cellular internet ? – ng.newbie Jan 20 '17 at 08:28
  • @ng.newbie **edit** your question to say that, please. – Marcus Müller Jan 20 '17 at 08:28
  • Already did that – ng.newbie Jan 20 '17 at 08:31
  • @ng.newbie updated my answer – Marcus Müller Jan 20 '17 at 08:40
  • Tell me something, if the crypto is so strong for cellular internet why can't Wifi protocols use something similar ? – ng.newbie Jan 21 '17 at 17:47
  • I don't understand this question, @ng.newbie. could you elaborate? – Marcus Müller Jan 21 '17 at 17:49
  • `But herein lies the hardness: LTE and UMTS, generally, can use pretty advanced crypto` This is what you have written in your answer. I am asking why can't Wifi protocols use the same level of crypto. People are still trying to crack WPA using brute force, so I was thinking why can't WiFi use the same level of security ? – ng.newbie Jan 21 '17 at 17:53
  • I did not say WiFi did not use advanced crypto! And you even say that, "using brute force"; an encryption that you can only brute-force decrypt, and allows for sufficient key length, is secure. What's your point? – Marcus Müller Jan 21 '17 at 18:00
  • Okay, I guess it's my mistake. I just assumed the WiFi crypto is not strong enough since WiFi packet capture and decryption is more common. – ng.newbie Jan 21 '17 at 18:11
  • 1
    `But herein lies the hardness: LTE and UMTS, generally, can use pretty advanced crypto` **This is not true.** They use a 64-bit version of the KASUMI cipher. It is not particularly advanced and not particularly secure, even if it is better than GSM's horribly-broken A5/1 cipher. WiFi crypto (at least 802.11i) is _far_ more secure than UMTS/LTE. – forest Sep 11 '18 at 06:22
  • 1
    @forest AFAIK KASUMI is 3G-only, and *is* pretty secure by current standards. As everywhere, the quality of the cipher is often not the important aspect in system security – typically, the specs or implementations have pitfalls or loopholes, and that's what breaks or makes the system. But again, I'm not aware of KASUMI being weak in practice. I'm not a cryptographer, but if there are cryptographers coming to this page later, I think they'd like a citation of your source for that assessment! – Marcus Müller Sep 11 '18 at 07:00
  • 1
    @MarcusMüller It's not weak due to cryptanalysis (although it is not ideal compared to MISTY), but due to using a 64-bit secret repeated twice to form the 128-bit key for the cipher, which makes it possible to attack with brute force. Not to mention, there is no public key exchange so a resourceful adversary could still decrypt all traffic retroactively if they get access to the per-device key. – forest Sep 11 '18 at 07:55
  • 1
    Er, MISTY1, not MISTY. Anyway, a good bit of information on GSM and LTE security is in [this blog post](https://blog.cryptographyengineering.com/2013/05/14/a-few-thoughts-on-cellular-encryption/), which explains how KASUMI is more secure than A5/1, but still has problems (notably lack of forward secrecy, downgrade attacks, and use of a static key, plus more subtle cryptographic weaknesses). – forest Sep 11 '18 at 08:02