by Marc Goodman
Back in the real world of noncelebrities, a spoofed caller ID means criminals can listen to your messages at the office and learn valuable information regarding pending business transactions, mergers and acquisitions, and even personal medical data. From a social engineering perspective, telephone spoofing creates a powerful tool for the criminal mind. A spoofed telephone call to a company’s IT department requesting a system password reset or the latest Wi-Fi key is much more likely to be successful if the call appears to be emanating from within the company’s own internal telephone infrastructure, a perennially successful ruse.
On the personal front, deceiving your mobile phone’s screen with a spoofed caller ID is also a go-to tool of bank scammers. Financial institutions such as Bank of America and Chase offer telephone banking, and criminals have routinely spoofed the phone number of an account they want to access. Once the bank’s telephone system sees a call coming in from your phone number, all the bad guys need is a little bit of personal information (such as the last four digits of your Social Security number or your mother’s maiden name)—information readily available on the digital underground or in your Facebook profile—and they are in. Worse, criminals can spoof your bank’s telephone number and call you to elicit information, such as your security questions, and then turn around and call your own bank using your spoofed mobile number and the security data you innocently provided to access your account.
Organized crime groups have even successfully spoofed the federal government in their outbound calls and made millions doing it. In what the Internal Revenue Service described as its largest tax scam to date, fraudsters have spoofed the agency’s phone number calling your mobile phone. You see an inbound call from the IRS—oh, crap … what’s this all about? you wonder. On the other end of the line is an IRS agent who informs you that you are delinquent on your taxes and that you must pay the IRS immediately to avoid further penalties. Victims of the scam are told that “given the severity of the crime and your prior delinquent status, we will only accept payment via bank wire or prepaid debit card.” To add credibility to the scam, the purported IRS agents confirm the last four digits of the taxpayer’s Social Security number (which leaked in any one of the numerous big-data breaches previously discussed). Those individuals who pose questions of the so-called IRS employee are met with a barrage of threats such as arrest, revocation of their business proceeds or driver’s licenses, and even deportation if the mark has a foreign-sounding name.
Scammers bolster the credibility of the claims by hacking other screens and by adding bit players to the ruse. After their phone calls, victims often receive official-looking e-mails on “IRS letterhead” that confirm the call and demand payment. They also receive additional calls from their local police departments with caller ID spoofed (such as Amherst, Massachusetts, Police Department) or purportedly from state DMV officials (such as State of Georgia DMV). These additional “officials” confirm the ruse with scripts such as “This is Detective Smith from the Amherst Police Department. We just received notification from the IRS saying you’re delinquent on taxes and now criminally liable for payment. I don’t want to have to come out there and arrest you in front of your family. If you can make the payment this week, then the IRS has told me no arrest will be necessary.” According to the Treasury Department inspector general, more than twenty thousand individuals have fallen prey to the scam.
Trust in screens may cost you not only your money but potentially your life. In a phenomenon known as swatting, bored hackers have been able to telephone police 911 emergency phone systems with spoofed telephone identities in order to report nonexistent crimes, resulting in the response of heavily armed police SWAT units. Even though the hacker may be in Maine, because he used your phone number in Miami, that’s where the cops are heading. The deadly game begins when criminals spoof your phone number and then dial 911. A woman screams into the phone, “My husband shot my mother and baby, and now he’s holding me hostage … PLEASE come quick … He’s got a shotgun and an AK-47 … Hurry … he’s crazy!” A recording of gunshots can be played in the background for good measure. Now a deadly trap has been set.
In the meantime, you’re sitting at home on the couch eating ice cream with your wife and kids, enjoying the latest episode of The Big Bang Theory. The cops think a woman inside is moments away from being murdered, and the police are marshaling all available black-and-whites and the local SWAT unit to come save her. When the two sides meet, there is a deep cognitive dissonance and the encounter proves a dangerous powder keg. The cops have surrounded the house and are yelling for you to put your hands up and come out. Your kids are screaming, and your wife is confused. You’re not complying well with the police commands, making them further suspicious that something horrible is going on. You don’t want to go out of your house and confront a group of maniacs (even if they are cops) pointing rifles at you. To the police, your refusal to cooperate heightens the tension. Their next step is to shoot some flash-bang grenades through the windows of your house and see what happens. Perhaps alternatively you were fast asleep when a teenage hacker a few states away swatted you. The cops show up, and you are awoken by noises outside your window. You think it’s burglars, and you reach for your gun to go investigate. Now you’ve walked outside with a gun in hand, and you are met with six members of the local SWAT team pointing little red lasers at your forehead. This scenario can’t end well.
The FBI recorded at least four hundred incidents of swatting in 2013 alone, with victims across the country, from Ohio to California. Mostly, it’s just hackers doing it for the “lulz,” because they can. Pre-Internet days, the big teenage hoax was ordering pizzas and having them sent to the kid you didn’t like in school. Now kids are ordering SWAT units with guns to carry out their pranks. For instance, in 2009 a group of teenagers from Massachusetts were convicted of carrying out more than three hundred swatting attacks. In some of the cases, the teens met their victims on social networks or online dating sites and retaliated against them if, for example, they refused to engage in sexual conversations. In fact, swatting is the perfect complement to the fictitious Craigslist sex ads that jealous exes post to exact revenge on former lovers, putting them at even greater risk.
Increasingly, celebrities and high-profile public figures are targeted by the practice. In 2013, a twelve-year-old boy in Los Angeles was prosecuted for swatting Ashton Kutcher’s Hollywood home and Justin Bieber’s Calabasas, California, estate. He also swatted a local bank and reported a robbery in progress. Other celebrity victims of swatting include Russell Brand, Tom Cruise, Rihanna, Charlie Sheen, and Miley Cyrus. It is only by a miracle that no innocent civilians have been killed as a result of swatting incidents, though several police officers have been injured while risking their lives responding at full speed to bloodcurdling spoofed calls for help to 911.
Another way criminals can subvert the screen on your phone is by attacking its baseband—that is, the inner guts actually running your phone. The baseband handles all communication between what you see on your screen and a bevy of radio antennas that control everything from the text messages you receive to your voice calls and Wi-Fi signals, as well as supergeeky telecommunications protocols such as GSM, UMTS, HSDPA, and LTE. Because the baseband is both proprietary and nonpublic, most telephone handset manufacturers implement these underlying operating systems in an insecure fashion. They believe in security by obscurity: this software is so far down in the weeds nobody can figure it out, and thus we needn’t worry about security, goes the logic. Of course they are wrong.
A number of hackers, governments, and security researchers have begun to successfully reverse engineer the baseband chips and code, revealing a wide array of security vulnerabilities that can be used to access and modify data on a phone remotely. In early 2014, such a security flaw and back door were found in the baseband software of Samsung Galaxy phones, allowing hackers access to user data stored on the devices. Because modern smart-phone handsets are nothing more than miniature computers, their screens, like those of their larger brethren, can be manipulated to display an altered reality meant to deceive. The FBI has reportedly used the technique to turn phones into bugging devices by altering the phone’s usual interface and having it place a covert call to the FBI to allow for remote monitoring. In other words, even when the device showed nothing more than your home screen of apps, it was actually on a phone call to the Feds listening in on you.
Criminals can manipulate these screens the same way, often using techniques that you might never expect. For example, when you dial a number on your mobile device, you do so by pushing a series of numbers on your screen in order to be connected to your party. But how do you know the number you dialed was the one you were connected to? Simple enough if you dial Mom and she picks up your call. But what about when you dial Citibank, Bank of America, or Wells Fargo? You’re not reaching a banker at the local branch the way you might have twenty years ago. Instead, you’re being connected to someone you’ve never spoken to before from a call center, generally in a foreign country manned by people with foreign accents.
By using mobile phone malware, hackers can install a “rootkit” on your mobile phone that gives them control over all features of the device, including its touch screen and number pad. Rootkits are malicious software that hide normal computer processes and functions from a user’s view and give hackers administrative or “root” access to any device. Organized crime groups know the 800 numbers for financial institutions around the world. If your phone is infected with malware, once you dial your bank’s customer service number, the rootkit detects one of its targeted institutions is being phoned and can intercept and reroute the call. It is another classic man-in-the-middle attack that allows the criminals to shape and mold the reality you see on your screen and bend it to their desired outcome.
As a result, when you dial 1-800-4MY-BANK, your call is invisibly rerouted to a call center manned and operated by international organized crime. Given the wide use of foreign call centers by financial institutions, who would question an accent on the other end of the line when you spoke to your “bank”? The spoof would be relatively easy to perpetrate. Once you were connected, you would be asked for your account number, mother’s maiden name, password, and other security information “just to verify you.” Next you would be told, “Oh, I’m sorry, sir or ma’am, our computers have just gone down. Tech support tells us they should be up in the morning. Would you mind calling back?” Nothing in that conversation would seem suspicious to anybody who’s had to deal with call center employees in the past. The only difference would be that by the end of the phone call, the criminal would have access to your personal and banking details and would use them in rapid succession to remove all funds from the account. All of this is possible because the screens on our phones show us not reality but a technological approximation of it. Because of this, not only can the caller ID and operating system on a mobile device be hacked, but so too can its other features, including its GPS modules. That’s right, even your location can be spoofed.
Lost in Space: GPS Hacks
In the 1997 James Bond movie, Tomorrow Never Dies, we find Mr. Bond investigating a spoofing attack on the GPS navigation of a British frigate. In the story line, the navigation of the HMS Devonshire is tampered with by an evil genius who uses an “encoding box” to send the ship off course. As a result, the Devonshire enters Chinese territorial waters and appears to be sunk by the Chinese navy. To the British, however, the frigate was clearly in international waters, and thus the Chinese have committed an act of war. The actions of the villain have their desired effect: Britain and China are now on a path toward war. Once again Hollywood was prescient in its vision of future evil.
The Global Positioning System (GPS) is a space-based, low-earth-orbiting “constellation of 24 navigational satellites” that provides location and time information anywhere on the planet. It is an “invisible utility” that we rely on to get around town, deliver packages, find the closest Starbucks, coordinate air traffic control, manage public safety, and even command missile guidance. Paper maps have become obsolete. Instead, we have come to rely on the navigation screens we see before us every day and readily assume the computer knows best. In fact, around the world, there is example after example of drivers blindly following their navigation screens instead of their own two eyes and as a result turning down one-way streets or even off bridges. In Spain, when a GPS device suddenly told a man to turn right, he obliged and went off the road into La Serena, the largest reservoir in western Spain. Although his passenger survived, the driver drowned—all because he followed the directions on the screen before him.
A report from the U.S. Department of Homeland Security warned that America’s critical infrastructure was “increasingly at risk from a growing dependency on GPS for positioning and navigation.” The press release for a similar report from the U.K.’s Royal Academy of Engineering was even more stark in its assessment: “Society may already be dangerously over-reliant on satellite radio navigations systems like GPS …[S]ignal failure or interference could potentially affect safety systems and critical parts of the economy.” As it turns out, just as cyber infrastructure is poorly protected, wide open, and wholly hackable, so too is our satellite and radio spectrum infrastructure.
The Global Positioning System is a brilliant technological accomplishment, but the actual satellite GPS signals we receive, although perfectly functional, are very weak, akin to viewing a car headlight from twelve thousand miles away. The signals cannot be boosted further because of the limited power supply on any one satellite, and, what’s worse, they can easily be overpowered by broadcasting noise on the same frequency, thereby blocking other ground-based devices from receiving navigational information.
Previously, only military forces practiced in the art of “electronic warfare” had access to the technology and know-how to disrupt GPS signals. The strategic implications of doing so are obvious. If you can block your enemy’s navigation systems, then you can interfere with the movement of his troops, ships, tanks, and navy. You can also severely harm an adversary’s civilian critical national infrastructure. We had a taste of this in the United States in January 2007 in San Diego, California, when the entire city went on the “electronic fritz.” Just about midday, air traffic controllers suddenly found that their systems were malfunctioning. At local hospitals, doctors’ pagers ceased to work, and in the port of San Diego ship navigation faltered. For two full hours, cell phones in the city stopped working, and ATMs failed to dispense cash. About as close to a Bruce Willis movie as you can get in America’s Finest City. What had caused this massive outage? For three days, the event remained a mystery until the navy finally came forward and admitted it had been conducting a training exercise and testing a new radio-jamming technology.
Sometimes the military jamming of GPS signals is not an accident. North Korea routinely lashes out at its neighbor to the south and blocks its GPS signals. Pyongyang uses three tractor-trailer-sized jammers that it can reposition in order to block satellite navigation to much of South Korea. The longest GPS attack carried out by the North occurred in early 2012 and ran for sixteen days, causing disruption to 1,106 aircraft and 254 ships. Owing to Moore’s law, GPS signal technology is becoming smaller, cheaper, and more powerful. As a result, it’s not just armed forces that can have access to navigational jammers; now every Tom, Dick, and Harry can get one, with notable results for your screens.
Though illegal in the United States, GPS jammers are widely available online on Web sites such as www.jammer-store.com. For a mere $50, anybody can buy a dashboard model that plugs into your car’s cigarette lighter and create an electromagnetic bubble that will surround you as you drive. Their use is more popular than you might imagine. Increasingly, companies are putting GPS on all vehicles in their commercial fleets. Doing so helps long-haul trucking companies, delivery firms, police departments, taxi outfits, armored car carriers, and cable providers track employees, manage operations, increase fuel efficiency, and quantify the productivity of employees. To the workers driving these vehicles, the addition of GPS tracking feels as if Big Brother is always watching them. In response, employees began sabotaging the devices by cutting the wires or removing them altogether. Of course, doing so got them in hot water with their employers. Now a $50 jammer does the same trick and leaves no evidence behind.
The problem with these portable jammers is that they can extend up to five hundred feet around the vehicles using them. That means that depending on the power of the device, for every one truck driver who doesn’t want to be seen napping by his boss, fifty to a hundred cars will also have their GPS signals blocked. But your car or phone’s navigation is actually the least critical network disrupted by the jammer. As we saw in the San Diego incident, though not immediately obvious, cell-phone towers, power grids, air traffic control, and ATMs also depend on GPS-embedded systems to function properly. When local truck drivers go off the grid, they are taking many other people and services with them, and hundreds of incidents of collateral damage have been reported annually. For example, in London, for ten minutes a day, traders were discovering that their trades were not going through because there was a problem with the time-stamping mechanism in the system. Baffled exchange personnel wondered whether they were under some kind of cyber attack by a foreign power. Nope, just a London truck driver who parked his truck next to the exchange when making his deliveries once a day for ten minutes.