4G and CDMA reportedly hacked at DEF CON

At the DEF CON 19 hacking conference, which took place between August 4 and 7, it seems that a full man-in-the-middle (MITM) attack was successfully launched against all 4G and CDMA transmissions in and around the venue, the Rio Hotel in Las Vegas. This MITM attack enabled hackers to gain permanent kernel-level root access in some Android and PC devices using a rootkit, and non-persistent user space access in others. In both cases, whoever launched this attack on CDMA and 4G devices was able to steal data and monitor conversations.

For now the only evidence that such an attack occurred is the report of Coderman(Opens in a new window) on the Full Disclosure mailing list. Coderman seems to be a relative veteran of security and open source mailing lists, though, and he says he has attended six DEF CONs. If he's telling the truth, then this attack would represent the first ever man-in-the-middle attacks on two networks that have so far proven to be unhackable. For the ailing and nigh-stillborn CDMA this isn't such a huge issue -- but if 4G has fallen, just as AT&T, Sprint, Verizon, and cellular companies around the world begin to plow huge dollars into its roll out, this could be a massive blow.

Coderman's report suggests that, like Wi-Fi MITM(Opens in a new window), which regularly harasses surfers at DEF CONs and other hacker conventions, the attackers were able to inject custom packets into the 4G and CDMA data stream. These forged packets allowed the attackers to create on-screen prompts that, if clicked, installed a rootkit on the PC or Android device. If you've seen "fake AV" pop-ups while surfing the web, then that's a good analogy for what this man-in-the-middle attack is capable of. Once the rootkit (or similar backdoor) is installed, it's simply a matter of connecting to the exploited device via SSH. Coderman says the attackers could also monitor conversations, which suggests that not only can packets be injected, but they can also be sniffed and decoded in real-time.

Without more information from Coderman, another savvy DEF CON hacker, or from the hackers themselves, it's hard to prove that this attack actually occurred. It's still very early days, too -- Coderman only posted his findings to the mailing list a few hours ago -- but if we see some more activity on the mailing lists or a reaction from a cellular carrier with an interest in 4G, then we'll be sure to update this story. It's also worth pointing out that we don't know which version of 4G has been hacked. HSDPA, WiMAX, and LTE all use different transport layers and security methods, and the repercussions will depend on which one has fallen.