Friday, February 10, 2017


unhackable is not a way to address any product, but neither is it a way to address anything, even humans, enter...

the UberWave-S phone:

I got this from a  friend, he reached out to me with this exact words "you cannot hack my secure phone" and always being up to a challenge and previously hacked the cryptophone500 , i was really feeling the need to go at this phone, after a few passive research points i could find nothing about UberWave-S , was this guy trolling me, or was it so top secret? I moved to waiting for his communication via email.

we started communicating late 2016 and he sent the phone around November from Greece, this was the package that arrived :)

and this was what i found inside

back view

front view

battery removed and 'inside' view

yes, a feature phone, as per his explanation:

Because I am a practical person, with lots of real life practical tests of the devices that I create, I decided to take a more realistic approach. I am not saying that my device is invulnerable to all kinds of attacks, but it is stealth to most of the attacks of today's technology. For example, my device is totally invulnerable in OsmocomBB attacks of any kind. Also, it is stealth to all commercial or non commercial IMSI catchers, making voice and SMS decryption impossible. Another great feature is that security is always guaranteed with the device for the user, without the need for a second device, although the security will be compromised if the recipient of the call or SMS is not using the same device AND it is under attack. But if the user of the device is under attack and the recipient is not, then the security is valid for both parties. There are some vulnerabilities, and some solutions for them, but I would like to discuss them after you test the device."

i wanted his theory and practicality to put to test, and went ahead to test it.

So i booted up my RogueBTS

and went on an MITM escaped

capturing more than enough phones in the area, but sadly i could not catch the little minx, i rebooted severally changed parameters such as distance between the phone and BTS, 5-10 meters spacing, hopped on different channels, manipulated GPS settings, this variables dictate how fast you get a connection.

however my rogueBTS works on this principles

uses 2G (attacks)/(modern ones attack 3G and downgrade to 2G)
attacks nearest BTS to jam signal and forces phone to connect to it
drops any encryption to allow direct/un-encrypted SMS/voice calls

So did i catch it, NO short answer, explanation, on removing the battery , the phone had been tampered on the screws meaning some hardware modification had been done, not wanting to mess with it i did not do any research on this however the creator did tell me this:

unscrewed-screws :)

"To give you some more information about my Secure Phone, it's not an Android or iOS device, but a feature phone and more specifically, a Samsung GT-S5610.
I am working with OsmocomBB since it's birth in 2008 and especially with the hardware part and this is where I am focused. I am not one of the developers of OsmocomBB, but since I noticed OsmocomBB, I am stuck with it, and I am mostly working on the hardware part, since I'm very good at this field. Also, my main research is in real life applications of these attacks and how to implement the hardware so the attacks are feasible in real world environments. Also, I am working mostly in the hardware part, because I'm not so good with the software, but I am very good at hardware and especially with RF.
 So, after many years of experience, I saw that there was not really a device that you could say that you're 100% protected. The 100% secure device still does not exist, but I was stunned how people was hooked up to cryptophones, and without even touching a cryptophone, I immediately knew it's vulnerabilities. Your researched verified my suspicions. It packs some security, but you must use 2 cryptophones to have a secure communication. From that point on, everything else is compromised.
 My Secure Phone was created in 2012, after a client of mine asked for a secure as possible device. I already told him that there's not such thing, but he insisted. So, by using my experience and skills, you will see the device that you will have in your hands. I tried to use a different, more radical approach, and the first thing I tossed out is the usage of major OS distributions like Android and iOS, due to the unique thing that so far no OS is secure enough and constantly new exploits are made. So, because a major requirement was secure as possible voice, SMS and data, I selected to use a feature phone. Feature devices do not use a 100% secure OS, but at least, if an attacker does not have access to the device, it's very difficult to inherit insecurities through OS upgrades and "unnecessary" connections to the internet.
 I am sorry, but I can't reveal yet more details on the conversions that I've made, but I can give you some hints. First of all, the device is totally invulnerable to OsmocomBB attacks of any kind. The device is just stealth to OsmocomBB. It is also stealth to around 99% of modern IMSI catchers. I leave 1% just in case. There is only one big problem that I can't overcome, and this is because the hack is due to an insecurity in the design of the 3gpp protocols, and there's not much to be done. Although I've found a solution to this problem, the solution degraded the device usability. An updated "patch" can be done, but as I explained, I am not a software guy to make it work as it should.
 To use the Secure Phone is very simple. You simply use it. No extra codes or mutual authentication is needed. Also, you do not need to use 2 Secure Phones to use the security features, although for both parties security, it is advised to use both parties a Secure Phone. For example. If the owner of the device is under attack and the other party is not under attack, there is no way to compromise both parties communication, all voice, SMS and data are secure. But if both parties are under attack, and the other party does not use a Secure Phone, then both parties are compromised. This is normal, but a lot better that the cryptophone's mandatory default usage from both parties of cryptophones. Also, there is no delay in the voice calls or dropped called due to non mutual authentication. No other special action is required. The safety features are enabled by default. If you can't use the device, the user of the Secure Phone is either under attack, or the Secure Phone rejects and does not accept to use insecure communication methods.
 Since you are going to make a research on a operator, I also suggest you to test my Secure Phone. Of course, the best way to do that is to use a SIM from another provider, and try do any kind of test with the equipment of the operator that you have access on."

So, as per his request he allowed sharing this information alongside his contact information

NB: this phone was created for government entities, further explanations to why the phone is not caught is because it has been 'cut off from the 2G platform' from his explanation:

"Very happy to hear that your 2G BTS didn't brake my device. The same will apply with 3G/4G, for the same reasons that your 2G didn't break the device but also, because 3G/UMTS uses mutual authentication. 4G connections provide even more information of the 4G clients to the telco providers. Also 4G does not carry voice yet. So, if you make a 3G/UMTS BTS and use a SIM from a real provider and try to break my phone, then this would not be possible, due to mutual authentication. The only way to "break" my device is to use your own programmed 3G/UMTS SIM and try to camp to your 3G BTS, but that's not an attack schenario, because you already own the 3G SIM and the keys inside. As a conlusion, even a 3G rogue BTS, your's or more advanced and professional rogue BTS, will not break the secure phone, but it would be nice for you to do any further tests that you please.
You can document, share and publish all your findings, including my contact information. "

So without much a-do Ladies and Gents, spiders and bots hackers and enthusiasts, Mr UberWave-S together with his mail address, :) 
Kindly reach out for more info on this from me or him with best regards.

No comments:

Post a Comment

Dynamic Binary Instrumentation (pt2)

Quick how to: After install of Frida on your machine, you will need to install your server agent on your (use case is phone) iphone/andro...