Chris Paget wants to demonstrate how easy it is to snoop on mobile-phone conversations. The question is: Will the federal authorities allow it?
At the Defcon security conference in Las Vegas on Saturday, Paget is scheduled to demonstrate a device called an IMSI (International Mobile Subscriber Identity) catcher, which can be used to intercept mobile-phone data on the GSM (Global System for Mobile Communications) networks used by much of the world.
Such devices have been talked about by security researchers for years, but Paget wants to conduct a live demonstration. “The only way I can get the word out that people need to not trust GSM anymore is by demonstrating it,” he said.
The U.S. Federal Communications Commission (FCC) contacted Paget Friday morning after reports of his impending talk were published. The FCC didn’t tell him his talk would be illegal, but informed him of some relevant federal regulations, he said. “They expressed a number of concerns about the talk,” Paget said Friday in a meeting with press at Defcon.
The agency raised concerns that Paget’s device might transmit over licensed frequencies and that he might unlawfully intercept mobile-phone calls — something he says he will take steps to avoid on Saturday.
After the meeting, Paget said he will go ahead with the talk but maybe not exactly as planned. “The only question is whether or not I’ll be turning the radio on,” he said. He could be warned, fined or possibly arrested, depending on what authorities make of the incident. He plans to check with his legal counsel — the Electronic Frontier Foundation — and will then decide whether to go forward.
The IMSI catcher is essentially a fake GSM base station that tricks handsets into dropping encryption and then sending it voice traffic. Using open-source voice over IP software, Paget is then able to forward calls to their intended recipients and listen in without the caller noticing.
Paget takes advantage of the fact that the U.S. ham radio band uses the same 900MHz frequency as European GSM phones. He operates the IMSI catcher as a ham device, but U.S. mobile phones, many of which are capable of roaming outside the country, think they’re connecting with a European GSM tower.
The demo works only for outbound calls, but Paget believes it is possible to intercept incoming calls using different techniques.
Controversy has surrounded the talk since Paget revealed the subject, with rumors that AT&T would sue to stop the demonstration. AT&T, however, has said it does not plan any such action. AT&T and T-Mobile USA both operate GSM networks in the U.S.
The FCC doesn’t comment on the legality of specific matters until it fully investigates and takes enforcement action, said Eric Bash, associate bureau chief for the FCC’s enforcement bureau. However, he referred IDG News Service to an FCC web page about rules governing the interception of radio communications.
That page leaves it unclear whether the FCC has the authority to stop Paget’s demonstration. It says that while the FCC has the authority to interpret a section of the Communications Act regarding the publication of communications, “this section generally does not prohibit the mere interception of radio communications.”
However, the FCC also notes that federal and state laws could be relevant. “Some federal and state laws make intercepting and divulging radio communications unlawful and may subject the violator to severe criminal penalties,” the site says.
(Nancy Gohring in Seattle contributed to this report.)