Paget warned attendees ahead of time what he planned to do:
1. If you’re in an area where your cellphone calls might be intercepted, there will be prominent warning signs about the demo including the time and date as well as a URL for more info. This will be the only time when unknown handsets will be allowed to connect; at all other times only pre-registered handsets will be granted access. You will be clearly warned that by using your cellphone during the demo you are consenting to the interception, and that you should turn your cellphone off during that time if you do not consent. A recorded message with essentially the same info will also be played whenever a call is made from the demo network.
2. The demo itself will be performed from a machine with no hard drive, only a USB key for local storage. At the end of the demo this USB key (including all logs, recordings, and other data) will be handed over to the EFF for destruction. No logs, recordings or other data will be exported from the machine except as necessary to connect calls during operation.
4. Transmit power will be kept to a maximum of 250 mW (for comparison, a handset is typically 2 W) and will comply with all relevant FCC regulations to operate in the band.
5. At all times, for all connected handsets, a best effort will be made to connect calls successfully to their destination. It is unlikely that any 911 service can be provided; however, a best effort will be made to connect any emergency calls to a suitable local destination.
How did he do it? With open source software and $1500 in hardware, he built a base station from two antennas that impersonated an AT&T base station. At least thirty phones in the room connected to the fake base station, enabling Paget to route the calls through a VoIP system while recording them to a USB device. GSM (Global System for Mobile Communications) communications are supposed to be encrypted, but since some countries do not allow strong encryption, a network can tell a phone not to encrypt its transmission.
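As an added illustration (not from the article or from Paget's demo), here is a small Python decoder for the GSM CIPHERING MODE COMMAND, the message a base station sends to tell a handset whether and how to encrypt, together with an audit rule of the kind an IMSI-catcher detector applies: it flags any command that orders no ciphering (A5/0) or the broken A5/2. The byte layout is assumed to follow 3GPP TS 44.018 (sections 9.1.9, 10.5.2.9 and 10.5.2.10); the sample messages are constructed.

```python
# Constructed example: decode a GSM CIPHERING MODE COMMAND and flag commands
# that turn ciphering off or select a weak algorithm. Illustrative only, not
# part of any real GSM stack. Layout assumed per 3GPP TS 44.018:
#   octet 1: protocol discriminator (low nibble, RR = 0x6), skip indicator (high)
#   octet 2: message type (CIPHERING MODE COMMAND = 0x35)
#   octet 3: Cipher Mode Setting (low nibble), Cipher Response (high nibble)
RR_PROTOCOL_DISCRIMINATOR = 0x06
CIPHERING_MODE_COMMAND = 0x35
# Algorithm identifier (bits 2-4 of the Cipher Mode Setting) when SC = 1.
A5_NAMES = {0: "A5/1", 1: "A5/2", 2: "A5/3", 3: "A5/4",
            4: "A5/5", 5: "A5/6", 6: "A5/7"}
# A5/0 means "no ciphering"; A5/2 is the export-grade cipher, long since broken.
WEAK_ALGORITHMS = {"A5/0", "A5/2"}


def decode_ciphering_mode_command(msg: bytes) -> dict:
    """Parse the three-octet command; raise on anything that is not one."""
    if len(msg) != 3:
        raise ValueError("CIPHERING MODE COMMAND must be exactly 3 octets")
    if (msg[0] & 0x0F) != RR_PROTOCOL_DISCRIMINATOR or msg[1] != CIPHERING_MODE_COMMAND:
        raise ValueError("not an RR CIPHERING MODE COMMAND")
    setting = msg[2] & 0x0F            # Cipher Mode Setting IE
    response = (msg[2] >> 4) & 0x0F    # Cipher Response IE
    start_ciphering = bool(setting & 0x01)       # SC bit: 0 = no ciphering
    algo_id = (setting >> 1) & 0x07              # bits 2-4 (spare when SC = 0)
    algorithm = A5_NAMES.get(algo_id, "reserved") if start_ciphering else "A5/0"
    return {
        "start_ciphering": start_ciphering,
        "algorithm": algorithm,
        "imeisv_requested": bool(response & 0x01),  # network wants the IMEISV back
    }


def audit_ciphering(cell_id: str, msg: bytes) -> str:
    """Return 'OK' or an alert string describing why the cell looks suspicious."""
    cmd = decode_ciphering_mode_command(msg)
    if cmd["algorithm"] in WEAK_ALGORITHMS:
        return f"ALERT cell {cell_id}: ordered {cmd['algorithm']} (no/weak ciphering)"
    return "OK"


if __name__ == "__main__":
    # Constructed sample commands as a detector might see them from three cells.
    samples = {"cell-A": b"\x06\x35\x01",   # start ciphering with A5/1
               "cell-B": b"\x06\x35\x00",   # SC = 0: no ciphering at all
               "cell-C": b"\x06\x35\x13"}   # A5/2, and IMEISV requested
    for cell, raw in samples.items():
        print(audit_ciphering(cell, raw))
```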
Reassuringly, the range of such a device is small, meaning that only a small group of phones can be compromised by such an attack. Nonetheless, the demonstration shows a vulnerability that will surely be of concern for both AT&T and T-Mobile.
Defcon, the world's largest hacker convention, is held in Las Vegas each year. Last year Paget delivered a talk on RFID cloning.