GCHQ hacks GRX providers to mount MitM attacks on smartphone users
Posted on 11 November 2013.
A new report by German Der Spiegel has revealed that the Government Communications Headquarters (GCHQ), the UK equivalent of the US NSA, has compromised a number of Global Roaming Exchange (GRX) providers.


There are only a couple dozen GRXs in the whole world, and they act as hubs for GPRS connections from roaming users. The ones that Der Spiegel claims have been breached are Comfone, Mach, and Belgacom International Carrier Services (BICS).

The ultimate goal of these attacks is for the intelligence agency to be able to access as the companies’ central roaming routers that process international traffic, so that they could ultimately mount Man-in-the-Middle attacks targeting smartphone users and thusly compromise the devices to serve their own goals (i.e. surreptitious surveillance).

To compromise the systems and networks of these GRXs, the agency first researched the engineers, IT personnel and network administrators working for them. After discovering much about their personal and digital lives, they would create spoofed versions of pages they often visited (such as their LinkedIn profiles and Slashdot) within which they would embed backdoor-opening malware, and then would use a technology dubbed “Quantum Insert" to serve them those pages instead of the legitimate ones, which would result in their systems being saddled with the aforementioned malware.

Well-known IT security expert and cryptographer Bruce Schneier has recently explained how the technology is used by the NSA, and to which end:

As part of the Turmoil system, the NSA places secret servers, codenamed Quantum, at key places on the internet backbone. This placement ensures that they can react faster than other websites can. By exploiting that speed difference, these servers can impersonate a visited website to the target before the legitimate website can respond, thereby tricking the target's browser to visit a Foxacid server…They are hard for any organization other than the NSA to reliably execute, because they require the attacker to have a privileged position on the internet backbone, and exploit a "race condition" between the NSA server and the legitimate website…The NSA uses these fast Quantum servers to execute a packet injection attack, which surreptitiously redirects the target to the FoxAcid server…FoxAcid is the NSA codename for what the NSA calls an "exploit orchestrator," an internet-enabled system capable of attacking target computers in a variety of different ways.

It is unknown whether the GCHQ uses NSA infrastructure or their own.

Der Spiegel also briefly mentions another GCHQ operation dubbed "Wylekey" which has apparently successfully compromised several international mobile billing clearinghouses.









Spotlight

Free security software identifies cloud vulnerabilities

Posted on 21 October 2104.  |  Designed for IT and security professionals, the service gives a view of the data exchanged with partner and cloud applications beyond the network firewall. Completely passive, it runs on non-production systems, and does not require firewall changes.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Tue, Oct 21st
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //