
How to Build Your Own Rogue GSM BTS for Fun and Profit - sweis
https://www.evilsocket.net/2016/03/31/how-to-build-your-own-rogue-gsm-bts-for-fun-and-profit/
======
blantonl
I wouldn't even _think_ about doing this unless you are in a faraday cage
environment or other locked down RF environment where you can be absolutely
sure you have complete control over all RF emitted by the device and you know
_exactly_ which devices are able to connect.

Otherwise, in the US expect the FCC and network operators to become intimately
familiar with who you are rather quickly.

Having random public phones roam onto your rogue cellular network is a public
safety risk (potentially no 911 access) as well as any number of laws being
directly broken (unlicensed spectrum use, denial of service to legitimate
licensed networks etc).

~~~
gnu8
All very good reasons why we should be throwing more police officers as well
as the executives and owners of Harris in jail for using these things. It's
impossible to manufacture or operate a stingray without breaking the law.

~~~
evilsocket
never heard about faraday cages?

~~~
woodman
... now we just need to figure out how to lure the surveillance target into
our EM-shielded cage.

~~~
evilsocket
my point is that it's quite easy to "play" with such things without actually
breaking the law

~~~
walrus
I think you may have misunderstood the comment. In the US, Ireland, and
probably elsewhere, police are using rogue cell sites ("Stingrays") for
surveillance. The person you replied to is claiming that this is illegal, and
the police forces that are doing it should be punished. They weren't talking
about people experimenting with setting up Faraday-caged toy cell sites in
their basement — there's absolutely nothing wrong with that and it should be
encouraged!

~~~
maxerickson
_the executives and owners of Harris in jail_

They were also talking about the people that built the devices.

------
mercora
Phones automatically connect to any unencrypted BTS? This is really insane. I
thought service providers provision the SIM card with whitelisted and
authenticated providers or only tunnel their traffic securely through foreign
networks. This is way too easy. Are there apps to detect such things?

EDIT: found 2 apps claiming to be able to detect this.

[https://play.google.com/store/apps/details?id=com.skibapps.c...](https://play.google.com/store/apps/details?id=com.skibapps.cellspycatcher)

[https://play.google.com/store/apps/details?id=de.srlabs.snoo...](https://play.google.com/store/apps/details?id=de.srlabs.snoopsnitch)

~~~
yuubi
Newer systems using 3GPP-type authentication (LTE, and I think UMTS) require
mutual authentication between the SIM and the network (details in [1] section
6.3). If the network doesn't provide a satisfactory AUTN, the mobile can't
proceed with connecting to the network because later steps in the connection
procedure need some keys derived from the authentication procedure.

I think in older GSM-derived systems, the SIM just computed an authenticator
based on a nonce provided by the network.

I know for sure that CDMA (IS-95 and 2000) and later AMPS systems supported
one-way authentication or not, as selected by the network.

I've heard rumors that attackers have to force a protocol downgrade to
something without mutual authentication by jamming the legitimate signal. The
other options for the attack would seem to include

- obtaining the secret key value (or a set of authentication vectors) from
the legitimate network. Either of these seems more difficult to obtain than
the actual locations that the attackers claim to want.

- obtaining K from SIM manufacturers, which has happened [2].

- exploiting implementation defects in SIMs or mobiles.

[1] 3GPP/ETSI TS 133 102 "3G security: security architecture",
[http://www.etsi.org/deliver/etsi_ts/133100_133199/133102/13....](http://www.etsi.org/deliver/etsi_ts/133100_133199/133102/13.00.00_60/)

[2]
[https://hn.algolia.com/?query=gemalto&sort=byPopularity&pref...](https://hn.algolia.com/?query=gemalto&sort=byPopularity&prefix&page=0&dateRange=all&type=story)
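The mutual-authentication step described above, as an added illustrative example that is not part of the original thread or of any 3GPP specification: a Python toy in which the SIM only answers a challenge after verifying the network's AUTN, contrasted with the 2G case where it answers any RAND. HMAC-SHA256 stands in for the f1/f2 functions (real networks use Milenage), the AK concealment of SQN is omitted, and every key and RAND value is constructed.

```python
import hmac
import hashlib

# Constructed demo values; a real SIM and its home AuC share a 128-bit K.
K_LEGIT = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
AMF = b"\x80\x00"  # 16-bit Authentication Management Field


def f1(k, rand, sqn, amf):
    """Network authentication MAC over SQN||RAND||AMF (stand-in for 3GPP f1)."""
    return hmac.new(k, sqn + rand + amf, hashlib.sha256).digest()[:8]


def f2(k, rand):
    """Subscriber response RES/SRES from RAND (stand-in for 3GPP f2 / GSM A3)."""
    return hmac.new(k, b"f2" + rand, hashlib.sha256).digest()[:8]


def make_auth_vector(k, rand, sqn):
    """Home network (AuC) side: one authentication vector (RAND, XRES, AUTN).
    Real AUTN is (SQN xor AK)||AMF||MAC; AK concealment is omitted here."""
    return rand, f2(k, rand), sqn + AMF + f1(k, rand, sqn, AMF)


class Sim:
    def __init__(self, k, sqn_seen=0):
        self.k = k
        self.sqn_seen = sqn_seen  # highest sequence number accepted so far

    def gsm_respond(self, rand):
        """2G: the SIM answers any RAND; nothing proves the challenger knows K."""
        return f2(self.k, rand)

    def umts_respond(self, rand, autn):
        """3G/LTE AKA: verify AUTN first. Returns RES, or None to reject."""
        sqn, amf, mac = autn[:6], autn[6:8], autn[8:]
        if not hmac.compare_digest(mac, f1(self.k, rand, sqn, amf)):
            return None  # MAC failure: the challenger does not hold K
        sqn_int = int.from_bytes(sqn, "big")
        if sqn_int <= self.sqn_seen:
            return None  # sequence number not fresh: replayed vector
        self.sqn_seen = sqn_int
        return f2(self.k, rand)
```

A base station that does not hold K (or a stolen authentication vector) cannot produce an AUTN the SIM accepts, which is the property the 2G path lacks.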

~~~
mercora
Thanks, that made it much more clear to me :)

I now also read about "femtocells" used among others by Verizon (which devices
have been hacked) that are used to extend the signal coverage by costumers. It
is an interesting topic overall. I think I will dive more into it...

~~~
newsignup
> costumers

interesting, never saw this kind of typo before, since those two letters are
quite far off..

~~~
mercora
:D

Sorry, I make all kinds of weird typos, sometimes I do not spot them.

------
methou
This is exactly how criminals in my home country send scam texts to
victims[1], and it's hard to trace since they are mobile. Before LTE towers were
widely deployed, the two major GSM operators couldn't prevent people from
connecting to a malicious station, since 2G SIM cards do not have the
capability to authenticate the operator's network.

It's a relief that major operators today are actively rolling out 4G SIM
cards, and law enforcement is taking malicious stations seriously. So today
if you set up a rogue GSM BTS, you might be prosecuted.

[1]
[http://www.theregister.co.uk/2014/03/26/spam_text_china_clam...](http://www.theregister.co.uk/2014/03/26/spam_text_china_clampdown_police/)

------
kiwijamo
Is that an issue with more modern systems like UMTS and LTE? For some reason I
remember reading somewhere that when UMTS was introduced, the SIM card
standard was updated to include some data allowing devices to challenge UMTS
(and I assume LTE too) BTSes to provide proof in the form of an answer to a
challenge code presented by the device using data from the SIM card. Have I
got this right?

~~~
nuand
Yes, you are correct. Some parts of LTE and WCDMA use a pre-shared secret and
rolling keys to allow UEs to identify themselves to the mobile network. There
are however many non-data-carrying parts of LTE that are not encrypted or
authenticated, sort of how 802.11 has AES but management frames are still
fully unencrypted.

------
sschueller
I posted this yesterday already:
[https://news.ycombinator.com/item?id=11403135](https://news.ycombinator.com/item?id=11403135)

I thought you can't post duplicate content?

~~~
brudgers
I've heard the moderator, dang, say that the duplicate system is imperfect.
Sometimes it's just luck. It looks like this has been posted several times
over the past few days.

[https://hn.algolia.com/?query=How%20to%20Build%20Your%20Own%...](https://hn.algolia.com/?query=How%20to%20Build%20Your%20Own%20Rogue%20GSM%20BTS%20for%20Fun%20and%20Profit&sort=byDate&dateRange=all&type=story&storyText=false&prefix&page=0)

~~~
striking
Duplicates are allowed if a post hasn't gotten much attention in a while.
Sometimes HN will auto-repost your post. It's not a bug, it's a feature!

------
kevindeasis
Is there a list of all the HN topics that include the keyword: "How to build
your own _____ for fun and profit"

Please don't mention the search bar.

~~~
shoo
[https://www.google.com/search?q=site%3Anews.ycombinator.com+...](https://www.google.com/search?q=site%3Anews.ycombinator.com+"for+fun+and+profit")

