
Stealth Cell Tower Disguised as Printer - guyzero
https://julianoliver.com/output/stealth-cell-tower
======
pmoriarty
I was walking around San Francisco the other day and suddenly noticed that my
phone had switched from its usual AT&T provider to "China something" (maybe
"ChinaNet"? I don't remember exactly what it was, and it was only there
briefly). And then I got a text saying:

    Welcome to the test network.  Your IMSI is IMSI:  346234543252301

Not very stealth in this case. And I'm still not sure what it was. It went
back to AT&T after I walked around some more.

~~~
revelation
Also illegal. Call FCC.

~~~
cookiecaper
I filed a complaint with the FCC regarding a suspected jamming device. I'm
pretty sure they didn't even read it. They forwarded the complaint to my
wireless carrier, who sent a reply saying that the complaint had nothing to do
with them and that my original complaint had reported a jammer. The FCC closed
the complaint and considers it satisfied.

~~~
droopybuns
This is the gold standard example of the FCC's behavior towards cellular
spectrum. They have a very different mission when it comes to HAM spectrum.

Cellular spectrum: Grandstand and extract cash from the carriers.

Ham spectrum: Antenna-laden vans canvassing neighborhoods for radio pirates.

It is despicable.

~~~
themodelplumber
> Antenna-laden vans canvassing neighborhoods for radio pirates.

Got any photos, or links to accounts of these? I did a quick Google image
search because you'd think someone would have caught one in the wild by now, but
no.

~~~
gasda
Here is a video of the inside of one.
[https://www.youtube.com/watch?v=QIGAOLJh-XE](https://www.youtube.com/watch?v=QIGAOLJh-XE)

~~~
zodPod
Wow. Well, thanks for that! That's pretty bizarre!

------
AdmiralAsshat
And it's still only the _second_ worst modification made to HP Printers.[0]

[0]: [http://arstechnica.com/information-technology/2016/09/hps-dr...](http://arstechnica.com/information-technology/2016/09/hps-drm-sabotages-off-brand-printer-ink-cartridges-with-self-destruct-date/)

~~~
Houshalter
I don't know if it was HP, but my favorite malicious printer was one that
scanned documents and then randomly changed numbers in them. This was the
byproduct of an overly clever compression algorithm saving bytes by replacing
parts of the image with other similar parts. God only knows how much important
information was corrupted by that 'feature'.

~~~
ethbro
You know, you could probably cripple a society over a few years with that bug
(if the probability were tweaked right).

~~~
harry8
Excel is pervasive. If you consider every single spreadsheet used for
financial analysis and then used to allocate resources has material bugs in
it, you'll be so close to the truth as makes no difference.

Has it crippled society?

~~~
ethbro
I think material but well known bugs are probably less dangerous because
they're deterministic.

The true insidiousness of a random mutagen exploit is the fact that you can't
pin it down. Hell, you could even specifically code it to be resistant to
reproduction attempts. ;)

~~~
harry8
No no no. Not the many formula implementation bugs. I mean every survey of
financial models done in Excel has material error in their conclusions.
Regardless of known bugs in Excel that Microsoft won't fix. I mean that merger
you just read about where the financial model was done with Excel - it has
material bugs in it. Material by the GAAP accounting & attest definition. >
+/-5% of profit. +/-10% of total assets. It's quite something...

------
3chelon
I always wondered why these things weren't used in prisons. Maybe they are?
Here in the UK there is a massive problem with smuggled phones in prisons, and
since by definition their use is illegal in that environment then surely it's
OK for law enforcement to jam or even intercept everything? Add to the mix the
thick walls and total control of infrastructure and I see no good reason why
every illegal phone can't be forced onto a fake network. Legal phones used by
staff could be whitelisted.

~~~
MertsA
I don't think jamming would really be reasonable in a building. If the walls
can contain the jamming signal to their building then the walls will keep out
the original signal anyways. I think just RF blocking paint would be a more
reasonable solution but this would also interfere with any radios in use by
the guards and wouldn't do anything for any prisoners that are outside during
the day.

Having the cooperation of the cell service providers would be good, you could
just have a small pico cell that tries to blackhole any phones in the building
but if a prisoner can smuggle in a cell phone then they can probably smuggle
in any other handheld radio as well.

~~~
dom0
> RF blocking paint

Isn't really a thing. These paints realistically manage 30 dB attenuation at
around 1 GHz, which sounds great as a percentage ("99.x% reduction!"), but
isn't sufficient to actually deny cellular service. [Paint also normally
doesn't cover things like windows etc. which pretty much nullifies them
anyway]

You can in fact dump a phone into a fridge or freezer, which (at least here)
have steel sheets all over them. Phones still get cellular service.

What you would need is screen plating and windows with RF screening meshes
(and of course special window frames and so on). This is a) extremely
expensive b) can manage >60 dB attenuation.

~~~
lostlogin
With a fridge, is the signal perhaps coming in through the door seals? This
would make the cage incomplete.

~~~
oasisbob
Also, any cable that penetrates the "shielding" can make a great antenna
unless it's specifically designed not to.

------
brianpgordon
Do phones not do any kind of cryptographic verification that the cell tower is
real and that mobile data is sent securely between the phone and the tower?

In 2016?

~~~
rupellohn
For 3G/4G networks there is strong mutual authentication between the device
and the network; for 2G (GSM) networks only the device is authenticated, so
these interception devices work by jamming the 3G/4G bands, forcing the device
onto the (fake) 2G network.

~~~
leeoniya
There's a feature in cell modems that can indicate radio link
encryption/auth... _put on tinfoil hat_... and it's disabled in pretty much all
phone firmware.

[http://www.jmeds.eu/index.php/jmeds/article/view/Enabling_th...](http://www.jmeds.eu/index.php/jmeds/article/view/Enabling_the_Ciphering_Indicator_on_Android)

[https://github.com/PrivacyCollective/Android-CipheringIndica...](https://github.com/PrivacyCollective/Android-CipheringIndicator-API)

~~~
DasIch
What's the point of such a feature anyway? I don't want my phone to even
connect to such tower, just tell me there is no service available.

~~~
pbhjpbhj
Not even to connect in an emergency? Maybe "no service, click to attempt
unsecure connection" would be better.

------
aaroninsf
Great project IMO.

But the conceit that cell towers are 'badly disguised' is incorrect; the goal
is not to successfully hide, but simply to meet the much lower bar of
obscuring a non-conforming shape in the environment, so that it doesn't
trigger human perceptual interest.

You don't put duplicitous palm fronds on a tower to hide it; you put them there so
that someone scanning the cityscape from a mile away is not distracted by the
utilitarian tower.

------
brotherjerky
> Masquerading as a regular cellular service provider, Stealth Cell Tower
> surreptitiously catches phones and sends them SMSs written to appear they
> are from someone that knows the recipient. It does this without needing to
> know any phone numbers.

Pretty witty, but how does this work? Does it wait for the user to send a
message and snoop?

~~~
schwarrrtz
No. The devices automatically connect to the base station with the strongest
available signal.

~~~
vosper
That doesn't explain how the SMS message comes from someone the user knows. I
would assume (and I think this is what GP was getting at) that the fake tower
snoops on outgoing messages in order to collect numbers that the user has in
their address book, and then spoofs a message from that number?

~~~
vbit
> SMSs written to appear they are from someone that knows the recipient

I don't think this means they are sent from numbers known to the recipient.
Only that the content is written such that it appears to be from someone who
knows the recipient.

I don't know if actual spoofing is possible.

~~~
schwarrrtz
Yeah, if you look at the codebase it just selects a random string from an
array of prewritten messages and sends that.

------
Raphmedia
Monthly (daily?) reminder that you should use an app that encrypts your
messages.

~~~
sschueller
There are also apps that can tell you when you are connected to a new unknown
tower.

~~~
initram
Can you post some names and links? I'd like to check them out.

~~~
sschueller
SnoopSnitch is such an app:
[https://play.google.com/store/apps/details?id=de.srlabs.snoo...](https://play.google.com/store/apps/details?id=de.srlabs.snoopsnitch&hl=en)

------
mkhalil
So do cell phones automatically connect to the strongest 2G cell tower? Aren't
they filtering for cell towers that only belong to their respective carrier?

~~~
JTon
The unlocked phones I've used can be put into auto mode (strongest signal, I
guess?) or preference mode. Carrier locked phones do not switch to other
providers unless there's no service. Then it'll switch over to another carrier
but only allow emergency calls (911 in NA). I'm not sure what type of
handshakes/communications happen in the background.

~~~
mkhalil
But even carrier unlocked phones connect to other carriers, hence what they
call "roaming charges".

------
cyanbane
In the same vein as Reddit's ELI5 (Explain Like I'm 5) For Us Laymen (FUL) on
this topic, why can't Apple/Google currently default to a Full dropdown to 2G
and give the option for _by choice_ users to never allow dropdown to 2G (or
3G/4G) at the OS Level?

Is there a legal mandate (911 Surface Area increase), a hardware impasse
(phones physically can't) or is it a company decision to not allow (for
whatever reason)?

~~~
kalleboo
I've had Sony Ericsson Android phones where you can completely disable 2G/GSM,
so it seems to purely be a UI decision.

------
dev_throw
Perhaps a temporary fix might be to have an on-board verifiable hash map of
cell tower addresses by location. Either that, or a way to block 2G on the
device.
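As an added illustration (not code from the thread or from the Stealth Cell Tower project) of what dev_throw's on-board cell map and a SnoopSnitch-style "new unknown tower" check could look like together: the baseline cells, home PLMN, observation records and warning names below are all constructed for the example.

```python
from dataclasses import dataclass
from math import hypot

# Constructed baseline: cells seen before, keyed by global identity
# (MCC, MNC, LAC, CID) -> rough (lat, lon). Values are made up, not real towers.
KNOWN_CELLS = {
    (310, 410, 0x1A2B, 0x00C0FFEE): (37.78, -122.41),
    (310, 410, 0x1A2B, 0x00C0FFEF): (37.79, -122.40),
}
HOME_PLMNS = {(310, 410)}   # constructed home operator (MCC, MNC)
MAX_DRIFT_DEG = 0.05        # roughly 5 km; a known cell ID seen further away is suspect

@dataclass(frozen=True)
class CellObs:
    mcc: int
    mnc: int
    lac: int
    cid: int
    rat: str                  # "GSM", "UMTS" or "LTE"
    lat: float
    lon: float
    ciphering: bool           # radio-link ciphering indicator reported by the modem
    other_rats_visible: bool  # 3G/4G cells were measurable at the same time

def check_cell(obs: CellObs, known=KNOWN_CELLS, home=HOME_PLMNS) -> list[str]:
    """Return warning codes for one observation; an empty list means nothing odd."""
    warnings = []
    if (obs.mcc, obs.mnc) not in home:
        warnings.append("foreign-plmn")        # e.g. a "China ..." network at home
    key = (obs.mcc, obs.mnc, obs.lac, obs.cid)
    if key not in known:
        warnings.append("unknown-cell")
    else:
        lat, lon = known[key]
        if hypot(obs.lat - lat, obs.lon - lon) > MAX_DRIFT_DEG:
            warnings.append("cell-id-relocated")  # known ID reused somewhere else
    if obs.rat == "GSM":
        if obs.other_rats_visible:
            warnings.append("2g-downgrade")       # 3G/4G present, yet camped on 2G
        if not obs.ciphering:
            warnings.append("no-ciphering")       # the indicator discussed above
    return warnings

def demo() -> dict[str, list[str]]:
    """Two constructed observations: a normal LTE cell and a rogue GSM cell."""
    normal = CellObs(310, 410, 0x1A2B, 0x00C0FFEE, "LTE", 37.781, -122.412, True, True)
    rogue = CellObs(460, 0, 0x0001, 0x00000001, "GSM", 37.781, -122.412, False, True)
    return {"normal": check_cell(normal), "rogue": check_cell(rogue)}
```

The distance check is a crude degree-based approximation; a real app would use the modem's neighbour-cell measurements and a proper geodesic distance.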

------
iRobbery
First question/thing I wonder about is if this printer's toner lasts as
long as expected instead of those you get with printers generally.

------
johansch
Well, that was entirely pointless. The meat of the post (the photos of
disguised cell towers) would have been exactly as relevant and impactful
without that pre-pubescent "hacking". (ooh! we can run six year old software
(an openbts fork) on a raspberry pi! we are so cool!)

~~~
foolrush
It is an art installation. About the only thing prepubescent is your
commentary.

~~~
johansch
Oh! It is art? Well, in that case it must be good.

~~~
striking
That's not why it's good, that's why it exists in that state. A lot of people
don't know about stuff like this and won't want to trudge through a heavy
technical post.

But send them a fake SMS and maybe they'll start listening.

