
Cell-Site Simulators Aren’t Secret Anymore - pavornyoh
https://www.eff.org/deeplinks/2015/12/government-can-you-hear-me-now-cell-site-simulators-arent-secret-anymore
======
themartorana
Some version of these went up all over Philadelphia when the Pope came to town
and they turned the city into a giant TSA checkpoint, replete with National
Guard troops.

The Pope left.

The boxes stayed.

Edit: here's one of several pics I took: (see edit 2 below for link) anyone
recognize it? Interestingly enough, the nuclear and chemical detection boxes
were labeled...

Edit 2: direct photo link:
[https://s3.amazonaws.com/f.cl.ly/items/1X2f2i1M2P0e0n322r1X/...](https://s3.amazonaws.com/f.cl.ly/items/1X2f2i1M2P0e0n322r1X/4C9295AC-A89F-459F-947E-A01226E3E47D.JPG)

~~~
jauer
That's a DAS, not a cell site simulator. Google image search for "Philadelphia
distributed antenna system" and see related articles on things that look the
same.

Example: [http://www.commscope.com/NewsCenter/PressReleases/Popes-Visi...](http://www.commscope.com/NewsCenter/PressReleases/Popes-Visit-Prompts-Wireless-Network-Investment-in-Philadelphia-with-CommScope-DAS/)

[http://www.nj.com/salem/index.ssf/2015/09/pope_francis_in_ph...](http://www.nj.com/salem/index.ssf/2015/09/pope_francis_in_philly_will_wireless_service_be_ab.html)

~~~
_djo_
Definitely a DAS. Cell site simulators look rather different and are almost
never placed in fixed locations.

------
ipunchghosts
Since OpenBTS launched 6 years ago they haven't been secret. All you need is a
backpack with an Ettus USRP1, a handful of D batteries, and a laptop. Walk into
any Starbucks, connect your laptop to the wifi and then SIP through Google and
voila, you can snoop on everything and no one has any clue.

~~~
hayksaakian
Maybe this sounds simple to you, but it probably goes over the heads of 99.99%
of people (and I'd venture to say 90% of technical people).

~~~
adrtessier
I believe the majority of Hacker News readers could run OpenBTS on an Ettus as
a weekend project, provided they had a little systems programming experience.
I think the greater problem is expense: an Ettus USRP is into the 4 figures,
although you could probably make something similar with the HackRF. [1]

[1]
[https://greatscottgadgets.com/hackrf/](https://greatscottgadgets.com/hackrf/)

~~~
archimedespi
HackRF is only half-duplex though, so I'm not sure you actually can.

~~~
danellis
Cellphones are only half duplex too, though.

~~~
archimedespi
Didn't know that! Do they switch between transmitting and receiving constantly
to keep up a 2-way data stream?

~~~
danellis
I've only worked with GSM, not anything newer, but the phone is assigned a
timeslot in a repeating frame, and the uplink and downlink timeslots are
offset so that the phone doesn't have to transmit and receive at the same
time. As I understand it, that makes the antenna and amplifier design much
simpler.

Although now that I've said that, I don't recall what happens when it's using
multiple channels for packet data.

~~~
yaantc
True for 2G, but for 3G and 4G most deployments are using full duplex (FDD)
where reception and transmissions can happen concurrently and use different
frequencies.

The only exception for 3G is China with its TD-SCDMA standard. Everywhere
else, 3G is FDD.

For 4G, there is a TDD variant. It's mostly used in China and on some specific
high bands (2.3/2.5 GHz around Wifi, 3.5 GHz). But in western countries when
one uses 4G it's FDD.

------
alexvr
What? Why doesn't it work like this:

Cell phones have SIM cards with an ID and a secret key. Cell service providers
have a database of these SIM associations. Cell phones encrypt IP packets in
their entirety with the symmetric key and send it as the payload of some cell
protocol packet that might expose my ID, if anything. Assuming the cell
provider is secure and not on the dark side, this is the safest part of my
packet's trip.

I don't understand how a cell-site simulator could see what websites I visit,
much less the messages I send, without knowing my key. And it's not like one
could trick my phone into thinking it's the actual cell site, because it won't
be able to respond to my transmission with a message that my key can decrypt.

What the heck am I missing?

~~~
kinghajj
FBI: "Hey, cellular provider, give us the secret key and ID for X." Provider:
"Sure thing, just one moment." ... "Here you go."

---

Or, if your provider has a bit of a spine:

FBI: "Hey, cellular provider, give us the secret key and ID for X." Provider:
"Got a warrant?" FBI: "No problem, give us a half hour to call our go-to
judge." / "No, but here's an NSL."

~~~
doctorshady
That's assuming that is even necessary. Harris made an upgrade to their
Stingray equipment called Hailstorm that intercepts 3G and 4G standards.

------
mirimir
There are apps for detecting these things. Maybe we need an app that plots
locations based on anonymized submissions. Also, I wonder if it's possible to
distribute blacklists. But I suppose that's buried in the radio firmware.

~~~
rubicon33
Care to list some of those apps?

~~~
tomlongson
Android IMSI-Catcher Detector: [https://secupwn.github.io/Android-IMSI-Catcher-Detector/](https://secupwn.github.io/Android-IMSI-Catcher-Detector/)

SnoopSnitch:
[https://play.google.com/store/apps/details?id=de.srlabs.snoo...](https://play.google.com/store/apps/details?id=de.srlabs.snoopsnitch)

~~~
akerro
AIMSICD is very faulty. I did a full code review in my spare time and tests on
OpenBTS. It can't detect SilentSMS even though they claim it can. It doesn't
detect fake BTSs nor connections using them. You can connect to a fake BTS,
make calls, send texts, and it doesn't detect anything suspicious. This project
sounds serious, but it doesn't do anything. Moreover, it sends data about fake
BTSs to a remote service - OpenCellId (they get data about cells from OCID).
Recently all of what I say here was proven on their issue board on GitHub.

[https://github.com/SecUpwN/Android-IMSI-Catcher-Detector/iss...](https://github.com/SecUpwN/Android-IMSI-Catcher-Detector/issues/75)

Next week I will put my hands on SnoopSnitch.

~~~
SecUpwN
This is SecUpwN, the project maintainer of the mentioned app. Let me say this:
Before discrediting an eager project like ours, RTFM! Obviously you closed
your eyes the whole time when doing the "full code review", otherwise you
would have read:

* [https://github.com/SecUpwN/Android-IMSI-Catcher-Detector#war...](https://github.com/SecUpwN/Android-IMSI-Catcher-Detector#warnings)

* [https://github.com/SecUpwN/Android-IMSI-Catcher-Detector/blo...](https://github.com/SecUpwN/Android-IMSI-Catcher-Detector/blob/development/DISCLAIMER)

* What is the first thing popping up in our app? Right, our DISCLAIMER!

Bummer, huh? Furthermore, where are your contributions to the Issue below?

* [https://github.com/SecUpwN/Android-IMSI-Catcher-Detector/iss...](https://github.com/SecUpwN/Android-IMSI-Catcher-Detector/issues/75)

Everyone with a pair of eyes is able to clearly see the warnings, disclaimers
and statements all over our project that our app is still in ALPHA
development. And if you really are a skilled developer and not just a troll
wanting to discredit our app in favour of making another one more popular
(which I think you actually are), you'd have contributed. But you're just a
fake "security researcher", ranting on public sites about an open source
project where everyone is invited and very welcome to add a bit to make it
better. Next time, please think twice before publishing shit like yours above.

------
droopybuns
"Cell Simulators" is a bad name. We should be calling them "Phoney Base
Stations"

~~~
jlgaddis
Agreed, a "cell-site simulator" sounds like something one uses when
developing/testing mobile phones/devices.

Personally, I would prefer "rogue" or "malicious" or something similar that
adequately highlights their true intentions.

------
mmaunder
Related: A video I took at blackhat 2013 demo'ing a hacked femtocell
intercepting calls. Voice is intercepted before the call even starts.
[https://vimeo.com/71466006](https://vimeo.com/71466006)

~~~
danellis
I worked for a picocell/femtocell company a few years ago, and when I started
I had to get up to speed on GSM protocols. I remember thinking at the time
something along the lines of, "Connecting the call and telling your phone to
ring are different messages, so if instead of sending the ring, waiting for a
pickup, then connecting the call you just connected the call..."

------
codezero
Are there any standalone tools that can be used to capture the
meta-information about cell towers?

It seems like it would be really useful to crowdsource known towers, their
identities and strengths, so that simulators can be singled out.

~~~
bottled_poe
It exists: [http://opencellid.org](http://opencellid.org)

~~~
yqoa1r0jb0p0
Mozilla has an even larger database.

[https://location.services.mozilla.com/downloads](https://location.services.mozilla.com/downloads)

If you want to contribute, there's an opt-in toggle in Firefox for Android.

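Building on codezero's crowdsourcing idea and the cell databases linked above, here is an added example (not code from the page or from any of the linked projects) of the kind of heuristics a detector could run over observed cells: unknown cell IDs, a LAC that disagrees with the database, no ciphering, an empty neighbour list, and an implausibly strong signal. The database, the observations and the -50 dBm threshold are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed "known cell" database: (MCC, MNC, CID) -> LAC recorded for that cell.
# A real deployment would load this from a crowdsourced source such as the ones linked above.
KNOWN_CELLS: Dict[Tuple[int, int, int], int] = {
    (262, 1, 1001): 40,
    (262, 1, 1002): 40,
    (262, 1, 1003): 41,
}

@dataclass
class Observation:
    mcc: int
    mnc: int
    lac: int
    cid: int
    rssi_dbm: int     # received signal strength
    cipher: str       # e.g. "A5/1", "A5/3"; "A5/0" means no encryption
    neighbours: int   # number of neighbour cells announced to the phone

def check(obs: Observation, known=KNOWN_CELLS) -> List[str]:
    """Return the reasons an observed cell looks suspicious (empty list = nothing found)."""
    reasons = []
    cell = (obs.mcc, obs.mnc, obs.cid)
    if cell not in known:
        reasons.append("cell id not in the known-cell database")
    elif known[cell] != obs.lac:
        reasons.append(f"LAC {obs.lac} differs from recorded LAC {known[cell]}")
    if obs.cipher == "A5/0":
        reasons.append("no ciphering negotiated (A5/0)")
    if obs.neighbours == 0:
        reasons.append("empty neighbour list")
    if obs.rssi_dbm > -50:      # constructed threshold: far stronger than a normal macro cell
        reasons.append(f"unusually strong signal ({obs.rssi_dbm} dBm)")
    return reasons

def scan(observations: List[Observation]) -> Dict[int, List[str]]:
    """Map cell id -> reasons, for every observation that triggered at least one heuristic."""
    return {o.cid: r for o in observations if (r := check(o))}

# Constructed sample observations: two normal cells and one that trips every heuristic.
SAMPLE = [
    Observation(262, 1, 40, 1001, -75, "A5/3", 6),
    Observation(262, 1, 41, 1003, -82, "A5/1", 5),
    Observation(262, 1, 99, 9999, -40, "A5/0", 0),
]

if __name__ == "__main__":
    for cid, reasons in scan(SAMPLE).items():
        print(cid, reasons)
```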
------
ikawe
Build your own! [https://github.com/Shadytel](https://github.com/Shadytel)

------
atallcostsky
I wonder if it would be possible to take the idea of certificate authorities
and apply it to cell phone towers. Basically, each cell tower company would be
a CA, and could generate a certificate for each cell tower. Major cell tower
companies could then be trusted by other CAs, and cell phones could have a
store of trusted CAs. Then, when a cell phone attempts to connect to a tower,
a check is made to verify that the tower is trusted by a trusted CA. This way,
a user could (at least maybe) revoke a certificate from a CA that has trusted
a group that has set up a cell site simulator.

My knowledge of PKI is pretty shaky. Does anyone know if something like this
would work and/or be an improvement?

~~~
jlgaddis
The SIM card in your phone is, basically, a smartcard. The private/public
keypair on the SIM is how your phone authenticates to the cellular network.

Is what you're asking technically possible? Sure. What motivation do the
cellular companies have to implement it, though? They are currently satisfied
with the level of security already offered and to do what you are asking would
cost a not-insignificant amount of money with little or no return (for them).

------
malandrew
Is there any way to re-engineer infrastructure so that all cell-sites
cryptographically identify themselves so that cellular devices can verify the
identity of a cell-site before identifying itself to the cell-site?

~~~
gruez
AFAIK 3G and 4G have this. The issue is that there are still legacy 2G and
GPRS networks, so those protocols can't be disabled yet.

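A simplified model of the difference gruez is pointing at, and of the gap in alexvr's mental model above, as an added example that is not from the page or any standard: in the 2G flow the SIM only answers a challenge, so it has no way to tell a legitimate network from one that does not hold its key, while the 3G/4G AKA flow ties a MAC to the shared key K so the USIM rejects a network that cannot produce it. HMAC-SHA256 stands in for the real A3/Milenage functions, and the key is a constructed test value.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

def prf(key: bytes, *parts: bytes) -> bytes:
    # Stand-in for the SIM's keyed functions (A3 in GSM, f1/f2 in UMTS/LTE AKA).
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

class Sim:
    """A SIM/USIM holding the long-term key K, shared only with the home operator."""
    def __init__(self, k: bytes):
        self.k = k

    def gsm_respond(self, rand: bytes) -> bytes:
        # 2G: answer the challenge; nothing here lets the SIM verify who sent RAND.
        return prf(self.k, b"A3", rand)[:4]                     # SRES

    def umts_respond(self, rand: bytes, autn: bytes) -> Optional[bytes]:
        # 3G/4G: AUTN = SQN^AK || AMF || MAC. MAC needs K, so a network
        # without K cannot pass this check and the USIM refuses to answer.
        sqn_amf, mac = autn[:8], autn[8:]
        xmac = prf(self.k, b"f1", sqn_amf, rand)[:8]
        if not hmac.compare_digest(mac, xmac):
            return None                                          # MAC failure
        return prf(self.k, b"f2", rand)[:8]                      # RES

class Network:
    """The home operator knows K; a base station that is not the operator's does not."""
    def __init__(self, k: Optional[bytes]):
        self.k = k

    def challenge(self) -> Tuple[bytes, bytes]:
        rand, sqn_amf = os.urandom(16), os.urandom(8)
        key = self.k if self.k is not None else os.urandom(16)   # guess without K
        return rand, sqn_amf + prf(key, b"f1", sqn_amf, rand)[:8]

def run(sim: Sim, net: Network) -> dict:
    """Report whether the SIM answered under each flow for one challenge."""
    rand, autn = net.challenge()
    return {"gsm_answered": sim.gsm_respond(rand) is not None,
            "umts_answered": sim.umts_respond(rand, autn) is not None}

K = bytes(range(16))   # constructed test key

if __name__ == "__main__":
    print(run(Sim(K), Network(K)))      # home network: both flows succeed
    print(run(Sim(K), Network(None)))   # network without K: only the 2G flow gets an answer
```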
~~~
samstave
Shouldn't it be expected that we would be able to prevent our devices from
talking to any non-3/4G tower?

~~~
fulafel
Many phones have this in settings, many other phones have this in a hidden
service menu (e.g. [http://android.stackexchange.com/a/66819](http://android.stackexchange.com/a/66819))

------
ck2
So is wiretapping illegal without a warrant or isn't it?

Because they aren't collecting just metadata with this and, unlike the NSA,
there is likely no discipline at all about how the data is used or shared.

Policing in this country has come down to "try to stop us from doing it"
instead of asking first "is this even legal" on every aspect.

------
cm2187
I can see how it can be creepy, however my house was burglarized recently, and
I would have loved to have a device that could catch the IMSI of all the
mobiles in my flat at that time. I can't really do anything with the IMSIs
myself but I could give them to the police after a burglary, like a CCTV tape.

~~~
lotsofcows
Much easier just to log whatever SSIDs the phones are broadcasting. My phone
currently knows about 20 wifi networks from which I can work out where I live,
where I work and where I've been on holiday.

~~~
cm2187
But can the police do anything with this SSID?

~~~
lotsofcows
Is it presentable in court? Depends on your jurisdiction.

Can they use it as I can - to translate SSIDs into locations?
[https://wigle.net/](https://wigle.net/)

------
KazWolfe
So, how long until schools decide to deploy this in the name of "student
security?"

------
EFruit
I was speaking with a friend regarding cellphone jamming, and a question was
posed:

Suppose there is a piece of equipment that strictly follows all the relevant
cellular protocol specs and can route 911 calls, but drops all other traffic.
Is such a system illegal?

~~~
jlgaddis
I believe your device would need type acceptance by the FCC and, presumably, a
valid license to transmit/operate on those frequencies. Otherwise, yes, it
would be illegal.

I don't have a citation/reference handy but, if memory serves, it is illegal
(in the U.S.) to interfere with any cellular communications.

~~~
FLUX-YOU
Is there a quick way to figure out if this is occurring? I've gone into one or
two restaurants with their own wifi and my cell connection goes down to 3G.

------
mtgx
Why aren't the OS vendors such as Apple, Google and Microsoft protecting users
against this?

~~~
akerro
Because they are contributing to it.

