Cell-Site Simulators Aren’t Secret Anymore (eff.org)
262 points by pavornyoh on Dec 10, 2015 | 87 comments

Some version of these went up all over Philadelphia when the Pope came to town and they turned the city into a giant TSA checkpoint, replete with National Guard troops.

The Pope left.

The boxes stayed.

Edit: here's one of several pics I took: (see edit 2 below for link) anyone recognize it? Interestingly enough, the nuclear and chemical detection boxes were labeled...

Edit 2: direct photo link: https://s3.amazonaws.com/f.cl.ly/items/1X2f2i1M2P0e0n322r1X/...

That's a DAS, not a cell site simulator. Google image search for "Philadelphia distributed antenna system" and see related articles on things that look the same.

Example: http://www.commscope.com/NewsCenter/PressReleases/Popes-Visi...


Definitely a DAS. Cell site simulators look rather different and are almost never placed in fixed locations.

Oh, cool. Well, thanks for that. That's just one of several random things around, but seriously the chemical weapon detectors were labelled and chained to a pole. That was funny. :)

If you're wondering why they're called Gatsos:


Well it could be a genuine microcell, not a simulator.

Would you be so kind as to post a direct link?

EDIT: Thanks! I would really be interested in a crowdsourced wiki-style database of these. If nothing else, submit them to Wikimedia commons with coordinates.

<Message>Access Denied</Message>

Cloudapp deleted the image from too much traffic. Sorry.


Since OpenBTS launched 6 years ago they haven't been secret. All you need is a backpack with an Ettus USRP1, a handful of D batteries, and a laptop. Walk into any Starbucks, connect your laptop to the wifi and then SIP through Google and voila, you can snoop on everything and no one has any clue.

Maybe this sounds simple to you, but it probably goes over the heads of 99.99% of people (and I'd venture to say 90% of technical people).

I believe the majority of Hacker News readers could run OpenBTS on an Ettus as a weekend project, provided they had a little systems programming experience. I think the greater problem is expense: an Ettus USRP is into the 4 figures, although you could probably make something similar with the HackRF. [1]

[1] https://greatscottgadgets.com/hackrf/

OpenBTS and YateBTS need a full-duplex radio to function. So far only Ettus radios and bladeRFs [1] have those capabilities. The bladeRF is also the cheapest option, costing in the low 3 figures (with coupon code HKRNWS). Full disclosure: I make the bladeRF.

[1] http://nuand.com/bladeRF

HackRF is only half-duplex though, so I'm not sure you actually can.

Cellphones are only half duplex too, though.

Cellphones are half duplex but the base station is generally full-duplex. A half-duplex base station could probably handle no more than one cellphone. OpenBTS and YateBTS, as well as most commercial base stations, have design patterns that require tight timing capabilities that in turn lend themselves to running on full-duplex base stations.

Ah, yes, you're right, of course. I don't know why I was thinking of the phone side. (You can use two HackRFs, though.)

Didn't know that! Do they switch between transmitting and receiving constantly to keep up a 2-way data stream?

I've only worked with GSM, not anything newer, but the phone is assigned a timeslot in a repeating frame, and the uplink and downlink timeslots are offset so that the phone doesn't have to transmit and receive at the same time. As I understand it, that makes the antenna and amplifier design much simpler.

Although now that I've said that, I don't recall what happens when it's using multiple channels for packet data.

True for 2G, but for 3G and 4G most deployments are using full duplex (FDD) where reception and transmissions can happen concurrently and use different frequencies.

The only exception for 3G is China with its TD-SCDMA standard. Everywhere else, 3G is FDD.

For 4G, there is a TDD variant. It's mostly used in China and on some specific high bands (2.3/2.5 GHz around Wi-Fi, 3.5 GHz). But in western countries when one uses 4G it's FDD.

I'm not danellis and I'm not skilled in signals processing, but assuming LTE is multiplexed with TDD, yes. The radio is switched throughout time between receiving and transmission. See https://en.wikipedia.org/wiki/Duplex_%28telecommunications%2... for how TDD works.

What does this mean? Please elaborate, I have a nagging sensation regarding the open digital airwaves.

TL;DR: Basically describing an off-the-shelf Stingray.

OpenBTS is basically an open-source cell phone tower software stack. Your phone supports older protocols for backwards compatibility as you roam. You can instruct your tower to broadcast on an older protocol, like 2G. 2G has this hilarious design flaw that the tower tells the cellphone which tower has the strongest signal. So you claim that you have super amazing signal. 2G's cryptography is broken wide open, worse than DES. So this little cell tower running on a laptop and a digital radio system has just MITM'd your phone (and everyone else) whose network it is impersonating.

I expect/assume this is the general design (with hopefully significant refinement) of most Stingray devices.

Huh? How are legitimate towers even supposed to know what the strongest signal is for a phone in an unknown location surrounded by unknown towers?

Also, do you even need to break any cryptography / MITM, or can you just be your own base station that happens to be called "AT&T"?

I don't have the details in mind but checkout https://en.m.wikipedia.org/wiki/Handoff#Implementations

Since digital, handsets validate the tower they are talking to; this info is stored on the SIM or device depending on model. So to intercept 2G, there is some work. See https://youtu.be/DU8hg4FTm0g

> 2G has this hilarious design flaw that the tower tells the cellphone which tower has the strongest signal.

Can't go trusting those handsets now can we?

I'm not sure if this was your point or not, but we can't really trust any handset without an open baseband, which none of the handsets we use today have. As long as we're stuck with proprietary blobs and their secrecy, we can't trust what's in them.

Given the technical skill shown in some of the Snowden leaks, it seems to be all but a given that these blobs are compromised from the factory by three-letter agencies. It's somewhat amusing watching the overt rhetoric of the FBI "crypto war" when the majority of even technical people make far less of a fuss over covert exploitation, which has the dual benefits of being pretty much ubiquitous and plausibly deniable. One NSL to Intel and Qualcomm, or better yet, one call to an executive with the loyalty of a few "patriotic" employees, the secret is safe, and everyone is pwned by default.

It is basically impossible to use a modern computing stack without trusting someone's proprietary blob, and the general population has little to no care about attacks at a level that they really don't understand. That's probably why all the press is on this crypto rhetoric to begin with.

>It's somewhat amusing watching the overt rhetoric of the FBI "crypto war" when the majority of even technical people make far less of a fuss over covert exploitation, which has the dual benefits of being pretty much ubiquitous and plausibly deniable.

Sounds like what John Young said today on the cypherpunks mailing list[0], and something I don't see the public nor all the actors involved in this "crypto c̶i̶r̶c̶u̶s̶ war" shedding light on soon:

"Kill metadata and other crypto-issue-overdone diversions.

Metadata and other crypto-workarounds resulted from the crypto wars of the 1990s which were bragged to be won rather than faked out.

The fake-out was orchestrated by some of the very same crypto warriors claiming to be against gov-controlled crypto.

A way to identify them is to note who rose to prominence and wealth in crypto com-edu-org. Still at it, ratcheting up the need for ever more crypto, acknowledging the workarounds but, but, but: Let's Encrypt, HTTPS-HTS everywhere, secure drops, freedom of the press and courage foundations, Snowden talks and tweets, FISC amicus curiae, POTUS and TLA advisories, industry lobbyists, dual hats riding the crypto gravy train and more likely, the subway out of sight.

The money and prestige to be gained by working all sides of the crypto phony war is, as Greenwald crows of Omidyar's $250M bribe, irresistible."

[0] https://cpunks.org/pipermail/cypherpunks/2015-December/01125...

I think jaquesm was making a tongue-in-cheek reference to the thought process of 2G's designers.

Could this be mitigated with an Android patch that disables 2G entirely? There can be a switch in Settings to re-enable it (e.g. when travelling to a country with an old network), but by default your phone should not be so vulnerable.

What? Why doesn't it work like this:

Cell phones have SIM cards with an ID and a secret key. Cell service providers have a database of these SIM associations. Cell phones encrypt IP packets in their entirety with the symmetric key and send it as the payload of some cell protocol packet that might expose my ID, if anything. Assuming the cell provider is secure and not on the dark side, this is the safest part of my packet's trip.

I don't understand how a cell-site simulator could see what websites I visit, much less the messages I send, without knowing my key. And it's not like one could trick my phone into thinking it's the actual cell site, because it won't be able to respond to my transmission with a message that my key can decrypt.

What the heck am I missing?

FBI: "Hey, cellular provider, give us the secret key and ID for X." Provider: "Sure thing, just one moment." ... "Here you go."


Or, if your provider has a bit of a spine:

FBI: "Hey, cellular provider, give us the secret key and ID for X." Provider: "Got a warrant?" FBI: "No problem, give us a half hour to call our go-to judge." / "No, but here's an NSL."

That's assuming that is even necessary. Harris made an upgrade to their Stingray equipment called Hailstorm that intercepts 3G and 4G standards.

2G ruins everything. It is effectively wide-open now and handsets will connect to the strongest connection. This is one of the oldest problems in cryptography. It doesn't matter how great the latest and greatest is so long as the old broken standard is still widely used and supported.

Until you can purchase a phone that is not compatible with 2G, you will always be at risk of fallback attacks.

It works sort of like what you are describing in 3G and 4G networks.

So to answer your question: You are missing phones that don't work on 2G (unless there is a function to disable it in a user-unfriendly engineering menu).

The ID is probably the most important thing for them to track.

These devices do not necessarily have insight into the contents of your communications, their main feature is that they can uniquely identify and locate a phone.


I watched this DEFCON talk a while ago. Not sure if it's still relevant, but it is quite worrying.

There are apps for detecting these things. Maybe we need an app that plots locations based on anonymized submissions. Also, I wonder if it's possible to distribute blacklists. But I suppose that's buried in the radio firmware.

Care to list some of those apps?

AIMSICD is very faulty. I did a full code review in my spare time and tests on OpenBTS. It can't detect SilentSMS even if they claim it can. It doesn't detect fake BTSs nor connections using them. You can connect to a fake BTS, make calls, send texts, and it doesn't detect anything suspicious. This project sounds serious, but it doesn't do anything. Moreover, it sends data about fake BTSs to a remote service, OpenCellId (they get data about cells from OCID). Recently, all of what I say here was proven on their issue board on GitHub.


Next week I will put my hands on SnoopSnitch.

This is SecUpwN, the project maintainer of the mentioned app. Let me say this: Before discrediting an eager project like ours, RTFM! Obviously you closed your eyes the whole time when doing the "full code review", otherwise you would have read:

* https://github.com/SecUpwN/Android-IMSI-Catcher-Detector#war...

* https://github.com/SecUpwN/Android-IMSI-Catcher-Detector/blo...

* What is the first thing popping up in our app? Right, our DISCLAIMER!

Bummer, huh? Furthermore, where are your contributions to the Issue below?

* https://github.com/SecUpwN/Android-IMSI-Catcher-Detector/iss...

Everyone with a pair of eyes is able to clearly see the warnings, disclaimers and statements all over our project that our app is still in ALPHA development. And if you really are a skilled developer and not just a troll wanting to discredit our app in favour of making another one more popular (which I think you actually are), you'd have contributed. But you're just a fake "security researcher", ranting on public sites about an open source project where everyone is invited and very welcome to add a bit to make it better. Next time, please think twice before publishing shit like yours above.

I have used both apps before.

SnoopSnitch only works on specific Qualcomm chipsets. If you want to use IMSI-catcher detectors, make sure it actually works with your specific chipset.

AIMSICD eats a decent amount of battery as it really needs GPS to be useful as a historical data source.

Both of these apps are available on F-Droid for those that prefer that distribution method.

See https://www.sba-research.org/wp-content/uploads/publications...

But Android only, it seems.

> iOS neither exposes high-level nor low-level baseband information (e.g. cell info) to applications through the official and public API.

"Cell Simulators" is a bad name. We should be calling them "Phoney Base Stations"

Agreed, a "cell-site simulator" sounds like something one uses when developing/testing mobile phones/devices.

Personally, I would prefer "rogue" or "malicious" or something similar that adequately highlights their true intentions.

Related: A video I took at Black Hat 2013 demoing a hacked femtocell intercepting calls. Voice is intercepted before the call even starts. https://vimeo.com/71466006

I worked for a picocell/femtocell company a few years ago, and when I started I had to get up to speed on GSM protocols. I remember thinking at the time something along the lines of, "Connecting the call and telling your phone to ring are different messages, so if instead of sending the ring, waiting for a pickup, then connecting the call you just connected the call..."

Are there any standalone tools that can be used to capture the meta-information about cell towers?

It seems like it would be really useful to crowdsource known towers, their identities and strengths, so that simulators can be singled out.

Mozilla has an even larger database.


If you want to contribute, there's an opt-in toggle in Firefox for Android.

The AIMSICD application mentioned above for Android uses this as a synchronizable data source.

OK, this seems to be all GSM towers.

I wonder how one would select the fake ones.

Edit: Not just GSM.

http://www.radiocells.org/ if you want something that's open source in both software and data. You can download the whole database of Wi-Fi networks and cells from radiocells.

Any RTL-SDR or Ettus radio can capture cell metadata. Most of the tools to process the captures are Linux based but highly automated.

Happen to have any URLs handy that explain how to do it?

Build your own! https://github.com/Shadytel

I wonder if it would be possible to take the idea of certificate authorities and apply it to cell phone towers. Basically, each cell tower company would be a CA, and could generate a certificate for each cell tower. Major cell tower companies could then be trusted by other CAs, and cell phones could have a store of trusted CAs. Then, when a cell phone attempts to connect to a tower, a check is made to verify that the tower is trusted by a trusted CA. This way, a user could (at least maybe) revoke a certificate from a CA that has trusted a group that has set up a cell site simulator.

My knowledge of PKI is pretty shaky. Does anyone know if something like this would work and/or be an improvement?

The SIM card in your phone is, basically, a smartcard. The private/public keypair on the SIM is how your phone authenticates to the cellular network.

Is what you're asking technically possible? Sure. What motivation do the cellular companies have to implement it, though? They are currently satisfied with the level of security already offered and to do what you are asking would cost a not-insignificant amount of money with little or no return (for them).

Probably would make it hard for non-smart / low powered handsets to participate.

Is there any way to re-engineer infrastructure so that all cell-sites cryptographically identify themselves so that cellular devices can verify the identity of a cell-site before identifying itself to the cell-site?

AFAIK 3G and 4G have this. The issue is that there are still legacy 2G and GPRS networks, so those protocols can't be disabled yet.
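To make the difference concrete, here is an added illustration (not code from the thread or from any real SIM or network) of why a 2G handset cannot tell a rogue base station from its operator's, while a 3G/4G handset can: GSM authenticates only the handset, whereas UMTS AKA adds an AUTN token the network can only produce if it knows the SIM's secret K. HMAC-SHA256 stands in for the operator's A3/A8 and Milenage functions, and field lengths are simplified; those are assumptions, not the real algorithms.

```python
import hmac, hashlib, os

# Stand-in for the SIM's A3/A8 and Milenage f1/f2 functions (assumption: real
# SIMs use operator-specific algorithms; HMAC-SHA256 only shows the structure).
def f(key: bytes, tag: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, tag + b"".join(parts), hashlib.sha256).digest()

def gsm_handset_respond(k: bytes, rand: bytes) -> bytes:
    """2G: the handset answers any RAND it is sent; it never checks who sent it."""
    return f(k, b"A3", rand)[:4]            # SRES

def umts_network_challenge(k: bytes, sqn: bytes):
    """3G/4G network side: RAND plus AUTN = SQN || AMF || MAC-A, MAC-A keyed by K."""
    rand = os.urandom(16)
    amf = b"\x80\x00"
    mac = f(k, b"f1", sqn, rand, amf)[:8]
    return rand, sqn + amf + mac

def umts_handset_check(k: bytes, rand: bytes, autn: bytes, last_sqn: bytes):
    """3G/4G handset side: authenticate the network before answering.
    Returns RES on success, None if the MAC is wrong or the SQN is a replay."""
    sqn, amf, mac = autn[:6], autn[6:8], autn[8:16]
    expected = f(k, b"f1", sqn, rand, amf)[:8]
    if not hmac.compare_digest(expected, mac):
        return None                         # network does not know K: reject
    if int.from_bytes(sqn, "big") <= int.from_bytes(last_sqn, "big"):
        return None                         # replayed challenge: reject
    return f(k, b"f2", rand)[:8]            # RES, sent only after the check

def rogue_vs_genuine() -> dict:
    """Run both protocols against a genuine network and a rogue that lacks K."""
    k = os.urandom(16)                      # K shared by SIM and home network
    rogue_k = os.urandom(16)                # rogue base station has no K
    last_sqn = (0).to_bytes(6, "big")
    sqn = (1).to_bytes(6, "big")

    # 2G: the rogue sends any RAND and gets a valid-looking SRES back.
    gsm_rogue = gsm_handset_respond(k, os.urandom(16))

    # 3G/4G: genuine network passes, rogue fails, replay of a used SQN fails.
    rand, autn = umts_network_challenge(k, sqn)
    genuine = umts_handset_check(k, rand, autn, last_sqn)
    r_rand, r_autn = umts_network_challenge(rogue_k, sqn)
    rogue = umts_handset_check(k, r_rand, r_autn, last_sqn)
    replay = umts_handset_check(k, rand, autn, sqn)   # SQN already seen

    return {"gsm_rogue_got_sres": gsm_rogue is not None,
            "umts_genuine_ok": genuine is not None,
            "umts_rogue_ok": rogue is not None,
            "umts_replay_ok": replay is not None}

if __name__ == "__main__":
    print(rogue_vs_genuine())
```

The 2G line shows why the handset can be walked onto an impersonating tower; the 3G/4G lines show the handset refusing unless the challenger holds K, which is why the thread's advice centres on disabling 2G rather than on a new PKI.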

Shouldn't it be expected that we would be able to prevent our devices from talking to any non-3G/4G tower?

Many phones have this in settings; many other phones have this in a hidden service menu (e.g. http://android.stackexchange.com/a/66819)

You could, sure... if you could modify the software running on your phone. Since you can't, it's only possible for the (either hardware or software) manufacturer to build in that feature, and I'm not sure they have any compelling reason to give the user that option. (It's entirely possible that this option is available on some phones but I really have no idea; I haven't used anything other than an iPhone for several years.)

3G networks that still use the A5/1 cipher can also be broken with a rainbow table.

>3G networks use the KASUMI block cipher instead of the older A5/1 stream cipher


I don't see any exceptions for this. Can you link to a source that states it's still possible for 3G to use A5/1?

They would just get the keys from the cellular providers, or rather, the cellular providers would just give them the keys.

So is wiretapping illegal without a warrant or isn't it?

Because they aren't collecting just metadata with this, and unlike the NSA there is likely no discipline at all about how the data is used or shared.

Policing in this country has come down to "try to stop us from doing it" instead of asking first "is this even legal" on every aspect.

I can see how it can be creepy; however, my house was burglarized recently, and I would have loved to have a device that could catch the IMSI of all the mobiles in my flat at that time. I can't really do anything with the IMSIs myself, but I could give them to the police after a burglary, like a CCTV tape.

Much easier just to log whatever SSIDs the phones are broadcasting. My phone currently knows about 20 wifi networks from which I can work out where I live, where I work and where I've been on holiday.

For those that are surprised that your phone is such a snitch: That can be shut off, even at app level. There is Wifi Privacy Police for Android, and probably something similar for iOS.

I actually did just that at work. First of all I had a Raspberry Pi that got all the device names connected to my company wifi (the guy responsible for the network is actually just the janitor, so the wifi is basically the wild west). After a bit of puzzling I knew the MAC addresses of 90% of my closest colleagues' phones. From there it was easy to do the rest. Just set up your own wifi network and monitor SSID broadcasts.

This worked fine until iPhones started randomizing their MAC addresses, but since I know when a certain device appears on our work wifi, I could probably just compare when a scan was made to when a certain device was connected. I just can't be bothered.

The system is still up and running, and now even has a nice web interface that I can access from home.

I'll eventually release it as FLOSS, but I'll have to clean the code quite badly. It only requires guile and nmap, but can probably be ported to something fancier.

But can the police do anything with this SSID?

Is it presentable in court? Depends on your jurisdiction.

Can they use it as I can - to translate SSIDs into locations? https://wigle.net/

So, how long until schools decide to deploy this in the name of "student security?"

I was speaking with a friend regarding cellphone jamming, and a question was posed:

Suppose there is a piece of equipment that strictly follows all the relevant cellular protocol specs and can route 911 calls, but drops all other traffic. Is such a system illegal?

I believe your device would need type acceptance by the FCC and, presumably, a valid license to transmit/operate on those frequencies. Otherwise, yes, it would be illegal.

I don't have a citation/reference handy but, if memory serves, it is illegal (in the U.S.) to interfere with any cellular communications.

Is there a quick way to figure out if this is occurring? I've gone into one or two restaurants with their own wifi and my cell connection goes down to 3G.

At least civilly, if not criminally, yes, illegal - you don't hold a license for broadcasting on that spectrum.

Why aren't the OS vendors such as Apple, Google and Microsoft protecting users against this?

Because they are contributing to it.

