The Pope left.
The boxes stayed.
Edit: here's one of several pics I took (see edit 2 below for link). Anyone recognize it? Interestingly enough, the nuclear and chemical detection boxes were labeled...
Edit 2: direct photo link: https://s3.amazonaws.com/f.cl.ly/items/1X2f2i1M2P0e0n322r1X/...
EDIT: Thanks! I would really be interested in a crowdsourced wiki-style database of these. If nothing else, submit them to Wikimedia commons with coordinates.
Although now that I've said that, I don't recall what happens when it's using multiple channels for packet data.
The only exception for 3G is China with its TD-SCDMA standard. Everywhere else, 3G is FDD.
For 4G, there is a TDD variant. It's mostly used in China and on some specific high bands (2.3/2.5 GHz around Wi-Fi, 3.5 GHz). But in western countries when one uses 4G it's FDD.
OpenBTS is basically an opensource cell phone tower software stack.
Your phone supports older protocols for backwards compatibility as you roam. You can instruct your tower to broadcast on an older protocol, like 2G. 2G has this hilarious design flaw that the tower tells the cellphone which tower has the strongest signal. So you claim that you have super amazing signal. 2G's cryptography is broken wide open, worse than DES. So this little cell tower running on a laptop and a digital radio system has just MITM'd your phone (and everyone else's) whose network it is impersonating.
I expect/assume this is the general design (with hopefully significant refinement) of most Stingray devices.
Also, do you even need to break any cryptography / MITM, or can you just be your own base station that happens to be called "AT&T"?
Since digital, handsets validate the tower they are talking to; this info is stored on the SIM or device depending on model. So to intercept 2G, there is some work.
Can't go trusting those handsets now can we?
Given the technical skill shown in some of the Snowden leaks, it seems to be all but a given that these blobs are compromised from the factory by three-letter agencies. It's somewhat amusing watching the overt rhetoric of the FBI "crypto war" when the majority of even technical people make far less of a fuss over covert exploitation, which has the dual benefits of being pretty much ubiquitous and plausibly deniable. One NSL to Intel and Qualcomm, or better yet, one call to an executive with the loyalty of a few "patriotic" employees, the secret is safe, and everyone is pwned by default.
It is basically impossible to use a modern computing stack without trusting someone's proprietary blob, and the general population has little to no care about attacks at a level that they really don't understand. That's probably why all the press is on this crypto rhetoric to begin with.
Sounds like what John Young said today on the cypherpunks mailing list, and something I don't see the public nor all the actors involved in this "crypto c̶i̶r̶c̶u̶s̶ war" shedding light on soon:
"Kill metadata and other crypto-issue-overdone diversions.
Metadata and other crypto-workarounds resulted from the
crypto wars of the 1990s which were bragged to be won
rather than faked out.
The fake-out was orchestrated by some of the very same
crypto warriors claiming to be against gov-controlled crypto.
A way to identify them is to note who rose to prominence and
wealth in crypto com-edu-org. Still at it, ratcheting up the need
for ever more crypto, acknowledging the workarounds but, but,
but: Let's Encrypt, HTTPS-HTS everywhere, secure drops,
freedom of the press and courage foundations, Snowden
talks and tweets, FISC amicus curiae, POTUS and TLA advisories,
industry lobbyists, dual hats riding the crypto gravy train and
more likely, the subway out of sight.
The money and prestige to be gained by working all sides of
the crypto phony war is, as Greenwald crows of Omidyar's $250M
Cell phones have SIM cards with an ID and a secret key. Cell service providers have a database of these SIM associations. Cell phones encrypt IP packets in their entirety with the symmetric key and send it as the payload of some cell protocol packet that might expose my ID, if anything. Assuming the cell provider is secure and not on the dark side, this is the safest part of my packet's trip.
I don't understand how a cell-site simulator could see what websites I visit, much less the messages I send, without knowing my key. And it's not like one could trick my phone into thinking it's the actual cell site, because it won't be able to respond to my transmission with a message that my key can decrypt.
What the heck am I missing?
Or, if your provider has a bit of a spine:
FBI: "Hey, cellular provider, give us the secret key and ID for X."
Provider: "Got a warrant?"
FBI: "No problem, give us a half hour to call our go-to judge." / "No, but here's an NSL."
It works sort of like what you are describing in 3G & 4G networks.
So to answer your question: You are missing phones that don't work on 2G (unless there is a function to disable it in a user-unfriendly engineering menu).
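The point the answer above is making can be shown with a small model of the two authentication flows. This is an added example, not code from the thread or from any real baseband or SIM: the keyed function `_tag` stands in for the SIM algorithms (it is an HMAC, not COMP128 or Milenage), and the IMSI, key and message layout are constructed. What it keeps faithful is the structural difference: in the 2G flow the network challenges the phone but never has to prove it knows the subscriber key K, so a base station without K is accepted; in the 3G/4G (AKA) flow the network must send an AUTN token keyed with K, and the phone refuses to attach when the MAC does not verify or the sequence number is replayed.

```python
import hmac
import hashlib
import os


def _tag(k: bytes, *parts: bytes) -> bytes:
    """Keyed function standing in for the SIM algorithms (A3 / f1 / f2). Constructed, not Milenage."""
    return hmac.new(k, b"|".join(parts), hashlib.sha256).digest()[:8]


class Sim:
    """Subscriber side: holds the long-term key K that only the SIM and the home operator know."""

    def __init__(self, imsi: str, k: bytes):
        self.imsi = imsi
        self._k = k
        self._last_sqn = -1  # highest sequence number accepted so far (replay protection)

    def gsm_respond(self, rand: bytes) -> bytes:
        # 2G: the phone answers every challenge. RAND carries nothing the phone could verify,
        # so a base station that does not know K gets an answer like any other.
        return _tag(self._k, b"sres", rand)

    def umts_respond(self, rand: bytes, autn: bytes):
        # 3G/4G: AUTN = SQN || MAC, with MAC keyed under K. A network without K cannot
        # produce a valid MAC, and the phone aborts the attach instead of answering.
        sqn_bytes, mac = autn[:6], autn[6:]
        if not hmac.compare_digest(mac, _tag(self._k, b"mac", rand, sqn_bytes)):
            return None  # MAC failure: this network is not (acting for) my home operator
        sqn = int.from_bytes(sqn_bytes, "big")
        if sqn <= self._last_sqn:
            return None  # synch failure: replayed challenge
        self._last_sqn = sqn
        return _tag(self._k, b"res", rand)


class HomeNetwork:
    """Operator core: has the same K from the subscriber database; issues and checks challenges."""

    def __init__(self, subscribers: dict):
        self._subs = subscribers  # imsi -> K
        self._sqn = 0

    def gsm_challenge(self, imsi):
        return os.urandom(16)

    def gsm_accept(self, imsi, rand, sres):
        return hmac.compare_digest(sres, _tag(self._subs[imsi], b"sres", rand))

    def umts_challenge(self, imsi):
        self._sqn += 1
        rand = os.urandom(16)
        sqn_bytes = self._sqn.to_bytes(6, "big")
        return rand, sqn_bytes + _tag(self._subs[imsi], b"mac", rand, sqn_bytes)

    def umts_accept(self, imsi, rand, res):
        return hmac.compare_digest(res, _tag(self._subs[imsi], b"res", rand))


class RogueBaseStation:
    """Cell-site simulator: sees IMSIs on the air, but holds no subscriber key."""

    def gsm_challenge(self, imsi):
        return os.urandom(16)

    def gsm_accept(self, imsi, rand, sres):
        return True  # cannot check SRES and does not need to: it simply says "accepted"

    def umts_challenge(self, imsi):
        return os.urandom(16), os.urandom(14)  # AUTN guessed without K

    def umts_accept(self, imsi, rand, res):
        return True


def attach_2g(sim: Sim, network) -> bool:
    rand = network.gsm_challenge(sim.imsi)
    return network.gsm_accept(sim.imsi, rand, sim.gsm_respond(rand))


def attach_3g(sim: Sim, network) -> bool:
    rand, autn = network.umts_challenge(sim.imsi)
    res = sim.umts_respond(rand, autn)
    if res is None:
        return False  # phone refuses before the network gets a say
    return network.umts_accept(sim.imsi, rand, res)


def demo() -> dict:
    k = os.urandom(16)
    sim = Sim("001010123456789", k)  # constructed test IMSI
    home = HomeNetwork({sim.imsi: k})
    rogue = RogueBaseStation()
    return {
        "2g_home": attach_2g(sim, home),
        "2g_rogue": attach_2g(sim, rogue),   # attaches: nothing for the phone to check
        "3g_home": attach_3g(sim, home),
        "3g_rogue": attach_3g(sim, rogue),   # refused: AUTN does not verify under K
    }


if __name__ == "__main__":
    print(demo())
```

The model also shows why the per-packet encryption the question relies on does not help here: in 2G the cipher is negotiated after this attach step, by the network, and a phone that has already accepted the base station has no key-based way to object to its choice.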
I watched this DEFCON talk a while ago. Not sure if it's still relevant, but it is quite worrying.
Next week I will put my hands on SnoopSnitch.
* What is the first thing popping up in our app? Right, our DISCLAIMER!
Bummer, huh? Furthermore, where are your contributions to the Issue below?
Everyone with a pair of eyes is able to clearly see the warnings, disclaimers and statements all over our project that our app is still in ALPHA development. And if you really are a skilled developer and not just a troll wanting to discredit our app in favour of making another one more popular (which I think you actually are), you'd have contributed. But you're just a fake "security researcher", ranting on public sites about an open source project where everyone is invited and very welcome to add a bit to make it better. Next time, please think twice before publishing shit like yours above.
SnoopSnitch only works on specific Qualcomm chipsets. If you want to use IMSI-catcher detectors, make sure it actually works with your specific chipset.
AIMSICD eats a decent amount of battery as it really needs GPS to be useful as a historical data source.
But Android only, it seems.
> iOS neither exposes high-level nor low-level baseband information (e.g. cell info) to applications through the official and public API.
Personally, I would prefer "rogue" or "malicious" or something similar that adequately highlights their true intentions.
It seems like it would be really useful to crowdsource known towers, their identities and strengths, so that simulators can be singled out.
If you want to contribute, there's an opt-in toggle in Firefox for Android.
I wonder how one would select the fake ones.
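One way the crowdsourced-tower idea from the comments above translates into a detection check. This is an added example, not code from the thread or from SnoopSnitch or AIMSICD; the observation schema, the sample database and the log lines are constructed, and 310/410 is used only as an example PLMN. It scores each observed cell against several indicators at once: not present in the known-tower database, a location area code the operator has never been seen using, a signal much stronger than expected, a 2G connection with no encryption (A5/0), and a drop to 2G while 3G/4G service was usable moments earlier. Combining indicators matters because the first one alone flags every newly built legitimate tower.

```python
from collections import namedtuple

# One radio observation as an IMSI-catcher detector app might log it (constructed schema).
Obs = namedtuple("Obs", "t mcc mnc lac cid rat rssi cipher")

# Crowdsourced database of known towers: (mcc, mnc, lac, cid) -> typical RSSI in dBm. Constructed.
KNOWN_CELLS = {
    ("310", "410", 1234, 50001): -85,
    ("310", "410", 1234, 50002): -90,
    ("310", "410", 1235, 50003): -95,
}

# Constructed observation log: three sightings of known LTE cells and one suspicious 2G cell.
OBSERVATIONS = [
    Obs(0,  "310", "410", 1234, 50001, "LTE", -84, None),
    Obs(30, "310", "410", 1234, 50002, "LTE", -91, None),
    Obs(60, "310", "410", 9999, 60999, "GSM", -55, "A5/0"),
    Obs(90, "310", "410", 1234, 50001, "LTE", -86, None),
]


def score_observations(observations, known_cells, strong_delta=20,
                       downgrade_window=120, usable_rssi=-100):
    """Return {cell_key: [reasons]} for every cell that trips at least one indicator."""
    known_lacs = {(mcc, mnc, lac) for (mcc, mnc, lac, _cid) in known_cells}
    strongest_known = max(known_cells.values())
    findings = {}
    last_fast_rat = None  # (time, rssi) of the most recent usable 3G/4G observation

    for o in sorted(observations, key=lambda x: x.t):
        key = (o.mcc, o.mnc, o.lac, o.cid)
        reasons = []
        if key not in known_cells:
            reasons.append("cell id not in crowdsourced database")
        if (o.mcc, o.mnc, o.lac) not in known_lacs:
            reasons.append("LAC never reported for this operator")
        # Known cells are compared with their own history; unknown ones with the strongest known cell.
        reference = known_cells.get(key, strongest_known)
        if o.rssi > reference + strong_delta:
            reasons.append("signal far stronger than expected")
        if o.rat == "GSM" and o.cipher in (None, "A5/0"):
            reasons.append("2G connection without encryption (A5/0)")
        if (o.rat == "GSM" and last_fast_rat is not None
                and o.t - last_fast_rat[0] <= downgrade_window):
            reasons.append("downgrade to 2G while 3G/4G was recently usable")
        if o.rat in ("UMTS", "LTE") and o.rssi >= usable_rssi:
            last_fast_rat = (o.t, o.rssi)
        if reasons:
            bucket = findings.setdefault(key, [])
            for r in reasons:
                if r not in bucket:
                    bucket.append(r)
    return findings


if __name__ == "__main__":
    for cell, reasons in score_observations(OBSERVATIONS, KNOWN_CELLS).items():
        print(cell, "->", "; ".join(reasons))
```

A reasonable policy is to alert only when two or more indicators fire for the same cell, and to feed single-indicator sightings back to the crowdsourced database as candidates for review rather than as confirmed towers.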
Edit: Not just GSM.
My knowledge of PKI is pretty shaky. Does anyone know if something like this would work and/or be an improvement?
Is what you're asking technically possible? Sure. What motivation do the cellular companies have to implement it, though? They are currently satisfied with the level of security already offered and to do what you are asking would cost a not-insignificant amount of money with little or no return (for them).
I don't see any exceptions for this. Can you link to a source that states it's still possible for 3G to use A5/1?
Because they aren't collecting just meta data with this and unlike the NSA there is likely no discipline at all about how the data is used or shared.
Policing in this country has come down to "try to stop us from doing it" instead of asking first "is this even legal" on every aspect.
I actually did just that at work. First of all I had a Raspberry Pi that got all the device names connected to my company wifi (the guy responsible for the network is actually just the janitor, so the wifi is basically the wild west). After a bit of puzzling I knew the MAC addresses of 90% of my closest colleagues' phones. From there it was easy to do the rest. Just set up your own wifi network and monitor SSID broadcasts.
This worked fine until iPhones started randomizing their MAC addresses, but since I know when a certain device appears on our work wifi, I could probably just compare when a scan was made to when a certain device was connected. I just can't be bothered.
The system is still up and running, and now even has a nice web interface that I can access from home.
I'll eventually release it as FLOSS, but I'll have to clean the code quite badly. It only requires guile and nmap, but can probably be ported to something fancier.
Can they use it as I can - to translate SSIDs into locations? https://wigle.net/
Suppose there is a piece of equipment that strictly follows all the relevant cellular protocol specs and can route 911 calls, but drops all other traffic. Is such a system illegal?
I don't have a citation/reference handy but, if memory serves, it is illegal (in the U.S.) to interfere with any cellular communications.