I was walking around San Francisco the other day and suddenly noticed that my phone had switched from its usual AT&T provider to "China something" (maybe "ChinaNet"? I don't remember exactly what it was, and it was only there briefly). And then I got a text saying:
Welcome to the test network. Your IMSI is IMSI: 346234543252301
Not very stealth in this case. And I'm still not sure what it was. It went back to AT&T after I walked around some more.
This was likely someone running a test / dev network using OpenBTS, which is open-source software for GSM base stations. The exact phrasing of that message is the default registration message for the software: https://github.com/ttsou/openbts-p2.8/blob/master/apps/OpenB...
2G networks have basically one way auth. The phone auths to the network but the network doesn't auth to the phone. This is an oversimplification but basically how it works.
This is not entirely true. LTE is authenticated. If you force your device to not allow any base station using an older protocol (to prevent downgrade attacks), you should be fairly safe. The problem is that most phones will accept a base station that says "No, sorry, can't do LTE, how about this unauthenticated 2G AP instead?" If you are ok with your phone not having network in rural areas, setting it to LTE-only is a reasonable mitigation (assuming your device supports this).
Some of the other comments are that a 2G tower tells a phone whether it's allowed on or not, but that the phone doesn't have any verification in the other direction. That's just the design of 2G cell networks. It's not an optional setting.
Other comments say that LTE networks authenticate in both directions, so you're safe if you can set your phone to LTE-only.
Could conceivably have been a temporary test network, run by a Chinese mobile manufacturer. Typically they'd be doing on-location testing of their hardware. I used to do a lot of this kind of work with Chinese and Korean companies and we'd frequently pitch up in a city in the US, Europe or Asia with case loads of GSM test gear.
I filed a complaint with the FCC regarding a suspected jamming device. I'm pretty sure they didn't even read it. They forwarded the complaint to my wireless carrier, who sent a reply saying that the complaint had nothing to do with them and that my original complaint had reported a jammer. The FCC closed the complaint and considers it satisfied.
> Antenna-laden vans canvasing neighborhoods for radio pirates.
Got any photos, or links to accounts of these? I did a quick google image search because you think someone would have caught one in the wild by now, but no.
There's ways [1] to set up a rogue BTS / IMSI catcher that is seemingly legal [2] - by using US amateur radio bands (that are used as GSM bands in other parts of the world), not using encryption and spitting out your callsign once in a while.
Sometimes there are reserved parts of the spectrum for test networks you can get assigned for a limited time, the CCC had a GSM (and some 3G I think) network for many years.
I don't know if it was HP, but my favorite malicious printer was one that scanned documents and then randomly changed numbers in them. This was the byproduct of an overly clever compression algorithm saving bytes by replacing parts of the image with other similar parts. God only knows how much important information was corrupted by that 'feature'.
Excel is pervasive. If you consider every single spreadsheet used for financial analysis and then used to allocate resources has material bugs in it, you'll be so close to the truth as makes no difference.
Hmmmm... I remember about an Excel macro-virus that would multiply numbers (and adjust the format to hide it) in data cells by small random number, between 0.99 and 1.01 slowly over time. By the time you realized what was going on, your data was completely gone. Can't remember the name though.
I think material but well known bugs are probably less dangerous because they're deterministic.
The true insidiousness of a random mutagen exploit is the fact that you can't pin in down. Hell, you could even specifically code it to be resistant to reproduction attempts. ;)
no no no. Not the many formula implementation bugs. I mean every survey of financial models done in excel has material error in their conclusions. Regardless of known bugs in excel that microsoft won't fix. I mean that merger you just read about where the financial model was done with excel - it has material bugs in it. Material by the GAAP accounting & attest definition. > +/-5% of profit. +/- 10% of total assets. It's quite something...
I'm not sure if it's still possible or not but at one time you could "bounce" port scans and such off of networked HP printers (due to an "IP ID" bug in their IP stack, IIRC).
I did this to a very security-conscious co-worker who freaked out when he noticed his workstation being "attacked" by a printer in a computer lab.
I always wondered why these things weren't used in prisons. Maybe they are? Here in the UK there is a massive problem with smuggled phones in prisons, and since by definition their use is illegal in that environment then surely it's OK for law enforcement to jam or even intercept everything? Add to the mix the thick walls and total control of infrastructure and I see no good reason why every illegal phone can't be forced onto a fake network. Legal phones used by staff could be whitelisted.
I don't think jamming would really be reasonable in a building. If the walls can contain the jamming signal to their building then the walls will keep out the original signal anyways. I think just RF blocking paint would be a more reasonable solution but this would also interfere with any radios in use by the guards and wouldn't do anything for any prisoners that are outside during the day.
Having the cooperation of the cell service providers would be good, you could just have a small pico cell that tries to blackhole any phones in the building but if a prisoner can smuggle in a cell phone then they can probably smuggle in any other handheld radio as well.
Isn't really a thing. These paints realistically manage 30 dB attenuation at around 1 GHz, which sounds great as a percentage ("99.x% reduction!"), but isn't sufficient to actually deny cellular service. [Paint also normally doesn't cover things like windows etc. which pretty much nullifies them anyway]
You can in fact dump a phone into a fridge or freezer, which (at least here) have steel sheets all over them. Phones still get cellular service.
What you would need is screen plating and windows with RF screening meshes (and of course special window frames and so on). This is a) extremely expensive b) can manage >60 dB attenuation.
"You can in fact dump a phone into a fridge or freezer, which (at least here) have steel sheets all over them. Phones still get cellular service."
Not necessarily true. I used a fridge as a quick alternative to Faraday cage for device testing and it worked fine. It was an old, heavy fridge though, newer ones may contain more plastics and fail to shield properly.
Is there anything like a chop gun for conductive fibers? I know it wouldn't make some perfect faraday shield but a conductive epoxy like material and some ultra fine metal fibers sound like that should be decent at blocking RF and I think it would be reasonable enough to make a special chop gun for it. It would make application a ton cheaper, a lot faster, and it should still be reasonably effective.
> I always wondered why these things weren't used in prisons.
> Add to the mix the thick walls
Because thick walls do not intercept enough of the radio signal. This only works in really remote locations - but e.g. here in Munich there are a number of jails in the city area. If someone would employ a jammer there, the neighbours would protest and/or sue.
You're probably right about urban prisons. I always think of them as remote but there are plenty in places with very high signal strengths, which would create problems. Low-power pico-cells inside the prison walls could presumably be configured to not cause problems outside. But yes, RF planning is a nightmare and there would doubtless be problems.
It's very hard to make sure that the signal extends exactly to the perimeter of the prison. If your jamming signal is weaker, some corners of the prison will have reception. If it's stronger, you are illegally blocking the signal outside your prison.
Add to that that signal strength changes with weather, and you have two solutions: either lots of expensive equipment or lots of buffer land owned by the prison. Both are expensive.
Good idea, a pico cell could forward on the calls and SMS from devices with a whitelisted IMSI. Everyone else could just get there's logged and rejected.
Do phones not do any kind of cryptographic verification that the cell tower is real and that mobile data is sent securely between the phone and the tower?
For 3G/4G networks there is strong mutual authentication between the device and the network, for 2G(GSM) networks only the device is authenticated so these interception devices work by jamming the 3G/4G bands forcing the device onto the (fake) 2G network.
Indeed! A very good advice that read on this topic was this one:
As a rule of thumb, any security protocol that contains lots of "MAY" parts (options) in its specification is suspicious. Even more so if the security layer itself is optional. Ideally, a security protocol contains no "MAY" parts, not even "SHOULD" parts, but only "MUST" parts.
(Not sure where I read this, or who wrote that. So I'm paraphrasing it here. Maybe it's common sense without a single attributable source.)
there's a feature in cell modems that can indicate radio link encryption/auth..put on tinfoil hat...and it's disabled in pretty much all phone firmware
If you're willing to give up service when connecting to an untrusted source, then just use an always-on VPN and VOIP for voice + some tcp based messenger for SMS.
It just use a directional antenna to listen for the "keepalive" exchange between cell tower and device, focusing on a specific IMSI.
Also, even if your device is currently using LTE or similar, the GSM (or whatever 2G radio it has) will still be on and talking to the relevant network (unless you specifically tell the device otherwise, and the OEM allowed you to). This to provide a smoother handover should the LTE signal drop too low.
Hailstorm on the other hand is basically a jammer tuned to 3G and 4G frequencies, thus forcing any devices in range to drop down to 2G. For the general public a jammer would be a big nono, but law enforcement is a different matter.
IMSI catchers (like Stingray) are not fully passive devices. They have an operation mode where they broadcast a signal that appears to come from a legitimate cell phone tower. This captures traffic from all devices within range, targeted or not. This is why they are often called "cell site simulators" because that accurately describes how they are often used. For more information, check out this EFF page.
...but how? Comments above imply that 3G and 4G are protected with strong encryption/authentication. How is a Stingray capturing metadata from calls and SMS?
I was under the impression that Hailstorms either have valid cell tower certificates (dunno if wireless carriers are complicit) or they exploit the vast quantity of modem firmware bugs.
Could have sworn that even though a more recent network is the preferred one at that time, the older ones are still connected and listening to provide a smoother handover experience.
Depending on the device you may be able to tell it to use newer network only though (my somewhat aging Android device can opt for UMTS only for example).
Indeed. But I haven't come across any phones that let you specifically disable 2G(GSM). Most let you disable 4G or 3G, or let you prioritise one over the other, but disabling 2G altogether seems to be missing.
On Android dial [star]#[star]#4636#[star]#[star] in the phone app and you can change what types of cell networks can be connected to. Apparently doesn't work on all phones, but definitely works on my stock Nexus 5X on Android 7.
My Blackberry Priv lets me select any combination of LTE, 3G, and 2G. I currently have it set to use LTE and 3G only. That's the only phone I've seen with that feature, though.
The cell tower is trusted, and the preferred cell tower is the one with the strongest signals. That's literally the entire selection strategy.
Cell towers also choose the encryption that the cell phone should use. I don't think any currently available phone notifies you when no (A5/0) or weak (A5/1) encryption is used.
This probably has to do with the historic split between 2G/3G technologies among the major cellular carriers in the US. In the US if you want or need true nationwide coverage (say you are selling a retail IoT device and your customers expect it to work nearly anywhere) you pretty much have to go with AT&T or Verzion and switching a 2G or 3G device between them is impossible. This gives those companies a lot of power to dictate to customers what technologies they can use with their networks.
Since LTE is the lowest common denominator technology between all carriers (and LTE is the only cellular technology with hardware that supports all cellular frequency bands in the US) the cellular market in the US is being pushed very strongly in an all-LTE direction. With the inclusion of Cat-M1 and Cat-NB1 modes in LTE release 13[0], LTE will soon be usable even for low-power IoT devices. AT&T and Verizon are already racing to support those standards on their networks.[1]
The mess that is US mobile protocols and frequencies is what makes me cringe when the rest of the world these days looks to USA for the "latest" in mobile.
Damn it, Nokia had a Symbian phone you could use as a basic desktop for emails and surfing back when iPhone and Android barely did video out (and had to kill the phone screen to do so at least on Android). The mobile world basically came to a standstill, if not went backwards almost a decade, because everyone turned to the odd duck out to lead them into the future...
Kinda weird too considering you can run GSM in the HSPA guard bands without a large degradation of HSPA performance.
Typically HSPA is 5mhz+5mhz FDMA, but the carrier is only 3.6mhz+3.6mhz and can be slimmed to 4.2mhzx4.2mhz on Ericsson equipment. NSN equipment can go as low as 3.8x3.8.
In a slim HSPA situation you can run multiple 0.2x0.2 GSM channels.
LTE I've seen all over deployed in 5mhzx5mhz, but I've never seen the 3mhzx3mhz or 1.4mhzx1.4mhz configurations in the wild (they would overload easy).
Sprint has 3x3 deployed on band 26 in some boundary areas of the ibez. There have been some sites spotted in Columbus, Ohio along the ibez boundary that are 3x3 instead of the 5x5 Sprint has deployed everywhere else that's not within 100 km of Canada or Mexico.
Actually only AT&T is scheduled for a 2G sunset right now. Also I think one of the Northern European countries is choosing to maintain the GSM network and then retire UMTS. They're going to have a GSM for IOT and LTE for mobile communications. It's kind of insane. Wish I could find a source...
I don't think many GSM carriers allow internet originated, mobile terminated traffic, even for IoT. Mass compromise of IoT is going to be way less trivial for GSM capable devices than things on standard wifi.
What I'm trying to say is that while your quip is entertaining:
a) it's impractical to scan/compromise IoT devices remotely without a stupid design (by IoT standards stupid, btw- not regular internet design- we're talking REALLY REALLY STUPID).
b) I would bet my mortgage that the logic you are presenting was never considered by the relevant carriers. They're not that smart.
Not quite true. Verizon is planning to sunset 2G in 2019 [1], and is making efforts to get customers off 2G before that (similar to what AT&T has been doing). They are also rumored to be planning to shutter 3G in 2021. This leaves only T-mobile and Sprint in the US market providing longer-term 2G support, and their coverage is not great if you need to deploy devices outside major metro areas.
> They're going to have a GSM for IOT and LTE for mobile communications. It's kind of insane.
I don't think this is that insane. I doubt there are many devices that only support UMTS, but there are tons that only support GSM, including many in embedded systems that can't easily be upgraded. So by using most of your spectrum for LTE, you get spectrum efficiency, and supporting GSM you can support everything that doesn't do LTE (just not at high speeds).
Don't lots of phones still send SMS & voice calls over GSM/CDMA? I know VoLTE is appearing, but slowly & only on a couple flagship devices, and quality degrades faster with loss of signal...
Haven't actually seen the signal degradation issues you speak of, probably offset by being able to use a lower band than GSM or HSPA for my carrier.
Carriers have made it a policy to not whitelist imported devices for voLTE. IMEI needs to be whitelisted at carrier AND carrier file installed in phone needs to have support turned on. Either thing missing, no voLTE for you.
EDIT: Forgot to mention, non-voLTE still signals with LTE for incoming calls and SMS, it'll handover to HSPA/CDMA/GSM within about 2 seconds of the signal coming in. Unfortunately I don't have specifics of this process.
Actually i think most SMS is handled via "WAP" these days, meaning that it is carried as a short duration data connection rather than as a special packet in the cells control channel (GSM, dunno about how CDMA implemented it).
I guess it depends on where in the world one lives.
I'm not American, and thus my phone is free of carrier tampering.
I even learned about the SMS over GPRS (thanks) thing because a relative of mine once owned a phone where we had to turn it off to actually get reliable SMS delivery, as it defaulted to GPRS mode.
There was a very informative (terrifying?) talk at Defcon 2012 where it was demonstrated how easily you can pretend to be a GSM base station. Not sure if any of the vulnerabilites have been addressed yet, four years later.
You're using GSM here which is from 1991. It may be 2016, but your phone still primarily uses or falls-back to 1991 era protocols. Protocols which are the de facto global standard for cellular communication.
It's a collective action problem. How do you incentivize an upgrade while allowing for seamless fallback? For billions of devices made by thousands of manufacturers? Which access hundreds of different carrier networks around the world?
I think you need some industry leader to push for this. Apple could do it, or possibly Google although they have a hard time exerting influence over Android device manufacturers.
Well, here's the deal. They can't do anything as it would be a potential quality of service issue to the end user if GSM were disabled currently. Can't blame the vendors either, they built the hardware years ago that operators continue to operate. It's like wanting to blame Ford and Chevy because you bought a car from the 1950's and it doesn't have airbags.
T-Mobile and AT&T are the national carriers supporting GSM through most of their footprint, AT&T is phasing out their network at the end of the year. T-Mobile moved to A5/3 to try to slow down eavesdropping a bit. There are more rural carriers who aren't in a rush to upgrade and probably still use the older ciphers.
Currently, I am on T-Mobile. There are a few areas that never saw HSPA deployed, and voLTE is not supported on all devices and also suffers separate outages. GSM is needed in those situations as fallback.
Operators would prefer to not have customers complain about outages due to accidentally having GSM turned off. So many phones don't have the option to disable.... though I'd argue now with low band LTE, the footprint is becoming larger than GSM.
I would expect Apple to whitelist 'disable 2G' option sometime in the future for AT&T sims. If not just disabling it outright (unless gov pressure gets in the way)
EDIT: as noted below, some manufacturers/OS you can set 3G only. Android is pokey about it on some devices. With Blackberry 10, I have the option to change network generations on T-Mobile, but not if I put an AT&T sim in.
You have to remember that GSM, which provides fall back for most providers, was framed as a standard in Europe in the 90s. So when you wonder "why is this so insecure?", the answer is not naivete on the designers' parts.
But the conceit that cell towers are 'badly disguised' is incorrect; the goal is not to successfully hide, but simply to meet the much lower bar of obscuring a non-conforming shape in the environment, so that it doesn't trigger human perceptual interest.
You don't put duplicitously palm fronds on a tower to hide it; you put them so that someone scanning the cityscape from a mile away is not distracted by the utilitarian tower.
> Masquerading as a regular cellular service provider, Stealth Cell Tower surreptitiously catches phones and sends them SMSs written to appear they are from someone that knows the recipient. It does this without needing to know any phone numbers.
Pretty witty, but how does this work? Does it wait for the user to send a message and snoop?
That doesn't explain how the SMS message comes from someone the user knows. I would assume (and I think this is what GP was getting at) that the fake tower snoops on outgoing messages in order to collect numbers that the user has in their address book, and then spoofs a message from that number?
> SMSs written to appear they are from someone that knows the recipient
I don't think this means they are sent from numbers known to the recipient. Only that the content is written such that it appears to be from someone who knows the recipient.
It's called USSD, there's a short list on Wikipedia. A lot of them are carrier dependant, and some carrier models of certain handsets will block some codes.
Not the OP, but I remember these codes from my first phone, a Nokia 5110.
In addition to the already mentioned code of [STAR]3001#12345# there is also [STAR]#06# which will show your IMEI.
There were plenty of others (including spelling out 'WARRANTY' to get the manufacture date of the phone) but I forgot most of them.
Interestingly, on the iPhone, dialling anything of the format [STAR]# ...anything... # will cause the screen to go grey as if a separate app, then after a short delay tell you that your code was invalid.
This is good advice, but I'd like to point out that you could avoid the surveillance revealed in this project by simply using anything other than default SMS.
Would be interesting to deploy an app that can send encrypted/signed SMS. It would likely spike your messaging bill thought, as fitting all that in 140 would be hard, resulting in multiple SMSs going out pr message sent.
It was done before. See Signal's predecessor, Textsecure (before they added Signal protocol, pre-2.7.0).
If I recall it limited encrypted messages to 60 characters before splitting. It was also annoying in that you needed to initiate an OTR handshake to start messaging.
That handshake, or the initial exchange of public keys, is the one thing that seems to stymie general adoption of encryption for personal communication.
Current Signal fortunately doesn't make this apparent to the end user, it's install and go message whomever advertises support.
I'm ditching Pidgin-OTR today actually because of the OTR usability issues needing to handshake on every laptop restart. Will be going over to bitlbee terminating OTR on a server and then accessing my ZNC supporting push through TLS. Much less jarring.
OMEMO would be better than OTR for this, but not much supports it yet.
If only there was some robust, open, mature protocol supported by every device on the planet that supported encrypted sessions using an open, mature form of encryption.
Don't use a phone then. Identifying information is being collected and stored by the carrier for at least a month, which can then be handed to regular law enforcement upon subpoena. Federal level likely doesn't even need due process.
I'm not talking about carriers identifying you, I'm talking about people intercepting your IMEI and phone number and being able to uniquely identify you wherever you go. People have been drone strike'd based on the location of their phones.
Carriers being awful is a separate problem. My annoyance rests with the 2G protocol being awful.
I get that, and carriers are definitely stupid. But preventing people from gaining SS7 access is much easier than fixing a broken protocol in use by many devices. Blocking SS7 access is something carriers can do. Fixing 2G is just not possible, and anyone can break it, right at this very moment, with a tiny bit of hardware.
> Rather than confirming a target’s identity with operatives or informants on the ground, the CIA or the U.S. military then orders a strike based on the activity and location of the mobile phone a person is believed to be using.
You are right. This is very disturbing. I guess they do this a lot in Northern Pakistan / Waziristan area in the tribal lands and mountains? What if the Terrorist read stories like this, and gave their cell phone to mules who then get killed?
My father's family (he grew up in India in Bombay) got split in half during the Partition of India and Pakistan when the Brits left India. No wonder there is so much rage and anti-american sentiment in Pakistan (my Pakistani relatives complaint all the time on Skype)
So do cell phones automatically connect to the strongest 2G cell tower? Aren't they filtering for cell towers that only belong to their respective carrier?
The SIM includes a list of preferred and forbidden networks, but I'd guess if a non-preferred, non-forbidden network is significantly stronger than a preferred network, the phone would ask if it could connect.
Also, the fake tower could just claim to be networks that are commonly preferred.
The unlocked phones I've used can be put into auto mode (strongest signal, I guess?) or preference mode. Carrier locked phones do not switch to other providers unless there's no service. Then it'll switch over to another carrier but only allow emergency calls (911 in NA). I'm not sure what type of handshakes/communications happen in the background
2G is an open standard, and I'd imagine it's not hard to find a lecture deck about how 2G handshake and session establishment. But to briefly guide your inquiry, I recommend looking up CRO and C1/C2 criteria.
In the same vein as Reddit's ELI5 (Explain Like I'm 5) For Us Laymen (FUL) on this topic, why can't Apple/Google currently default to a Full dropdown to 2G and give the option for by choice users to never allow dropdown to 2G (or 3G/4G) at the OS Level?
Is there a legal mandate (911 Surface Area increase), a hardware impasse (phones physically can't) or is it a company decision to not allow (for whatever reason)?
Perhaps a temporary fix might be to have a on-board verifiable hash map of cell tower addresses by location. Either that, or a way to block 2G on the device.
Well, that was entirely pointless. The meat of the post (the photos of disguised cell towers) would have been exactly as relevant and impactful without that pre-pubescent "hacking". (ooh! we can run six year old software (an openbts fork) on a raspberry pi! we are so cool!)
Art is one of the tools we use in society to alert each other about issues, i.e. social commentary. The point is, that it's rhetorical so you may be having a reaction that "Yes, I already know this", because you are working from a privileged position of knowledge inside the system being commented on.
Some fairly well-known examples of art as commentary:
Given that today we live surrounded by technology, it's not surprising that artists will use that technology to comment about and around our lives, particularly to announce to those outside the sphere of technology how networks, appliances and technological actions actually are affecting their lives.
Honestly this is a great piece of workmanship, having integrated the necessary equipment into something completely innocuous that does generally get ignored or overlooked. And the fact that the printer still works with this extra hardware, is a testament to how little you can assume any piece of equipment is safe/unmodified. Interfacing the cell interception with the printer is just gravy, a real undercover device wouldn't do that, but it's neat.
The disguised cell towers aren't "the meat", they're, as described in the post, just "conceptual background". Possibly irrelevant background, as they really aren't intended to be secret surveillance devices in those cases.
That's not why it's good, that's why it exists in that state. A lot of people don't know about stuff like this and won't want to trudge through a heavy technical post.
But send them a fake SMS and maybe they'll start listening.
