DiscoveringandTriangulatingRogueCellTowers

EricEscobar,PESecurityEngineer

Whatisaroguecelltower?• Adevicecreatedbygovernmentsorhackersthathastheability

totrickyourphoneintothinkingit’sarealcellphonetower.

• AlsoknownasIMSIcatchers,interceptors,cell-sitesimulators,Stingrays,andprobablyafewmore.

• Roguecelltowershavetheabilitytocollectinformation aboutyouindirectlythroughmetadata (calllength,dialednumbers)

• Insomeconditionscancollectcontentofmessages, calls,anddata.

Howarecellsimulatorsusedtoday?AtHome(IntheUnitedStates):• IMSI-catchersareusedbyUSlawenforcementagenciestohelp

locate,track,andcollectdataonsuspects.

• ACLUhasidentified66agenciesand24statesthatownstingrays.• UsedtomonitordemonstrationsintheUS

• UsedinChicagopoliticalprotests

• It’spossibletomakeanIMSI-catcherathome• DEFCON18:PracticalCellphoneSpying - ChrisPaget

Howarecellsimulatorsusedtoday?Abroad:• ReporteduseinIreland,UK,China,Germany,Norway,

SouthAfrica

• Chinesespammerswerecaughtsendingspamandphishingmessages.

• Usedbygovernmentsandcorporationsalike.

What’stheIMSIin“IMSI-catcher”?• IMSIstandsforInternationalMobileSubscriberIdentity.• Isusedasameansofidentifyingadeviceonthecellnetwork.

• Typically15digitslong

• Containsgeneralinformationaboutyoudevice(Country&Carrier)• MobileCountryCode– MCC

• MobileNetworkCode– MNC• MobileSubscription IdentificationNumber– MSIN

What’sanIMSI?

IMSI=Uniqueidentifiertoyourdevice

SampleIMSI:

310 26 0123456789MCC MNC MSIN

USA AT&T UniqueIdentifier

Why you should care?• Yourphonewillconnectautomaticallytocellsitesimulators.• Thievescanstealyourpersonalinformation.

• Hacker’scantrackwhereyougo,whoyou’retalkingto,andgraballsortsofotherdataaboutyou.

• Yourdigitallifecanbesniffedoutoftheairbyanyonewithsometechnicalchops,andalaptop.

• Yourcompanycouldbeleaking tradesecrets.

• Yourprivacyisatrisk.

Whybuildadetector?• TherearesomegreatappsforAndroidphonesandthathavethe

abilitytodetectcelltoweranomalies.

• Youneedspecificphonemodels&rootforthistowork

• Iwantedadevicethatmetthefollowingconditions:• Cheap~$50/device

• Iwantedtosetitandforgetit.• Iwantedtobealertedtoanyanomalies.

• Iwantedtheabilitytonetworkmultipledevicestogether.

Howdoyoudetectaroguecelltower?• Everycelltower(BaseTransceiverStation,BTS)beaconsout

informationabout itself

• ARFCN– Absoluteradiofrequencychannelnumber

• MCC– MobileCountryCode• MNC– MobileNetworkCode

• CellID– Unique identifier(withinalargearea)• LAC– Locationareacode

• Txp – Transmitpowermaximum

• Neighboring cells

Howdoyoudetectaroguecelltower?• Typicallythesevaluesremainconstant:

• ARFCN– Absoluteradiofrequencychannelnumber

• MCC– MobileCountryCode

• MNC– MobileNetworkCode• CellID– Unique identifier(withinalargearea)

• LAC– Locationareacode• Txp – Transmitpowermaximum

• Neighboring cells

• Powerlevel

Howdoyoudetectaroguecelltower?• Ifvaluesdeviatefromwhat’sexpecteditcanmeanthatthereis

maintenancetakingplace.

• Itcanmeanchangesarebeingmadetothenetwork.

• Itcouldalsomeanthatthereisaroguecelltowerisnearby!• Theideaistogetabaselineofyourcellularneighborhood overa

periodoftime.• Itwouldbelikekeepinganeyeonthecarsthatcomeinandout

ofyourneighborhood, afterawhileyoubegintoknowwhichdoesn’tbelong.

Howdoyoudetectaroguecelltower?• Examples:

• Anewtower(UnknownCellID),hightransmissionpower

• Mobilecountrycodemismatch

• Mobilenetworkcodemismatch• Frequencychange

• LocationAreaCodemismatch

Howdoyoulocateatower?• Combineuniquecelltowerdata,receivepower,and location.• Onedetectorcanbemovedaround withanonboardGPS

• Readingsofuniquetoweridentifiers,powerlevelandGPScoordinatesallowforasingledetectortocreateamap.

• Somemath,opensourceGISsoftware,andprettycolorscanapproximatelocationsoftowersorpossibleroguetowers

Howdoyoulocateatower?

Howdoyoulocateatower?• Multipledetectorswithknownlocationsallowfortrilaterationof

thesuspectedroguetower.

• Receivepoweranddistancearenotinverselyproportional

• Regressionformulaswererequiredtobecalculatedinordertofinetunetheresults.

• Lessaccuratebutstillprettygood

Howdoyoulocateatower?

What’sthebuild?• RaspberryPi3,poweradapter,SDcard(runningstockRaspbian)• SIM900GSMModule

• SerialGPSmodule

• TVtunersoftwaredefined radio• Scrapwood&hotglue

Braceyourself…thisisquiteliterallyahack.

SIM900CellModule

Scrap wood& hot glue

Raspberry Pi

GPSModule

SerialtoUSB

Softwaredefinedradio(USBTVTuner)

SIM900• SIM900Engineeringmode

• Seventowerswiththehighestsignal

• Givesyouatonofinformationvia

aserialconnection• NoSIMcardisrequiredfor

engineeringmode

GPSSerial• Adafruit UltimateGPSmodule

• Fixespositionquickly.

• Good indoorreception

• Worksexactlyhowyouwouldexpect

RaspberryPi3• StockRaspbian OS(debian forpi)

• Pi3hasenoughpowertorunaSDR

• HasfourUSBportsforserialadapters• EasilypoweredbyaUSBbatterypack

• $20Softwaredefinedradio

• Widerangeoffrequencies

• Github:Gr-Gsm• CanlistentorawGSMtraffic

• Seealltherawframes• Notnecessaryforlocatingcelltowers

• Providesdeeperinsights

TVTuner

Datacollection:• Everythingdumps toaSQLitedatabase forlateruse

Questions?