Some version of these went up all over Philadelphia when the Pope came to town and they turned the city into a giant TSA checkpoint, replete with National Guard troops.
The Pope left.
The boxes stayed.
Edit: here's one of several pics I took: (see edit 2 below for link) anyone recognize it? Interestingly enough, the nuclear and chemical detection boxes were labeled...
That's a DAS, not a cell site simulator. Google image search for "Philadelphia distributed antenna system" and see related articles on things that look the same.
Oh, cool. Well, thanks for that. That's just one of several random things around, but seriously the chemical weapon detectors were labelled and chained to a pole. That was funny. :)
EDIT: Thanks! I would really be interested in a crowdsourced wiki-style database of these. If nothing else, submit them to Wikimedia commons with coordinates.
Since OpenBTS launched 6 years ago they haven't been secret. All you need is a backpack with an Ettus USRP1, a handful of D batteries, and a laptop. Walk into any Starbucks, connect your laptop to the wifi and then SIP through Google and voila, you can snoop on everything and no one has any clue.
I believe the majority of Hacker News readers could run OpenBTS on an Ettus as a weekend project, provided they had a little systems programming experience. I think the greater problem is expense: an Ettus USRP is into the 4 figures, although you could probably make something similar with the HackRF. [1]
OpenBTS and YateBTS need a full-duplex radio to function. So far only Ettus radios and bladeRFs [1] have those capabilities. The bladeRF is also the cheapest option, costing in the low 3 figures (with coupon code HKRNWS). Full disclosure, I make the bladeRF.
Cellphones are half duplex but the basestation is generally full duplex. A half-duplex basestation could probably handle no more than one cellphone. OpenBTS and YateBTS, as well as most commercial basestations, have design patterns that require tight timing capabilities that in turn lend themselves to running on full-duplex basestations.
I've only worked with GSM, not anything newer, but the phone is assigned a timeslot in a repeating frame, and the uplink and downlink timeslots are offset so that the phone doesn't have to transmit and receive at the same time. As I understand it, that makes the antenna and amplifier design much simpler.
Although now that I've said that, I don't recall what happens when it's using multiple channels for packet data.
True for 2G, but for 3G and 4G most deployments are using full duplex (FDD), where reception and transmission can happen concurrently and use different frequencies.
The only exception for 3G is China with its TD-SCDMA standard. Everywhere else, 3G is FDD.
For 4G, there is a TDD variant. It's mostly used in China and on some specific high bands (2.3/2.5 GHz around Wifi, 3.5 GHz). But in western countries, when one uses 4G it's FDD.
I'm not danellis and I'm not skilled in signals processing, but assuming LTE is multiplexed with TDD, yes. The radio is switched throughout time between receiving and transmission. See https://en.wikipedia.org/wiki/Duplex_%28telecommunications%2... for how TDD works.
TL;DR: Basically describing an off-the-shelf Stingray.
OpenBTS is basically an open-source cell phone tower software stack.
Your phone supports older protocols for backwards compatibility as you roam. You can instruct your tower to broadcast on an older protocol, like 2G. 2G has this hilarious design flaw that the tower tells the cellphone which tower has the strongest signal. So you claim that you have super amazing signal. 2G's cryptography is broken wide open, worse than DES. So this little cell tower running on a laptop and a digital radio system has just MITM'd your phone (and everyone else's) whose network it is impersonating.
I expect/assume this is the general design (with hopefully significant refinement) of most Stingray devices.
Since digital, handsets validate the tower they are talking to; this info is stored on the SIM or device depending on model. So to intercept 2G, there is some work.
See https://youtu.be/DU8hg4FTm0g
I'm not sure if this was your point or not, but we can't really trust any handset without an open baseband, which none of the handsets we use today have. As long as we're stuck with proprietary blobs and their secrecy, we can't trust what's in them.
Given the technical skill shown in some of the Snowden leaks, it seems to be all but a given that these blobs are compromised from the factory by three-letter agencies. It's somewhat amusing watching the overt rhetoric of the FBI "crypto war" when the majority of even technical people make far less of a fuss over covert exploitation, which has the dual benefits of being pretty much ubiquitous and plausibly deniable. One NSL to Intel and Qualcomm, or better yet, one call to an executive with the loyalty of a few "patriotic" employees, the secret is safe, and everyone is pwned by default.
It is basically impossible to use a modern computing stack without trusting someone's proprietary blob, and the general population has little to no care about attacks at a level that they really don't understand. That's probably why all the press is on this crypto rhetoric to begin with.
>It's somewhat amusing watching the overt rhetoric of the FBI "crypto war" when the majority of even technical people make far less of a fuss over covert exploitation, which has the dual benefits of being pretty much ubiquitous and plausibly deniable.
Sounds like what John Young said today on the cypherpunks mailing list[0], and something I don't see the public nor all the actors involved in this "crypto c̶i̶r̶c̶u̶s̶ war" shedding light on soon:
"Kill metadata and other crypto-issue-overdone diversions.
Metadata and other crypto-workarounds resulted from the
crypto wars of the 1990s which were bragged to be won
rather than faked out.
The fake-out was orchestrated by some of the very same
crypto warriors claiming to be against gov-controlled crypto.
A way to identify them is to note who rose to prominence and
wealth in crypto com-edu-org. Still at it, ratcheting up the need
for ever more crypto, acknowledging the workarounds but, but,
but: Let's Encrypt, HTTPS-HTS everywhere, secure drops,
freedom of the press and courage foundations, Snowden
talks and tweets, FISC amicus curiae, POTUS and TLA advisories,
industry lobbyists, dual hats riding the crypto gravy train and
more likely, the subway out of sight.
The money and prestige to be gained by working all sides of
the crypto phony war is, as Greenwald crows of Omidyar's $250M
bribe, irresistible."
Could this be mitigated with an Android patch that disables 2G entirely? There can be a switch in Settings to re-enable it (e.g. when travelling to a country with an old network), but by default your phone should not be so vulnerable.
Cell phones have SIM cards with an ID and a secret key. Cell service providers have a database of these SIM associations. Cell phones encrypt IP packets in their entirety with the symmetric key and send it as the payload of some cell protocol packet that might expose my ID, if anything. Assuming the cell provider is secure and not on the dark side, this is the safest part of my packet's trip.
I don't understand how a cell-site simulator could see what websites I visit, much less the messages I send, without knowing my key. And it's not like one could trick my phone into thinking it's the actual cell site, because it won't be able to respond to my transmission with a message that my key can decrypt.
FBI: "Hey, cellular provider, give us the secret key and ID for X."
Provider: "Sure thing, just one moment." ... "Here you go."
---
Or, if your provider has a bit of a spine:
FBI: "Hey, cellular provider, give us the secret key and ID for X."
Provider: "Got a warrant?"
FBI: "No problem, give us half an hour to call our go-to judge." / "No, but here's an NSL."
2G ruins everything. It is effectively wide-open now and handsets will connect to the strongest connection. This is one of the oldest problems in cryptography. It doesn't matter how great the latest and greatest is so long as the old broken standard is still widely used and supported.
Until you can purchase a phone that is not compatible with 2G, you will always be at risk of fallback attacks.
It works sort of like what you are describing in 3G & 4G networks.
So to answer your question: You are missing phones that don't work on 2G (unless there is a function to disable it in a user-unfriendly engineering menu).
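The exchange described in this sub-thread, written out as an added example (not code from the thread or from any of the projects mentioned): in GSM only the network challenges the phone, so a base station that does not know the SIM key can still accept the attach and switch ciphering off (A5/0); in 3G/4G AKA the network's challenge carries an AUTN token whose MAC is computed with the shared key, so the phone can reject an impostor. The real SIM algorithms (COMP128, Milenage) are replaced here by HMAC-SHA256 as a labelled stand-in, and the key and message layout are constructed for the example; the asymmetry between the two flows is the real one.

```python
"""Why a 2G fake base station is accepted but a 3G/4G one is rejected.

Added example; HMAC-SHA256 stands in for the SIM's A3/A8 and Milenage
f1/f2/f5 functions (assumption), the key K is constructed.
"""
import hashlib
import hmac
import os

K = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed SIM key


def f_auth(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Stand-in for the SIM's keyed one-way functions (assumption)."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


class Network:
    """Legit network (k = SIM key) or rogue base station (k = None)."""

    def __init__(self, k, cipher="A5/3"):
        self.k = k
        self.cipher = cipher  # rogue chooses A5/0 = no encryption
        self.sqn = 0

    # --- GSM: one-way authentication -----------------------------------
    def gsm_challenge(self) -> bytes:
        self.rand = os.urandom(16)
        return self.rand

    def gsm_response(self, sres: bytes) -> None:
        pass  # a rogue cannot verify SRES, and does not need to

    def cipher_mode(self) -> str:
        return self.cipher  # the network alone decides the cipher

    # --- UMTS/LTE AKA: mutual authentication ---------------------------
    def umts_challenge(self):
        self.rand = os.urandom(16)
        self.sqn += 1
        sqn = self.sqn.to_bytes(6, "big")
        amf = b"\x80\x00"
        key = self.k if self.k is not None else os.urandom(16)  # rogue must guess
        ak = f_auth(key, b"f5", self.rand)[:6]
        mac = f_auth(key, b"f1", sqn, self.rand, amf)[:8]
        autn = bytes(a ^ b for a, b in zip(sqn, ak)) + amf + mac
        return self.rand, autn

    def umts_response(self, res: bytes) -> None:
        pass


class Phone:
    def __init__(self, k: bytes):
        self.k = k
        self.log = []

    def gsm_attach(self, net: Network) -> bool:
        rand = net.gsm_challenge()
        net.gsm_response(f_auth(self.k, b"A3", rand)[:4])  # SRES
        self.log.append(("gsm", net.cipher_mode()))
        return True  # nothing in the protocol lets the phone refuse

    def umts_attach(self, net: Network) -> bool:
        rand, autn = net.umts_challenge()
        sqn_xor_ak, amf, mac = autn[:6], autn[6:8], autn[8:16]
        ak = f_auth(self.k, b"f5", rand)[:6]
        sqn = bytes(a ^ b for a, b in zip(sqn_xor_ak, ak))
        expected = f_auth(self.k, b"f1", sqn, rand, amf)[:8]
        if not hmac.compare_digest(mac, expected):
            self.log.append(("umts", "MAC failure, network rejected"))
            return False
        net.umts_response(f_auth(self.k, b"f2", rand)[:8])  # RES
        self.log.append(("umts", "mutual auth ok"))
        return True


def demo() -> dict:
    legit, rogue, phone = Network(K), Network(None, cipher="A5/0"), Phone(K)
    return {
        "gsm_legit": phone.gsm_attach(legit),
        "gsm_rogue": phone.gsm_attach(rogue),
        "umts_legit": phone.umts_attach(legit),
        "umts_rogue": phone.umts_attach(rogue),
        "log": phone.log,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The GSM attach to the rogue succeeds and ends with cipher `A5/0`, i.e. plaintext; the UMTS attach to the same rogue fails at the MAC check because the rogue cannot compute AUTN without K. This is the mechanism behind the "disable 2G" suggestion above: the fix is not a stronger 2G cipher but a protocol in which the network has to prove possession of the key too.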
These devices do not necessarily have insight into the contents of your communications, their main feature is that they can uniquely identify and locate a phone.
There are apps for detecting these things. Maybe we need an app that plots locations based on anonymized submissions. Also, I wonder if it's possible to distribute blacklists. But I suppose that's buried in the radio firmware.
AIMSICD is very faulty. I did a full code review in my spare time and tests on OpenBTS. It can't detect SilentSMS even if they claim it can. It doesn't detect fake BTSs nor connections using them. You can connect to a fake BTS, make calls, send texts, and it doesn't detect anything suspicious. This project sounds serious, but it doesn't do anything. Moreover it sends data about fake BTSs to a remote service - OpenCellId (they get data about cells from OCID). Recently all of what I say here was proven on their issue board on Github.
This is SecUpwN, the project maintainer of mentioned app. Let me say this: Before discrediting an eager project like ours, RTFM! Obviously you closed your eyes the whole time when doing the "full code review", otherwise you would have read:
Everyone with a pair of eyes is able to clearly see the warnings, disclaimers and statements all over our project that our app is still in ALPHA development. And if you really are a skilled developer and not just a troll wanting to discredit our app in favour of making another one more popular (which I think you actually are), you'd have contributed. But you're just a fake "security researcher", ranting on public sites about an open source project where everyone is invited and very welcome to add a bit to make it better. Next time, please think twice before publishing shit like yours above.
SnoopSnitch only works on specific Qualcomm chipsets. If you want to use IMSI-catcher detectors, make sure it actually works with your specific chipset.
AIMSICD eats a decent amount of battery as it really needs GPS to be useful as a historical data source.
Related: A video I took at blackhat 2013 demo'ing a hacked femtocell intercepting calls. Voice is intercepted before the call even starts. https://vimeo.com/71466006
I worked for a picocell/femtocell company a few years ago, and when I started I had to get up to speed on GSM protocols. I remember thinking at the time something along the lines of, "Connecting the call and telling your phone to ring are different messages, so if instead of sending the ring, waiting for a pickup, then connecting the call you just connected the call..."
http://www.radiocells.org/ if you want something that's open-source in both software and data. You can download the whole database of wifis and cells from radiocells.
I wonder if it would be possible to take the idea of certificate authorities and apply it to cell phone towers. Basically, each cell tower company would be a CA, and could generate a certificate for each cell tower. Major cell tower companies could then be trusted by other CAs, and cell phones could have a store of trusted CAs. Then, when a cell phone attempts to connect to a tower, a check is made to verify that the tower is trusted by a trusted CA. This way, a user could (at least maybe) revoke a certificate from a CA that has trusted a group that has set up a cell site simulator.
My knowledge of PKI is pretty shaky. Does anyone know if something like this would work and/or be an improvement?
The SIM card in your phone is, basically, a smartcard. The private/public keypair on the SIM is how your phone authenticates to the cellular network.
Is what you're asking technically possible? Sure. What motivation do the cellular companies have to implement it, though? They are currently satisfied with the level of security already offered and to do what you are asking would cost a not-insignificant amount of money with little or no return (for them).
Is there any way to re-engineer infrastructure so that all cell-sites cryptographically identify themselves so that cellular devices can verify the identity of a cell-site before identifying itself to the cell-site?
You could, sure... if you could modify the software running on your phone. Since you can't, it's only possible for the (either hardware or software) manufacturer to build in that feature, and I'm not sure they have any compelling reason to give the user that option. (It's entirely possible that this option is available on some phones but I really have no idea, I haven't used anything other than an iPhone for several years.)
I can see how it can be creepy, however my house was burglarized recently, and I would have loved to have a device that could catch the IMSI of all the mobiles in my flat at that time. I can't really do anything with the IMSIs myself but I could give them to the police after a burglary, like a CCTV tape.
Much easier just to log whatever SSIDs the phones are broadcasting. My phone currently knows about 20 wifi networks from which I can work out where I live, where I work and where I've been on holiday.
For those that are surprised that your phone is such a snitch: that can be shut off, even at app level. There is Wifi Privacy Police for Android, and probably something similar for iOS.
I actually did just that at work. First of all I had a Raspberry Pi that got all the device names connected to my company wifi (the guy responsible for the network is actually just the janitor, so the wifi is basically the wild west). After a bit of puzzling I knew the MAC addresses of 90% of my closest colleagues' phones. From there it was easy to do the rest. Just set up your own wifi network and monitor SSID broadcasts.
This worked fine until iPhones started randomizing their MAC addresses, but since I know when a certain device appears on our work wifi, I could probably just compare when a scan was made to when a certain device was connected. I just can't be bothered.
The system is still up and running, and now even has a nice web interface that I can access from home.
I'll eventually release it as FLOSS, but I'll have to clean the code quite badly. It only requires guile and nmap, but can probably be ported to something fancier.
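An added example of the kind of analysis the comments above describe (not the poster's guile/nmap tool, and not code from the thread): group probe requests by source MAC to build a per-device list of networks the phone has asked for, and flag MACs that carry the IEEE "locally administered" bit, which is what the randomized addresses mentioned above look like. The log lines are constructed for the example; a probe with an empty SSID is a wildcard probe that reveals no network name.

```python
"""Profile phones from 802.11 probe requests and spot randomized MACs.

Added example with constructed log lines; the line format is an
assumption standing in for whatever a sniffer would emit.
"""
import re
from collections import defaultdict

# Constructed sample: time, source MAC, frame type, requested SSID.
PROBE_LOG = """\
2015-10-08T09:12:03 a4:5e:60:12:34:56 PROBE_REQ ssid=HomeNet
2015-10-08T09:12:04 a4:5e:60:12:34:56 PROBE_REQ ssid=OfficeWifi
2015-10-08T09:12:05 a4:5e:60:12:34:56 PROBE_REQ ssid=HotelBeach
2015-10-08T09:12:07 da:a1:19:0f:4c:9e PROBE_REQ ssid=
2015-10-08T09:12:09 da:a1:19:0f:4c:9e PROBE_REQ ssid=CoffeeShop
2015-10-08T09:13:01 b8:27:eb:aa:bb:cc PROBE_REQ ssid=OfficeWifi
"""

LINE_RE = re.compile(r"^(\S+) ([0-9a-f]{2}(?::[0-9a-f]{2}){5}) PROBE_REQ ssid=(.*)$")


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set => locally administered address.

    Randomized MACs (iOS 8+, Android 6+ probe randomization) set this bit;
    a burned-in vendor address has it clear.
    """
    return bool(int(mac.split(":")[0], 16) & 0x02)


def parse_probes(text: str) -> dict:
    """Return {mac: set(ssids)}; an empty ssid is a wildcard probe."""
    devices = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a probe request
        _, mac, ssid = m.groups()
        devices[mac]  # make sure the device exists even for wildcard probes
        if ssid:
            devices[mac].add(ssid)
    return dict(devices)


def profile(text: str) -> dict:
    """Per device: the SSIDs it asked for and whether its MAC is randomized."""
    return {
        mac: {"ssids": sorted(ssids), "randomized": is_locally_administered(mac)}
        for mac, ssids in parse_probes(text).items()
    }


def shared_ssids(prof: dict, ssid: str) -> list:
    """Devices that probed for the same network, e.g. the office wifi."""
    return sorted(mac for mac, info in prof.items() if ssid in info["ssids"])


if __name__ == "__main__":
    for mac, info in profile(PROBE_LOG).items():
        print(mac, info)
```

The first device hands over three network names, which is the home/work/holiday profile the comment above is talking about. The second uses a locally administered address and so cannot be tied to a vendor or, across sessions, to itself, which is exactly why the poster's tracking broke when iPhones started randomizing; the SSIDs it still names are what remains linkable.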
I was speaking with a friend regarding cellphone jamming, and a question was posed:
Suppose there is a piece of equipment that strictly follows all the relevant cellular protocol specs and can route 911 calls, but drops all other traffic. Is such a system illegal?
I believe your device would need type acceptance by the FCC and, presumably, a valid license to transmit/operate on those frequencies. Otherwise, yes, it would be illegal.
I don't have a citation/reference handy but, if memory serves, it is illegal (in the U.S.) to interfere with any cellular communications.
Is there a quick way to figure out if this is occurring? I've gone into one or two restaurants with their own wifi and my cell connection goes down to 3G.
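As an added example (not from the thread, and not how SnoopSnitch or AIMSICD are implemented), here is the kind of check a detector app can run over the cell information a phone exposes: compare each serving cell against a known-cells database such as the radiocells.org export mentioned above, flag a drop to 2G while the previous 3G/4G cell was still strong, and flag a location area code never seen for that operator. The observations and the "known cells" table are constructed; the thresholds are assumptions.

```python
"""Heuristics over serving-cell observations to spot a likely IMSI catcher.

Added example; KNOWN_CELLS stands in for a downloaded cell database and
OBSERVATIONS for what a phone reports over time. Thresholds are assumptions.
"""

# (mcc, mnc, lac, cid) tuples, constructed stand-in for a radiocells.org dump
KNOWN_CELLS = {
    (310, 260, 7001, 12345),
    (310, 260, 7001, 12346),
    (310, 260, 7002, 22001),
}

# Constructed: a phone on LTE is pulled onto an unknown 2G cell with a
# suspiciously strong signal at t=60.
OBSERVATIONS = [
    {"t": 0,  "rat": "LTE", "mcc": 310, "mnc": 260, "lac": 7001, "cid": 12345, "dbm": -78},
    {"t": 30, "rat": "LTE", "mcc": 310, "mnc": 260, "lac": 7001, "cid": 12346, "dbm": -80},
    {"t": 60, "rat": "GSM", "mcc": 310, "mnc": 260, "lac": 9999, "cid": 31337, "dbm": -51},
    {"t": 90, "rat": "GSM", "mcc": 310, "mnc": 260, "lac": 9999, "cid": 31337, "dbm": -50},
]

RAT_RANK = {"GSM": 2, "UMTS": 3, "LTE": 4}
GOOD_SIGNAL_DBM = -90   # assumption: above this, a real network has no reason to downgrade
TOO_STRONG_DBM = -60    # assumption: handset-level signal typical of a very close transmitter


def analyse(observations, known):
    """Return a list of alert dicts; an empty list means nothing looked off."""
    known_lacs = {(mcc, mnc, lac) for mcc, mnc, lac, _ in known}
    alerts, prev = [], None
    for o in observations:
        cell = (o["mcc"], o["mnc"], o["lac"], o["cid"])
        if cell not in known:
            alerts.append({"t": o["t"], "reason": "cell not in known database", "detail": cell})
        if cell[:3] not in known_lacs:
            alerts.append({"t": o["t"], "reason": "LAC never seen for this operator", "detail": cell[:3]})
        if (prev is not None
                and RAT_RANK[o["rat"]] < RAT_RANK[prev["rat"]]
                and prev["dbm"] > GOOD_SIGNAL_DBM):
            alerts.append({"t": o["t"], "reason": "downgrade to 2G despite good 3G/4G signal",
                           "detail": (prev["rat"], o["rat"], prev["dbm"])})
        if o["dbm"] > TOO_STRONG_DBM:
            alerts.append({"t": o["t"], "reason": "implausibly strong signal", "detail": o["dbm"]})
        prev = o
    return alerts


def alerts_at(alerts, t):
    return [a["reason"] for a in alerts if a["t"] == t]


if __name__ == "__main__":
    for a in analyse(OBSERVATIONS, KNOWN_CELLS):
        print(a)
```

None of these is proof on its own: a newly built tower is also "not in the database", and 2G fallback is normal in a basement. What a practitioner wants is several of them firing together on the same cell, as they do at t=60 here, and a record of the cell IDs so the sighting can be cross-checked against a shared database like the ones proposed earlier in the thread. Whether the phone exposes the ciphering indicator (A5/0 versus A5/1 or A5/3) depends on the baseband, which is the chipset limitation noted above for SnoopSnitch.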
Edit 2: direct photo link: https://s3.amazonaws.com/f.cl.ly/items/1X2f2i1M2P0e0n322r1X/...