As it turns out, you do not even need cell site simulators / false base stations to do IMSI catching.
In my research, I developed a technique to attack a phone with low power from km away, without being able to be detected at all with traditional tools like SeaGlass or Crocodile Hunter. It's published here and works against production LTE networks, no downgrade attacks whatsoever necessary: https://dl.acm.org/doi/10.1145/3495243.3560525
Here's something I've never understood about these: as devices that transmit on FCC-licensed bands, wouldn't each use of these require specific permission from the FCC? Especially for state level law enforcement and state courts, they wouldn't have the authority to authorize this without the federal government saying it's OK.
That's a question shared by several US senators [0]. Ron Wyden sent a similar letter in 2018, which received a response from an assistant attorney general, not the FCC [1].
> The FCC's involvement in cell site simulators began years ago when it first approved commercial sales to law enforcement. Documents disclosed under FOIA show that the company that sells Stingrays had local police departments lobby the FCC close to ten years ago for approval.
Last I looked at this the FCC had issued an exception to the normal rules against intentional interference. The resulting license is based on the idea that the devices will only be used under emergency conditions. Presumably the operators of the devices are having lots of emergencies.
I think the problem here is that the federal law against intentional interference is quite definite. So this is the best loophole that the FCC could come up with.
I don't think they need to transmit beyond the bait phone making standard connections.
Also there are apps for scanning and tracking cell tower strength and mass-logging GPS data. I think that data could be the input to their detector... don't need a trunk full of HW.
Yes, there are (e.g. wigle.net, mostly based around wifi, but also scans cell towers), but the data is very noisy, since every phone is different and everyone wears it differently (if you wear it higher, in a shirt pocket, you'll get higher signal levels than if you carry it in a pants pocket, or in your hand, or if you have an old iPhone, if you're holding it in your left hand instead of the right).
Would anyone who downvoted this please explain why they think this system needs any special permission from the FCC? Afaict, it's simply monitoring the interactions of its bait phone with towers.
Probably downvoting your comment about not needing a trunk full of hardware.
“These sensors have advantages over phones because they can contain specialized cellular scanning equipment and external antennas for farther reception ranges. While phone apps can see limited information on the tower currently connected to, our sensors scan the spectrum to measure hundreds of channels at a time and dozens of broadcast properties.”
So there is an advantage over using a regular cell phone and an app.
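The kind of check a bait-phone or scanner-based detector runs over its logs, as an added example that is not part of the original thread and not code from the SeaGlass or Crocodile Hunter projects. It assumes a constructed baseline survey of cells normally seen at a location and a constructed scan log in CSV form; the column names, the 20 dB margin and the flag names are hypothetical choices for illustration. It flags a cell that was never seen before, that advertises a location area (LAC) unknown for that operator, that is far stronger than anything in the baseline, or that assigned the bait phone the A5/0 null cipher.

```python
import csv
from dataclasses import dataclass
from io import StringIO

# Constructed baseline survey (hypothetical data): cells seen repeatedly at
# this location on earlier passes, with their typical signal level in dBm.
BASELINE_CSV = """mcc,mnc,lac,cid,arfcn,rssi
310,410,7012,23401,128,-81
310,410,7012,23402,130,-87
310,410,7012,23403,132,-93
"""

# Constructed scan log (hypothetical data) from one pass through the same area.
# "cipher" is the algorithm the bait phone was assigned when it attached to that
# cell; a passive scanner cannot see this for other people's connections.
SCAN_CSV = """ts,mcc,mnc,lac,cid,arfcn,rssi,cipher
1700000000,310,410,7012,23401,128,-80,A5/3
1700000005,310,410,7012,23402,130,-88,A5/3
1700000010,310,410,9001,65000,128,-52,A5/0
1700000015,310,410,7012,23403,132,-94,A5/3
"""

# A new cell this much stronger than the strongest known cell is suspicious:
# a fake base station wants to win cell reselection. Tune per site, since
# handset placement alone moves readings by several dB.
RSSI_MARGIN_DB = 20


@dataclass(frozen=True)
class CellId:
    mcc: int
    mnc: int
    lac: int
    cid: int


@dataclass
class Observation:
    ts: int
    cell: CellId
    arfcn: int
    rssi: int
    cipher: str


def _cell(row):
    return CellId(int(row["mcc"]), int(row["mnc"]), int(row["lac"]), int(row["cid"]))


def load_baseline(text):
    """Map each known cell to its typical RSSI (dBm)."""
    return {_cell(r): int(r["rssi"]) for r in csv.DictReader(StringIO(text))}


def load_scan(text):
    return [
        Observation(int(r["ts"]), _cell(r), int(r["arfcn"]), int(r["rssi"]), r["cipher"])
        for r in csv.DictReader(StringIO(text))
    ]


def analyse(observations, known):
    """Return one finding per observation that trips at least one heuristic."""
    known_lacs = {}
    for c in known:
        known_lacs.setdefault((c.mcc, c.mnc), set()).add(c.lac)
    strongest_known = max(known.values())

    findings = []
    for o in observations:
        flags = []
        if o.cell not in known:
            flags.append("unknown_cell")
        if o.cell.lac not in known_lacs.get((o.cell.mcc, o.cell.mnc), set()):
            # A fresh LAC forces every phone in range to do a location update,
            # which is exactly when an IMSI is handed over.
            flags.append("new_lac")
        if o.rssi - strongest_known >= RSSI_MARGIN_DB:
            flags.append("rssi_outlier")
        if o.cipher == "A5/0":
            flags.append("null_cipher")
        if flags:
            findings.append({"ts": o.ts, "cell": o.cell, "rssi": o.rssi, "flags": flags})
    return findings


if __name__ == "__main__":
    for f in analyse(load_scan(SCAN_CSV), load_baseline(BASELINE_CSV)):
        print(f["ts"], f["cell"], f["rssi"], ",".join(f["flags"]))
```

A single flag is weak evidence: a legitimate cell on wheels brought in for an event shows up as `unknown_cell`, and the signal-level test is only as good as the baseline, which is why a fixed sensor with an external antenna gives cleaner data than a phone in a pocket. Several flags on the same cell, especially `null_cipher` together with `new_lac`, are what a practitioner would actually go and look at.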
If I read the results correctly, weird to see a potential cell-catcher at the US Immigration center. Could this reasonably be interpreted as "someone is sniffing immigrants' cell traffic" .. gathering intelligence about potential candidates for immigration?
Just a wild guess, but if I were trying to find illegal immigrants, seeding a social graph with legal immigrants might be a good place to start. (This comment is in no way an endorsement of the methods or goals of ICE.)
I did my green card interviews and got my citizenship in that USCIS building, and based on what I observed first hand in the waiting room, I'm not entirely surprised they are monitoring cell phones in the area.
During the "migrant waves" a few years ago (2015+, when Angela Merkel invited them, then left most of them "outside"), our telcos actually gave out free SIM cards with a few gigs of data traffic as a "gift" to migrants, and there was a lot of complaining since no one figured out that those can be used for tracking those people, both in my country and also other EU countries, wherever they went legally or not.
Weird? Sorry, but the US intelligence services are collecting _everything_ they can get their hands on. Of course they'll collect data from immigrants.
Does this still work against current cell networks, is it a downgrade attack to 2g or are there other holes in how the network authenticates itself to the phone?
Thank you for noticing. I am always trying to explain to vehicle dwellers, off the grid users, and housed people who have solar how DC -> DC rather than DC -> AC -> DC is the way to go, but people can't seem to understand beyond the AC that they get in a usual house from the energy company.
Any efficient “DC to DC” converter is going to invert DC to AC as step one. If you need different dc voltages, an inverter coupled with various ac-dc power supplies in low power applications is perfectly fine.
I was going to mention that but you beat me to it... The power distribution is not very efficient, but hey, if it's stupid and it works, then it's not stupid.
The "works" part of the phrase does a lot of heavy lifting. Things can "work" in one dimension/context and fail in others. Stupid things can also "work" in several dimensions/contexts as well as smarter solutions.
> Leaded gasoline worked, but it was so stupid it actively made people stupid.
Yeah and airborne nickel causes cystic fibrosis with the highest concentrations found in the home in built up areas, blown in like dust, and inhaled Methylcyclopentadienyl manganese tricarbonyl causes but doesn't cause Parkinson's.
Surprising what the scientists can find but won't put their names to it.
To be fair, the conversion to AC to go through a transformer on each wart imparts a decent amount of isolation on the voltage supply side.
Does that actually matter? Probably not, but I find the comparison to Docker apropos. Sometimes it's just easier to add/keep abstraction/isolation simply on the small off chance that its lack does get in your way, as long as that abstraction/isolation itself doesn't get too much in your way.
Yeah. I went down the rabbit hole of ways to remove most of those components but I guess it’s easy to instruct others on how to setup.
Hotspots often support the NMEA GPS protocol to use them as a GPS receiver. All those devices could be powered more efficiently with a DC to DC power supply.
> There are some cases where legitimate cell towers will be moved to deal with a temporary increase in demand, like a sporting event, but this is relatively uncommon.
My understanding is these are quite commonly used for concerts, sporting events etc., Vodafone called them COWS (Cell site on wheels).
Anecdotally when the Vodafone CEO of the time came to visit NZ, some lackeys were charged with staying physically close behind him with a COW so he would always see good reception.
One brand of these is "Funklochstopfer", which extended the Telekom network at this year's Chaos Communication Camp (maybe also Eventphone, but not O2, apparently).
An international mobile subscriber identity-catcher, or IMSI-catcher, is a telephone eavesdropping device used for intercepting mobile phone traffic and tracking location data of mobile phone users. Essentially a "fake" mobile tower acting between the target mobile phone and the service provider's real towers, it is considered a man-in-the-middle (MITM) attack.
"GSM phones authenticate to the tower, but the tower doesn't authenticate back. This means that anyone can create a 'fake' tower that your phone will connect to. The major problem here is that in GSM, the tower gets to pick the encryption algorithm! That means your attacker can simply turn encryption off (by setting encryption 'algorithm' A5/0) and simply route the cleartext data itself. In theory your phone is supposed to alert you to this kind of attack, but the SIM chip contains a bit that can de-activate the warning. And (as researcher Chris Paget discovered) carriers often set this bit."
Along with the sibling comment, there are also protocol downgrade attacks analogous to what HSTS prevents in HTTP/S. IIRC these require active jamming, but if you're .gov who cares. This is a reason why security-conscious OSes like Graphene allow explicitly disabling older protocols.
I always figure that the times when I have 3 bars and yet zero internet are when local LEO is using a stingray. You would think cell providers would sue over the disruption of their service.
/I am mostly clue free about this stuff so this post might include erroneous assumptions
Check if your phone has dropped to 2G. It is rare to find a location which only has 2G coverage but when it happens while voice/sms works OK data speed drops to almost zero.