
The number of calls made from cell phones every day is absurd.

Let’s just say it exceeds the population of every country where residents have access to cell phones and be done with it.

Maybe that’s not true and maybe it is. The point is – the volume of calls made every day is overwhelming.
Despair is one way to describe my reaction to the news that some cell towers in the United States could be snooping on our calls.

There are 17 bogus cellphone towers operating across the US that could be used to snoop on, and even hijack passing calls, texts and other communications, according to an article published in Popular Science last week.

Location of mystery cell towers

The towers were discovered by defense and law enforcement technology provider ESD America, known for selling secured mobile phones that claim to detect mobile baseband hacking attempts. It also manufactured the CryptoPhone 500, a secured phone built on a modified Galaxy S3, with firewall protection for its baseband chip and end-to-end encryption, running its own custom version of Android OS (minus the vulnerabilities the company says it found and removed).

Les Goldsmith, the CEO of ESD America, used the CryptoPhone 500 to detect 17 phoney cellphone towers around the United States during the month of July. Goldsmith labels fake cell towers “interceptors.” They’re also known as IMSI catchers.

“Interceptor use in the U.S. is much higher than people had anticipated,” he told Popular Science. “One of our customers took a road trip from Florida to North Carolina and he found eight different interceptors on that trip.”

How IMSI catchers work

Cellphones connect to cellular towers with the help of a baseband processor, a chip that controls radio signals transferred between the towers and the phones. Mobile phones seek out radio signals and connect to the nearest cell tower, and each phone has to prove its authenticity to the tower it is connecting to.

That’s where IMSI catchers, which are used by law enforcement agencies, come in: they collect the IMSI identification numbers of the SIM cards used in LTE and GSM phones. Any nearby cell tower, fake or real, logs the device’s IMSI when the phone connects to it.

The communications between the phone and the cellular tower are encrypted, but the tower, not the phone, decides which encryption standard is used, so it can select no encryption at all.

With this strategy, a bogus tower with a stronger signal than nearby towers can force connecting devices to drop encryption. Bogus towers can therefore inject malware by attacking the baseband processor, or relay the outgoing communications to legitimate networks and conduct man-in-the-middle attacks.

Who is behind these phoney towers?

Although the towers were discovered in July, the report implied that more have been operating across the country. As a test, Goldsmith and his team drove by the government facility with one of their handsets, an iPhone and a Galaxy S4.

“As we drove by, the iPhone showed no difference whatsoever. The Samsung Galaxy S4, the call went from 4G to 3G and back to 4G. The CryptoPhone lit up like a Christmas tree,” Goldsmith said.

Warning message from CryptoPhone

The CryptoPhone’s baseband firewall triggered alerts that the phone’s encryption had been switched off and the cellular tower nearby didn’t have a name—a telltale indication of a rogue base station. Standard towers deployed by major carriers will have a name but interceptors are often unnamed.

The tower also forced the CryptoPhone from 4G down to 2G, an old protocol whose traffic is easy to decrypt on the spot. The iPhone and Galaxy S4 gave no indication that they were under the same attack.
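The three warning signs described in the "How IMSI catchers work" section and in the CryptoPhone alerts above (ciphering switched off, a cell that broadcasts no network name, and a forced drop from 4G to 2G) can be checked mechanically. The following is an added example, not code from this article or from ESD America/GSMK; the log format, field names and sample cell values are assumptions constructed for the illustration, not a real baseband interface.

```python
from dataclasses import dataclass

# Cipher values a baseband might report; A5/0 means the network chose no encryption.
NO_CIPHER = {"A5/0", "none"}
RAT_GENERATION = {"LTE": 4, "UMTS": 3, "GSM": 2}

@dataclass
class CellEvent:
    cell_id: str
    network_name: str  # operator name the cell broadcasts; "" if unnamed
    rat: str           # radio access technology: LTE, UMTS or GSM
    cipher: str        # cipher the network selected, e.g. A5/3 or A5/0

# Constructed sample log (assumed format): a phone camped on a normal LTE cell is
# pulled onto an unnamed GSM cell that disables ciphering, then returns to LTE.
SAMPLE_LOG = """
cell=310-260-1001 name=Carrier-A rat=LTE cipher=EEA2
cell=310-260-1001 name=Carrier-A rat=LTE cipher=EEA2
cell=000-000-0042 name= rat=GSM cipher=A5/0
cell=310-260-1001 name=Carrier-A rat=LTE cipher=EEA2
"""

def parse_log(text):
    """Parse 'key=value' tokens from each line into CellEvent records."""
    events = []
    for line in text.strip().splitlines():
        fields = dict(token.split("=", 1) for token in line.split())
        events.append(CellEvent(fields["cell"], fields.get("name", ""),
                                fields["rat"], fields["cipher"]))
    return events

def find_indicators(events):
    """Return (cell_id, reason) for each rogue-cell indicator, in log order."""
    alerts = []
    prev = None
    for ev in events:
        if ev.cipher in NO_CIPHER:
            alerts.append((ev.cell_id, "encryption switched off"))
        if not ev.network_name:
            alerts.append((ev.cell_id, "cell broadcasts no network name"))
        # A drop to 2G from a higher generation is the downgrade the article describes.
        if prev and ev.rat == "GSM" and RAT_GENERATION[prev.rat] > 2:
            alerts.append((ev.cell_id, f"forced downgrade {prev.rat}->{ev.rat}"))
        prev = ev
    return alerts

if __name__ == "__main__":
    for cell, reason in find_indicators(parse_log(SAMPLE_LOG)):
        print(f"ALERT cell {cell}: {reason}")
```

Any one indicator on its own can have a benign cause (a legitimate 2G-only cell, a carrier that has not set a display name), so a practitioner would treat several firing together on the same cell as the signal worth investigating.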

Although it was unclear who these towers belong to, ESD found several of them located near U.S. military bases.

“Whose interceptor is it? Who are they, that’s listening to calls around military bases? Is it just the U.S. military, or are they foreign governments doing it? The point is: we don’t really know whose they are,” said Goldsmith.

It’s not the NSA – the agency can tap any number of calls without requiring bogus towers, VentureBeat said:

Not the NSA, cloud security firm SilverSky CTO/SVP Andrew Jaquith told us. “The NSA doesn’t need a fake tower,” he said. “They can just go to the carrier” to tap your line.

Goldsmith thinks this wasn’t the work of hacker gangs, given the expense involved in accessing some of the locations where the towers are based. The technology is not trivial either. Phones run a separate OS on the baseband processor, a chip acting as the middleman between the cell towers and the device’s OS.

Broadcom, Intel and other popular baseband chip manufacturers keep baseband details under tight control, making it a long stretch for most hackers.

An unnamed American expert speaking to The Register put forward a more casual explanation:

“It is most probable that these sites are to allow coverage to groups of people that are not in a conventional coverage area (such as paying customers in a casino, or military groups),” the source said. “I would suggest that university campus areas may do the same.”

Goldsmith didn’t reveal the GSMK CryptoPhone 500’s price or sales figures, but an MIT Technology Review article puts the retail price of the handset at an eye-watering $3,500.

I don’t see baseband firewall alerts coming to modern handsets anytime soon. So let’s just root for the FCC task force to get to the bottom of these bogus towers, as they really need to find out who is setting them up.

  • kaithe

    So, in essence this story says that someone drove down a road near a military base and their Cryptophone detected a fake cell phone base (even the use of 'tower' is misleading).

    The rest is a bunch of speculation.

    There is so much more we need to know. For instance, did anyone try to triangulate it? What does one look like? Why did the speculation not extend to foreign powers? Surely the FCC would have an interest in tracking these things.

    So many questions, so few answers!

  • Peter Dinklage

    Some phones offer an option to not communicate on 2G networks. Does that help solve this issue for end users?

  • Coyote

    Peter: "Help" not "solve" is the way of putting it. It is basically a safety mechanism that while good, is not a solution by itself. It is just like computer security: it is a many layered thing. Security in general, is this, even (personal security included).

    And kaithe: your suggestions are (rather, "could be") also speculation, if you think about it. Maybe that's all the information available. Maybe not. Usually things that are uncovered do take time before further things are explained (this goes for everything in life). In the end, things usually are revealed as they are discovered, but it might take time (trying to suggest one thing or another is merely speculation as well). And the FCC? Hmm, it depends on your definition of "want", I think. They're not exactly the best with everything, are they? What agency is? Until they report something (or someone claims as such) we cannot really know (guessing is of course possible though).

  • Haseeb Ahmad Ayazi

    Does the CryptoPhone 500 also secure us from the NSA or other security agencies as well?? Because the law enforcement agencies are causing more privacy leakage than the poor hackers.

  • Sergio Brincado

    Great article, I did not know that.

  • I had no idea that there were fake cell towers and that they could hijack calls and texts. That's some scary technology and it makes you wonder if you've ever been spied on before. As more and more cell towers are built to expand coverage, I wonder how many more fake ones will be intertwined with them.