back to article Hold the phone: Mystery fake cell towers spotted slurping comms around Washington DC

The US Department of Homeland Security (DHS) says it has detected strange fake cellphone towers – known as IMSI catchers – in America's capital. These devices, which can masquerade as real phone masts to track people's movements and potentially eavesdrop on calls and texts, represent a real and growing security risk, the …

  1. corestore

    This has been a scandal for years

    What are the telcos doing to secure THEIR networks against such devices?! It's their networks that are being spoofed; they should by now have some secure authentication to ensure that phones ONLY connect to genuine cellphone towers, not Stingray and other devices of that ilk.

    Google, Apple etc. moved quickly to make communications more secure after the Snowden revelations - crypto on by default, end-to-end encryption, crypto on the backbone etc. But what have we heard from the telcos about Stingray? Crickets. Why? El Reg should be asking them hard questions, and being persistent about it!

    1. Ole Juul Silver badge

      Re: This has been a scandal for years

      Their networks indeed. Surely the techs maintaining these networks are aware of the landscape. Perhaps we should be asking them what they're seeing. However, I wouldn't be surprised if the answer is something along the lines of "we're not allowed to talk about that".

      1. Dave 126 Silver badge

        Re: This has been a scandal for years

        This layman's simple approach (though there may be factors in ignorant of):

        - Telcos know where their genuine masts are.

        - Phones know where they are ( GPS, maps of WiFi etc)

        - Phones know roughly where the masts they connect to are (response time)

        If all of the above data is collected it should be trivial to spot spoof masts. To collect the data would just require a good number of handsets to have an app to send connected mast locations to an agency to analyse the data.

    2. ARGO

      Re: This has been a scandal for years

      Networks operate according to the defined mobile standards. 4G (and to a lesser extent 3G) have bidirectional authentication, so your phone knows it is taking to a real network before sharing too much info. But, as the article notes, IMSI catchers force your phone down to 2G. That's a legacy standard with crappy security. There's nothing the networks can do about it short of refusing service to anything that supports 2G. Which is pretty much everything on the market. That might be seen as a tad drastic.

      Users can do something about it though - a lot of phones let the user turn off 2G through system menus.

      1. IglooDude

        Re: This has been a scandal for years

        It's fairly ironic that 2G turndown is slowly proceeding, in the US. In a few years most 2G availability will probably be provided by IMSI catcher devices.

        1. corestore

          Re: This has been a scandal for years

          Surprised it's so slow. The last 2G network was turned off in Australia last year IIRC, and there's only one left in NZ; the penultimate one was turned off here a few weeks ago.

  2. Anonymous Coward
    Anonymous Coward

    Left hand/right hand

    Do we really think the CIA, FBI, or NSA would tell DHS where they have eavesdropping devices?

    Anon, but they know who**NO CARRIER**

    1. Antron Argaiv Silver badge
      Black Helicopters

      Re: Left hand/right hand

      Pretty sure they know *exactly* where those rogue cell site simulators are located. If they're transmitting, they can be DF'd. Perhaps there are other technical measures which can be taken to nullify them...when necessary.

      1. mosw

        Re: Left hand/right hand

        "Pretty sure they know *exactly* where those rogue cell site simulators are located."

        I don't see any reason that they have to stay in one place. They could be mobile, located in a van that moves frequently.

  3. Chairman of the Bored Silver badge

    Or...

    ... probably just as likely some Billy Bob "borrowing" the stingray from work to see if he can figure out what the wife is up to... Some script kiddies with OpenBTS and a Hack RF, etc...

  4. redpawn Silver badge

    Better to let unfriendly entities spy

    on US citizens than to allow the people a secure cell phone network. After all "If you have nothing to hide you have nothing to fear" and soon will have nothing which suits the US government as evidenced by their actions.

  5. FrankAlphaXII Silver badge

    DHS probably won't know.

    Wyden of all people should probably know he needs to ask NSA if there are FISA warrants for anyone running IMSI catchers, and he knows full well that the response won't be public, if anything is said publicly they'll cite PL 86-36 which is an answer in and of itself that yes, they know who it is and why.

    The United States is not the only country that produces them and I'd be willing to bet that they're either Chinese or Russian and being used to put together target lists. Task Force Orange does much the same thing in Beijing and Moscow.

    1. I3N
      Coat

      DHS knows and said so

      'the DHS would require funding for software, hardware, and personnel to do so.'

    2. phuzz Silver badge
      Thumb Up

      The UK builds and exports plenty of IMSI catchers, don't leave us off your list!

  6. Kevin McMurtrie Silver badge

    No end-to-end encryption

    What's the difference between a cell tower, a pico cell, and a fake cell? Probably nothing unless you can look up all of the cell IDs and verify their physical location. It wouldn't surprise me if hardware hacking experts can crack open those pico cell boxes as a starting point.

  7. JeffyPoooh Silver badge
    Pint

    "...not aware how it would detect such technology..."

    The DHS department is "not aware how it would detect such technology".

    Crikey. Poor them.

    Although this margin is too small, etc.

    It's essentially trivial radio direction finding, except for some modest complications due to TDMA. Or DF on the fake tower's broadcast control channel, plus or minus any frequency hopping.

    Or just put out a $10,000 reward for information, and let the amateur radio 'fox hunters' go at it. They'd rig up a laptop with a $15 SDR stick, add a synthetic Doppler array (4 whips, electronic RF switch) on the roof of their truck, and some custom software they'd whipped up.

    Combined with APRS, collate the bearings, reposition the hunters, and there's your map.

    Then zero in to see which window it's in.

    1. Anonymous Coward
      Anonymous Coward

      Re: "...not aware how it would detect such technology..."

      It's basically a military contract, so if you're not over charging by 1000%, how are you going to have the money to bribe officials to get the contract in the first place?

    2. W4YBO

      Re: "...not aware how it would detect such technology..."

      I'd love to play like that, even unpaid. Unfortunately, due to the 1986 Electronic Communication Privacy Act, hobbyists aren't allowed to receive cellular frequencies. In the mid eighties, cellular companies lobbied Congress so they wouldn't have to scramble or digitize their, at that time, narrow FM signals. We're still stuck with it, as well as the Satellite Home Viewers Act, which did the same thing for satellite companies.

      Personally, I think if their RF energy is striking me, I should be able to do anything I want with it.

    3. Trigonoceps occipitalis

      Re: "...not aware how it would detect such technology..."

      "They'd rig up a laptop ... "

      They'd rig up a Raspberry Pi ...

      FTFY

  8. Anonymous Coward
    Anonymous Coward

    And that Cell Tower on the roof of the Russian Embassy was there for how long?

    doh!

    A clear case of the horse disappearing over the horizon before they noticed that the stable door had been blown off its hinges years ago.

    My former employers issued warnings about checking to see if you really had a connection before making business calls from their mobile phone. Most of the time we used a VOIP over VPN app for internal calls but even so in some places using a VPN is big No-No.

    Perhaps a few more people might like to understand that

    Carless Talk Costs Lives.

    1. Anonymous Coward
      Anonymous Coward

      Re: And that Cell Tower on the roof of the Russian Embassy was there for how long?

      Carless Talk Costs Lives.

      That's what I think every time some sanctimonious eco-knob starts prattling about the virtues of cycling and public transport.

  9. Anonymous Coward
    Anonymous Coward

    Fake Everything

    So many fake cell phone towers from so many agencies with so little money to check them out..

    With the antichrist now in power, this is the Anarchy in the U.S.A.

    Sorry, we're slow figuring things out.

    1. Michael Thibault

      Re: Fake Everything

      "With the antichrist now in power, this is the Anarchy in the U.S.A."

      The antichrist has been in power for decades. Don't fret, though; "we're slow figuring things out".

  10. Anonymous Coward
    Anonymous Coward

    Would foreign nation spys really install visible cell antennas?

    I doubt it they, would have aerials disguised as flag poles and the like.

    More likely that DHS has itself been scanning around and found RF carriers not disclosed on the official lists. Not an unusual event I suspect as carriers build new sites faster than the lists get updated.

    Sounds like DHS scaremongering to get more funds for "A new threat to National Security". If the DHS is so concerned why don't they raid the site and close it down?

    As for carriers not doing enough to stop RF skimming activity, no matter what action they take in this day of software defined radios there I doubt if such an action is possible.

    1. Anonymous Coward
      Anonymous Coward

      Would foreign nation spys really install visible cell antennas?

      Most IMSI catchers appear to be very compact devices, with a small range. Even an industrial scale one is smaller than a street lamp. So I'd guess for the most part yes they are visible, but so insignificant that nobody notices. And another reason not to hide is that foreign powers would be using a front company for it, with a long chain to obfuscate who is paying, and who is benefiting. I can't really see the PLA or FSB using liveried vans to put up a fake cell tower, complete with "Property of the People" plates on it.

  11. Louis Schreurs BEng

    I'm sick and tired of writers and commenters talking about -here- on a UK-based website and pointing at the situation in murrica

    1. Anonymous Coward
      Anonymous Coward

      This may help, look at all those locations around the world.

      BTW, you're free not to read it.

    2. Roj Blake Silver badge

      Re: Sick and Tired

      What happens in the US often directly affects the rest of the world, especially the UK.

      1. Mark 56

        Re: Sick and Tired

        There was a "scandal" in the UK in 2014 about aircraft flying round London in a racetrack pattern slurping mobile phone data.

        We know that "they're" spying on us. Even worse, "they" know that we know - how many shits do you think they give?

    3. Pascal Monett Silver badge

      I'm getting pretty meh about Trump news myself, but I think you're missing the point here. If some unknown entity is operating unregistered cell towers in the capital of the US, then that is important news because you should be asking yourself if there are any in London, just as I am now wondering if there are any in Paris, and how to find out.

      1. handleoclast Silver badge

        Re: and how to find out.

        There are various cell mapping apps for your phone. Install one, then go for a wander. Cover enough territory and they can locate antenna reasonably accurately (accurately enough that you can confirm visually).

        The one at cellmapper.net seems to work pretty well (not available for iPhone). There are several others, although some of them use Mozilla's Stumbler db rather than building up their own data (in my experience Stumbler data is not very good). I can heartily recommend avoiding OpenSignal like the plague.

        With cellmapper (and possibly others) you'll have to tell your phone to restrict itself to 2G to pick up the IMSI catchers as either the app or the Android API seems to prevent it recording signals using anything other than what your phone is currently connecting with (so you have to downgrade to 3G to map 3G towers, etc).

        Probably more trouble than it's worth. Unless you're paranoid.

      2. nijam

        > ... I am now wondering if there are any in Paris

        Don't worry, I'm sure you haven't been left out.

  12. lglethal Silver badge
    Go

    Calling all software engineers!

    I feel like this should not be that difficult to protect against and could probably be done pretty easily with software. An app on your phone has a list for all official fixed cell towers in your region. The App checks whenever your phone changes cell tower that the new one is one of the approved fixed towers.

    If not, it alerts the user that the cell tower is not an official fixed tower and shuts down the ability to use certain programs (decided by the user in advance - such as calls, texts, emails, etc.). Keeping the list up to date shouldnt be that hard, towers have to be reported to the FCC (or whatever your local governing body is called) and lets face it they dont spring up that regularly. And whilst it might cause some problems where temporary boosters are being used to cover maintenance/damaged towers/insufficient capacity, security for the type of users who actually care about this stuff would outweigh some minor disruptions.

    Added bonus if the program users direction finding or distance to source measurements to ensure that tower identifiers are not being faked and the "official" tower credentials are not now located 50km from where they should be...

    If anyone gets around to making this app, wing €100 my way and a crate of good beer (none of that American swill) and we'll call it even... ;)

    1. Anonymous Coward
      Anonymous Coward

      Re: Calling all software engineers!

      I suspect it would be far easier if manufacturers went back properly to the GSM spec and showed on the screen when a phone is switching down and/or goes off encryption. Add an alert function and you'd kill the problem at the root.

      Oh wait, it also catches dumb criminals, my bad.

    2. Barrie Shepherd

      Re: Calling all software engineers!

      "An app on your phone has a list for all official fixed cell towers in your region."

      Problem is maintaining the list. Networks are bringing new cells on line, taking old cells down all the time. The stinger type devices spoof a network to sniff the IMSI, so could spoof a genuine cell tower ID.

      For those interested in how easy these things are go Google "GSM in a box download". A PC (not high spec) and a SDR transceiver and you can build a basic system yourself in an afternoon, complete with SMS, authentication HLR and VLR facilities and with Asterisk added it can be your own private GSM system! Highly illegal as you would need to transmit on carrier frequencies but an example of how simple things can be.

      Granted the 'professional' stinger system are able to do more but I'm sure a dig around the WWW would enable a competent Linux person to build one.

      Products like this pose a greater risk to protection of personal data https://www.radio-tactics.com/index.php/portfolio/9-mobile-data-extraction/100-the-toolkit-solution

      Traffic Cop " Good evening sir, I suspect you were using your mobile phone, please let me plug my analyser in to check"

      Driver " I was not using my mobile phone, but OK if it gets me on my way"

      Traffic Cop " Thank you sir, it will only take 30 seconds"

      In that time your whole phone contents are compromised and currently (in the UK) with no oversight or protocols in place.

  13. sanmigueelbeer Silver badge

    Hold on ... Let me get this straight:

    1. It is ILLEGAL to use StingRay in the US;

    2. But it is perfectly legal for US intelligence agencies to use StingRay in OTHER COUNTRIES?

    Shouldn't this logic be the other way around?

    1. hugo tyson

      Legality is itself location-sensitive

      It's legal according to US law for the US to use StingRay in non-US places; doesn't mean it's legal according to the law of those places. What it means is that the US government won't act to prevent itself using such tech outside the US.

      Remember, according to US law, US law applies over the entire universe. Really.

  14. x 7 Silver badge

    Any new towers appeared in Salisbury recently?

  15. Anonymous South African Coward Silver badge

    Any new towers appeared in South Africa recently?

    Oh wait, these'll be spaffed as quick as lightning by the locals if not properly secured, so I think we're at least safe here. :p

  16. Anonymous Coward
    Anonymous Coward

    Didn't know

    I can tell you for sure, if you ask DHS/NSA/CIA if it's their equipment, you bet they will say yes. They wouldn't dare admit to "others" spying on them in a grand scale like this. They would rather take the heat of letting people think it was them, than the embarrassment of being fooled themselves. But such is the case.

  17. EJ

    I would check on the whereabouts of Huck and Olivia Pope...

  18. Clarecats

    Pwning cell phones with a stingray

    https://www.youtube.com/watch?v=fQSu9cBaojc&feature=youtu.be

    pwning cell phones with a home-made stingray. Defcon 18.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019