JusticeBeaver on Discovering and Triangulating Rogue Cell Towers

JusticeBeaver (Eric Escobar) is a security engineer at Barracuda Networks. He started as a civil engineer and moved to all things wireless networking. In this talk he discusses how to detect and locate a rogue cell tower, or IMSI catcher.

What is a Rogue Cell Tower?

A rogue cell tower is device that allows somebody, usually an authority of some sort, to do an “evil twin” attack on your phone by posing as a cell tower. Also known as IMSI Catchers, or cell-site simulators. Otherwise they are known by the brand name Stingray. According to the ACLU, 66 agencies and 24 states own Stingrays.  They are also used abroad.

These allow you to collect metadata from phones, but in some cases they can also downgrade your connection and by doing so get your calls, SMS, and data,

IMSI stands for International Mobile Subscriber Identity and it is a unique identifier for your phone
IMSI stands for International Mobile Subscriber Identity and it is a unique identifier for your phone

Why You Should Care?

These devices are extremely invasive. They are essentially one big net that can capture you, as a small fish.  Your phone connects automatically to the device with the strongest signal. All transmitted data is suspect – even TFA keys sent through SMS.

How Do You Detect an IMSI Catcher?

Cell towers broadcast data about themselves, and the values should remain constant. By comparing incoming data against a baseline over time,  If you detect deviations, it could be as simple as work being done on the network, OR it could be an IMSI catcher.

Examples:

  • A new cell tower
  • Country code mismatch
  • Mobile network code mismatch
  • Frequency mismatch
  • Location area code mismatch

How Do You Locate a Tower?

Once you notice an anomalous tower, you might want to figure out what it is. The best way to do this is to combine all available cell tower data with receive power and location, using a single sensor that can be moved.

Some Math and GIS software can give you some fancy maps.
Some Math and free GIS software can give you some fancy maps to locate a potential IMSI catcher.

Trilateration vs Triangulation

These are similar concepts but often confused. Essentially: Triangulation is the practice of using the intersection of strongest-signal angles of three detectors to zero in on a location. Trilateration, on the other hand, uses indirect data like signal strenth of at least three detectors to determine the location of a cell tower.

How to Build a Detector?

JusticeBeaver walks us through how to build a detector with $52 worth of parts:

Mega-hacked IMSI Catcher detector for $52
It’s a hack, but it works!

 

Getting Cell Tower Data: SIM 900 or Field Test Mode

The SIM 900 is an inexpensive device that gives you the broadcast data from the top 7 nearby towers. Engineering mode requires no SIM card, and it does not sniff data. You can also achieve this using Field Test Mode with your phones.

Typically, the SIM 900 will return data in this format, and the GPS will return data in this format. You can parse and store that in SQL or NoSQL, or whatever medium of your choice.

Beware the TV Tuner!

Depending on where you are, listening to raw GSM frames can be very illegal.

Once you Locate a Tower

You can send yourself a notification using Email, Twilio, or PushOver. If you get a notification, turn off your phone. Then you can start looking at the data.

Leave a Reply

Your email address will not be published. Required fields are marked *