Pinterest Stumbleupon Whatsapp

Whenever you use your cell phone, you assume that it is connecting to a secure, trusted tower, and that nobody is intercepting your phone calls. Well, excluding the NSA and GCHQ What Is PRISM? Everything You Need to Know What Is PRISM? Everything You Need to Know The National Security Agency in the US has access to whatever data you're storing with US service providers like Google Microsoft, Yahoo, and Facebook. They're also likely monitoring most of the traffic flowing across the... Read More , of course.

But what if that wasn’t the case? What if your phone had connected to a cell tower operated by a rogue individual, and that person was intercepting every SMS. Ever call. Every kilobyte of data sent?

It’s more likely than you think. Welcome to the weird and frightening world of rogue cell phone towers.

How Many Of Them Are There?

The mobile market in the US is a marvel to behold. There are well over 190,000 cell phone towers in the continental United States alone, collectively providing coverage to over 330,000 cell phones. There are also dozens of competing operators, each operating their own hardware. This is in addition to countless MVNOs What Is an MVNO and How Does It Save Money on Your Cellular Bill? [MakeUseOf Explains] What Is an MVNO and How Does It Save Money on Your Cellular Bill? [MakeUseOf Explains] In the US and Canada, we're taught that we need to sign contracts because cell phones and cellular service are so pricey. That's a bald-faced lie. Read More who piggyback on the hardware infrastructure of other operators.


But how many of those are rogue towers? According to an August 2014 article in Popular Science, there are 17 towers that are definitively known to be operating in the US. These are spread out through multiple states, although the largest concentrations can be found in Texas, California, Arizona and Florida. They’re also concentrated mostly in major cities, such as LA, Miami, New York and Chicago.


The discovery came to light after research undertaken by ESD America – A manufacturer of encrypted smartphones that run a a customized, hardened version of Android – showed the depth of the phony base-station problem. These towers are relatively prolific. They’re found in major population and industrial centers, as well as in close proximity to military and government buildings.

There’s a real potential for serious damage here. But how do they work?

The Anatomy Of A Rogue Base Station

Rogue base stations – hereafter referred to as interceptors – look like a standard base station to a cell phone. The simplest ones are unfathomably easy to create, with some even building interceptors around the popular (and cheap) Raspberry Pi system (it’s versatile enough 8 Seriously Useful Computing Tasks You Can Do With a Raspberry Pi 8 Seriously Useful Computing Tasks You Can Do With a Raspberry Pi The amount of computing tasks that you can perform with this small 3.37 x 2.21-inch computer is jaw-dropping. Read More ) and the free, open-source OpenBTS GSM access-point software. This allows the implementation of the GSM protocol, which is used by phones in oder to communicate with base stations.

However, to really convince a phone that you’re a genuine base station, you need an outlay of thousands. This limits this type of attack to a select few; namely governments and large criminal organizations. Some police stations in the US have also spent thousands on interceptors that force phones to use 2G and GPRS in an effort to easily intercept and decrypt traffic in real time.

How the Attack Works

Regardless of what phone you use, it’s running two operating systems. The first is what you use to interact with it, be that Android, iOS or Blackberry OS. Working in tandem with that is a second operating system which handles phone traffic. This operates on something called the Baseband chip. and is used to connect to the base station and to serve voice, SMS and data traffic.

Phones automatically connect to the nearest, strongest phone station signal, and when they create a new connection they send what is known as an IMSI identification number. This number uniquely identifies subscribers, and is sent to a base station once a connection is made. This is sent regardless of the authenticity of the tower.


The tower can then respond with a data packet that establishes the standard of encryption used by the phone when communicating with the tower. This depends upon the phone protocol used. For example, the default voice encryption in 3G communications (by far the most used phone protocol) is a proprietary standard called ‘KASUMI’, which has a number of noted security flaws. However, any encryption is better than no encryption, and a false base station can turn all encryption off. This could then result in a man-in-the-middle attack.

Meanwhile, the rogue tower passes on all traffic to a legitimate tower, resulting in continued voice and data services, whilst the user is surreptitiously being surveilled. It’s nasty.

What Can Be Done?

Unfortunately, the existence of interceptor towers is largely due to a number of idiosyncrasies of how cell phones work. Phones largely trust base stations implicitly, and base stations are able to determine security settings, allowing for voice, SMS and data traffic to be intercepted in transit.

If you’ve got deep pockets, you could always buy a cryptophone produced by ESD America. These come with something called ‘Baseband Firewalls’, which establish and enforce an additional layer of security on the baseband level of your phone, ensuring that interceptor towers are easy to identify and easy to mitigate against.

Unfortunately, these aren’t cheap. The GSMK CryptoPhone 500 – which boasts specs that are almost identical to that of the Samsung Galaxy S3 – can cost up to €6,300. For the general public, that’s a lot to spend. Especially when it comes to dealing with a problem that’s depth and severity is not yet fully understood.

Until then, consumers are vulnerable. A sensible first step would be for the phone manufacturers to fundamentally change how the baseband operating system running on each phone works, so that it checks the authenticity of each tower it comes into contact with. However, that would take time, and immense collaboration between phone manufacturers, government regulators and network operators.

Are You Worried About Interceptors?

Interceptors are scary, but it’s important to remember that the number of verified rogue base stations in the wild is still very small. Despite that, they’ve identified a number of very significant issues with how cell phones work which pose a threat to anyone who uses these devices.

I’m curious to hear what you think. Worried about interceptors? Drop me a comment in the box below.

Leave a Reply

Your email address will not be published. Required fields are marked *