Whenever you use your cell phone, you assume that it is connecting to a secure, trusted tower, and that nobody is intercepting your phone calls. Well, excluding the NSA and GCHQ, of course.
But what if that wasn’t the case? What if your phone had connected to a cell tower operated by a rogue individual, and that person was intercepting every SMS. Ever call. Every kilobyte of data sent?
It’s more likely than you think. Welcome to the weird and frightening world of rogue cell phone towers.
How Many Of Them Are There?
The mobile market in the US is a marvel to behold. There are well over 190,000 cell phone towers in the continental United States alone, collectively providing coverage to over 330,000 cell phones. There are also dozens of competing operators, each operating their own hardware. This is in addition to countless MVNOs who piggyback on the hardware infrastructure of other operators.
But how many of those are rogue towers? According to an August 2014 article in Popular Science, there are 17 towers that are definitively known to be operating in the US. These are spread out through multiple states, although the largest concentrations can be found in Texas, California, Arizona and Florida. They’re also concentrated mostly in major cities, such as LA, Miami, New York and Chicago.
The discovery came to light after research undertaken by ESD America – A manufacturer of encrypted smartphones that run a a customized, hardened version of Android – showed the depth of the phony base-station problem. These towers are relatively prolific. They’re found in major population and industrial centers, as well as in close proximity to military and government buildings.
There’s a real potential for serious damage here. But how do they work?
The Anatomy Of A Rogue Base Station
Rogue base stations – hereafter referred to as interceptors – look like a standard base station to a cell phone. The simplest ones are unfathomably easy to create, with some even building interceptors around the popular (and cheap) Raspberry Pi system (it’s versatile enough) and the free, open-source OpenBTS GSM access-point software. This allows the implementation of the GSM protocol, which is used by phones in oder to communicate with base stations.
However, to really convince a phone that you’re a genuine base station, you need an outlay of thousands. This limits this type of attack to a select few; namely governments and large criminal organizations. Some police stations in the US have also spent thousands on interceptors that force phones to use 2G and GPRS in an effort to easily intercept and decrypt traffic in real time.
How the Attack Works
Regardless of what phone you use, it’s running two operating systems. The first is what you use to interact with it, be that Android, iOS or Blackberry OS. Working in tandem with that is a second operating system which handles phone traffic. This operates on something called the Baseband chip. and is used to connect to the base station and to serve voice, SMS and data traffic.
Phones automatically connect to the nearest, strongest phone station signal, and when they create a new connection they send what is known as an IMSI identification number. This number uniquely identifies subscribers, and is sent to a base station once a connection is made. This is sent regardless of the authenticity of the tower.
The tower can then respond with a data packet that establishes the standard of encryption used by the phone when communicating with the tower. This depends upon the phone protocol used. For example, the default voice encryption in 3G communications (by far the most used phone protocol) is a proprietary standard called ‘KASUMI’, which has a number of noted security flaws. However, any encryption is better than no encryption, and a false base station can turn all encryption off. This could then result in a man-in-the-middle attack.
Meanwhile, the rogue tower passes on all traffic to a legitimate tower, resulting in continued voice and data services, whilst the user is surreptitiously being surveilled. It’s nasty.
What Can Be Done?
Unfortunately, the existence of interceptor towers is largely due to a number of idiosyncrasies of how cell phones work. Phones largely trust base stations implicitly, and base stations are able to determine security settings, allowing for voice, SMS and data traffic to be intercepted in transit.
If you’ve got deep pockets, you could always buy a cryptophone produced by ESD America. These come with something called ‘Baseband Firewalls’, which establish and enforce an additional layer of security on the baseband level of your phone, ensuring that interceptor towers are easy to identify and easy to mitigate against.
Unfortunately, these aren’t cheap. The GSMK CryptoPhone 500 – which boasts specs that are almost identical to that of the Samsung Galaxy S3 – can cost up to €6,300. For the general public, that’s a lot to spend. Especially when it comes to dealing with a problem that’s depth and severity is not yet fully understood.
Until then, consumers are vulnerable. A sensible first step would be for the phone manufacturers to fundamentally change how the baseband operating system running on each phone works, so that it checks the authenticity of each tower it comes into contact with. However, that would take time, and immense collaboration between phone manufacturers, government regulators and network operators.
Are You Worried About Interceptors?
Interceptors are scary, but it’s important to remember that the number of verified rogue base stations in the wild is still very small. Despite that, they’ve identified a number of very significant issues with how cell phones work which pose a threat to anyone who uses these devices.
I’m curious to hear what you think. Worried about interceptors? Drop me a comment in the box below.