4 Things You Must Know About Those Rogue Cellphone Towers

Matthew Hughes 16-09-2014

Whenever you use your cell phone, you assume that it is connecting to a secure, trusted tower, and that nobody is intercepting your phone calls. Well, excluding the NSA and GCHQ What Is PRISM? Everything You Need to Know The National Security Agency in the US has access to whatever data you're storing with US service providers like Google Microsoft, Yahoo, and Facebook. They're also likely monitoring most of the traffic flowing across the... Read More , of course.


But what if that wasn’t the case? What if your phone had connected to a cell tower operated by a rogue individual, and that person was intercepting every SMS. Ever call. Every kilobyte of data sent?

It’s more likely than you think. Welcome to the weird and frightening world of rogue cell phone towers.

How Many Of Them Are There?

The mobile market in the US is a marvel to behold. There are well over 190,000 cell phone towers in the continental United States alone, collectively providing coverage to over 330,000 cell phones. There are also dozens of competing operators, each operating their own hardware. This is in addition to countless MVNOs What Is an MVNO and How Does It Save Money on Your Cellular Bill? [MakeUseOf Explains] In the US and Canada, we're taught that we need to sign contracts because cell phones and cellular service are so pricey. That's a bald-faced lie. Read More who piggyback on the hardware infrastructure of other operators.


But how many of those are rogue towers? According to an August 2014 article in Popular Science, there are 17 towers that are definitively known to be operating in the US. These are spread out through multiple states, although the largest concentrations can be found in Texas, California, Arizona and Florida. They’re also concentrated mostly in major cities, such as LA, Miami, New York and Chicago.


The discovery came to light after research undertaken by ESD America – A manufacturer of encrypted smartphones that run a a customized, hardened version of Android – showed the depth of the phony base-station problem. These towers are relatively prolific. They’re found in major population and industrial centers, as well as in close proximity to military and government buildings.

There’s a real potential for serious damage here. But how do they work?

The Anatomy Of A Rogue Base Station

Rogue base stations – hereafter referred to as interceptors – look like a standard base station to a cell phone. The simplest ones are unfathomably easy to create, with some even building interceptors around the popular (and cheap) Raspberry Pi system Raspberry Pi: The Unofficial Tutorial Whether you're a current Pi owner who wants to learn more or a potential owner of this credit-card size device, this isn't a guide you want to miss. Read More (it’s versatile enough 8 Seriously Useful Computing Tasks You Can Do With a Raspberry Pi The amount of computing tasks that you can perform with this small 3.37 x 2.21-inch computer is jaw-dropping. Read More ) and the free, open-source OpenBTS GSM access-point software. This allows the implementation of the GSM protocol, which is used by phones in oder to communicate with base stations.

However, to really convince a phone that you’re a genuine base station, you need an outlay of thousands. This limits this type of attack to a select few; namely governments and large criminal organizations. Some police stations in the US have also spent thousands on interceptors that force phones to use 2G and GPRS in an effort to easily intercept and decrypt traffic in real time.


How the Attack Works

Regardless of what phone you use, it’s running two operating systems. The first is what you use to interact with it, be that Android, iOS or Blackberry OS. Working in tandem with that is a second operating system which handles phone traffic. This operates on something called the Baseband chip. and is used to connect to the base station and to serve voice, SMS and data traffic.

Phones automatically connect to the nearest, strongest phone station signal, and when they create a new connection they send what is known as an IMSI identification number. This number uniquely identifies subscribers, and is sent to a base station once a connection is made. This is sent regardless of the authenticity of the tower.


The tower can then respond with a data packet that establishes the standard of encryption used by the phone when communicating with the tower. This depends upon the phone protocol used. For example, the default voice encryption in 3G communications (by far the most used phone protocol) is a proprietary standard called ‘KASUMI’, which has a number of noted security flaws. However, any encryption is better than no encryption, and a false base station can turn all encryption off. This could then result in a man-in-the-middle attack.


Meanwhile, the rogue tower passes on all traffic to a legitimate tower, resulting in continued voice and data services, whilst the user is surreptitiously being surveilled. It’s nasty.

What Can Be Done?

Unfortunately, the existence of interceptor towers is largely due to a number of idiosyncrasies of how cell phones work. Phones largely trust base stations implicitly, and base stations are able to determine security settings, allowing for voice, SMS and data traffic to be intercepted in transit.

If you’ve got deep pockets, you could always buy a cryptophone produced by ESD America. These come with something called ‘Baseband Firewalls’, which establish and enforce an additional layer of security on the baseband level of your phone, ensuring that interceptor towers are easy to identify and easy to mitigate against.

Unfortunately, these aren’t cheap. The GSMK CryptoPhone 500 – which boasts specs that are almost identical to that of the Samsung Galaxy S3 Samsung Galaxy S III Tips Read More – can cost up to €6,300. For the general public, that’s a lot to spend. Especially when it comes to dealing with a problem that’s depth and severity is not yet fully understood.


Until then, consumers are vulnerable. A sensible first step would be for the phone manufacturers to fundamentally change how the baseband operating system running on each phone works, so that it checks the authenticity of each tower it comes into contact with. However, that would take time, and immense collaboration between phone manufacturers, government regulators and network operators.

Are You Worried About Interceptors?

Interceptors are scary, but it’s important to remember that the number of verified rogue base stations in the wild is still very small. Despite that, they’ve identified a number of very significant issues with how cell phones work which pose a threat to anyone who uses these devices.

I’m curious to hear what you think. Worried about interceptors? Drop me a comment in the box below.

Related topics: Encryption, Smartphone Security.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Sam
    August 29, 2016 at 1:53 pm

    Can anyone provide LOCATIONS of these towers please? I know there is a map of several of them created by Cryptophone and some of there users. This map and specific locations should be made public.

    • Joyce Ann Lechner
      June 6, 2018 at 2:00 pm

      Unfortunately the detection of such towers can be quite difficult due to the sophistication and miniaturization of these illegal devices. Also, these days the cybercriminals are constantly changing IP addresses and posing as wireless Hotspots. I'm using an approved app from Google Play store called Signal Detector, but you need the support of trustworthy local authorities for this to be effective.

  2. Bob R
    September 21, 2014 at 3:47 pm

    If these are in fact "rogue" and their ownership is in question why aren't the viable companies demanding immediate back tracing or trace routing and removal? This is why I feel they aren't quite as rogue as the public is being led to believe.

    The technology is present to identify ownership and final destination of the redirected cell call and data traffic.

  3. Somebody's Watching Me
    September 20, 2014 at 11:24 pm

    1) why doesn't the ESD company release the custom Android build for free to install on one's own phone?

    2) do these cell towers intercept call and text data from old "dumb" phones like the Jitterbug or (yes, I have one) Nokia 3210? Or do they just pick up "data"-data from web-capable and G-network smart phones?

    3) do you think these rogue towers are part of the surplus military-equipment program that became duly controversial after the murder of Michael Brown in Ferguson, MO? Police departments listening in for rumblings from "potential unrest" among dissatisfied citizens unhappy with the entrenched status quo? Call me cynical and paranoid but it seems to me that it's not just population *numbers* in these metro areas that arouses suspicion among the "powers that be." It's population demographics. Metro regions are known for their population diversity and denizens that tend to lean more liberal and distrustful of military operations and big-money power bureaucracies. There probably isn't as much government surveillance of survivalists in Dixie or Idaho because "those people" (white guys with arsenals who don't like or trust this president or his cabinet for *various reasons*) are not perceived as a "threat" to the entrenched power structures as "others" are (people with legitimate gripes -- and probably not arsenals -- who are not white, or even guys for that matter). There are also far fewer Ruby Ridge recluses than there are dissatisfied agitators who want civil and social justice for the underprivileged of this world. Just a tinfoil rant as to why the placing of these intercepts sounds suspicious to me.

  4. John Williams
    September 18, 2014 at 12:50 pm

    "the largest concentrations can be found in Texas, California, Arizona and Florida." That'll be for the Mexican drug cartels then. This is haow they've been communicating in Mexico for years and avoiding the army and police for a long time.
    They effectively create a private cellphone network by adding attennas and equipment to existing masts. Even cheap walkie-talkies have been used with little signal repeaters stealing power from the towers.

    I suspect some of these "rouge" cells in the Southern States aren't intercepting anybody at all, they are being used for drugs and immigrant communications.
    No doubt the government then tap in to the handy drugs data and use it to arrest the bad guys.

    Why does every ordinary citizen think the government is listening in to people's daily chit-chat? What would be the point? Even the computers listening to terrorists and drug barons can only look out for trigger words and patterns of use.

    Do you really think that any government trying to get one step ahead of random acts of terror is listening to all the shit that people talk about. Look at Facebook and Twitter - 99 percent of it is utter crap .....

    • Matthew H
      September 19, 2014 at 12:29 pm

      I'm not sure I agree. In those states, they're in the large metro centers. LA. Miami. That lot. Also, they can be found up North in Chicago and New York.

  5. E. N.
    September 18, 2014 at 10:47 am

    Does anyone know WHO operates the rogue towers? My concern is their proxcemity to military and gov offices/installations and the seemingly endless barage on the U.S. gov from the Chinese hackers.

    • Matthew H
      September 19, 2014 at 12:30 pm

      That's still a mystery, I'm afraid.

  6. Rob S
    September 17, 2014 at 9:04 pm

    I like Dennis' comment. its probably easy enough to figure out who owns the *tower* as that is just a piece of infrastructure, and probably required permitting to put up... but who owns the *antennas* that are mounted on the tower might be interesting to know and harder to discover. Probably leasing a mount-point for an antenna on someone else's tower isn't so prohibitively expensive as putting up a tower in the first place, and probably the lease includes a non-disclosure clause in part to protect the leasing company from harmful signal interference and such that might occur if a direct competitor could just install a competing antenna right next to their antenna.

    What's the business model that a tower operates under? Might something be negotiated with the tower owners where these nefarious interceptors are operating, perhaps with terms like illegal, liability, and lawsuit bandied about, to get these interceptors turned off?

    Perhaps the good folks at ESD America or the FCC could be asked what steps could be (or maybe even are being?) taken. I would be very interested in reading about that.

  7. Dennis
    September 17, 2014 at 8:12 pm

    I live in Arizona now and this concerns me that we know about these rouge Towers!
    If 17 have been identified where are they...Location would be great to know. Second..who owns the rouge Towers and third...How did they get installed without cities know about them?

    • Matthew H
      September 19, 2014 at 12:27 pm

      As I said in the article, most of them are in major population centers. LA. Chicago. Miami. New York. You get the idea.
      As for 2.) and 3.)? No idea. That's still a mystery.

  8. Craig
    September 17, 2014 at 6:34 pm

    This is a very interesting and useful article even if only 17 of the towers out of a total of 190.000 are rogue ones. However, I don't understand why you say that rogue towers are "relatively prolific", since 17 is a very, very small percentage of the total. This fact reduces the importance of the problem.

    • Matthew H
      September 17, 2014 at 6:37 pm

      True. I think the biggest problem is that they're actually located in areas of immense population density. Chicago. Miami. Los Angeles. New York. As a result, they have a pretty broad impact.

  9. Robert M
    September 17, 2014 at 12:34 pm

    I don't understand why, if these towers have been identified, they are not shut down by the FCC.

    • Hans K
      September 17, 2014 at 3:56 pm

      *Sarcasm intended*
      Because the FCC doesn't give a damn...
      They seem to have no issue with making the internet unusable, why not make it so nobody wants to use cellphones too!
      Also, if a lot of people knew about this, it might hurt at&t's business and GOD FORBID doing anything that might hurt their business!
      End sarcasm.

      Seriously, I don't know why the FCC doesn't shut them down.

    • Matthew H
      September 17, 2014 at 6:37 pm

      Good question. Why don't you ask them yourself? ;)

  10. Ivan
    September 17, 2014 at 11:14 am

    "There are well over 190,000 cell phone towers in the continental United States alone, collectively providing coverage to over 330,000 cell phones. "
    that last number seems way off. please double check your source.

    • well.rested
      September 17, 2014 at 1:11 pm

      Please double-check everything... Interesting subject matter, but I had to give it a miss due to all of the typos! If you're going to publish, even to a website, you need to proof-read.

    • Matthew H
      September 17, 2014 at 6:37 pm

      You're right. My apologies. I'm going to get that fixed ASAP.

  11. Mike Gale
    September 16, 2014 at 9:43 pm

    If you're really concerned about this an answer is not to use cell phones, until they're redesigned.

    • Matthew H
      September 17, 2014 at 6:38 pm

      That's pretty challenging. I can't really work (or function, for that matter) without my Blackberry.

    • Mike Gale
      September 17, 2014 at 10:57 pm

      I guess that if enough people did the *heavy lifting* and cell phone usage went down by say 15% the chip makers, standards bodies, phone manufacturers etc. would take their collective finger out pretty quickly.

  12. Richard Mackey
    September 16, 2014 at 8:49 pm

    To be clear: I am well versed in communications tech and technology in general. I am concerned about interceptors only to the extent that it is nasty, deceptive and invasive, but it doesn't affect me in the sticks. There's no profit for people who do this sort of thing outside of connection-rich, corporate data-rich major city centres.
    And if it did happen it would be obvious to any local just from the # of bars on their phone.

    • Matthew H
      September 17, 2014 at 6:39 pm

      Interesting. Yeah, and we see that in where these interceptors are placed. Namely, major population centers, such as Chicago, LA, Miami and New York.

  13. techno
    September 16, 2014 at 8:02 pm

    Thanks for a really informative and useful post. I suspect the solution is just to implement something that bypasses the security of the towers and just impliments end to end security from the phone to the provider, this also would solve the issue of repeaters and anything else. It becomes dumb pipes.

    • Matthew H
      September 17, 2014 at 6:39 pm

      Thanks man. Much appreciated.

  14. Richard Mackey
    September 16, 2014 at 5:11 pm

    What concerns me most is the impact additional security would have on cell phone booster/repeaters. Living in the country means I have little worry about interceptors, but the distances between towers out here means I have a cell booster in my work and personal vehicles, and a repeater at home.

    • Dog
      September 16, 2014 at 8:10 pm

      You mean you really have no worries about your privacy being compromised by fake towers? Or didn't you understand the article?