17 comments

[ 2.9 ms ] story [ 54.7 ms ] thread
Very cool. Do these techniques apply to 5G only base stations as well?
Tracking down 'strange' configuration will work in 5G the same way. It still could be, and the pdf covers this, 'strange' configurations can happen in early deployments in 5G also. It will be a false positive for checks like this.
There are public databases of cell tower IDs, sometimes with geolocation. Do fake cellular base stations impersonate an existing tower or create a new ID?
Can someone explain how is this possible in the first place, i.e. how do those fakes pass authentication checks from the phone/sim card?
FTA:

> Even though the UE authenticates the tower there are still several messages that it sends, receives, and trusts before authentication happens or w/o authentication. This is the weak spot in which the vast majority of 4G attacks happen

I'm a layman but here's my understanding. Imagine you're a police force and you know a criminal has a phone with IMEI of ABC123. You think the criminal might have a headquarters inside a warehouse but you want to be sure they're there before conducting a raid. Set up one of these, on arrival the target phone tells the fake tower what its IMEI is when within range, and you've got them.

The point here is: if the owner of the IMSI catcher has some preknowledge about the target phone.

There is no way to avoid this.

as explained in the pdf: There is a part of the connection setup, that will happen before any mutual authentification: The telephone offers the IMEI/IMSI to get an initial connection. The network learns this number and it's the counterpart of a MAC address in Wifi networks.
A reminder that EFF projects like this are only possible with your continuing support: https://eff.org/support (disclosure: while I used to work at EFF when Cooper and Yomna were researching this I don't now, so I'm being COMPLETELY OBJECTIVE in this current call for donations).
I don't know if other travelers have run into this but somewhat regularly when I arrive in a different major metropolitan area, I will get scam-spam calls within a day spoofed from that area code despite the fact that my phone number has nothing to do with that region and I haven't been in that specific location either ever or at least a longtime. It happens in both North America and Europe.

I know fake base stations might not be the reason for scammers targeting my phone but would be curious if others have seen this and have their own hypothesis?

Could it simply be that a lot of advertisers have enough data about you to link your phone ip to your phone number?
Not sure why the calls would be scam calls though. It would be one thing if they were legitimate marketing spam calls originating from phone number traceable back to the business originating the conversation but these are clearly cases where the number is faked in the new area code/country::city code in order to incentivize picking up. (Is that the car rental company? Is the hotel reaching out for some reason? Etc...)

I guess my paranoia here stems from this link in the OPs pdf[0].

0. https://venturebeat.com/2014/09/18/the-cell-tower-mystery-gr...

Interesting. Never saw the spam numbers transition either when travelling or when living in a new area long term.

I only ever get spoofed number calls from the area code of my cell phone number. Works out pretty well because I only lived there in passing 12 years ago, so never wonder if I'm missing a real call by ignoring them.

Could it be apps sharing location info?

I haven't personally experienced that, but I suspect the explanation is simpler: someone is probably re-selling your geocoded IP, which is then bucketed into a range of telephone area codes.
Although I opted to graduate with a CS degree, I still really enjoy reading novel research like this since it piques the interest I had initially starting college as an EE/CE major.

Can't wait to go to Defcon this year as well for work exactly like this!

Having a quick look : I understand they only listen and never transmit, and just decode MIB and SIB1 => why do they require a sophisticated and expensive SDR such as bladerf ? I though an rtl-sdr would be able to decode MIB (and probably SIB, but I have a doubt there because maybe the location of those resource blocks would exceed the rtl-sdr's limited bandwidth... I would need to check, but anyway it seems https://github.com/JiaoXianjun/LTE-Cell-Scanner is able to decode SIB)