Tracking down 'strange' configuration will work in 5G the same way. It still could be, and the pdf covers this, 'strange' configurations can happen in early deployments in 5G also. It will be a false positive for checks like this.
There are public databases of cell tower IDs, sometimes with geolocation. Do fake cellular base stations impersonate an existing tower or create a new ID?
> Even though the UE authenticates the tower there are still several messages that it sends, receives, and trusts before authentication happens or w/o authentication. This is the weak spot in which the vast majority of 4G
attacks happen
I'm a layman but here's my understanding. Imagine you're a police force and you know a criminal has a phone with IMEI of ABC123. You think the criminal might have a headquarters inside a warehouse but you want to be sure they're there before conducting a raid. Set up one of these, on arrival the target phone tells the fake tower what its IMEI is when within range, and you've got them.
as explained in the pdf: There is a part of the connection setup, that will happen before any mutual authentification: The telephone offers the IMEI/IMSI to get an initial connection. The network learns this number and it's the counterpart of a MAC address in Wifi networks.
A reminder that EFF projects like this are only possible with your continuing support: https://eff.org/support (disclosure: while I used to work at EFF when Cooper and Yomna were researching this I don't now, so I'm being COMPLETELY OBJECTIVE in this current call for donations).
I don't know if other travelers have run into this but somewhat regularly when I arrive in a different major metropolitan area, I will get scam-spam calls within a day spoofed from that area code despite the fact that my phone number has nothing to do with that region and I haven't been in that specific location either ever or at least a longtime. It happens in both North America and Europe.
I know fake base stations might not be the reason for scammers targeting my phone but would be curious if others have seen this and have their own hypothesis?
Not sure why the calls would be scam calls though. It would be one thing if they were legitimate marketing spam calls originating from phone number traceable back to the business originating the conversation but these are clearly cases where the number is faked in the new area code/country::city code in order to incentivize picking up. (Is that the car rental company? Is the hotel reaching out for some reason? Etc...)
I guess my paranoia here stems from this link in the OPs pdf[0].
Interesting. Never saw the spam numbers transition either when travelling or when living in a new area long term.
I only ever get spoofed number calls from the area code of my cell phone number. Works out pretty well because I only lived there in passing 12 years ago, so never wonder if I'm missing a real call by ignoring them.
I haven't personally experienced that, but I suspect the explanation is simpler: someone is probably re-selling your geocoded IP, which is then bucketed into a range of telephone area codes.
Although I opted to graduate with a CS degree, I still really enjoy reading novel research like this since it piques the interest I had initially starting college as an EE/CE major.
Can't wait to go to Defcon this year as well for work exactly like this!
Having a quick look : I understand they only listen and never transmit, and just decode MIB and SIB1 => why do they require a sophisticated and expensive SDR such as bladerf ? I though an rtl-sdr would be able to decode MIB (and probably SIB, but I have a doubt there because maybe the location of those resource blocks would exceed the rtl-sdr's limited bandwidth... I would need to check, but anyway it seems https://github.com/JiaoXianjun/LTE-Cell-Scanner is able to decode SIB)
17 comments
[ 2.9 ms ] story [ 54.7 ms ] thread> Even though the UE authenticates the tower there are still several messages that it sends, receives, and trusts before authentication happens or w/o authentication. This is the weak spot in which the vast majority of 4G attacks happen
I'm a layman but here's my understanding. Imagine you're a police force and you know a criminal has a phone with IMEI of ABC123. You think the criminal might have a headquarters inside a warehouse but you want to be sure they're there before conducting a raid. Set up one of these, on arrival the target phone tells the fake tower what its IMEI is when within range, and you've got them.
There is no way to avoid this.
I know fake base stations might not be the reason for scammers targeting my phone but would be curious if others have seen this and have their own hypothesis?
I guess my paranoia here stems from this link in the OPs pdf[0].
0. https://venturebeat.com/2014/09/18/the-cell-tower-mystery-gr...
I only ever get spoofed number calls from the area code of my cell phone number. Works out pretty well because I only lived there in passing 12 years ago, so never wonder if I'm missing a real call by ignoring them.
Could it be apps sharing location info?
Can't wait to go to Defcon this year as well for work exactly like this!