DEF CON 24 Hacking Conference

DiscoveringandTriangulatingRogueCellTowers
EricEscobar,PE
SecurityEngineer
Whatisaroguecelltower?
• Adevicecreatedbygovernmentsorhackersthathastheability
totrickyourphoneintothinkingit’sarealcellphonetower.
• AlsoknownasIMSIcatchers,interceptors,cell-sitesimulators,
Stingrays,andprobably afewmore.
• Roguecelltowershavetheabilitytocollectinformation about
youindirectlythrough metadata (calllength,dialed numbers)
• Insomeconditionscancollectcontentofmessages, calls,and
data.
Howarecellsimulatorsusedtoday?
AtHome(IntheUnitedStates):
• IMSI-catchersareusedbyUSlawenforcementagenciestohelp
locate,track,andcollectdataonsuspects.
• ACLUhasidentified 66agenciesand24statesthatownstingrays.
• Usedtomonitor demonstrationsintheUS
• UsedinChicagopoliticalprotests
• It’spossibletomakeanIMSI-catcherathome
• DEFCON18:PracticalCellphoneSpying - ChrisPaget
Howarecellsimulatorsusedtoday?
Abroad:
• ReporteduseinIreland, UK,China, Germany,Norway,
SouthAfrica
• Chinesespammers werecaughtsending spamand
phishing messages.
• Usedbygovernmentsand corporations alike.
What’stheIMSIin“IMSI-catcher”?
• IMSIstandsforInternational MobileSubscriberIdentity.
• Isusedasameansofidentifyingadeviceonthecellnetwork.
• Typically15digitslong
• Containsgeneralinformation about youdevice(Country&Carrier)
• MobileCountryCode– MCC
• MobileNetworkCode– MNC
• MobileSubscription IdentificationNumber – MSIN
What’sanIMSI?
IMSI=Uniqueidentifiertoyourdevice
SampleIMSI:
310
MCC
26
MNC
0123456789
MSIN
USA
AT&T
UniqueIdentifier
Why you should care?
• Yourphone willconnectautomaticallytocellsitesimulators.
• Thievescanstealyourpersonalinformation.
• Hacker’scantrackwhereyougo,whoyou’retalkingto,andgrab all
sortsofotherdataabout you.
• Yourdigitallifecanbesniffed outoftheairbyanyonewithsome
technicalchops,and alaptop.
• Yourcompanycouldbeleaking tradesecrets.
• Yourprivacyisatrisk.
Whybuildadetector?
• TherearesomegreatappsforAndroid phonesandthathavethe
abilitytodetectcelltoweranomalies.
• Youneedspecificphonemodels&rootforthistowork
• Iwantedadevicethatmetthefollowingconditions:
• Cheap~$50/device
• Iwantedtosetitandforgetit.
• Iwantedtobealertedtoanyanomalies.
• Iwantedtheabilitytonetworkmultipledevicestogether.
Howdoyoudetectaroguecelltower?
• Everycelltower(BaseTransceiverStation,BTS)beaconsout
information about itself
• ARFCN– Absoluteradiofrequencychannel number
• MCC– MobileCountryCode
• MNC– MobileNetworkCode
• CellID– Unique identifier(withinalargearea)
• LAC– Locationareacode
• Txp – Transmitpowermaximum
• Neighboring cells
Howdoyoudetectaroguecelltower?
• Typicallythesevaluesremainconstant:
• ARFCN– Absoluteradiofrequencychannel number
• MCC– MobileCountryCode
• MNC– MobileNetworkCode
• CellID– Unique identifier(withinalargearea)
• LAC– Locationareacode
• Txp – Transmitpowermaximum
• Neighboring cells
• Powerlevel
Howdoyoudetectaroguecelltower?
• Ifvaluesdeviatefrom what’sexpecteditcanmeanthatthereis
maintenancetakingplace.
• Itcanmeanchangesarebeingmadetothenetwork.
• Itcouldalsomeanthatthereisaroguecelltowerisnearby!
• Theideaistogetabaselineofyourcellularneighborhood overa
periodoftime.
• Itwouldbelikekeepinganeyeonthecarsthatcomeinandout
ofyourneighborhood, afterawhileyoubegintoknowwhich
doesn’tbelong.
Howdoyoudetectaroguecelltower?
• Examples:
• Anewtower(Unknown CellID), hightransmission power
• Mobilecountrycodemismatch
• Mobilenetworkcodemismatch
• Frequencychange
• LocationAreaCodemismatch
Howdoyoulocateatower?
• Combineunique celltowerdata,receivepower,and location.
• Onedetectorcanbemovedaround withanonboard GPS
• Readingsofuniquetoweridentifiers,powerlevelandGPS
coordinatesallowforasingledetectortocreateamap.
• Somemath,opensourceGISsoftware,and prettycolorscan
approximatelocationsoftowersorpossibleroguetowers
Howdoyoulocateatower?
Howdoyoulocateatower?
• Multipledetectorswithknownlocationsallowfortrilaterationof
thesuspectedroguetower.
• Receivepoweranddistancearenotinverselyproportional
• Regressionformulas wererequiredtobecalculatedinorder
tofinetunetheresults.
• Lessaccuratebutstillprettygood
Howdoyoulocateatower?
What’sthebuild?
• RaspberryPi3,poweradapter, SDcard(running stockRaspbian)
• SIM900GSMModule
• SerialGPSmodule
• TVtunersoftwaredefined radio
• Scrapwood&hotglue
Braceyourself…
thisisquiteliterallyahack.
SIM900Cell
Module
GPSModule
SerialtoUSB
Scrap wood
& hot glue
Raspberry Pi
Softwaredefinedradio
(USBTVTuner)
SIM900
• SIM900Engineering mode
• Seventowerswiththehighestsignal
• Givesyouatonofinformation via
aserialconnection
• NoSIMcardisrequiredfor
engineering mode
GPSSerial
• Adafruit UltimateGPSmodule
• Fixesposition quickly.
• Good indoorreception
• Worksexactlyhowyouwouldexpect
RaspberryPi3
• StockRaspbian OS(debian forpi)
• Pi3hasenough powertorunaSDR
• HasfourUSBportsforserialadapters
• EasilypoweredbyaUSBbatterypack
TVTuner
• $20Softwaredefinedradio
• Widerangeoffrequencies
• Github:Gr-Gsm
• CanlistentorawGSMtraffic
• Seealltherawframes
• Notnecessaryforlocatingcelltowers
• Providesdeeperinsights
Datacollection:
• Everythingdumps toaSQLitedatabase forlateruse
Questions?