It’s Real: An Ordinary Looking Device for Hijacking Your Cellphone Connection


Julian Oliver is a hacker-artist based in Berlin. Since a young age he has been fascinated by disguised cell towers, the ones built to look like trees. Recently he built a small portable cell site that can sit in plain sight in an office. The device captures nearby cell phones and sends them text messages without ever needing to know their numbers.

Oliver admits that the device he created is illegal to operate in some countries. In the United States, devices that work in much the same way (often called stingrays) have been used by local police forces. Civil liberties groups have complained that the Baltimore Police Department's use of such devices to track and eavesdrop on suspects violated the Wiretap Act and Federal Communications Commission rules.

GSM signal vulnerability

GSM encryption has been publicly broken, but how exposed you are depends on which cipher your carrier uses. GSM defines several stream ciphers for the air interface, A5/1, A5/2 and A5/3. A5/2 was deliberately weak, was broken in real time, and has been withdrawn from networks. A5/1, the cipher most 2G networks actually use, can be cracked with publicly available rainbow tables. A5/3 (KASUMI) has a published related-key attack, but that attack is not practical against deployed traffic.

GPRS and EDGE, the 2G data services, have their own ciphers, the GEA family, and these have been attacked too. Carriers configure them differently, and some have run GPRS with no encryption at all (GEA/0). Where encryption is on, publicly available tools can break GEA/1 and GEA/2. GEA/3 is built on the same KASUMI cipher as A5/3 and is only described as "harder to crack"; GEA/4 uses a 128-bit key.

All of this is 2G. Most traffic today is carried over 3G, 3.5G (HSDPA/HSPA) or 4G (LTE, long-term evolution), but a phone will still fall back to 2G when that is the only signal it can find, and that fallback is exactly what a fake GSM cell relies on.

IMSI catching

IMSI catching means getting a phone to connect to a bogus cell site so that it gives up its identity. A GSM phone does not authenticate the network, only the network authenticates the phone, so the phone will camp on whichever cell of its operator offers the strongest signal, a fake one included. IMSI stands for International Mobile Subscriber Identity, the number that identifies the subscriber, that is, the SIM. It is different from the IMEI, the International Mobile Equipment Identity, which identifies the handset itself.

The IMSI encodes the subscriber's home network (a country code and a network code) followed by the subscriber number. It is normally not sent over the air with every call or SMS: after first contact the network hands the phone a temporary identity, the TMSI, and that is what is used afterwards. The network can, however, ask the phone for its IMSI or IMEI at any time with an Identity Request, and the phone answers in the clear. That request is what an IMSI catcher sends. Carriers use the IMEI for equipment blacklisting and anti-fraud checks; authentication itself relies on a secret key stored on the SIM.

A simple IMSI catcher therefore only has to stand near the target, look like the best cell around, and ask for identities; while the phone is attached to it, the phone has no real service. More capable devices relay traffic between the phone and the real network as a man-in-the-middle and can order the phone to use no encryption (A5/0), which is where actual eavesdropping on calls and messages becomes possible. Either way it is a form of wireless tapping, and its legality is in question.
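The indicators a phone-side detector looks for, as an added example that is not from the article or from Oliver's project: a small Python script that parses constructed 2G cell observations, splits a captured IMSI into its country, network and subscriber parts, and flags a cell that turns ciphering off, broadcasts an unfamiliar location area with no neighbours, is implausibly strong, or asked for the IMSI in the clear. The log format, field names, the -55 dBm threshold, the baseline of known location areas and every observation line are invented for the example.

```python
"""Heuristic IMSI-catcher indicators over constructed 2G cell observations.

Added example; this is not code from the article or from the Stealth Cell
Tower project. The indicators are the well-known ones detector apps rely on
(no encryption, unfamiliar location area, empty neighbour list, oddly strong
signal, an Identity Request answered with the real IMSI). The log format, the
field names, the -55 dBm threshold, the baseline of known LACs and every line
of SAMPLE_LOG are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass

# MCCs whose networks use 3-digit MNCs (North America); others are treated as
# 2-digit here. Deliberately incomplete; a real tool would carry the full table.
THREE_DIGIT_MNC_MCCS = {"310", "311", "312", "313", "314", "315", "316"}

# Constructed threshold: a serving cell this strong indoors is unusual.
STRONG_SIGNAL_DBM = -55


def split_imsi(imsi: str) -> tuple[str, str, str]:
    """Split an IMSI into (MCC, MNC, MSIN); the MNC length depends on the MCC."""
    if not imsi.isdigit() or not 14 <= len(imsi) <= 15:
        raise ValueError(f"malformed IMSI: {imsi!r}")
    mcc = imsi[:3]
    n = 3 if mcc in THREE_DIGIT_MNC_MCCS else 2
    return mcc, imsi[3:3 + n], imsi[3 + n:]


@dataclass
class CellObs:
    mcc: str
    mnc: str
    lac: int                   # location area code the cell broadcasts
    cid: int                   # cell id
    rxlev_dbm: int             # received signal level
    cipher: str                # cipher the cell ordered: A5/0, A5/1, A5/3 ...
    neighbours: int            # length of the broadcast neighbour list
    identity_imsi: str | None  # IMSI sent in clear after an Identity Request, if any


def parse_observations(text: str) -> list[CellObs]:
    """Parse whitespace-separated observation lines; '#' starts a comment."""
    cells = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mcc, mnc, lac, cid, rxlev, cipher, neigh, imsi = line.split()
        cells.append(CellObs(mcc, mnc, int(lac), int(cid), int(rxlev), cipher,
                             int(neigh), None if imsi == "-" else imsi))
    return cells


def suspicious_reasons(obs: CellObs,
                       known_lacs: dict[tuple[str, str], set[int]]) -> list[str]:
    """Return the indicators one cell trips; an empty list means nothing odd."""
    reasons = []
    if obs.cipher == "A5/0":
        # A5/1 is broken too, but it is so common on real 2G networks that on
        # its own it says nothing; a cell that switches ciphering off does.
        reasons.append("cipher A5/0: traffic unencrypted")
    if obs.lac not in known_lacs.get((obs.mcc, obs.mnc), set()):
        reasons.append(f"LAC {obs.lac} never seen before for PLMN {obs.mcc}/{obs.mnc}")
    if obs.neighbours == 0:
        reasons.append("no neighbour cells advertised")
    if obs.rxlev_dbm >= STRONG_SIGNAL_DBM:
        reasons.append(f"unusually strong signal ({obs.rxlev_dbm} dBm)")
    if obs.identity_imsi:
        mcc, mnc, _ = split_imsi(obs.identity_imsi)
        reasons.append(f"IMSI for {mcc}/{mnc} sent in cleartext")
    return reasons


def detect(text: str,
           known_lacs: dict[tuple[str, str], set[int]]) -> dict[int, list[str]]:
    """Map cell id -> reasons for every cell that trips at least one indicator."""
    flagged = {}
    for obs in parse_observations(text):
        reasons = suspicious_reasons(obs, known_lacs)
        if reasons:
            flagged[obs.cid] = reasons
    return flagged


# Constructed baseline: location areas this phone has seen for one operator.
KNOWN_LACS = {("262", "01"): {2100, 2105}}

# Constructed observations. The last line is what a fake cell tends to look
# like: default-looking LAC/cell id, very strong, no neighbours, ciphering off,
# and it asked for the IMSI straight away.
SAMPLE_LOG = """\
# mcc mnc lac  cid   rxlev cipher neigh imsi
262 01 2100 11203 -71 A5/3 6 -
262 01 2100 11207 -78 A5/3 6 -
262 01 2105 11302 -83 A5/1 5 -
262 01 1    1     -45 A5/0 0 262011234567890
"""

if __name__ == "__main__":
    for cid, reasons in detect(SAMPLE_LOG, KNOWN_LACS).items():
        print(f"cell {cid}:")
        for r in reasons:
            print(f"  - {r}")
```

Run as a script it prints the five reasons for the one cell that trips the indicators; the three legitimate cells stay silent, including the one ordering A5/1, because a broken but ubiquitous cipher on its own is not a catcher signature. Real detectors correlate many more signals and still produce false positives, for example when an operator brings up a new location area.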

The Stealth Cell Tower

What Oliver did was build a stealth cell tower and put it in plain sight. The device is disguised as an HP printer and contains a Raspberry Pi, a BladeRF software-defined radio and two GSM antennas. The Pi runs an open-source GSM base station stack (YateBTS) tied together with some scripting, and Oliver has released the code on his website.

How it works

The Stealth Cell Tower is a proof of concept meant to show how flawed GSM is. The device masquerades as the service provider and catches phones on the sly. Once it has captured a phone it sends it an SMS from an “unknown” number. It needs no phone numbers to do this: a phone that has camped on the fake tower is addressed directly by the identity it has just presented, so the tower can deliver a message to it without ever learning its number.

When the user replies, the transcript is printed (the printer still works) together with the IMSI of the captured phone, the sending number and the phone's IMEI. The device also places calls to the phones it has captured; when the user picks up, they hear “I Just Called to Say I Love You” by Stevie Wonder. After five minutes the captured phone is released and reconnects to a real cell tower.

It isn't meant for eavesdropping. But while a phone is attached to it, the phone has no connection to the real network, so the device is also a blunt way of keeping anyone within reach from using their phone.

Warnings

This is a complete, working device, and with more code and modification it could do far more. Operating it in the United States would likely violate the Wiretap Act as well as FCC rules on transmitting in licensed spectrum. Owning one is a greyer area: every part is available off the shelf. The point it makes is that GSM gives a phone no way to tell a real cell from a fake one, and that is the vulnerability.
