A new technique can detect newer 4G ‘stingray’ cell phone snooping – ProWellTech
Security researchers say they have developed a new technique to detect modern cell site simulators.
Cell site simulators, known as “stingrays”, impersonate cell towers and can acquire information about any phone in their range, including in some cases calls, messages and data. Police secretly deploy stingrays hundreds of times a year in the United States, often collecting data about innocent bystanders in the process.
Little is known about stingrays because they are deliberately shrouded in secrecy. Developed by Harris Corp. and sold exclusively to police and law enforcement agencies, stingrays are covered by strict non-disclosure agreements that prevent police from discussing how the technology works. But what we do know is that stingrays take advantage of flaws in the way cell phones connect to 2G cellular networks.
Most of these flaws have been fixed in the newer, faster and safer 4G networks, though not all of them. The latest cell site simulators, known as “Hailstorm” devices, exploit similar flaws in 4G that allow police to snoop on newer phones and devices.
Some phone apps claim to be able to detect stingrays and other cell site simulators, but most produce erroneous results.
But now researchers at the Electronic Frontier Foundation say they have developed a new technique that can detect Hailstorm devices.
Enter EFF’s latest project, nicknamed “Crocodile Hunter”, a nod to the Australian conservationist Steve Irwin, who was killed in 2006 by a stingray barb. It helps detect cell site simulators by decoding nearby 4G signals to determine whether a cell tower is legitimate.
Whenever a phone connects to a 4G network, a checklist, known as a handshake, runs to make sure that the phone is allowed to connect to the network. It does this by exchanging a series of unencrypted messages with the tower, including unique details about the user’s phone, such as its IMSI number and approximate location. The tower’s side of this exchange, known as the MIB (Master Information Block) and SIB (System Information Block) messages, is broadcast from the tower to allow the phone to connect to the network.
“This is at the heart of all 4G vulnerabilities,” said Cooper Quintin, a senior staff technologist at the EFF, who led the research.
Quintin and fellow researcher Yomna Nasser, author of the EFF technical paper on how cell site simulators work, discovered that capturing MIB and SIB messages over the air and decoding them can identify potentially illegitimate cell towers.
This became the foundation of the Crocodile Hunter project.
Crocodile Hunter is open source, so anyone can run it, but it requires a fair amount of hardware and software. Once set up and running, Crocodile Hunter scans for 4G cellular signals, decodes the tower data it finds, and uses trilateration to place the towers on a map.
But the system requires some thought and human input to find the anomalies that could point to a real cell site simulator. Those anomalies can look like cell towers that appear out of nowhere, towers that seem to move or that don’t match known mappings of existing towers, or towers that transmit MIB and SIB messages that don’t make sense.
That is why verification is important, Quintin said, and it is something the stingray-detection apps don’t do.
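The two technical pieces above, decoding the broadcast MIB and then looking for towers that move, that are unknown, that carry the wrong network identifier or that broadcast nonsense, can be sketched in a few dozen lines. The block below is an added illustration written for this page; it is not code from EFF’s Crocodile Hunter. It decodes the 24-bit LTE MIB as laid out in 3GPP TS 36.331 and runs simple anomaly checks over a list of tower sightings. Every sighting, cell identity, PLMN code and the “known cells” reference list is constructed sample data, and the 500 m movement threshold is an assumed tuning value.

```python
"""Added example: decode an LTE MIB and flag suspicious 4G cells.

Illustrative code in the spirit of the checks described on this page; it is
not EFF's Crocodile Hunter. All sightings, cell IDs, PLMN codes and the
"known cells" list below are constructed test data.
"""
from __future__ import annotations
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

# LTE MasterInformationBlock (3GPP TS 36.331) is 24 bits, unaligned PER:
#   dl-Bandwidth 3 bits | phich-Duration 1 | phich-Resource 2 |
#   systemFrameNumber 8 (the 8 MSBs of the 10-bit SFN) | spare 10 (sent as zero)
DL_BANDWIDTH = ["n6", "n15", "n25", "n50", "n75", "n100"]   # in resource blocks
PHICH_RESOURCE = ["oneSixth", "half", "one", "two"]


def decode_mib(raw: bytes) -> dict:
    """Decode the 24-bit MIB that a 4G tower broadcasts on the PBCH."""
    if len(raw) != 3:
        raise ValueError("MIB is exactly 24 bits")
    bits = int.from_bytes(raw, "big")
    bw_idx = (bits >> 21) & 0x7
    if bw_idx >= len(DL_BANDWIDTH):
        raise ValueError(f"reserved dl-Bandwidth value {bw_idx}")
    return {
        "dl_bandwidth": DL_BANDWIDTH[bw_idx],
        "phich_duration": "extended" if (bits >> 20) & 1 else "normal",
        "phich_resource": PHICH_RESOURCE[(bits >> 18) & 0x3],
        "sfn": ((bits >> 10) & 0xFF) << 2,   # MIB carries SFN bits 9..2
        "spare": bits & 0x3FF,
    }


@dataclass
class Sighting:
    plmn: str      # MCC+MNC as decoded from SIB1, e.g. "310999" (constructed)
    cell_id: int   # 28-bit E-UTRAN cell identity from SIB1
    lat: float     # estimated tower position, e.g. a trilateration result
    lon: float
    mib: bytes     # raw MIB captured from this cell


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two positions."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin(radians(lat2 - lat1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371000.0 * asin(sqrt(a))


def check_cell(sightings: list[Sighting], known_cells: set[tuple[str, int]],
               expected_mccs: set[str], move_threshold_m: float = 500.0) -> list[str]:
    """Return the anomalies seen for one cell (all sightings share plmn and cell_id)."""
    first = sightings[0]
    anomalies: list[str] = []
    mcc = first.plmn[:3]
    if mcc not in expected_mccs:                       # e.g. a Bermuda MCC in Washington, DC
        anomalies.append(f"MCC {mcc} is not expected in this region")
    if (first.plmn, first.cell_id) not in known_cells:  # tower appeared "out of nowhere"
        anomalies.append("cell not present in the reference tower list")
    for s in sightings:                                # MIB that doesn't make sense
        try:
            mib = decode_mib(s.mib)
        except ValueError as exc:
            anomalies.append(f"undecodable MIB: {exc}")
            break
        if mib["spare"] != 0:
            anomalies.append(f"MIB spare bits set (0x{mib['spare']:03x}); real towers send zero")
            break
    for s in sightings[1:]:                            # a tower that moves (or a cell on wheels)
        d = haversine_m(first.lat, first.lon, s.lat, s.lon)
        if d > move_threshold_m:
            anomalies.append(f"cell position moved {d:.0f} m between sightings")
            break
    return anomalies


def survey(sightings: list[Sighting], known_cells: set[tuple[str, int]],
           expected_mccs: set[str]) -> dict[tuple[str, int], list[str]]:
    """Group sightings per cell and run the checks; clean cells map to an empty list."""
    by_cell: dict[tuple[str, int], list[Sighting]] = {}
    for s in sightings:
        by_cell.setdefault((s.plmn, s.cell_id), []).append(s)
    return {key: check_cell(group, known_cells, expected_mccs) for key, group in by_cell.items()}


# Constructed data for a hypothetical Washington, DC survey.
EXPECTED_MCCS = {"310", "311", "312", "313", "316"}          # United States MCC codes
KNOWN_CELLS = {("310999", 0x0ABC01), ("310999", 0x0ABC02), ("310999", 0x0ABC03)}
GOOD_MIB = bytes.fromhex("68a800")   # n50, normal PHICH, resource "one", SFN 168, spare 0
BAD_MIB = bytes.fromhex("68a8ff")    # same header but with spare bits set
SAMPLE_SIGHTINGS = [
    Sighting("310999", 0x0ABC01, 38.9072, -77.0369, GOOD_MIB),   # legitimate, seen twice
    Sighting("310999", 0x0ABC01, 38.9073, -77.0370, GOOD_MIB),
    Sighting("35001", 0x000042, 38.9080, -77.0360, GOOD_MIB),    # MCC 350 (Bermuda) in DC
    Sighting("310999", 0x0ABC02, 38.9072, -77.0369, GOOD_MIB),   # "moves" roughly 1.8 km
    Sighting("310999", 0x0ABC02, 38.9200, -77.0500, GOOD_MIB),
    Sighting("310999", 0x0ABC03, 38.9072, -77.0369, BAD_MIB),    # nonsense MIB
]

if __name__ == "__main__":
    for (plmn, cell), problems in survey(SAMPLE_SIGHTINGS, KNOWN_CELLS, EXPECTED_MCCS).items():
        print(f"PLMN {plmn} cell 0x{cell:07x}: {problems or 'no anomalies'}")
```

As the article stresses, a hit from checks like these is a lead, not a verdict: the moving tower above could just as well be a cell on wheels, which is why a flagged cell still has to be physically checked.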
“Just because we find an anomaly, it doesn’t mean we found the cell site simulator. We really have to go check it out,” he said.
In a test, Quintin tracked down a suspicious-looking cell tower on a truck outside a convention center in San Francisco. It turned out to be a legitimate mobile cell tower, contracted to expand cell capacity for a technology conference inside. “Cells on wheels are quite common,” said Quintin. “But they have some interesting similarities with cell site simulators, namely as they are a portable cell that usually isn’t there and suddenly it is, and then it goes away.”
In another test conducted earlier this year at the ShmooCon security conference in Washington, DC, where cell site simulators were previously found, Quintin found two suspected cell towers using Crocodile Hunter: a tower that transmitted a mobile network identifier associated with a Bermuda cellular network and another tower that did not appear to be associated with a cellular network at all. Neither made a lot of sense, given that Washington, DC is nowhere near Bermuda.
Quintin said the project was intended to help detect cell site simulators, but admitted that police will continue to use them for as long as cell networks remain vulnerable to them, a problem that may take years to solve.
Instead, Quintin said phone manufacturers could do more at the device level to prevent attacks, such as allowing users to disable access to legacy 2G networks, which would blunt the older stingray attacks. In the meantime, cellular networks and industry groups should work to fix the vulnerabilities that Hailstorm devices exploit.
“None of these solutions will be foolproof,” said Quintin. “But we’re still not doing the bare minimum.”