Spoofed cellular towers spotted at casino and military base

News by Steve Gold

Femtocells: handy for calls, providing you know who is handling them,,,

Next time you make a mobile phone call, are you sure that your call is being handled by a legitimate cellular carrier?

According to research carried out by ESD America - and the company behind the secure CryptoPhone - there's a chance that a rogue base station may process the call.

The firm discovered the existence of large numbers of fake base stations along the Eastern seaboard of the US, as it attempted to field-test its secure and hardened Android handset, the CryptoPhone 500.

Les Goldsmith, ESD America's CEO and his team claim to have discovered dozens of fake cellular base stations that did not belong to a cellco, but were processing cellular phone calls, allowing the base station owner to intercept calls and even remotely push spyware to the device.

Interestingly, ESD says that one of the rogue base stations was apparently being operated by a casino in Las Vegas, but many were found at military bases and government facilities.

Creating a rogue 3G or 4G base station takes a lot of money and resources, but creating a 2G rogue base station is something that Nigel Stanley, practice director for cyber security at OpenSky UK, claims can be carried out for under £1,000.  

This perhaps explains why ESD found that many of the rogue base stations it encountered forced calls down to 2G, spoofing a legitimate cellular tower in the process.

According to Popular Science, which interviewed Goldsmith and his team, a total of 17 rogue cellular base stations - which Goldsmith calls Interceptors - were seen on the team's travels, many of which were staging IP attacks against the user's smartphone as many as 90 times an hour.

Goldsmith says that cellular interceptors vary widely in expense and sophistication - "but in a nutshell, they are radio-equipped computers with software that can use arcane cellular network protocols and defeat the onboard encryption."

Baseband processor

"Whether your phone uses Android or iOS, it also has a second operating system that runs on a part of the phone called a baseband processor. The baseband processor functions as a communications middleman between the phone's main operating system and the cell towers. And because chip manufacturers jealously guard details about the baseband operating system, it has been too challenging a target for garden-variety hackers," says Popular Science's report.

When Goldsmith and his team drove to a US government facility in July, he also took a standard Samsung Galaxy S4 and an iPhone to serve as a control group for his CryptoPhone 5000.

"As we drove by, the iPhone showed no difference whatsoever. On the Samsung Galaxy S4, the call went from 4G to 3G and back to 4G. The CryptoPhone lit up like a Christmas tree," he said.

Commenting on ESD's analysis, Nigel Stanley, practice director for cyber security at OpenSky UK - who has been investigating smartphone security for several years - said that the findings are interesting, since his own research has revealed that - using a laptop, a software telephone exchange and using a Femtocell - it is possible to build a rogue cellular base station for under £1,000.

Stanley, who has previously built a research unit - in a Faraday cage to prevent stray signals from causing problems - says that that Femtocells, which are small cellular base stations that route calls across the Internet, are widely used in the US, and often used as fill-in options to ensure the best coverage for carriers.

This means, he says, that the Femtocells are set up to accept calls from all mobile users, making the task of subverting them a lot easier than in the UK, where Femtocells tend to be locked down by default.

"For example, I have a Vodafone SureSignal that provides local coverage for my smartphone, but it is set up to only allow calls from specific handsets that are authorised by myself and Vodafone. This would make the task of creating a rogue base station in the UK a lot more difficult than in the US," he explained.
Crime & Threats

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews