Think your calls and texts are secure? Think again.
Nefarious devices have long masqueraded as cell towers in a bid to intercept data from mobile devices. But at this week's (virtual) Black Hat, Cooper Quintin, Senior Staff Technologist at the Electronic Frontier Foundation, outlined a way to detect these bogus base stations, and offered suggestions on how to prevent their use altogether.
Everything Old Is New Again
Phony cell towers have been a mainstay of Black Hat and security research for years. Traditionally, the attack worked like this: the bad guy sets up a mobile cell station, like a Femtocell, and then jams the 3G and LTE bands. This forces nearby phones to connect via 2G, which uses a broken encryption system. Once phones connect, the attacker can see anything moving to and from victims' phones.
Police and other law enforcement agencies do the same with IMSI-catchers, which also simulate cell towers and trick devices into connecting. The use of these devices has long been controversial and shrouded in secrecy, but little was known about newer devices that targeted the 4G LTE bands. "We simply had no idea how they worked," Quintin said today.
This is important not only because 2G is increasingly obsolete, but because 4G offers numerous security improvements. LTE devices, for example, use better cryptography, and don't blindly connect to nearby cell towers. Understanding how LTE IMSI catchers worked would shed light on unknown vulnerabilities that might exist in the system.
In 2019, EFF Technology Fellow Yomna N tackled the problem, eventually producing a report that outlined the theoretical operation of a 4G IMSI catcher. In his presentation, Quintin showed how the first six steps of connecting a cellular device to a base station happened totally in the clear, and authentication didn't happen until the seventh step.
"This is where the dragons were," he said. During these initial steps, all sorts of important information could be extracted from the target device by a cell site simulator. It could even trick victims' phones into using a 2G connection, again opening up transmissions to the attacker.
Importantly, Quintin said that unless it's able to pull of its 2G switch, the new cell site simulators probably aren't able to intercept your data. But newer 4G IMSI catchers can track devices and surveil large crowds, like those found at protests.
Tracking the Towers
Security wonks have already released several tools for finding bogus cell towers. Some rely on software-defined radio technology, while others are simply smartphone apps. But while they're useful, none are adequate for ferreting out newer cell site simulators, Quintin said.
So the EFF produced its own tool: Crocodile Hunter. Why the name? "Stingray" is the brand name for an IMSI catcher marketed to law enforcement. It's also the animal that killed Steve Irwin, star of the TV program Crocodile Hunter.
Crocodile Hunter uses a Raspberry Pi and about $500 worth of radio equipment. The setup gatherers data about all the surrounding cell sites, and then compares that information against an open-source database of known cell towers. Anything that's a mismatch gets marked on a map with a skull.
Quintin stressed, however, that just because something's anomalous doesn't mean it's nefarious. Suspicious sites were found and examined. If it turned out to be attached to a tower or a building, that was probably legit. "If it's not a building at all but an unmarked van, well, that's more suspicious," said Quintin.
One thing Crocodile Hunter can't do is communicate with the questionable cell towers, and for good reason—"EFF lawyers helpfully pointed out, that would be illegal," explained Quintin.
The problem is that Crocodile Hunter isn't licensed by the FCC for such operations. That's too bad, because it would give researchers a lot more information about the suspect cell sites.
A Better Future
Work on Crocodile Hunter is ongoing, and Quintin hopes to improve its detection capabilities and bring down the cost of construction. The EFF has released all the information about Crocodile Hunter on GitHub, where any enterprising researcher can build their own version. The technology is currently being used in DC and New York, as well as in Latin America through the Fake Antenna Detection (FADe) project, Quintin said.
While detecting bogus cell towers is all well and good, Quintin has an eye on making it much harder for anyone to use IMSI catchers, or similar technologies, to surveil people. He called on Apple and Google to provide a toggle so users who don't need to use 2G can simply switch it off in Android and iOS. "This would eliminate the worst abuses such as downgrading to 2G," he said.
Quintin also suggested that the pre-authentication messages for 4G (and, he noted, 5G) either be eliminated or encrypted. Manufacturers and standards groups, Quintin suggested, should also make customer privacy a greater priority.
"None of these are foolproof, and none of these will stop [cell site simulators] entirely, but we aren't even doing the bare minimum," said Quintin.
Still, the talk ended on an upbeat note: "With a little elbow grease, and a little bit of political effort, this problem of IMSI catchers could be solved."
Further Reading
- Reporting Foreign Interference in US Elections Can Earn You a $10M Reward
- Zoom-Bombers Disrupt Bail Hearing for Alleged Twitter Hacker
- What to Expect at Black Hat 2020
- Report: Garmin Paid the Ransomware Demand
- More in Security