6

Sorry for the somewhat vague title, it is hard to explain without the pictures as the network I connected to is Chinese (I believe). Note the cell signal in the top left corner and the name of the network carrier it is connected to.

I have AT&T as my service provider, and roaming is off. I have never seen this and am at a loss what this could potentially mean. I noticed this during work and the name and signal changed only for about 20-30 seconds before changing back to AT&T. Is this a potential and real security threat to me and potentially my coworkers? Should I notify someone in IT security of my findings?

  • iPhone 7 MN9N2LL/A
  • iOS 11 build 15A5318g
  • AT&T Prepaid Service

[Image: Chinese(?) characters up close]

[Image: Signal strength bar and signal type LTE]

nikobradshaw

2 Answers

11

I strongly suspect those four characters are an "A", a "T", an "&" (the Sun symbol) and a "T" again. Possibly the UTF8 for 4F10, 5418, E298BC and 5418.

Actually, as @Matt observed, the little-endian UTF16 sequence 4100 5400 2600 5400 ("AT&T"), if interpreted as big-endian, becomes 䄀吀☀吀 which closely matches the strange logo that appeared in the cellphone.

Possibly whatever packet contained the carrier "logo" got corrupted, CRC notwithstanding, and was interpreted as a foreign character set.

Update: Two users added comments (unfortunately posting them as answers, which got them deleted) confirming that this happened to them; in one case on September 29th and 30th, "several times [...] traveling through North Dakota, Minnesota, Wisconsin, Illinois and Indiana... usually when AT&T signals were weak."

LSerni
  • 2
    Shouldn't packets with failed (non-matching) CRC be dropped? – Azteca Jul 19 '17 at 20:32
  • 3
    I think you’re right: the byte sequence `\x41\x00\x54\x00\x26\x00\x54\x00` when interpreted as UTF-16 little endian is `AT&T`, but if interpreted as UTF-16 big endian is `䄀吀☀吀`, which as far as I can tell matches the picture. – matt Jul 19 '17 at 21:14
  • 3
    @matt and yet this yields a mystery: the packet *was not* corrupted, it just got *interpreted differently*. So the question becomes -- **why?** – LSerni Jul 19 '17 at 21:17
  • 2
    This has been insightful, thank you. Perhaps update your answer with @matt's comment since it supplements the information well. I believe this to be the correct answer. Since I am on a beta version of iOS it wouldn't be crazy to think this is just some sort of quick bug and most likely not any sort of security threat. – nikobradshaw Jul 19 '17 at 22:15
  • iPhones usually get their carrier name/logo from the carrier profile (which correctly says AT&T) but during network change may briefly display the actual network name broadcasted by the base station. It seems like the BTS was always broadcasting a wrong name and you just happened to notice it because the iPhone switched networks. – André Borie Oct 02 '17 at 14:16
  • Same thing displays on Windows Phone so it's not iPhone-only. – NoBugs Dec 10 '17 at 08:30
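
The byte-order mix-up described in the answer and comments above, as an added example that is not part of the original posts: it decodes the byte sequence quoted in the comments both ways and checks whether a displayed string is plain ASCII read with the wrong UTF-16 byte order. The function names are hypothetical, and the second sample string is constructed for contrast.

```python
from typing import Optional

# Byte sequence quoted in the comments above: "AT&T" as UTF-16 little endian.
WIRE = bytes.fromhex("4100540026005400")


def decode_both(raw: bytes) -> tuple:
    """Decode the same bytes as UTF-16 LE and as UTF-16 BE."""
    return raw.decode("utf-16-le"), raw.decode("utf-16-be")


def utf16_byte_swap(text: str) -> str:
    """Re-read every UTF-16 code unit of `text` with its two bytes swapped."""
    raw = text.encode("utf-16-be", errors="surrogatepass")
    return raw.decode("utf-16-le", errors="surrogatepass")


def diagnose_endian_mojibake(displayed: str) -> Optional[str]:
    """Return the likely intended text if `displayed` looks like ASCII that was
    decoded with the wrong UTF-16 byte order, otherwise None."""
    if not displayed:
        return None
    # ASCII stored as UTF-16 carries one zero byte per code unit. Read with the
    # wrong byte order, every character therefore has the form 0xNN00.
    for ch in displayed:
        cp = ord(ch)
        if cp > 0xFFFF or cp & 0x00FF:
            return None
    candidate = utf16_byte_swap(displayed)
    # Accept only if the swap yields printable ASCII throughout.
    if all(0x20 <= ord(c) < 0x7F for c in candidate):
        return candidate
    return None


if __name__ == "__main__":
    le, be = decode_both(WIRE)
    print("little endian:", le)
    print("big endian:   ", be)
    print("diagnosis of displayed name:", diagnose_endian_mojibake(be))
    # Constructed contrast sample: ordinary Chinese text is not flagged.
    print("ordinary text:", diagnose_endian_mojibake("\u4e2d\u56fd\u79fb\u52a8"))
```
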
1

I thought it would be helpful if we knew what the Chinese translated to. I asked my friend from China what that means and he says it's pretty much gibberish and nonsensical. Those are Chinese characters but do not really mean anything and are random. So it could be an abbreviation perhaps? Equivalent of something like AT&T in English.

This has never happened to me and it seems like your cellphone was ported off to a cellphone tower that declared its name as the Chinese characters that you see. I do not think that this is meant to be malicious since any malicious cellphone base station (see Stingray: https://en.wikipedia.org/wiki/Stingray_phone_tracker) is meant to covertly implement a MITM attack. In such cases, the attack would be transparent to you and you would still see the AT&T service on your phone.

Do other AT&T users in the same area also experience such porting? Did you try bringing in another AT&T phone into this area? It is hard to say what exactly this base station is without further information.

whoami
  • If the characters seen by the OP are Chinese characters but are nonsensical as Chinese, then could this be an instance of a [Bush hid the facts](https://en.wikipedia.org/wiki/Bush_hid_the_facts) (*mojibake*) type bug? It might actually be helpful if your Chinese friend can provide those characters in text form, and you were to include that in your answer; that would allow character encoding analysis, which could clarify whether this is the case. – user Jul 19 '17 at 18:38
  • No one else had the same issue I had, and I haven't been able to reliably reproduce it either. I tried walking to the area of the building I was in to see if I could pick it up but it never switched off AT&T at the time I tried. It wouldn't surprise me if it was just an iOS bug, but our work site has lots of valuable information that would be worth it to many blackhats, which is why this concerned me so much. They take security very seriously, so I don't want to bring this to our security team's attention unless I'm sure it isn't an innocent glitch with some text. – nikobradshaw Jul 19 '17 at 18:50
  • I asked another Chinese friend and they say they don't recognize these Chinese characters. They say that there are 100s of 1000s of Chinese characters and people usually only know the ones that are commonly used. These are not commonly used and my friend has no idea what they are. – whoami Jul 19 '17 at 19:29
  • It can be either an attack attempt or maybe a test of a 2G GSM network, if it's only in a small area (where you can't find 4G nor 3G; it also means the antennae are small, not a radio tower, so something like a BladeRF); check the [Evilbts/Yatebts](https://github.com/evilsocket/evilbts) repo. – Azteca Jul 19 '17 at 20:29