2

I just read the answer to this question Mobile numbers capture and transmit data and it sounds surprisingly simple for calls/SMS (and data?) to be intercepted by a fake base station.

From what I understand, if you were to walk past such a fake base station, your phone would automatically connect to it if the signal is strong enough and then the attacker has access to your phone.

The only way I can imagine protectin against this would be to explicitly specify which base station(s) the device can connect to. Would this give security or would the reduction in available networks to connect to make it impractical?

Community
  • 1
Bendy
  • 135
  • 2
  • 8

3 Answers3

1

Note that I am not an expert in this field, this information is gleaned from other sources.

3G Interception tools are about to appear (or may well have already done so).

The "Stingray" from Harris is the most commonly quoted product and is widely used by US "law enforcement" (or maybe that should be law ignorement!)

The tech blog Techdirt is a blog I regularly follow and is an excellent source of information regarding government use of these devices.

I've found at least one article on some tools that claim to detect and protect against rogue cell towers. Another article here talks about some ideas on protection against the reasons for using fake towers. Such as monitoring for constant tower resets (location tracking), disabling GPS (location tracking again) and secondary voice encryption.

Incidentally, such devices are not only a US problem. A recent wardrive through London found at least 20 fake towers (see the article on Techdirt).

Julian Knight
  • 7,092
  • 17
  • 23
0

Unfortunately not the way you are thinking. But things are never simple on information security.

Most of phones that I'm aware of, does not let you select a specific tower you want to connect. This is a usual GUI for Android:

enter image description here

and the relevant ones on Engineering mode GUI:

enter image description here

Why you want WCDMA only

There are others too, but I won't add here since it's not relevant to what you want to accomplish.

An attacker can pretend to be any carrier, so selecting your phone to only connect to Verizon for example, does not add security since the attacker can just pretend to be a Verizon tower.

The other sections (3G service, preferences and access point names are also irrelevant to security).

When you really think about, it should be simple to prevent these attacks...should the carrier make their tower locations public and giving you the ability to manually select which tower your device you will connect you would be safe. If phones also could recognize when a tower just pop up from nowhere and refuse to connect to it would be good too. Often attackers use airplanes or vehicles to carry the rogue tower and this also should be a big red flag for a phone (how many legit carrier towers are there that can move around?)

Resuming there are few things you, as user can do to protect yourself from these attacks.

But very often when you are under attack of a rogue tower, they will try to force you to use 2G, since it can be decrypted in real time (unlike 3G/4G) and you can tell your phone to only use 3G/4G like I did. This is the only thing I think you can do as user. Using a VPN for your mobile data is a good additional layer of security too.

I'm not aware of any other OS for phones that allow you to select more things than this option sadly.

But the most dangerous attacks from rogue tower is the SMS they can send you silently and with malicious payloads. So far a advanced user could try to mess with their OS so much that they can't receive or process SMS anymore but I don't know how feasible or effective this would be.

The only thing you can do to protect your calls is to use a VOIP that uses encryption, like Whatsapp functionality to call over internet. That would be secure even if they downgrade you to 2G. (Note that Whatsapp is owned by Facebook)

So far there is some open-source effort to defend against this...like Android IMSI-Catcher Detector

You know what is funny? After I selected WCDMA only, I never used 2G again. I used to get downgraded to 2G a lot, but since I live in a developing country I doubt that was the government flying planes over cities to mass interception like they do all the time in US. I think it was just my Carrier doing traffic shaping to me...so you can as well get a better mobile data if you deny 2G!

Freedo
  • 2,253
  • 5
  • 18
  • 28
  • This is great thank you - have you heard of the app "Tasker" on android? It has a function `Cell near` which could perhaps be used to only connect to certain towers? http://tasker.dinglisch.net/userguide/en/help/sh_index.html – Bendy Jul 10 '15 at 08:14
  • The phone cannot really locate the tower, so even if carriers publish their towers' location it won't do much good. However, this attack only works on 2G, because on 3G there is mutual authentication, so the phone verifies the tower it connects to. – KovBal Jul 10 '15 at 12:39
  • I've edited to add more details and a open-source software that try to detect rogue Towers. and @KovBal the same way the tower knows where is the phone, the phone also knows where is the tower. I'm sure that if Apple or Google developers wanted to create something to mitigate against that they could – Freedo Jul 10 '15 at 17:19
  • The carrier can triangulate the phone's location, if the phone has multiple towers in its line-of-sight, but a phone cannot do the same. I'm sure that OS developers _could_ do _something_, but dealing with rogue cell phone towers is the task of the authorities. They have the necessary infrastructure for the job. – KovBal Jul 11 '15 at 12:45
0

Just creating an extra answer here to make it more visible for people to find...

After reading around the subject, the only 'security' to protect yourself from these stingrays seems to be the below app that is only available on Android so far:

SnoopSnitch

It doesn't stop your phone connecting to these stingrays, however it can apparently detect when you're connected to one and make you aware of it.

Also worth noting is that to install it you need root access to your phone and running on a Qualcomm chipset

Bendy
  • 135
  • 2
  • 8
  • That isn't the only app. See the links in my answer. Not sure these apps would get through Apple approvals which may be why you don't see them there - maybe also Apple don't provide low enough access to the hardware. – Julian Knight Jul 10 '15 at 12:37