Norfolk, Virginia - Jigsaw Security's Technical Surveillance Countermeasures team is warning of a high number of rogue cellular towers. We have been watching with interest and collecting information to show that this is an ongoing problem on US soil.
On May 22nd the US Department of Homeland Security, in a letter to Sen. Ron Wyden (D-Ore.), confirmed that a recent Federal study had found signs of surveillance devices specifically designed to intercept text messages, calls and other sensitive information such as handset location. What is interesting is that Jigsaw's TSCM team has been observing this type of activity for far longer than the DHS study and has had to put countermeasures in place for internal communications based on threats that we started observing in 2016-2017 in several US locations (listed below). We do not have the ability to know whether these rogue base stations are being operated by Federal agencies or law enforcement; however, some of the locations where we have detected this activity are very strange, in some cases out of the way with small populations and not in the large metropolitan areas one would expect. One of the things that tipped us off was that, according to OpenSignal (https://opensignal.com/), some of the areas where we observed this activity had little or no coverage, yet we were seeing full signal strength along with strange handset activity, and when a call did complete the sound quality was different from what we are accustomed to, with echo and other anomalies.
News Media Reports (Related):
As part of the Washington Post story, Sen. Wyden released the following statement: "Given the reports of rogue spying devices being identified near the White House and other government facilities, I fear that foreign intelligence services could target the president and other senior officials."
Our concern is that in many cases we have observed phones stepping down from 3G (or 4G) to 2G GSM, which is one indicator that something may be amiss, especially in areas where 3G coverage is good. 2G GSM is the generation most easily impersonated, because a GSM handset never authenticates the network it attaches to, so when this occurs we assume that the connection (at least in larger metropolitan areas) has been compromised. Checking the Cell ID and Location Area Code of the base station against our baseline has in some cases confirmed this. We also know that technology created to improve coverage, such as picocell and femtocell hardware, is being abused. Several carriers were caught leaving default passwords on this hardware, which allowed researchers to come up with very clever ways to run man-in-the-middle attacks and capture traffic going to or from those cells.
We also know that IMSI catchers are in use by many agencies including local, state and federal police, as well as foreign intelligence agencies. The technology is small enough to be carried in a briefcase and typically the threat actors will get as close as possible to their targets when collecting data.
Again in the Washington Post article, the letter revealed that DHS was aware of reports that the global telephone signaling network, SS7, was being used to spy on Americans through their cellphones. Such surveillance, which can intercept calls and locate cellphones from anywhere in the world without any radio equipment near the target, is sometimes used in conjunction with IMSI catchers.
Specific Locations Mentioned in the Washington Post Article:
Russian Embassy and Embassy Row in Northwest Washington
Jigsaw Security has observed the same activity at the following locations:
Gaylord National Resort and Convention Center Baltimore, MD
Mandalay Bay Las Vegas, NV
McCarran Airport Las Vegas, NV
Chesapeake Regional Airport Chesapeake, VA
USCIS Seattle, Washington
Seattle-Tacoma International Airport
F Street and surrounding areas Washington DC
Suntrust Office Building and surrounding areas Richmond, VA
Norfolk Airport Norfolk, VA
Multiple Locations Los Angeles, CA
One of the things we noticed was that our battery life suffered greatly when we were connected to these unknown towers, and that they sometimes used channels not typically seen in this area on connections to normal towers. We would also note that our phones, sitting in a fixed location, would go from 4G to 3G and finally to 2G, and then after several minutes (and sometimes much longer) the 4G connection would return; after a while we would observe the step-down again even though the 4G signal was good at that location.
Getting a Baseline
In order to detect this activity you must have a good baseline of the area in which the observation is taking place. With software defined radios getting cheaper, there are inexpensive methods of detecting the activity; one of the courses we teach on corporate eavesdropping covers this topic in detail, including how to detect the activity inexpensively and accurately. Getting a baseline of an area is quite easy to do, but you have to collect for a long time: record which cell IDs and channels are in use, and at what signal levels, so you have something to compare against when things occur that are outside the normal scope of operations for the area. A change could mean that the cellular operator is conducting maintenance (which we observed in the Outer Banks, North Carolina recently when a tower went completely offline for 5 minutes), or that a rogue cellular base station has been powered on.
One other telltale sign is a signal far stronger than anything in the baseline. Licensed carriers stay within the FCC limits for their sites because they can be heavily fined, but a rogue operator simply doesn't care and will power up a radio at 20W or 50W; we even observed one rogue base station with a 200W signal, which is definitely not a legitimate tower. Seeing a signal jump to 3-4 watts of EIRP or more where the baseline never showed anything close is a sure sign that something is wrong. We fully understand that legitimate cells transmit at a wide range of power levels, so rather than relying on an absolute threshold we looked for very large swings in received power at a fixed location compared to the baseline. These locations were mapped and marked and are included in the list of recently observed suspected rogue tower activity above.
Airplanes and Signal Trickery
We have also observed aircraft loitering above specific areas for long periods of time, especially during periods of civil unrest. We have read news reports on aircraft-mounted signals systems in use by some parties authorized to utilize the technology. Many of these aircraft are observed for days or even weeks circling specific areas, and then they appear somewhere else in the country. Some of the activity listed above came about because we observed aircraft activity and decided to go and see if our baseline in the area had changed; in all but one case it had. If we observed phones stepping back down to 3G or 2G we marked that as a suspected hit.
Leveraging Engineering Mode
There are many devices available that allow cellular monitoring. Even without a SIM card, a handset in engineering mode can still show information about the towers in a given location. Because giving you step-by-step instructions would potentially put innocent people's communications at risk, we won't detail how to do it here. There are many tutorials out there for those interested in looking for towers; the Internet is your friend.
Engineering mode is the key to finding rogue access towers.
Why don't phones warn us?
First of all, let's just put this out there. Cellular providers have disabled the ciphering indicator, the warning a handset is supposed to show when the network selects A5/0, which means no encryption at all on the radio link. This makes man-in-the-middle attacks easy, because an IMSI catcher can simply tell the handset to use A5/0 and nothing on screen changes. The indicator is controlled by a setting the operator places on the SIM, so the only ways to get the warning back are to build your own firmware image or to use a program that reads diagnostic information from the handset's baseband. Android phones are your best option for rooting the phone and loading utilities that show whether ciphering is on or off on the current connection. A5/0 on a live connection should be treated as a huge indicator of a problem, as no carrier will normally disable encryption on a handset.
One other thing to keep in mind is that there is no real expectation of privacy when these devices are used against you in public spaces. For instance, if you start a phone call inside a mall with others around, agencies may defend interception by asserting that cell phone users have no right to privacy in public spaces. We have seen very specific court cases come about with this very argument and, surprisingly, judges have sided with the law enforcement agencies in many cases.
Bad Guy with Time
One thing to keep in mind is that this technology is not just available to law enforcement and Government. I personally do not care if the Government listens to my calls, as I have nothing to hide; however, that doesn't mean it's right for them to do so. In the 1980s and 1990s the technology to pull off these types of attacks was very expensive, putting it out of reach of most criminal entities. Since the early 2000s, software defined radio prices have fallen rapidly, and now anybody with $20 can look for cellular signals. For a few hundred dollars more, they can actually eavesdrop on calls and text messages. The real threat comes from foreign entities that want to target specific technologies for espionage purposes. This may explain why many of these rogue cellular towers are popping up around some of the most sensitive locations in Washington DC and in airports where there is a high volume of traffic. Just as card skimmers are placed at very busy gas stations, threat actors will try to capture information in very busy public spaces with large gatherings of people. The likelihood of capturing something of use goes up drastically when there are large numbers of people in a confined area such as conferences, concerts or recreational locations.
In short, we know that we are being targeted on US soil by governments, hackers and law enforcement. There are very specific things you can do to greatly lessen the chances of connecting to a rogue base station, which we will cover in a future TSCM-related blog post.
Since our initial publication of this post we have noted several more locations in which strange cellular activity has been reported. Our list of locations is growing, as are our means of detection. In short, someone recently forgot to remove the GSM information from their equipment, and we were able to identify the agency using the technology as well as the fact that the tower itself was moving. Yes, you read that correctly. By deploying multiple low-cost radios at very specific locations around our offices we have been able to map out the use of StingRay-like technology in our area. Not only have we observed the moving cellular tower, but we also noted that the time being provided by the tower was off by 2 minutes (they might want to check that next time before deploying).
We will have more information soon. The sudden complete disappearance of a tower followed by a new tower ID on reconnect is also a dead giveaway.
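To make the baseline-and-compare approach from the "Getting a Baseline" section concrete, and to tie together the other indicators called out on this page (a step-down to 2G or 3G while 4G is strong, a large power swing, a null cipher on the link, a tower clock that is off, and a never-before-seen cell ID appearing on reconnect), the following is an added example and not Jigsaw Security's own tooling. It assumes a CSV export of serving-cell samples (timestamp, radio access technology, LAC/TAC, cell ID, channel number, received power, cipher, network-supplied time) of the kind a handset in engineering mode or an SDR survey script could produce; the column layout, the thresholds and the two sample captures are all constructed for the example.

```python
"""Baseline-and-compare detector for rogue cell indicators.

Added example, not Jigsaw Security's tooling. Input is an ASSUMED CSV export
from a handset in engineering mode or an SDR survey script, one line per
serving-cell sample:
  timestamp,rat,lac_or_tac,cell_id,arfcn,rssi_dbm,cipher,network_time
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

STRONG_LTE_DBM = -95                 # LTE this strong should not be dropped for 2G/3G
POWER_SWING_DB = 20                  # 20 dB over baseline == 100x the usual power
CLOCK_SKEW = timedelta(seconds=60)   # network time further off than this is suspect
NULL_CIPHERS = {"A5/0", "none", ""}  # no encryption on the radio link

# Constructed sample data (not real captures): a quiet day at a fixed location,
# then a later capture at the same spot showing the indicators discussed above.
BASELINE_LOG = """\
timestamp,rat,lac_or_tac,cell_id,arfcn,rssi_dbm,cipher,network_time
2018-06-01T09:00:00,LTE,12345,67890001,5230,-88,EEA2,2018-06-01T09:00:01
2018-06-01T09:10:00,LTE,12345,67890001,5230,-90,EEA2,
2018-06-01T09:20:00,LTE,12345,67890002,5230,-94,EEA2,
2018-06-01T09:40:00,UMTS,2222,1500001,4384,-97,UEA1,
2018-06-01T09:50:00,GSM,2222,1001,190,-99,A5/3,
"""
SUSPECT_LOG = """\
timestamp,rat,lac_or_tac,cell_id,arfcn,rssi_dbm,cipher,network_time
2018-06-02T14:00:00,LTE,12345,67890001,5230,-87,EEA2,2018-06-02T14:00:00
2018-06-02T14:03:00,GSM,2222,4099,251,-52,A5/0,2018-06-02T14:05:10
2018-06-02T14:06:00,GSM,2222,1001,190,-101,A5/3,
2018-06-02T14:20:00,UMTS,2222,1500001,4384,-60,UEA1,
"""


def parse_log(text):
    """Parse CSV samples (header and blank lines skipped) into dicts."""
    obs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("timestamp"):
            continue
        ts, rat, lac, cid, arfcn, rssi, cipher, net_time = line.split(",")
        obs.append({
            "ts": datetime.fromisoformat(ts),
            "rat": rat,                          # GSM, UMTS or LTE
            "cell": (rat, int(lac), int(cid)),   # LAC/TAC + Cell ID names the cell
            "arfcn": int(arfcn),                 # ARFCN / UARFCN / EARFCN
            "rssi": int(rssi),
            "cipher": cipher,
            "net_time": datetime.fromisoformat(net_time) if net_time else None,
        })
    return obs


def build_baseline(obs):
    """What is normal at one location: known cells, channels per RAT and the
    mean received power of each cell. Collect over days, not minutes."""
    rssi, arfcns = defaultdict(list), defaultdict(set)
    for o in obs:
        rssi[o["cell"]].append(o["rssi"])
        arfcns[o["rat"]].add(o["arfcn"])
    return {"cells": {c: mean(v) for c, v in rssi.items()}, "arfcns": dict(arfcns)}


def detect(baseline, obs, window=timedelta(minutes=10)):
    """Compare a new capture against the baseline; return (ts, indicator, detail)."""
    findings, last_strong_lte = [], None
    for o in sorted(obs, key=lambda o: o["ts"]):
        ts, rat, cell = o["ts"], o["rat"], o["cell"]
        if rat == "LTE" and o["rssi"] >= STRONG_LTE_DBM:
            last_strong_lte = ts
        if cell not in baseline["cells"]:
            # A cell ID never seen here before, e.g. after the usual tower "vanished"
            findings.append((ts, "UNKNOWN_CELL", f"{rat} LAC/TAC {cell[1]} CID {cell[2]}"))
        elif o["rssi"] - baseline["cells"][cell] >= POWER_SWING_DB:
            findings.append((ts, "POWER_SWING", f"{cell} at {o['rssi']} dBm, "
                             f"baseline mean {baseline['cells'][cell]:.0f} dBm"))
        if o["arfcn"] not in baseline["arfcns"].get(rat, set()):
            findings.append((ts, "UNKNOWN_CHANNEL", f"{rat} ARFCN {o['arfcn']}"))
        if rat in ("GSM", "UMTS") and last_strong_lte and ts - last_strong_lte <= window:
            findings.append((ts, "DOWNGRADE", f"on {rat} although LTE was strong "
                             f"at {last_strong_lte.time()}"))
        if o["cipher"] in NULL_CIPHERS:
            findings.append((ts, "NULL_CIPHER", f"{rat} link unencrypted"))
        if o["net_time"] and abs(o["net_time"] - ts) > CLOCK_SKEW:
            skew = (o["net_time"] - ts).total_seconds()
            findings.append((ts, "CLOCK_SKEW", f"network time off by {skew:+.0f} s"))
    return findings


if __name__ == "__main__":
    base = build_baseline(parse_log(BASELINE_LOG))
    for ts, code, detail in detect(base, parse_log(SUSPECT_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M}  {code:15} {detail}")
```

Run against the constructed captures, the quiet day produces no findings, while the second capture flags the unknown GSM cell on an unfamiliar channel, the drop to 2G three minutes after a strong LTE reading, the A5/0 cipher, the network clock running two minutes fast, and a known 3G cell suddenly 37 dB above its usual level. A single indicator on its own (a maintenance window, a new carrier site) is not proof of anything; several of them together at a fixed location, compared against a baseline collected over days, is what is worth investigating.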