
Research in Depth: Rogue Cellular Access Points


As part of our continuing push for answers, we decided to provide an update on the rogue access point activity that we have been observing and investigating. After noticing strange activity of our own, along with the media reports previously mentioned in our reports, we began looking into this type of activity and have come up with some very interesting discoveries over the last few days.

As part of our risk management, Jigsaw Security has access to resources including very large databases of information. For this research, we accessed and leveraged many of these data sources to confirm the information posted in this story.

Businesses and Persons that Don't Exist!

While conducting other work late last week we crossed paths with a vehicle that was out of place. We didn't pay it much mind until we started reviewing data from the work we were completing and realized that the vehicle was emitting a ton of RF. Luckily we had some photographs from our other work, so we had identification information. Upon researching, we realized that the vehicle was registered to an individual who had been deceased for 4 years and to a business, owned by that individual, that no longer exists.

The interesting thing was that the vehicle, just like the rogue cellular access points in our earlier observation, was moving, and the signals we observed from this vehicle were moving with it.

Unknown Mobile Rogue Access Point

We purposefully have provided a photo in which the license plate was not visible so that we did not expose the operator of the vehicle.

What you can't see in this photo is that the roof rack on this vehicle was not the standard rack and we suspect that it was being utilized as an antenna array.

You can also see a shore power port on the driver's side of the vehicle.

Notes on the Activity

The vehicle was transmitting on frequencies typically used by cellular towers and was also communicating on VHF (confirmed as a nationwide frequency for a particular agency). The vehicle remained mobile, driving along a major highway, first heading west and then turning and driving east for quite some time on the same highway, with no apparent destination. The vehicle was observed for an extended period of time, and the signal coming from it was constant (and at a constant power level).

Conclusion and Thoughts

While agencies can utilize this technology without having to get FISA and CALEA warrants pretty easily, the interesting thing is that we (companies and civilians) are able to track the locations of these signals if we utilize fixed reception points to triangulate the origin of the signals being generated. While this used to cost hundreds of thousands of dollars to pull off, we can now do it easily with readily available consumer off-the-shelf hardware.
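The fixed-reception-point idea above, as an added illustration that is not Jigsaw Security's tooling or method: it fixes an emitter from signal strength logged at four fixed sites and flags it as mobile when successive fixes move, which a real tower would not do. The receiver coordinates, path-loss exponent, readings and the use of a log-distance power fit (rather than bearing-based triangulation) are all assumptions made for the example.

```python
import math

# Constructed fixed receiver sites, metres on a local grid. Four sites that do
# not share a circle; otherwise a power-ratio fix has a second, mirror solution.
RECEIVERS = {"rx1": (0, 0), "rx2": (4000, 0), "rx3": (2000, 3000), "rx4": (1000, 1200)}
PATH_LOSS_EXP = 3.0  # assumed log-distance path-loss exponent

def predicted_rssi(tx_dbm, emitter, site):
    """Log-distance model: received power falls by 10*n*log10(distance)."""
    d = max(math.dist(emitter, site), 1.0)
    return tx_dbm - 10 * PATH_LOSS_EXP * math.log10(d)

def locate(readings, step=50):
    """Grid-search the point that best explains one set of RSSI readings.
    Transmit power is unknown, so it is fitted as a common offset."""
    best, best_err = None, math.inf
    for x in range(0, 4001, step):
        for y in range(0, 3001, step):
            diffs = [readings[k] - predicted_rssi(0.0, (x, y), RECEIVERS[k])
                     for k in readings]
            offset = sum(diffs) / len(diffs)  # implied transmit power
            err = sum((d - offset) ** 2 for d in diffs)
            if err < best_err:
                best, best_err = (x, y), err
    return best

def track(samples):
    """One position fix per time-ordered set of readings."""
    return [locate(r) for r in samples]

def is_mobile(fixes, threshold_m=200):
    """True if any fix has moved more than threshold_m from the first one."""
    return any(math.dist(fixes[0], f) > threshold_m for f in fixes[1:])

def simulate(path, tx_dbm=43.0):
    """Constructed readings for an emitter at constant power along `path`."""
    return [{k: predicted_rssi(tx_dbm, p, s) for k, s in RECEIVERS.items()}
            for p in path]

if __name__ == "__main__":
    moving = simulate([(500, 1500), (1500, 1500), (2500, 1500), (3500, 1500)])
    fixes = track(moving)
    print(fixes, "mobile" if is_mobile(fixes) else "stationary")
```

Real readings are noisy, so fixes from field data scatter around the true position and the movement threshold has to sit above that scatter.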

NOTE: We purposefully did not photograph any of the individuals associated with these vehicles and have also not recorded any information that may be utilized to identify the operators.

Traditionally we have not worried too much about this type of attack because, until lately, the cost of the technology required to pull it off was out of the reach of hackers. However, with test equipment readily available, software defined radios being very inexpensive, and no shortage of curious onlookers, these attacks are easily pulled off by nearly anyone curious about the technologies at play. The cellular companies could also put checks and balances in place to prevent this type of activity. We will have more on this in our upcoming series on cellular attack vectors.
