How To Detect And Find Rogue Cell Towers

Software defined radios are getting better and better all the time. Balaclava-wearing hackers know it, too. From what we saw at HOPE in New York a few weeks ago, we are only months away from being able to put a femtocell into a desktop computer for under $3000. In less than a year, evil, bad hackers could be tapping your cell phone or reading your text messages from the comfort of a van parked across the street. You should be afraid, even though police departments everywhere and every government agency already have that capability.

These fake cell sites have a variety of capabilities, from tracking an individual phone and collecting metadata about who you called and for how long, to much more invasive surveillance such as intercepting SMS messages and logging which websites you visit on your phone. The EFF calls them cell site simulators, and they are an incredible violation of privacy. While there were certainly several of these devices at DEF CON, I only saw one in a hotel room (see what I'm getting at here?).

No matter where the threat comes from, rogue cell towers exist. Simply knowing they exist isn't helpful – proper protection against governments or balaclava-wearing hackers requires some kind of detection system. For the last few months [Eric Escobar] has been working on a simple device that lets anyone detect when one of these Stingrays or IMSI catchers is turned on. With several of these devices linked together, it can even tell where those rogue cell towers are.

Stingray simulator detector

Stingrays, IMSI catchers, cell site simulators, and real, legitimate cell towers all broadcast beacons containing information about themselves. This information includes the radio channel number (the ARFCN), the mobile country code (MCC), the mobile network code (MNC), a location area code (LAC) that identifies a large region, and the transmit power. Together, those fields are the fingerprint you log and compare from one drive to the next. To make fraudulent cell sites harder to spot, some of this information may change over time, and legitimate networks change it too: transmit power may be reduced while a technician is working on a site, for instance.

To build his cell site detector, [Eric] logs this information with a device consisting of a Raspberry Pi, a SIM900 GSM module, an Adafruit GPS module and a TV-tuner software-defined radio dongle. Data received from a cell site is recorded in a database along with the GPS coordinates where it was heard. After driving around the neighborhood with the rogue cell site detector sitting on his dashboard, [Eric] had a lot of data, including latitude, longitude, the received power from each cell tower, and the data broadcast by the tower. This data was thrown into QGIS, an open source geographic information system package, revealing a heat map with the likely locations of cell towers highlighted in red.

This device really isn't a rogue cell tower detector – it's a cell tower detector, and it finds every tower it can hear. Telling a rogue tower from a legitimate one still takes some work. If the heat map shows a cell site on a fenced-off plot of land with a large tower, it's a pretty good bet the cell tower is legit. However, if the heat map shows a cell tower showing up on your street corner for just a week, that could be cause for concern. The useful comparison is against a baseline: survey the area once, then look for cells that are new, that move, or that stop being heard. A temporary legitimate site (a carrier's cell on wheels at an event, say) trips the same rule, so a hit is a reason to look closer rather than proof of an IMSI catcher.
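To make the logging and the "is this tower new?" judgment concrete, here is an added example in Python; it is not [Eric]'s code or anything from the original post. It assumes readings carrying the beacon fields above plus a cell ID (which the post does not list, but which a GSM module reports alongside the LAC) and a received signal strength in dBm, logs them to SQLite, estimates each cell's position as an RSSI-weighted centroid of the GPS fixes where it was heard (the heat map's red blob reduced to one point), and flags cells that were heard for only a fraction of the survey or that advertise a LAC no other cell of the same operator uses. The survey data and the two heuristics are constructed for the example.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed sample survey (not real drive-test data). Each row is one reading of one cell:
# (timestamp, lat, lon, mcc, mnc, lac, cid, arfcn, rssi_dbm), i.e. the beacon fields the
# post lists, a cell ID, and the GPS fix and received power logged next to them.
_T0 = datetime(2016, 8, 1, 9, 0)
SAMPLE_ROWS = []
for _day in range(30):
    _ts = _T0 + timedelta(days=_day)
    # Two cells of one operator (MCC 310 / MNC 410, LAC 8001) heard on every day of a 30-day survey.
    SAMPLE_ROWS += [
        (_ts, 40.7500, -73.9900, 310, 410, 8001, 12345, 128, -63),
        (_ts, 40.7520, -73.9900, 310, 410, 8001, 12345, 128, -55),
        (_ts, 40.7500, -73.9880, 310, 410, 8001, 12345, 128, -71),
        (_ts, 40.7500, -73.9860, 310, 410, 8001, 22222, 130, -58),
        (_ts, 40.7490, -73.9850, 310, 410, 8001, 22222, 130, -52),
    ]
for _day in range(26, 30):
    _ts = _T0 + timedelta(days=_day, hours=1)
    # A third cell: same operator codes, a LAC nobody else uses, very strong, only in the last 4 days.
    SAMPLE_ROWS += [
        (_ts, 40.7505, -73.9895, 310, 410, 9999, 1, 128, -40),
        (_ts, 40.7500, -73.9900, 310, 410, 9999, 1, 128, -45),
    ]


def load_observations(rows):
    """Log readings to a database as the Pi does; in-memory SQLite here so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE obs (
        ts TEXT, lat REAL, lon REAL, mcc INTEGER, mnc INTEGER,
        lac INTEGER, cid INTEGER, arfcn INTEGER, rssi REAL)""")
    conn.executemany("INSERT INTO obs VALUES (?,?,?,?,?,?,?,?,?)",
                     [(r[0].isoformat(),) + tuple(r[1:]) for r in rows])
    conn.commit()
    return conn


def estimate_positions(conn):
    """Per cell, the RSSI-weighted centroid of the GPS fixes where it was heard.

    Weights are linear power (dBm -> mW), so a -55 dBm reading pulls the estimate
    about six times harder than a -63 dBm one. Returns {(mcc, mnc, lac, cid): (lat, lon)}."""
    acc = {}
    for mcc, mnc, lac, cid, lat, lon, rssi in conn.execute(
            "SELECT mcc, mnc, lac, cid, lat, lon, rssi FROM obs"):
        w = 10 ** (rssi / 10.0)
        s = acc.setdefault((mcc, mnc, lac, cid), [0.0, 0.0, 0.0])
        s[0] += w * lat
        s[1] += w * lon
        s[2] += w
    return {cell: (s[0] / s[2], s[1] / s[2]) for cell, s in acc.items()}


def flag_suspicious(conn, min_presence=0.5):
    """Heuristics separating a cell worth a second look from a tower that has always been there.

    Returns [(cell, [reasons])]. Two tells, both assumptions of this example, not the post's:
      * presence: fraction of the survey window during which the cell was heard; a cell
        heard for a week of a month-long survey is the post's street-corner case.
      * lonely LAC: no other cell of the same MCC/MNC shares its LAC. IMSI catchers commonly
        advertise a fresh LAC to force phones to re-register, but in a small survey a
        legitimate LAC can also be represented by a single cell, so treat this one as weak."""
    first, last = conn.execute("SELECT MIN(ts), MAX(ts) FROM obs").fetchone()
    span = (datetime.fromisoformat(last) - datetime.fromisoformat(first)).total_seconds() or 1.0
    cells_per_lac = {(m, n, l): c for m, n, l, c in conn.execute(
        "SELECT mcc, mnc, lac, COUNT(DISTINCT cid) FROM obs GROUP BY mcc, mnc, lac")}
    findings = []
    for mcc, mnc, lac, cid, seen_first, seen_last, peak in conn.execute(
            "SELECT mcc, mnc, lac, cid, MIN(ts), MAX(ts), MAX(rssi) FROM obs "
            "GROUP BY mcc, mnc, lac, cid"):
        presence = (datetime.fromisoformat(seen_last) -
                    datetime.fromisoformat(seen_first)).total_seconds() / span
        reasons = []
        if presence < min_presence:
            reasons.append(f"heard for only {presence:.0%} of the survey, first seen {seen_first[:10]}")
        if cells_per_lac[(mcc, mnc, lac)] == 1:
            reasons.append(f"only cell of MCC {mcc}/MNC {mnc} advertising LAC {lac}")
        if reasons:
            findings.append(((mcc, mnc, lac, cid), reasons + [f"peak RSSI {peak:.0f} dBm"]))
    return findings


if __name__ == "__main__":
    db = load_observations(SAMPLE_ROWS)
    for cell, (lat, lon) in estimate_positions(db).items():
        print(f"cell {cell}: estimated at {lat:.5f}, {lon:.5f}")
    for cell, reasons in flag_suspicious(db):
        print(f"SUSPICIOUS {cell}: " + "; ".join(reasons))
```

On real data the interesting output is the diff between drives, so keep the database on disk and rerun `flag_suspicious` after each survey; a cell that appears in the new drive, is heard only near one corner, and sits in a LAC of its own is exactly the case the post describes, and still deserves a walk past the site before anyone calls it a Stingray.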

Future work on this cell site simulator detector will focus on making it a bit more automated – three or four of these devices scattered around your neighborhood would easily allow you to detect and locate any new cell phone tower. [Eric] is also looking at triangulating cell sites with an RF-blocking dome with a slot in it rotating around the GSM900 antenna: the slot angle at which a cell's signal peaks gives a bearing, and bearings taken from two or more detector positions cross at the site.
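The bearing-crossing idea above, as an added Python example that is not part of the post or [Eric]'s project: each detector contributes its own position and the bearing at which a cell peaked, and the function returns the least-squares point closest to all of those rays. It uses a flat-earth projection (good enough across a neighborhood) and refuses to answer when the rays are too nearly parallel or when the solution would lie behind a detector, since a slotted dome gives a direction, not a line. The station positions, the site, and the bearings in the demo are constructed; `bearing_to` exists only to fabricate them.

```python
import math

_EARTH_R = 6371000.0  # metres; flat-earth maths is fine across a neighbourhood


def _to_local(lat, lon, lat0, lon0):
    """Equirectangular projection: metres east (x) and north (y) of (lat0, lon0)."""
    x = math.radians(lon - lon0) * _EARTH_R * math.cos(math.radians(lat0))
    y = math.radians(lat - lat0) * _EARTH_R
    return x, y


def _to_latlon(x, y, lat0, lon0):
    lat = lat0 + math.degrees(y / _EARTH_R)
    lon = lon0 + math.degrees(x / (_EARTH_R * math.cos(math.radians(lat0))))
    return lat, lon


def bearing_to(lat1, lon1, lat2, lon2):
    """Compass bearing, degrees clockwise from north, from point 1 to point 2.
    Used here only to fabricate demo bearings; in the field the bearing is the dome
    slot angle at which the cell's RSSI peaked."""
    x, y = _to_local(lat2, lon2, lat1, lon1)
    return math.degrees(math.atan2(x, y)) % 360.0


def triangulate(fixes, min_angle_deg=10.0):
    """Least-squares intersection of bearing rays from two or more detector positions.

    fixes: [(lat, lon, bearing_deg), ...]. Returns (lat, lon), or None when the geometry
    cannot give a fix: fewer than two stations, rays too nearly parallel (every pair
    closer than min_angle_deg), or a solution lying behind one of the stations."""
    if len(fixes) < 2:
        return None
    lat0, lon0 = fixes[0][0], fixes[0][1]
    a11 = a12 = a22 = b1 = b2 = 0.0
    rays = []
    for lat, lon, brg in fixes:
        px, py = _to_local(lat, lon, lat0, lon0)
        dx, dy = math.sin(math.radians(brg)), math.cos(math.radians(brg))
        rays.append((px, py, dx, dy))
        # Squared distance of a point q from this ray's line is |(I - d d^T)(q - p)|^2;
        # summing over rays and zeroing the gradient gives the 2x2 system A q = b.
        m11, m12, m22 = 1.0 - dx * dx, -dx * dy, 1.0 - dy * dy
        a11 += m11
        a12 += m12
        a22 += m22
        b1 += m11 * px + m12 * py
        b2 += m12 * px + m22 * py
    # det(A) is the sum over all ray pairs of sin^2(angle between them), so a small
    # determinant means no pair of bearings crosses at a usable angle.
    det = a11 * a22 - a12 * a12
    if det < math.sin(math.radians(min_angle_deg)) ** 2:
        return None
    qx = (b1 * a22 - b2 * a12) / det
    qy = (a11 * b2 - a12 * b1) / det
    # A slot antenna gives a direction, not a line: reject a fix behind any station.
    for px, py, dx, dy in rays:
        if (qx - px) * dx + (qy - py) * dy <= 0.0:
            return None
    return _to_latlon(qx, qy, lat0, lon0)


if __name__ == "__main__":
    # Constructed scenario: three detectors around a block and one cell site to find.
    site = (40.7510, -73.9890)
    stations = [(40.7500, -73.9900), (40.7500, -73.9880), (40.7520, -73.9890)]
    fixes = [(la, lo, bearing_to(la, lo, *site)) for la, lo in stations]
    print("estimated site:", triangulate(fixes))
    print("parallel bearings:", triangulate([(40.750, -73.990, 45.0), (40.751, -73.989, 45.0)]))
```

With real slot readings the bearings carry several degrees of error, so three or four stations spread around the block beat two close together, and the `min_angle_deg` guard is what stops two neighbours looking the same way from reporting a confident but meaningless fix.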
