funsec mailing list archives

Fake Cell Phone Towers Discovered Grabbing Signals


From: Jeffrey Walton <noloader () gmail com>
Date: Fri, 5 Sep 2014 14:22:27 -0400

http://www.cio-today.com/article/index.php?story_id=0100005SXV30

A series of fake cell phone towers designed to intercept user data has
been discovered throughout the U.S., according to the magazine Popular
Science. The organization behind the towers' construction and their
purpose remain mysteries.

In addition to listening in on encrypted phone calls, the surveillance
network is able to read SMS messages and record individuals' location
data. Nineteen such towers have been discovered throughout the U.S. in
the last week, Popular Science reported.

Unknown Culprit

The phony towers were discovered by ESD America, the company that
makes the CryptoPhone 500, a customized Android handset that runs
encryption software allowing it to identify when it is being hacked.
According to ESD, eight interceptor towers were discovered by just
driving between North Carolina and Florida. A tower has also been
discovered at the South Point Casino in Las Vegas.

The towers, technically known as IMSI-catchers, work by exploiting the
weak security in the antiquated 2G communication technology. The
towers fake the credentials of a phone carrier's own towers, then
trick the handset into connecting through them. Once connected, the
towers force the phones to disable their encryption, allowing whoever
has constructed the tower to eavesdrop on phone calls, text messages,
and other data.

The phones do not alert users that their encryption has been
deactivated. However, the fake towers force phones to slow down to 2G
from 4G, so a sudden decrease in download speed may be a clue that a
phone is being tapped.

Several of the interceptors have been constructed near U.S. military
bases. Although it is impossible to say for certain who is behind the
phone-tapping scheme, the federal National Security Agency is, perhaps
ironically, an unlikely culprit. According to a VentureBeat report
quoting Andrew Jaquith, CTO of cloud security provider SilverSky, the
NSA can listen to virtually any phone call it wants to by having the
carrier tap the call.

Joseph Hall, chief technologist for the Center for Democracy and
Technology, said the discovery of the surveillance network is a
troubling development for privacy concerns.

"This is by definition surveillance, eavesdropping and in the case of
content, wire-tapping," Hall told us in an e-mail. Use of that kind of
technology represents "activities that are criminally illegal without
a warrant from a judge or consent of the user."

Operation Stingray

Local police departments in several U.S. cities, on the other hand,
have been using similar technology, known as "stingray" towers. Like
the phony towers discovered by ESD, police in cities such as Oakland
use stingray towers to eavesdrop on the phone calls of anyone
connecting through a fake tower. What police departments are doing
with the evidence gathered through the phone tapping is difficult to
determine, since departments often conceal the use of stingray towers
in court cases.

Attempts by the American Civil Liberties Union to gain access to
stingray records in Florida have been blocked by a state judge, who
allowed the records to be seized by U.S. marshals. Like the mysterious
tower network, stingray towers also force handsets to switch to the
less secure 2G protocol.

DEF CON Conference

The proof of concept for this type of attack dates to the DEF CON 2010
hacking conference in Las Vegas, where Chris Paget demonstrated how a
fake cell phone tower could mimic a real one to secretly tap phone
calls. Paget was able to build his device for only around $1,500,
which would make the technology affordable to nearly any organization
or individual.

The FCC announced an investigation in August on the use of such towers
by criminal organizations and foreign intelligence services, although
it has been aware of the vulnerability since at least Paget's 2010
demonstration.

"If the U.S. government is the source of these [IMSI-catchers], we
expect an explanation," Hall said. "If not, we expect an investigation
and for the FCC to include this development in their ongoing
investigation."

Although ESD has only been able to verify the existence of 19 such
towers so far, the company said on its Facebook page that that number
is likely to prove only the tip of the iceberg. Enterprise IT
departments and other organizations looking to secure their
personnel's mobile communications do have some options, but they are
not cheap. ESD's CryptoPhone 500, for example, is priced around
$3,500.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

