Security researchers say they have developed a new technique to detect modern cell site simulators.
Cell site simulators, known as "stingrays", impersonate cell towers and can record information about every phone in their range, in some cases including calls, messages and data. Police in the United States secretly use stingrays hundreds of times a year, frequently collecting data from innocent bystanders.
Little is known about stingrays because they are deliberately kept secret. Stingrays are made by Harris Corp. and sold exclusively to police and law enforcement agencies, under strict nondisclosure agreements that prevent the police from discussing how the technology works. What we do know is that stingrays exploit weaknesses in the way phones connect to 2G cellular networks.
Most of these weaknesses, though not all, are fixed in the newer, faster and more secure 4G networks. Newer cell site simulators, known as "hailstorm" devices, exploit similar flaws in 4G, letting police snoop on newer phones and devices.
Some phone apps claim to detect stingrays and other cell site simulators, but most of them produce wrong results.
But now researchers at the Electronic Frontier Foundation have developed a new technique that can detect hailstorm devices.
Enter the EFF's latest project, dubbed "Crocodile Hunter" after the Australian conservationist Steve Irwin, who was killed by a stingray in 2006. It helps detect cell site simulators by decoding nearby 4G signals to determine whether a cell tower is legitimate or not.
Every time your phone connects to a 4G network, it runs through a checklist, called a handshake, to establish that the phone can connect to the network. A number of unencrypted messages are exchanged with the cell tower, some of which reveal details about the user's phone in the clear, such as its IMSI number and approximate location. The tower's side of this exchange includes broadcast messages called the Master Information Block (MIB) and System Information Blocks (SIBs), which carry the cell's configuration and help the phone connect to the network.
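To make the "tower data" concrete, here is an added decoder (not code from the article or from Crocodile Hunter) for the 24-bit LTE Master Information Block, following the field layout in 3GPP TS 36.331: a 3-bit downlink bandwidth enumerator, a 1-bit PHICH duration, a 2-bit PHICH resource, the 8 most significant bits of the system frame number, and 10 spare bits. The payload bytes are constructed for the example, not captured from a real tower, and the "spare bits should be zero" plausibility check is a heuristic of this example rather than anything the EFF tool is known to do.

```python
# Added example: decode the 24-bit LTE MasterInformationBlock (MIB) that every
# 4G cell broadcasts, following the field layout in 3GPP TS 36.331 (unaligned
# PER: 3-bit dl-Bandwidth, 1-bit phich-Duration, 2-bit phich-Resource,
# 8-bit SFN MSBs, 10 spare bits). The payload used below is constructed, not
# captured from a real tower.

DL_BANDWIDTH_RB = [6, 15, 25, 50, 75, 100]          # n6 .. n100 resource blocks
RB_TO_MHZ = {6: 1.4, 15: 3.0, 25: 5.0, 50: 10.0, 75: 15.0, 100: 20.0}
PHICH_DURATION = ["normal", "extended"]
PHICH_RESOURCE = ["oneSixth", "half", "one", "two"]


def _bits(payload: bytes) -> str:
    """Render bytes as a string of '0'/'1' characters, MSB first."""
    return "".join(f"{b:08b}" for b in payload)


def decode_mib(payload: bytes) -> dict:
    """Parse a 3-byte MIB payload into its fields.

    Raises ValueError when the payload is not a plausible MIB, which is the
    kind of "does not seem reasonable" signal a tower scanner wants to surface.
    """
    if len(payload) != 3:
        raise ValueError("MIB payload must be exactly 24 bits")
    bits = _bits(payload)
    bw_idx = int(bits[0:3], 2)
    if bw_idx >= len(DL_BANDWIDTH_RB):
        raise ValueError(f"dl-Bandwidth index {bw_idx} is not a valid enumerator")
    rb = DL_BANDWIDTH_RB[bw_idx]
    duration = PHICH_DURATION[int(bits[3], 2)]
    resource = PHICH_RESOURCE[int(bits[4:6], 2)]
    # The MIB carries only the 8 most significant bits of the 10-bit SFN; the
    # low 2 bits come from which 10 ms frame within the 40 ms MIB repetition
    # period the decoder locked onto, so a bare decode yields a multiple of 4.
    sfn = int(bits[6:14], 2) << 2
    spare = bits[14:24]
    return {
        "dl_bandwidth_rb": rb,
        "bandwidth_mhz": RB_TO_MHZ[rb],
        "phich_duration": duration,
        "phich_resource": resource,
        "sfn": sfn,
        # Heuristic assumption of this example: live networks leave the spare
        # bits at zero, so non-zero spare bits are worth a second look.
        "spare_zero": spare == "0" * 10,
    }


# Constructed payload: n50 (0b011), normal (0), one (0b10), SFN MSBs 0b10100101,
# spare all zero -> 0x6A9400.
SAMPLE_MIB = bytes.fromhex("6A9400")

if __name__ == "__main__":
    print(decode_mib(SAMPLE_MIB))
```

The MIB alone never identifies the operator; the PLMN (MCC/MNC), tracking area code and cell identity that a scanner compares against known towers come from SIB1, which is a larger, variable-length message and is not decoded here.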
"This is where the vulnerabilities at the heart of 4G lie," said Cooper Quintin, a senior technologist at EFF who led the research.
Quintin and his colleague Yomna Nasser, who wrote the EFF's technical paper on how cell site simulators work, found that collecting and decoding MIB and SIB messages over the air can identify potentially illegitimate cell towers.
This became the basis of the Crocodile Hunter project.
A rare public photo of a stingray, made by Harris Corp. Credit: U.S. Patent and Trademark Office
Crocodile Hunter is open source and can be run by anyone, but it requires a stack of hardware and software to work. Once Crocodile Hunter is up and running, it scans for 4G cellular signals, decodes the tower data and plots the towers on a map using trilateration.
The system still needs some thought and human input to find the anomalies that could identify a real cell site simulator. Those anomalies can take the form of cell towers appearing out of nowhere, towers that appear to be moving or that do not match the known assignments of existing towers, or towers that send MIB and SIB messages that do not look reasonable.
That is why verification matters, Quintin said, and why stingray detection apps fall short.
"Just because we find an anomaly doesn't mean we found the cell site simulator. We actually have to go look into it," he said.
In one test, Quintin tracked a suspicious-looking cell tower to a truck outside a conference center in San Francisco. It turned out to be a legitimate mobile cell tower brought in to expand cell capacity for a technical conference inside. "Cells on wheels are pretty common," said Quintin. "But they do have some interesting similarities with cell site simulators, namely that they're a portable cell that is usually not there, suddenly appears, and then goes away."
In another test, conducted earlier this year at the ShmooCon security conference in Washington, DC, where cell site simulators had been found before, Quintin turned up two suspicious cell towers with Crocodile Hunter: one broadcasting a network identifier associated with a Bermuda cellular network, and another that was apparently not associated with any cellular network at all. Given that Washington, DC is nowhere near Bermuda, that made no sense.
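The anomaly classes described above (towers appearing out of nowhere, towers that move, towers that do not match known assignments, and towers whose broadcast parameters do not add up) and the ShmooCon findings (a PLMN belonging to another country, a PLMN belonging to no known operator) are simple enough to express as checks over a scan log. The following is an added example written for this article, not Crocodile Hunter's own code, and its heuristics differ from the EFF tool's. The scan log, the allowlists of known PLMNs and known cells, and the 1 km movement threshold are all constructed for the example; the only external facts it relies on are that MCC 310 to 316 belong to the United States and MCC 350 to Bermuda.

```python
import csv
import io
import math

# Constructed scan log, one row per observation of a decoded 4G cell: time,
# PLMN (MCC/MNC) and cell id from SIB1, tracking area code, and the position
# the scanner estimated for the tower. Not real captured data.
SAMPLE_LOG = """\
ts,mcc,mnc,cell_id,tac,lat,lon
1,310,410,12345,5001,38.9072,-77.0369
2,310,410,12345,5001,38.9075,-77.0365
3,310,260,22222,5002,38.9080,-77.0370
4,350,01,99001,1,38.9070,-77.0372
5,310,999,77777,5003,38.9071,-77.0368
6,310,410,55555,5001,38.9072,-77.0369
7,310,410,55555,5001,38.9500,-77.0369
8,310,410,12345,9999,38.9072,-77.0369
"""

# Assumed baselines for the example. A real deployment would build the PLMN
# list from an operator database and the cell list from earlier survey drives.
US_MCCS = {"310", "311", "312", "313", "314", "315", "316"}
KNOWN_PLMNS = {("310", "410"), ("310", "260")}
KNOWN_CELLS = {("310", "410", "12345"), ("310", "260", "22222")}
MOVE_THRESHOLD_KM = 1.0   # a fixed tower should not drift further than this


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_log(text):
    """Turn the CSV scan log into a list of typed observation dicts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": int(row["ts"]), "mcc": row["mcc"], "mnc": row["mnc"],
            "cell_id": row["cell_id"], "tac": row["tac"],
            "lat": float(row["lat"]), "lon": float(row["lon"]),
        })
    return rows


def find_anomalies(observations, known_cells=KNOWN_CELLS,
                   known_plmns=KNOWN_PLMNS, expected_mccs=US_MCCS):
    """Return (reason, cell_key) pairs, each cell flagged once per reason."""
    anomalies = []
    flagged = set()
    first_seen = {}   # cell_key -> (lat, lon) at first observation
    first_tac = {}    # cell_key -> TAC at first observation

    def flag(reason, key):
        if (reason, key) not in flagged:
            flagged.add((reason, key))
            anomalies.append((reason, key))

    for o in observations:
        key = (o["mcc"], o["mnc"], o["cell_id"])
        if o["mcc"] not in expected_mccs:
            flag("foreign_mcc", key)            # e.g. a Bermuda PLMN in Washington
        elif (o["mcc"], o["mnc"]) not in known_plmns:
            flag("unknown_plmn", key)           # belongs to no known operator
        if key not in known_cells:
            flag("new_cell", key)               # appeared out of nowhere
        if key in first_seen:
            lat0, lon0 = first_seen[key]
            if haversine_km(lat0, lon0, o["lat"], o["lon"]) > MOVE_THRESHOLD_KM:
                flag("moving_cell", key)        # a fixed tower should not move
            if o["tac"] != first_tac[key]:
                flag("inconsistent_sib", key)   # same cell, different SIB1 TAC
        else:
            first_seen[key] = (o["lat"], o["lon"])
            first_tac[key] = o["tac"]
    return anomalies


if __name__ == "__main__":
    for reason, key in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{reason:17s} MCC={key[0]} MNC={key[1]} cell={key[2]}")
```

Every hit here is a lead, not a verdict: a cell on wheels trips "new_cell" just as a simulator would, which is exactly why Quintin insists on going to look.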
Quintin said the project aimed to help detect cell site simulators, but conceded that police would keep using them as long as cell networks remained vulnerable to them. The fix might take years.
Instead, Quintin said phone manufacturers could do more at the device level to prevent attacks by letting users disable access to older 2G networks, which would effectively let users opt out of the older stingray attacks. In the meantime, cellular networks and industry groups should work to fix the vulnerabilities that hailstorm devices exploit.
"None of these solutions will be foolproof," said Quintin. "But we don't even do the bare minimum."
Send tips securely via Signal and WhatsApp to +1 646-755-8849 or send an encrypted email to: zack.whittaker@protonmail.com