
Rogue Cell Towers

Balint Seeber, Director of Vulnerability Research at Bastille Networks, discusses Rogue Cell Towers.


Summary

The Bastille Research Team proactively monitors for new radio-borne threats. Their breakthrough research and discoveries such as MouseJack and KeySniffer help to keep not just Bastille clients, but the larger ecosystem safe.

Rogue cell towers, also known as Stingrays or IMSI catchers, are used to hijack cellphone connections, allowing attackers to listen to calls and read texts. An attacker can even push malware to a vulnerable phone to compromise it. Another common use of rogue cell towers is to break two-factor authentication.

To learn more about finding rogue cellular devices and other RF-enabled devices operating in your environment read our Bastille data sheets or request a Bastille demo.

Video Transcript

Hello, my name is Balint Seeber, and I'm the director of Vulnerability Research at Bastille. I would like to take this session to talk about rogue cell towers as a top RF threat. Rogue cell towers are cellular towers that pretend to be legitimate cell phone towers that are operated by a registered operator.

So that is, even a device as small as this can be used to imitate a cell phone tower that your phone would attempt to connect to, and it would think that it is actually a legitimate cell phone tower operated by T-Mobile, Verizon or AT&T, for instance. Previously, this used to be quite an expensive kit to set up, on the order of hundreds of thousands of dollars.

Nowadays, it's possible to set such a rogue tower up for even under a thousand dollars, and once you set up the appropriate software and configure it, you can make it look like a tower that you would ordinarily log onto, and your phone would actually register with it. And what happens is 2G GSM has a vulnerability where the phone is not actually able to authenticate the network to determine whether it's a legitimate network or not, so commonly attack vectors use a downgrade attack: LTE and 3G will get blasted with white noise, so any phones that attempt to communicate over 3G or LTE won't actually hear the tower properly, and then downgrade to 2G, and they all see, aha, there's a strong 2G GSM tower, I'll log into that 'cause it's my carrier.

And then your phone will register, and will probably not warn you that it's registering without encryption, for example; this can be turned off at the base station. And then anybody that's operating the rogue cell tower will be able to see the IMSIs, the mobile subscriber identity numbers, that actually register with it, so you're able to track people that way, and state actors and non-state actors have actually used that technique.

This has been widely documented in the media. In addition, if you make any outgoing voice calls or outgoing texts, it's technically possible to reroute those onto the real network, so you can man in the middle and then listen to people's conversations and see their outbound texts. You also have data services, and so you can potentially man in the middle those data services on the rogue access point before you send them out onto the internet.

So, with less secure sites, you're able to SSL strip and downgrade the security there and see the data that's flowing through. Also, with just plain text services that are not encrypted, you will see everything as it flows through. So there's a potential to reveal sensitive data, track people, and just gather general intelligence about the movements of your targets.

Within the enterprise, this can be a problem because if people are looking at a very targeted attack, then you can gather intelligence and more information around a target that you're trying to track and potentially learn things about them and sensitive information they might use or disclose on their cell phone.

So that's why with Bastille, you can actually use the technology to monitor the environment, look at what cell towers are actually up and broadcasting, and compare that with a baseline, so you can see if any new ones have popped up, or if any new ones have popped up that look like legitimate services but with slightly odd configurations, and that way you can see whether anybody's trying to interfere with your environment.

There's ongoing research all the time being presented at security conferences where researchers look at new vulnerabilities or potential attack vectors even with the newer 3G and now 4G LTE protocols, and interesting work is coming out all the time, so, by no means does that solve all the existing security problems, and we're keeping abreast of that and monitoring that quite closely.

Thanks very much for listening. If you'd like to learn more, please visit our website.
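The transcript describes two things a defender can act on: the downgrade pattern (3G/LTE cells go quiet while a strong 2G cell appears, possibly advertising no ciphering) and the baseline comparison (compare the cells currently broadcasting against what is normally seen at the site, and flag newcomers and oddly configured cells). The following is an added example, not Bastille's product code and not its data format; the record layout, the baseline, the scan records, the operator codes and the signal-strength threshold are all constructed for illustration.

```python
"""Baseline comparison of observed cell broadcasts (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TowerObservation:
    """One cell seen in a scan. Field set is an assumption for this example."""
    mcc: str        # mobile country code
    mnc: str        # mobile network code
    lac: int        # location area code
    cell_id: int    # cell identity
    rat: str        # radio access technology: "GSM", "UMTS" or "LTE"
    cipher: bool    # whether the cell indicates ciphering is enabled
    rssi_dbm: int   # received signal strength in dBm


def identity(obs):
    """The tuple that names a cell for baseline comparison."""
    return (obs.mcc, obs.mnc, obs.lac, obs.cell_id)


# Constructed baseline: cells normally broadcasting at this site, with the
# radio technology each was last seen using. Codes are made-up sample values.
BASELINE = {
    ("310", "260", 4100, 20001): "LTE",
    ("310", "260", 4100, 20002): "UMTS",
    ("311", "480", 7731, 31005): "LTE",
}

# Constructed list of operator (MCC, MNC) pairs expected in this environment.
KNOWN_OPERATORS = {("310", "260"), ("311", "480")}


def assess(obs, baseline, known_operators, rssi_threshold_dbm=-40):
    """Return the list of findings for one observed cell (empty if it looks normal).

    The -40 dBm threshold is an assumption; a real deployment would derive it
    from the site's own history.
    """
    findings = []
    key = identity(obs)
    if key not in baseline:
        if (obs.mcc, obs.mnc) in known_operators:
            findings.append("unbaselined cell claiming a known operator")
        else:
            findings.append("unknown operator")
    elif baseline[key] != obs.rat:
        findings.append(f"RAT changed from {baseline[key]} to {obs.rat}")
    if obs.rat == "GSM" and not obs.cipher:
        findings.append("2G cell advertising no ciphering")
    if obs.rssi_dbm > rssi_threshold_dbm:
        findings.append("unusually strong signal")
    return findings


def review_scan(scan, baseline=BASELINE, known_operators=KNOWN_OPERATORS):
    """Map each flagged cell identity to its findings; clean cells are omitted."""
    flagged = {}
    for obs in scan:
        findings = assess(obs, baseline, known_operators)
        if findings:
            flagged[identity(obs)] = findings
    return flagged


def missing_cells(scan, baseline=BASELINE):
    """Baseline cells absent from this scan. 3G/LTE cells vanishing while a
    strong 2G cell appears is the downgrade pattern described in the talk."""
    seen = {identity(obs) for obs in scan}
    return set(baseline) - seen


# Constructed scan: one normal cell, one baseline cell now seen as 2G without
# ciphering, one new strong 2G cell using a known operator's codes, and one
# cell with operator codes nobody at this site expects.
SAMPLE_SCAN = [
    TowerObservation("310", "260", 4100, 20001, "LTE", True, -85),
    TowerObservation("310", "260", 4100, 20002, "GSM", False, -80),
    TowerObservation("310", "260", 4199, 65001, "GSM", False, -35),
    TowerObservation("999", "99", 1, 1, "GSM", True, -70),
]

if __name__ == "__main__":
    for key, findings in review_scan(SAMPLE_SCAN).items():
        print(key, "->", "; ".join(findings))
    print("baseline cells not heard:", missing_cells(SAMPLE_SCAN))
```

Each finding on its own is weak evidence (operators do add cells, and a phone held next to a legitimate antenna will report a strong signal), so the useful signal is the combination: a baseline LTE cell disappearing in the same scan in which a new, strong, uncipher 2G cell claiming the same operator appears is what should page someone.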
