How To Detect And Find Rogue Cell Towers

Software defined radios are getting better and better all the time. The balaclava-wearing hackers know it, too. From what we saw at HOPE in New York a few weeks ago, we’re just months away from being able to put a femtocell in a desktop computer for under $3,000. In less than a year, evil, bad hackers could be tapping into your cell phone or reading your text message from the comfort of a van parked across the street. You should be scared, even though police departments everywhere and every government agency already has this capability.

These rogue cell sites have various capabilities, from being able to track an individual phone, gather metadata about who you have been calling and for how long, to much more invasive surveillance such as intercepting SMS messages and what websites you’re visiting on your phone. The EFF calls them cell-site simulators, and they’re an incredible violation of privacy. While there was most certinaly several of these devices at DEF CON, I only saw one in a hotel room (you catchin’ what I’m throwin here?).

No matter where the threat comes from, rogue cell towers still exist. Simply knowing they exist isn’t helpful – a proper defence against governments or balaclava wearing hackers requires some sort of detection system.. For the last few months [Eric Escobar] has been working on a simple device that allows anyone to detect when one of these Stingrays or IMSI catchers turns on. With several of these devices connected together, he can even tell where these rogue cell towers are.

A Stingray / cell site simulator detector
A Stingray / cell site simulator detector

Stingrays, IMSI catchers, cell site simulators, and real, legitimate cell towers all broadcast beacons containing information. This information includes the radio channel number, country code, network code, an ID number unique to a large area, and the transmit power. To make detecting rogue cell sites harder, some of this information may change; the transmit power may be reduced if a tech is working on the site, for instance.

To build his rogue-cell-site detector, [Eric] is logging this information to a device consisting of a Raspberry Pi, SIM900 GSM module, an Adafruit GPS module, and a TV-tuner Software Defined Radio dongle. Data received from a cell site is logged to a database along with GPS coordinates. After driving around the neighborhood with his rogue-cell-site detector sitting on his dashboard, [Eric] had a ton of data that included latitude, longitude, received power from a cell tower, and the data from the cell tower. This data was thrown at QGIS, an open source Geographic Information System package, revealing a heatmap with the probable locations of cell towers highlighted in red.

This device really isn’t a tool to detect only rogue cell towers – it finds all cell towers. Differentiating between a rogue and legitimate tower still takes a bit of work. If the heatmap shows a cell site on a fenced-off parcel of land with a big tower, it’s a pretty good bet that cell tower is legit. If, however, the heatmap shows a cell tower showing up on the corner of your street for only a week, that might be cause for alarm.

Future work on this cell site simulator detector will be focused on making it slightly more automatic – three or four of these devices sprinkled around your neighborhood would easily allow you to detect and locate any new cell phone tower. [Eric] might also tackle triangulation of cell sites with an RF-blocking dome with a slit in it revolving around the GSM900 antenna.

62 thoughts on “How To Detect And Find Rogue Cell Towers

  1. hashtag “There’s an app for that” (well, a couple actually)

    https://play.google.com/store/apps/details?id=com.gyokovsolutions.gnettrackproplus&hl=en (Paid, lots of data, nice exports, online component obviously a bit rubbish)

    http://opensignal.com/ (Free, data is a bit vague, tower locations almost useless)

    I like the hardware solution, but to get enough data for this to be useful to actually find rogue towers, apps are the way. Also, WTF clickbait headline, “This device really isn’t a tool to detect only rogue cell towers – it finds all cell towers. Differentiating between a rogue and legitimate tower still takes a bit of work.” vs “HOW TO DETECT AND FIND ROGUE CELL TOWERS”

    1. There’s also a couple of apps on f Droid that are designed to detect rogue towers, they have a map of legit towers, and if it detects some towers that don’t match up it throws an alarm.

    2. I wonder if the app is really able to differentiate between a real and masquerading tower. The per ITU standard the base stations publish their location but there is no guarantee the location is legit, signal boosters used in urban environments would probably make the task even more complicated if the signal strenght is used as unit of distance.

    3. How could a TI go about detecting a signal or recording negative frequencies/elf/emf that they are being bombarded with.. I can literally feel the buzzing then once I use an emf reader the reading is seven times higher than normal.. then once it’s being recorded the reading drops the buzzing stopd for about two minutes then on and on it goes.. also can feel my inner ears being cooked and I know the reasoning for that

  2. Pretty sure I had an app on my phone that showed me the location of cell sites at one point.

    As for identifying the rogue sites, there are a lot of buildings around here that have their own “site” (more than a femtocell less than a tower) that would make that more difficult…

    Friend of mine worked for a carrier, and saw the maps for cell towers, there was one intersection that had 4 cell sites all with in 100 feet of each other, and it was totally legit, 1 was a tower, 3 were in office spaces that got poor signal inside the building (because the tower was above them and the antenna’s don’t point down, and even if they did metal roofs would shield the signal).

    The key in picking up rogue sites is either looking for a moving site (stingrays on a plane) or looking for a new site to be created… just identifying what is there doesn’t help unless you have a list of known legitimate sites to compare against.

  3. Bypassing the internet has it’s advantages. [ as long as the encryption is strong enough. ] multi band parallel transfer via SDR might be an avenue for success. I guess it would feel like wireless dialup if only one frequency was used.

  4. No need to guess if the tower in question is legit. The FCC has a database of every cell tower in operation. There are places online with interactive maps so I’m sure there’s a *.shp for the data already out there.

      1. So true. I found an app that records when I am taken off the legit LTE tower and put onto another. They will say unknown or -38852 or things like that. Haven’t found a way to evade them yet but at least I realize when I’m being connected to them. That half the battle. The other answers will come. Tech is moving fast.

  5. So…cell base stations have unique ID numbers (and a bunch of other parameters). I suspect that if you get inside the protocol, stingrays would stick out like sore thumbs (some of the transmitted fields would be default values, vs. carefully programmed in real base stations) But, of course, all these fields would be different for each provider…

    Just a hunch…that might make IDing stingrays a bit easier.

      1. So, if that’s the case, they should be detectable. I don’t know enough about the current protocols to know for sure, but it seems like two towers with the same tower ID would be a problem for the protocol.

        Someone should be able to get a PhD out of this :-) Or, maybe we’ll see a really interesting paper at a future hacking convention.

        Wonder who will be the first to pick up a surplus Stingray at a GSA auction?

  6. There’s one big problem with cell-site detectors under the current operational theory: they assume that the malicious equipment isn’t broadcasting all the time, but that legitimate towers are. The detector can only compare “new” or “temporary” signals to pre-existing ones. That means if someone is broadcasting with malicious equipment early enough and/or long enough, they’ll be logged as a legit tower.

      1. Okay, that made me laugh. I’m serious, though. The only publicly-available database of legitimate cell towers I’ve examined (http://opencellid.org/) is out of date and incomplete at best. I’m sure there are others, but they’ll always depend on the notion that their first snapshot contains only legitimate towers.

        In a nutshell, what I’m saying is the current method by which cell-site simulators operate is inadequate. It’s a good start, but there need to be frequent, intelligent checks on the data to make sure it doesn’t mislabel malicious equipment as legitimate, or allow malicious equipment that’s already in the data to remain.

        1. Not sure how you can do that without getting eyes on the detected device. Even then, its not above the govt to prop up its own legit looking tower – hide in plain sight as they say.

          1. In some citys they hide real towers inside old abandoned buildings.
            Massachusetts (USA) has some ugly old factory buildings with dozens of broken windows and homeless people inside.
            And cellular antennae on the roof.

            We also have fake trees by the highways.

  7. Basically, you should always assume that your communications are being intercepted. Whether by your corporate IT dept, the NSA, local police, the Black Hat next door, or your mom, you’re likely to be spied on at any time. (Whether or not your data gets analyzed is another question). If you want to communicate privately, you need to employ adequate and rigorous encryption (and avoid 3rd party apps that claim to not have the keys or not save your messages but really do). If you want to go a step further, always use encryption so that your more sensitive messages do not stand out. Rotate keys often my friends!

      1. Which is essentially functionally correct in our current Orwellian society…
        I am all for realists, but, it is getting to the point that I am considering setting up my phone on my own openbts tower and turning off roaming.
        At least then I would have another layer of obscurity.

    1. I thought about that too, but I think this way is just a tiny bit simpler.

      With a (rotating) directional antenna, you need to actually rotate the antenna. That means either putting RF through a slip ring, which is probably a bad idea, or just putting an entire module on a slip ring turntable. You could scan back and forth, but that’s an inelegant solution. Not to mention a Yagi is long so you’re swinging a lot of mass around.

      The ‘rotating dome’ is significantly more simple. It would be a straight connection through an RF shielded base and a motor off to the side of the dome. Put an encoder or hall sensor on the rotating part, and you’re done. In my mind, it’s just a simpler way to have a constantly rotating directional antenna, and you’re going to need a constantly rotating antenna for what he’s using this for.

      1. You will get less gain with the shielded dipole than a real directional antenna though. Ignoring near-field effects of the dome, the antenna will still work as a dipole, with only a small sector actually receiving. The gain in the pointing direction is thus just 2.1dBi. Taking into account back-reflection will likely increase the gain somewhat, but will result in decreased directivity. Difficult to say really without simulating it.

        I would try rotating a patch antenna back-and-forth. Much less mass than a Yagi.

        1. Rough… I know… without examples the of using in books for Fox Hunting or Radio Direction Finding… people will think it’s Voodoo or something that’s not real.

          With my kit… I figured I’d go with synthetic aperture for starters upgrading from the yagi… then updating to have multiple synthetic aperatures to create a passive synthetic aperture phased array as the goal.

          Good call… how is the bandwidth and gain on the smart antennas? A phased array of discones would be sweet.

      2. Substantially less gain with that rotating radome idea plus it’d have to be a shielded radome which would be both heavy and expensive. Also, that radome would become an RF cavity to a certain extent. RF goes through slip rings all the time for both RADAR and SATCOM.

  8. I want an inexpensive cell phone signal repeater/booster where an antenna can be put outside a building with bad reception inside, and the rest of the thing, with more antennas, can be inside the building. It would need to work with all the different frequencies etc.

    Dunno why big companies like WalMart and Home Depot don’t have them in their stores already, especially when they push using their mobile websites for people to look for stuff to buy. “Use our mobile app, if you can get a signal inside our metal buildings that are nearly as RF tight as a Faraday cage.”

    1. They sell those, online.

      Reason Wal-Mart don’t sell them, I suspect, is because they’re expensive (a few hundred $ IIRC) and a niche market. That, and the potential disaster of letting People Of Wal-Mart install their own cell repeaters. You’d have more dead zones full of noise than you would actual signal. For which people would compensate, by buying more repeaters.

      1. Actually, sounds like a good business plan. Make bad repeaters and get them into the hands of a small percent of an area, they interfere with normal signal, so more people come to buy them, and the process repeats. Just have to make sure that repeaters improve the signal for the ones who buy them and damages everyone else’s.

  9. Ok, so fair enough someone can build a Cell Phone Tower in their home for not a lot of cash these days, but how the heck do they connect it to a phone company’s network without being detected?

    It’s one thing to make a tower, it’s another when people who connect to it suddenly loose all service even though they have full signal strength.

    1. You can connect it to your own landline phone. Or a mobile I suppose. It’s easy to connect to phone networks to send calls, that’s what a telephone does.

      If you wanted more lines, pay your telco for a few, like offices do.

    1. Hackaday had an article a couple years ago where a couple of guys started to get in to an att microcell but never finished the website :(

      http://hackaday.com/2012/04/12/poking-at-the-femtocell-hardware-in-an-att-microcell/

      Also, I just installed an Att METROCELL at a new building a finished. It supports up to 64 lte devices and it doesn’t require registering the numbers ala the microcell. Still only supports att band devices though. It’s been working great for the ~6wks I’ve had it up and running – only problem was it cost $5k, and that still irks me that I have to pay to allow att to provide service in my building. They should be giving them away to business customers….

      https://www.wireless.att.com/businesscenter/plans/network-coverage/att-metrocell/index.jsp

  10. Cell-site simulator are commonly called IMSI catchers or Stingrays. These are those devices that masquerade as a legitimate cell phone tower, tricking phones nearby into connecting to the device in order to log the IMSI numbers of mobile phones in the area or capture the content of communications. IMSI is simple words is an identifying number that is unique to each cell phone that stands for International Mobile Subscriber Identity. A cell-site simulator accurately and precisely describes the full capability of these devices.

    1. If anyone is absolutely serious about wanting to detect (for whatever purposes…the more sinister the better) a fake cell tower, it’s really as easy as adjusting your search parameters to the coordinates that I reside,. One might call my claim paranoid, another the beginning of a delusion of grandeur, another ……? In the not too distant past I researched ‘gang stalking’ and other related topics. Those people all sound bat shit crazy.

  11. What does it means if You keep being alerted of New cellIds in an area and they all say they belong to the same tower? Or uses same cell id ut different signals or bandwidths?

  12. Rogue cell towers are perhaps the most lucrative type of attack vector for hackers. Everyone’s life is on their smartphone, from bank accounts, credit cards, email, Amazon, etc.

    IMSI catchers broadcast a fake signal strength to get cellphones within range to connect to it. Once connected, the attacker can intercept calls and texts, drop calls, inject malicious URL’s to download malware, capture passcodes and get access to the whole keychain. Game over.

    Mobile rogue cell towers are everywhere and detectable with a cell tower app – even on an iPhone. If you are in a 5G area but connected to a UMTS or LTE tower, the attackers use the lower level encryption of these protocols to exploit and wiretap the connection. They are usually deployed within short trailers. They also implement a GPS offset to show the tower somewhere else, but the trailer/van will be close by.

    Most legitimate towers only have one protocol stack (LTE, UMTS, etc.) and they remove the older technology because tower space is limited and expensive. IMSI catchers on the other hand will have multiple protocol stacks – such as CMDA, LTE, UMTS – and some apps allow you to cycle through them. That is the first hint that it isn’t a legit tower. Also, certifying the tower exists with OpenSignal or other Tower identifier apps provides further proof.

    They execute wateringhole attacks in highly trafficked locations, such as shopping malls, farmer’s markets, etc. but law enforcement will not do anything – even with evidence. You can buy a Stingray device on eBay, purchase one from China, or build it yourself with a LimeSDR.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.