A team of high-profile researchers has uncovered an unsettling number of rogue cell phone towers in the United States and found that the towers can spoof legitimate towers and tap into phone calls.
The researchers, from ESD America, a high-profile digital defense firm based in Las Vegas, demonstrated that rogue cell towers, also known as “interceptors”, may be processing a large number of calls in commercial areas.
ESD America is the same firm that built the secure CryptoPhone, the oldest and most expensive high-security cell phone on the market. The company provides equipment and training to more than 40 countries, with the goal of providing high-end technical security assistance to governments and corporations around the world.
To find these rogue towers, ESD America set out to field-test its secure Android handset, the CryptoPhone 500, and came across a number of fake base stations along the Eastern seaboard of the United States. ESD America CEO Les Goldsmith told Popular Science that he found 17 faulty mobile towers throughout the United States that force phones to fall back to an easy-to-break 2G connection and then switch off encryption.
“What we find suspicious is that a lot of these interceptors are right on top of U.S. military bases. So we begin to wonder – are some of them U.S. government interceptors? Or are some of them Chinese interceptors?” Goldsmith said.
Who is behind the rogue cell towers remains unknown, Goldsmith said. He described the fake towers, or “interceptors”, as potentially able to perform man-in-the-middle (MitM) attacks, meaning that the rogue tower processes the call, siphons it off for interception and then passes the call on to a legitimate network.
The way interceptors exploit smartphones has been described as follows:
“Interceptors vary widely in expense and sophistication – but in a nutshell, they are radio-equipped computers with software that can use arcane cellular network protocols and defeat the onboard encryption. Whether your phone uses Android or iOS, it also has a second operating system that runs on a part of the phone called a baseband processor. The baseband processor functions as a communications middleman between the phone’s main O.S. and the cell towers. And because chip manufacturers jealously guard details about the baseband O.S., it has been too challenging a target for garden-variety hackers.”
Goldsmith said that when the ESD team drove to a United States government facility in the Nevada desert in early July, they brought along a standard Galaxy S4 and an iPhone to serve as a control group for his CryptoPhone 5000. Goldsmith explained that the CryptoPhone “lit up like a Christmas tree”, while the Samsung and iPhone showed no signs of calls being intercepted.
“As we drove by, the iPhone showed no difference whatsoever. On the Samsung Galaxy S4, the call went from 4G to 3G and back to 4G. The CryptoPhone lit up like a Christmas tree,” Goldsmith explained.
In the case described, the issue remains that the phone never alerts the end user when encryption is switched off while interacting with these interceptors.
The question remains: who is responsible for the interceptors? In one case, an interceptor was discovered inside a casino in Las Vegas, and many were found in other commercial locations. Media reported that some were found near military bases, which is false, as ESD stated.
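As an added example (not from the original article or from ESD), the Python code below shows the kind of check that would surface the condition described above: a drop to 2G followed by ciphering being switched off, while an ordinary 4G to 3G to 4G handover stays quiet. The log line format and the sample lines are constructed for this example; real baseband traces differ by chipset and tool.

```python
import re

# Constructed sample in a made-up line format (not a real baseband trace):
#   <seconds> RAT=<2G|3G|4G> CIPHER=<algorithm>
SAMPLE_LOG = """\
0 RAT=4G CIPHER=EEA2
12 RAT=3G CIPHER=UEA1
20 RAT=4G CIPHER=EEA2
95 RAT=2G CIPHER=A5/1
97 RAT=2G CIPHER=A5/0
140 RAT=4G CIPHER=EEA2
"""

LINE_RE = re.compile(r"^(\d+) RAT=(2G|3G|4G) CIPHER=(\S+)$")
# Null-cipher identifiers for GSM, UMTS and LTE: traffic is sent unencrypted.
NULL_CIPHERS = {"A5/0", "UEA0", "EEA0"}


def parse(log):
    """Return (time, rat, cipher) tuples, skipping lines that do not match."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3)))
    return events


def find_alerts(events, window=30):
    """Flag drops to 2G and any null cipher, escalating when they coincide."""
    alerts = []
    prev_rat = None
    downgrade_at = None  # time of the most recent drop from 3G/4G to 2G
    for t, rat, cipher in events:
        if rat == "2G" and prev_rat in ("3G", "4G"):
            downgrade_at = t
            alerts.append((t, "downgrade-to-2G"))
        elif rat != "2G":
            downgrade_at = None  # back on 3G/4G, the downgrade is over
        if cipher in NULL_CIPHERS:
            recent = downgrade_at is not None and t - downgrade_at <= window
            alerts.append((t, "cipher-off-after-downgrade" if recent else "cipher-off"))
        prev_rat = rat
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse(SAMPLE_LOG)):
        print(alert)
```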
“Edward Snowden revealed that the N.S.A. is capable of an over-the-air attack that tells the phone to fake a shut-down while leaving the microphone running, turning the seemingly deactivated phone into a bug,” Popular Science claimed.
“And various ethical hackers have demonstrated DIY interceptor projects, using a software programmable radio and the open-source base station software package OpenBTS – this creates a basic interceptor for less than $3,000. On August 11, the F.C.C. announced an investigation into the use of interceptors against Americans by foreign intelligence services and criminal gangs.”
ESD reported that these interceptors are, in most cases, not cell towers or anything similar; they are computers pretending to be cell towers. In addition, the interceptors were found to have a range of nearly one mile.
What is the solution to not getting attacked by these rogue interceptors? ESD is the provider of the CryptoPhone and recommends its product to circumvent the rogue attacks.
Popular Science stated that if you are not of any interest to the United States government, or rarely if ever leave the country, a CryptoPhone is not the best solution. The primary market for the CryptoPhone is executives who do business in Asia, Goldsmith stated.
One item to take into account when deciding whether a CryptoPhone is right for you is the fact that it costs $3,500, which is nearly five times the price of competing technology such as the BlackPhone.
Goldsmith told MIT Technology back in March that ESD couldn’t keep up with demand since the NSA revelations of last year.
No other commercial technology to resist interceptors exists. The issue is that the phone has to connect to the tower to make the call, and this cannot be detected by simple technologies from big-box retailers.