Hi, my name is Cooper Quintin and I'm here to talk to you today about detecting 4G base stations in real time. First, a little bit about me. I am a senior security researcher with the Electronic Frontier Foundation. I have a toddler and a new baby who is less than one week old, which should explain the bags under my eyes, because I'm very tired, and it should also explain the dad jokes in this presentation. I'm also a former teenage phone phreak. I spent a number of years building strangely colored boxes to do nefarious things to the phone system, which might explain why I got into the work that I'm going to present here today.

I work for EFF, or the Electronic Frontier Foundation. If you're not familiar with us, our work can be found at eff.org. We're a member-supported nonprofit and we defend civil liberties as they intersect with technology. We think things like freedom of speech, the right to assembly and the right to privacy exist online as well as offline, when you interact with technology as well as when you don't, and we've been defending these rights worldwide for more than 30 years.

I work for the EFF Threat Lab specifically, and I'm going to talk about that in a second. But before I do, I want to take a moment to thank my colleague Yomna. She's no longer at EFF and has joined a new company, but this work is as much hers as it is mine. She's a really amazing and smart person, and if you like this work you should check her out at @rivalelf on Twitter. None of this would have been possible without her.

So what is Threat Lab? Threat Lab looks at technology that targets at-risk people: specifically activists, human rights defenders, journalists, domestic abuse victims, immigrants, sex workers, minority populations and political dissidents, anybody who is at risk of violence for doing the work they do or simply being who they are. The technology that we look at usually shares a few similar goals: to gather intelligence on political opposition, to spy on people illegally or when they've left the country, to locate, capture, extort and harass people whose views you disagree with, and generally to stifle their freedom of expression and prevent them from speaking out and doing the work they do, or even just living their lives.

We look at a couple of different types of technology in this work. One of the main types of technology that we look at is state-sponsored malware and spyware. This is malware used to spy on people through their phones or their computers, and that's a big part of what we do. But another part of what we do is look at the technologies that law enforcement use to spy on people on the streets when they're going about their daily lives, and one of those technologies is known as a cell-site simulator.

So what is a cell-site simulator? A cell-site simulator is a transmitter or receiver that intercepts metadata and location information from cellular phones, often by masquerading as a legitimate cell tower. The terms IMSI catcher, Stingray, Hailstorm, fake base station and cell-site simulator are all pretty much interchangeable, and for the purposes of this presentation we will use them interchangeably. So they all mean the same thing.

So how did we get interested in cell-site simulators?
Well, it all started back around Thanksgiving of 2015, when I started getting messages from people at the Standing Rock Indian Reservation in North Dakota. At that time there was a large series of protests going on at Standing Rock to protest a pipeline which was being built through the reservation to deliver oil, and people at those protests had started seeing strange things which they thought might be indicative of the presence of a cell-site simulator. Some of them had installed applications on their Android phones which purported to detect cell-site simulators, and they sent me the screenshots of the detections. I thought that these screenshots were suspicious enough that it was worth going out to Standing Rock to see if I could detect these for myself. So I loaded up a few different apps on my phones and I grabbed a couple of $20 software-defined radios, and off I went.

When I got to Standing Rock, I started running the apps. I started scanning the 2G GSM cellular spectrum for any anomalies with the software-defined radios and set about to see what I could learn. And what I learned is that I had no idea what I was doing. The apps were showing me some results, but I couldn't really figure out what those results meant. Did they mean there was actually an IMSI catcher around, or did they just mean that the cellular network was having a hard time and failing in the normal ways that cellular networks fail all the time? Furthermore, I looked at what the 2G spectrum was producing from my software-defined radios and realized quickly that there were no 2G GSM towers anywhere in the area, real or fake. There was nothing going on on that spectrum at all; all of the connections in the area were over 3G or 4G. So this was very confusing.

I didn't know what to make of this. I certainly hadn't found any hard evidence of IMSI catchers, and it seemed like the methods that I was using wouldn't quite work. Up until that point, all of the knowledge that we had about IMSI catchers was based on an older model called the Stingray, as shown here. The Stingray is made by a company called Harris Corporation, and it is perhaps the most famous IMSI catcher. It works natively on 2G and it takes advantage of vulnerabilities in the 2G specification to trick phones into connecting to it and giving up their location and metadata for their calls. Now, since there was no 2G anywhere in the area of Standing Rock, we figured that any IMSI catchers that were out there must be operating natively on 4G or LTE. What's more, we had just discovered that the city of Oakland, which is a major city in California, had upgraded their Stingray to a new model of IMSI catcher called the Hailstorm. The Hailstorm purported to operate natively on 4G and have all the same characteristics, all the same capabilities, that the Stingray has. This was interesting to us because up until now we had assumed that 4G LTE had fixed all of the vulnerabilities that the Stingray could take advantage of and therefore might be impervious to IMSI catchers. But clearly this was not the case. So we figured that the best thing to do was figure out how a 4G LTE native cell-site simulator such as the Hailstorm could possibly work, and, more importantly, could we be able to detect them?
Yomna and I set about reading all of the academic papers we could for the next year about vulnerabilities in the 4G LTE protocol, and what we found is that there are several different vulnerabilities that next-generation CSS could be taking advantage of. Yomna wrote all these up in a really excellent white paper called "Gotta Catch 'Em All", which is a nice high-level summary of all of the vulnerabilities and how they work. I'm not going to get into this here, because Yomna's paper is really excellent and you should really just go read that. But suffice it to say, we found several ways, and we feel like we have a pretty good understanding of how a Hailstorm or a similar cell-site simulator might work.

So now that we've found out how they work, how often are they being used? Well, in the US we can use Freedom of Information Act requests to figure that out, at least for government usage. So the Immigration and Customs Enforcement wing of the US government used their cell-site simulator 466 times between 2017 and 2019, according to documents obtained by the American Civil Liberties Union. In local law enforcement, the city of Santa Barbara used their cell-site simulator 231 times in 2017, roughly equaling the number of times that the cell-site simulator was used by ICE, a federal agency, but for one small city in California. On the other hand, Oakland, California, which I talked about earlier, only used their cell-site simulator three times in 2017, four times in 2018 and once in 2019. And we think that the reason for this difference is that Oakland has strong privacy laws about when the police can use the cell-site simulator, why they can use the cell-site simulator and what sort of reporting they have to do after they use it. And we think this is evidence that those privacy laws actually work very well.

But of course we can't request freedom of information documents from everybody. For example, we think that foreign spies are using IMSI catchers around Washington, DC and the US Capitol, and we think this because the Department of Homeland Security put out a report saying that they had found several IMSI catchers in the area, which they assumed were operated by foreign spies. We also think that cyber mercenaries such as the NSO Group are using IMSI catchers. There was a report from Amnesty International about how NSO Group had used IMSI catchers to spy on a Moroccan journalist, presumably on behalf of the Moroccan government. Also, we think that criminals are using IMSI catchers. There's some body of evidence that Mexican drug cartels are using IMSI catchers to keep tabs on the Mexican federal forces that are going after them, and this makes sense. It only costs a couple of thousand dollars to build a really nice IMSI catcher, and this is certainly within the budget of a well-funded crime group such as a cartel, or even a smaller crime group such as a robbery ring.

So since we can't FOIA everybody, we also want to figure out how we can detect 4G IMSI catchers. There are a couple of previous attempts at this, and two schools of thought, which I'll call app-based and radio-based. The app-based school of thought, such as Android IMSI-Catcher Detector and SnoopSnitch, is usually a free Android application that can be downloaded from the Play Store. They are easy to use, but they can only get data about the transmitters or base stations that your phone is connecting to. They also get a lot of false positives and false negatives, because a lot of the things that might look like IMSI catcher activity are also things that happen often in the cellular network, and you have no way to tell whether this is a normal glitch or something that's actually suspicious.

On the other hand, there is a school of thought called radio-based IMSI catcher detection, and these are things such as the SeaGlass project out of the University of Washington or the SITCH project by Ash Wilson. The advantage of these is that you can get better data: you can get data about all of the transmitters or base stations in an area, not just the ones that your phone is connecting to, and you can get lower-level information. The downsides are that they're harder to set up and use. You have to know Linux, you have to know some programming and you have to buy some hardware, so it's not as cheap.

So after looking at these we thought, can we detect 4G cell-site simulators? How can we improve on these previous attempts? Well, one thing we can do is collect lower-level data. We like the radio-based approach to be able to see all the towers in the area, not just the ones that our phone chooses to connect to, and we can also compare that data over time to look for changes and suspicious new events. But the most important improvement that we can make is to not look at 2G or GSM towers, which all the previous technologies do, but to look at the 4G spectrum and to look at the anomalies we expect to see in 4G IMSI catchers. And the other really important thing we can do is verify the results, meaning to actually track down suspicious towers and see them with our own two eyes. If the suspicious base station is on top of a normal cell tower, that's probably fine. If it's on top of an embassy belonging to a foreign government, that is more suspicious. And if it's in the back of an unmarked van, that is extremely suspicious and most likely to be an IMSI catcher.

So Yomna and I set out building our detector, which we call Crocodile Hunter. Crocodile Hunter is an open-source software stack which is based on srsLTE. srsLTE is an open-source LTE implementation which implements not only the base station and back end of LTE but also the mobile phone equipment itself. It can be an LTE client as well as an LTE server. We also use Python for the database and front end and heuristics and number crunching about whether something is a suspicious base station or not. The hardware stack is a laptop or Raspberry Pi running Linux, a USB GPS dongle, a software-defined radio and two LTE antennas. This is very small and can easily fit into a backpack or into your car for concealability.

So this is an example of the Crocodile Hunter user interface. Each of the orange dots and black skulls is a base station. This was collected in downtown San Francisco in 2019. The black skulls are base stations that we think are suspicious. But of course not every one of them, in fact in this case probably none of them, are cell-site simulators, but they are all base stations that Crocodile Hunter found suspicious and we should probably follow up on.

The way that Crocodile Hunter works is we use srsLTE to scan a list of the 4G frequencies for system information blocks. These are packets which are sent out by the base stations fairly frequently which contain information like a cell ID, a unique ID for the base station, and a few other pieces of interesting information. srsLTE decodes those system information blocks and sends them back to the Python server over a local socket. The Python server then does a few things. The first thing we do is try to map out the antennas in real time. We use a method called trilateration, which is similar to triangulation, and some radio physics to estimate where all the base stations are located. We then can compare this to a public open-source database such as WiGLE or OpenCelliD to see if this transmitter has a history. Is this transmitter regularly seen in that area?
Is this transmitter one that's been in that area for a while? And this is predicated on the idea that cell-site simulators will tend to be mobile and only show up for a little bit and then leave, and not be stationary, sitting in one place for months or years. Then we can look for anomalies, now that we have the base stations and we've mapped them out. We look for things like base stations that move, base stations that are in two places at once, base stations that are new and haven't been seen before, or base stations that are only seen once and then never seen again, things that are changing parameters or missing parameters. All of these things are suspicious. And when we find a suspicious base station, we don't immediately assume it's a cell-site simulator or an IMSI catcher. That's why we have to go physically verify it and take a look at it with our own two eyes, to see if this is a false positive or to see if this is the real thing.

So what have we found so far? One of our earliest tests was in Washington, DC, where we found a really interesting base station. Normally it would give the mobile country code and mobile network code of 310 and 410, which correspond to the United States and AT&T respectively. There was another base station similarly giving the country code and network code of 310 and 410. But in one instance, one of those base stations suddenly started broadcasting a country code and network code of 350 and 490. 350 is the country code for Bermuda, and 490 is a network code which is not used by any network provider in Bermuda, but which is used by Sprint or T-Mobile in the United States, but notably not AT&T, which is who this base station belongs to. It even had the same base station ID. In the other case, the base station suddenly started broadcasting the country code and network code of 308 and 451, which belong respectively, 308, to Saint Pierre and Miquelon, which is a small island off the coast of Nova Scotia, and 451, which is not used by any network anywhere in the world. So this is really interesting, and why the heck is this happening? We have no idea. This is certainly not a result we expected to see, and although it is suspicious, we're not really sure what's going on here. So we kind of wrote that off as an anomaly and meant to investigate it later.

Later that summer in Oakland, California, there were a series of Black Lives Matter protests, during which we ran Crocodile Hunter between June 3rd and July 15th. And for most of that time we saw what we would expect to see: base stations from T-Mobile, AT&T, Sprint and so on. But in one instance, what we found were three different base stations suddenly broadcasting different country codes and network codes, and these were all seen on June 19th, which was the date of a large protest in downtown Oakland, which marched from the Port of Oakland, one of the biggest shipping ports in the world, to Oakland City Hall. In one case the base station was broadcasting a country code of 213, which is the country code of Andorra, and 688, which is not used by any network in Andorra. In another case the country code was 710, which is used by the country of Nicaragua, and 738, which is not used by any mobile network provider in Nicaragua. And in the third case it was broadcasting the country code of 319 and a network code of 59, which isn't used by any country or network anywhere in the world. So these are again very suspicious, and we only saw them that one time, despite doing three different scans over the course of a month and a half in the same area. This is pretty similar to what we saw in DC, and we still don't know what to make of it, but we think it's very suspicious and we're hoping to collect more data.

Finally, what's with the name? Well, there was a man, Steve Irwin, who used to run a show called The Crocodile Hunter, and unfortunately he was killed by the animal the stingray while he was swimming in Australia. You may remember the Stingray was the name of one of the original IMSI catchers. So we named this Crocodile Hunter to pay our respects to Steve Irwin. Thanks, Steve, much love.

So what is our future work here? Well, we have ongoing tests in Latin America with the Fade project, in Washington, DC, in New York City, and hopefully in your hometown and in countries around the world. The project is open source and we would love for you to download it, take a look and run it yourself. We would like to get more data. We think that this can only be improved with more data. We want to see if those strange networks with strange country codes pop up again in other places and try to figure out what that means. And we also want to improve our heuristics as we see what IMSI catchers look like in the wild.

Finally, how can we stop cell-site simulators? Unfortunately, there's not much that we as individuals can do, and unfortunately 5G doesn't solve the problem.
In fact, it leaves many of the same security problems that 4G has still open. One thing we can do is end 2G support on iOS and Android. 2G allows some of the worst abuses of IMSI catchers, such as listening to the content of phone calls, and if we stop 2G that would at least make the problem a little bit better. We can also eliminate some of the vulnerabilities in 4G, and there are some amazing proposals for how to do that which I can't get into now, but they will be linked to in the slides. We can get more data about the threat that cell-site simulators pose and how to detect them, which will help us pressure our governments to pass stronger privacy laws and regulations, and to pressure standards orgs, carriers and manufacturers to care more about user privacy and take this threat seriously. None of these are foolproof solutions, but we're not even doing the bare minimum yet, and I think that we could do better.

The final takeaways here: we have a pretty good understanding of the vulnerabilities in 4G which commercial cell-site simulators might exploit. None of the previous IMSI catcher detector applications really do the job anymore, but we've proven that the same principles which worked for previous cell-site simulator detection apps should work for the next generation of cell-site simulators. Finally, the problems of CSS abuse can be solved, but it's going to take a lot of work, not only engineering work but political work as well.

Thank you for your time. Again, I'm Cooper Quintin, I'm with the EFF Threat Lab and I'm a senior security researcher there. You can find me on Twitter at @cooperq or email cooperq@eff.org, and Crocodile Hunter can be found on our GitHub page here as well. Thanks, and I hope you enjoy the rest of the conference. Bye-bye.
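Added example, not part of the talk and not Crocodile Hunter's own code: a small Python implementation of four of the anomaly heuristics the talk describes (an MCC/MNC pair that no operator uses, a cell ID that changes the PLMN it broadcasts, a cell ID that is in two places at once, and a cell seen in only one scan and never again), run over hand-constructed observations modeled on the DC and Oakland findings. The PLMN and MCC tables are partial and constructed for this example (a real tool would load the full MCC/MNC registry and compare against WiGLE or OpenCelliD history), the base-station coordinates are invented, and the 5 km "same scan" distance threshold is an assumption.

```python
"""Toy anomaly checks over decoded LTE system-information observations.

Added example: this is NOT Crocodile Hunter's own code. It demonstrates four
of the heuristics the talk describes, run over hand-constructed observations:
  * a PLMN (MCC/MNC pair) that no real operator uses,
  * a cell ID that changes the PLMN it broadcasts,
  * a cell ID that is "in two places at once",
  * a cell that is seen in only one scan and never again.
"""
import math
from collections import defaultdict

# Partial, constructed PLMN registry. A real deployment would load the full
# MCC/MNC list; only the entries this example needs are present.
KNOWN_PLMNS = {
    (310, 410): "AT&T (United States)",                      # from the talk
    (310, 490): "United States (Sprint/T-Mobile, per the talk)",
}
# Partial, constructed MCC -> country table, used only to word the finding.
MCC_COUNTRY = {
    310: "United States",
    350: "Bermuda",
    308: "Saint Pierre and Miquelon",
    213: "Andorra",
    710: "Nicaragua",
}

# Constructed observations (no real data): one tuple per decoded SIB1.
# (scan number, cell ID, MCC, MNC, estimated base-station (lat, lon))
OBSERVATIONS = [
    (1, "cell-A", 310, 410, (38.8977, -77.0365)),
    (2, "cell-A", 310, 410, (38.8977, -77.0365)),
    (3, "cell-A", 350, 490, (38.8977, -77.0365)),   # same ID, PLMN flips to 350-490
    (1, "cell-B", 310, 410, (38.8895, -77.0353)),
    (1, "cell-B", 310, 410, (37.8044, -122.2712)),  # same ID, same scan, ~3,900 km away
    (2, "cell-B", 310, 410, (38.8895, -77.0353)),
    (3, "cell-B", 310, 410, (38.8895, -77.0353)),
    (2, "cell-C", 319, 59, (37.8044, -122.2712)),   # MCC 319 belongs to no country
]

EARTH_RADIUS_KM = 6371.0088


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def check_plmn(mcc, mnc):
    """Return None for a known PLMN, otherwise a human-readable reason."""
    if (mcc, mnc) in KNOWN_PLMNS:
        return None
    country = MCC_COUNTRY.get(mcc)
    if country is None:
        return f"MCC {mcc} is not assigned to any country"
    return f"MNC {mnc} is not used by any operator in {country}"


def find_anomalies(observations, max_same_scan_km=5.0):
    """Return (kind, cell_id, detail) findings for the heuristics listed above."""
    findings = []
    by_cell = defaultdict(list)
    total_scans = len({obs[0] for obs in observations})

    for scan, cell, mcc, mnc, pos in observations:
        by_cell[cell].append((scan, mcc, mnc, pos))
        reason = check_plmn(mcc, mnc)
        if reason:
            findings.append(("unknown_plmn", cell, f"scan {scan}: {mcc}-{mnc}, {reason}"))

    for cell, seen in by_cell.items():
        # Changing parameters: one cell ID broadcasting more than one PLMN.
        plmns = sorted({(m, n) for _, m, n, _ in seen})
        if len(plmns) > 1:
            findings.append(("plmn_change", cell, plmns))

        # Two places at once: same cell ID located far apart within one scan.
        positions = defaultdict(list)
        for scan, _, _, pos in seen:
            positions[scan].append(pos)
        for scan, pts in positions.items():
            for i in range(len(pts)):
                for j in range(i + 1, len(pts)):
                    d = haversine_km(pts[i], pts[j])
                    if d > max_same_scan_km:
                        findings.append(("two_places", cell, f"scan {scan}: {d:.0f} km apart"))

        # Seen once: present in exactly one of several scans, then gone.
        scans_seen = {s for s, _, _, _ in seen}
        if total_scans > 1 and len(scans_seen) == 1:
            only = next(iter(scans_seen))
            findings.append(("seen_once", cell, f"only in scan {only} of {total_scans}"))

    return findings


if __name__ == "__main__":
    for kind, cell, detail in find_anomalies(OBSERVATIONS):
        print(f"{kind:13} {cell}: {detail}")
```

Running the script prints one finding per heuristic that fires: cell-A is flagged for an unknown 350-490 PLMN and for changing its PLMN, cell-B for being in two places at once, and cell-C for an unassigned MCC and for appearing in only one scan. As the talk stresses, a finding is a reason to go and physically look at the transmitter, not a conclusion that it is a cell-site simulator.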