BY KIM ZETTER
Rogue cell phone towers can track your phone and intercept your calls, and it’s only a matter of time before they’re as ubiquitous as GPS trackers. But at least now there’s a way to spot them.
A firewall developed by the German firm GSMK for its secure CryptoPhone lets people know when a rogue cell tower is connecting to their phone. It’s the first system available that can do this, though it’s currently only available for enterprise customers using Android phones.
GSMK’s CryptoPhone 500, a high-end phone that costs more than $3,000, combines a Samsung Galaxy S3 handset with the CryptoPhone operating system. It offers strong end-to-end encryption, a specially hardened Android operating system that offers more security than other Android phones, and the patented baseband firewall, which can alert customers when a rogue tower has connected to their phone or turned off the mobile network’s standard encryption.
The problem with rogue cell towers is widespread. The FCC is assembling a task force to address the illicit use of so-called IMSI catchers—the devices that pose as rogue cell towers. But the task force will only examine the use of the devices by hackers and criminals—and possibly foreign intelligence agencies—not their warrantless use by law enforcement agencies bent on deceiving judges about their deployment of the powerful surveillance technology.
IMSI catchers, or stingrays or GSM interceptors as they’re also called, force a phone to connect to them by emitting a stronger signal than the legitimate towers around them. Once connected, pings from the phone can help the rogue tower identify a phone in the vicinity and track the phone’s location and movement while passing the phone signals on to a legitimate tower so the user still receives service. Some of the IMSI software and devices also intercept and decrypt calls and can be used to push malware to vulnerable phones, and they can also be used to locate air cards used with computers. The systems are designed to be portable so they can be operated from a van or on foot to track a phone as it moves. But some can be stationary and operate from, say, a military base or an embassy. The reach of a rogue tower can be up to a mile away, forcing thousands of phones in a region to connect to it without anyone knowing.
But GSMK’s CryptoPhone firewall aims to combat this by monitoring all connections to the phone’s baseband. It checks whether a particular cell tower lacks an ID like its neighboring towers—for example a name that identifies it as an AT&T or Verizon tower—whether it has a different signal strength, and whether the tower is operating as expected or trying to manipulate phones. It will also alert you when the mobile network’s encryption has been turned off or when the phone has suddenly switched from a 3G or 4G network to a 2G network—a less secure network that doesn’t authenticate cell towers and makes it easier to decrypt communication. IMSI catchers will often jam 3G and 4G signals to force a phone to use the less secure 2G network, and the CryptoPhone firewall will alert users when this occurs.
“At the same time, the firewall is monitoring every instruction coming into and out of the base station—and it’s showing you what baseband activity occurred but was not controlled by the operating system,” says Les Goldsmith, CEO of ESD America. For example, Goldsmith continues, “someone can send a message straight to your base station to operate the camera in your phone, and the firewall will show you that the camera has been actuated [even though] the user hasn’t pressed a button to do it.”
It also allows you to see if your phone made suspicious connections that are brief—say, a minute-and-a-half connection that occurred in the middle of the night when you were doing nothing on the phone and no applications were updating.
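The tower checks described above (a missing operator ID, an unusual signal strength, encryption switched off, a sudden fall from 3G or 4G to 2G) can be sketched as detection logic over a series of serving-cell readings. This is an added illustration, not GSMK's code: the `CellObs` fields, the 20 dB margin and the sample readings are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import median

RSSI_MARGIN_DB = 20  # assumed threshold: how much stronger than neighbours counts as odd

@dataclass
class CellObs:
    """One serving-cell reading (hypothetical fields, not a real baseband API)."""
    t: int                # seconds since capture start
    rat: str              # "2G", "3G" or "4G"
    operator: str         # operator name broadcast by the tower, "" if none
    rssi_dbm: float       # serving-cell signal strength
    ciphering: bool       # True if network encryption is on
    neighbor_ops: tuple   # operator names seen on neighbouring towers
    neighbor_rssi: tuple  # their signal strengths in dBm

def check(prev, cur):
    """Return the indicators raised by `cur`, given the previous reading."""
    alerts = []
    if cur.neighbor_ops and cur.operator not in cur.neighbor_ops:
        alerts.append("tower-id-mismatch")
    if cur.neighbor_rssi and cur.rssi_dbm - median(cur.neighbor_rssi) > RSSI_MARGIN_DB:
        alerts.append("signal-outlier")
    if not cur.ciphering:
        alerts.append("encryption-off")
    if prev is not None and prev.rat in ("3G", "4G") and cur.rat == "2G":
        alerts.append("downgrade-to-2g")
    return alerts

def scan(observations):
    """Walk readings in time order; return (timestamp, indicators) for flagged ones."""
    flagged, prev = [], None
    for cur in observations:
        alerts = check(prev, cur)
        if alerts:
            flagged.append((cur.t, alerts))
        prev = cur
    return flagged

# Constructed sample: normal 4G service, a suspicious 2G cell, then back to normal.
OPS = ("Operator A", "Operator A")
SAMPLE = [
    CellObs(0, "4G", "Operator A", -85, True, OPS, (-90, -95)),
    CellObs(60, "2G", "", -50, False, OPS, (-88, -93)),
    CellObs(120, "4G", "Operator A", -84, True, OPS, (-90, -96)),
]

if __name__ == "__main__":
    for t, alerts in scan(SAMPLE):
        print(f"t={t}s: {', '.join(alerts)}")
```

A single indicator, such as a fall back to 2G in poor coverage, also occurs on legitimate networks, so the combination of flags on one reading matters more than any one of them.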
ESD America has asked its 6,500 customers to notify them via email or tweet with a screenshot whenever their phone produces an alert about possible rogue activity to help them verify it. And in August alone, users sent in alerts showing the location of 19 rogue tower sightings spread throughout the U.S. The reports came in from casino executives in Las Vegas as well as business executives in other states.
“If someone gets the alert on the CryptoPhone to say there is an intercept, it doesn’t mean their call is being listened to; but it means that they are one of the 1,000 or 10,000 people that are having their calls routed through the interceptor,” says Goldsmith. “It doesn’t mean that person is a target, but that they happen to be in a place where someone is a target.”
Unfortunately, the firewall isn’t available for every phone. It’s currently designed for use on customized phones with the rest of the CryptoPhone operating system, although the firewall can be installed separately without other parts of the operating system. But it takes two to three months to customize a phone with the CryptoPhone operating system—Goldsmith’s company has to replace the resident Android operating system with the modified CryptoPhone operating system. And the company will only do the installation for enterprise and government customers where multiple phones of the same type are being modified at once. Goldsmith says it would take too much work to do different phones individually.
He says he can envision a consumer-level app in the future that could be installed on phones by individuals. Although such an app wouldn’t have all of the same functionality as the robust firewall has, it would still be able to alert you to a rogue cell tower. There are currently no plans for an app, however.