All posts by pedro

YateBTS rogue station running at RSA Conference 2018

It doesn’t look like an IMSI-catcher attack; it seems much more like a misconfiguration: someone playing around with YateBTS on a laptop with a BladeRF plugged in, who completely forgot to disable the welcome SMS (or to modify the source to avoid it), so everyone who walked around the RSA conference near this YateBTS station received a welcome SMS as shown above.



@s7ephen’s tweet about this message:

David Burgess (who started the OpenBTS project some time ago with Harvind Samra) wrote his own note on the YateBTS web page regarding this strange rogue tower:

The ‘rogue GSM tower’ episode and Cambridge Analytica: why ethics matters to technology

Probably this RSA edition will be remembered for the attendee data leak (article from ), but this GSM station broadcasting welcome SMS is also quite interesting.


DHS acknowledges unauthorized foreign Stingray use in Washington D.C.

Hi all,

Washington D.C. once again. But this is believed to be the first time the U.S. government has publicly acknowledged the devices in Washington, according to The Associated Press.

I’m looking forward to visiting Washington D.C. with my CellAnalysis laptop or, even better, deploying probes all around the city to trace these mysterious devices.

The article has been covered by several media/news websites:

[npr] Feds Say They’ve Detected Apparent Rogue Spy Devices In D.C.

[foxnews] Homeland Security finds suspected phone surveillance devices in Washington

[scmagazine] DHS acknowledges unauthorized foreign Stingray use in Washington D.C.

[cnet] Homeland Security has detected phone spying devices in DC


Stay tuned for more fake station news and CellAnalysis new versions.


Canada: Toronto police admit they use Stingray


Quote from the article: “After denying use of the controversial technology, documents obtained by the Star show that the Toronto Police Service has used the cellphone data-capturing device known as an IMSI catcher, or Stingray, in five separate investigations.”

This new article from raises new use cases from the Toronto Police.

Read the full article here.

IMSICatching attacks on 3G networks (part 1)

In June of this year I announced the participation of CellAnalysis in the Sysmocom Accelerate 3g5 program project to detect 3G IMSI-catching attacks. This article describes the first steps in studying the 3G attacks within the Osmocom infrastructure and the basic detection principles that are being implemented in CellAnalysis 3G.

Lab infrastructure:

Following the steps in the Getting_Started_with_3G tutorial, we set up the 3G network, but we will modify the MSC node source code. We don’t need to add any subscriber to the HLR/AuC database, since we are not going to deliver 3G service to our victims. The mobile’s registration attempt in our 3G network will always be rejected, so that it downgrades to 2G, in the same way as we saw in 4G (4G / LTE IMSI Catchers). In this first article we will use the “Location Update Reject” attack, with the different rejection causes forcing the mobile to register in the 2G network (the downgrade attack).


    · femtocell nano3G (Sysmocom)
    · Osmocom 3G network, running on Ubuntu 14 (Intel Core i5 4200U 1.6GHz, 8GB RAM)
    · BladeRF x40
    · YateBTS, 2G network running on Ubuntu 16 (Intel Atom 1.6GHz, 8GB RAM)

Once the 3G network is configured following the Getting Started tutorial, it’s better to verify that the 3G cell is transmitting correctly on UARFCN 9800 (the default channel):

To implement our custom reject cause, we must modify the MSC source code to overwrite the reject cause in the “Location Update Reject” sent in response to the “Location Update Request”. Normally the reject cause would be “(2) IMSI unknown in HLR”, since we have not provisioned any subscriber in our HLR, or “(3) Illegal MS” if we add only the victim’s IMSI to the HLR SQLite database but not the authentication values. The MSC source code has to be changed so that it always returns the cause value of interest, depending on whether we want a DoS or a 2G downgrade attack:

    · Disable the USIM entirely until power-off or USIM removal.
    · Attach requests disable the USIM for packets domain until power-off or USIM removal.
    · Periodic Location Update requests will trigger the UE to attempt GERAN instead.

Once we have chosen and implemented our attack, switch on the victim mobile (S2) and start Tobias Engel’s xgoldmon to detect the attack. The following image shows how the response to the registration request (the Location Update Reject) is correctly sent to our victim with the chosen reject cause (in this example #14, “Service option temporarily out of order”):

After the LocUp Reject, the victim mobile connects to the 2G network (YateBTS). See below how, after the RRC message “Location Update Reject”, the mobile starts using LAPDm and begins authentication on the 2G network:

But before switching to the 2G network, the registration procedure has already asked the victim mobile to identify itself by requesting its IMSI. This is the 3G IMSI-catching attack; see the “Identity Response” message (the IMSI has been blanked in the image):


To monitor 3G attacks, CellAnalysis 3G uses active monitoring solutions (in this article, xgoldmon) instead of the passive SDR-based approach used for 2G fake station detection.

Advantages of active monitoring:

  • visibility of the ciphering algorithms (UEA) in use
  • authentication parameters and rates

But on the other hand, there is a big disadvantage:

  • one SIM card and one device per operator are needed in order to scan for all the 3G fake stations

Of course, as in 2G detection, a regulatory compliance check is also carried out to determine whether the 3G radio parameters are used in accordance with each country’s frequency allocation regulation.
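The detection principle described above (an IMSI request before mutual authentication, a Location Update Reject from a network that never authenticated the phone, and the subsequent fall-back to GSM), together with the two active-monitoring checks just listed (ciphering algorithm in use, regulatory UARFCN check), as a worked example. This is an added example and not CellAnalysis, Osmocom or xgoldmon code: the input lines are a constructed, simplified rendering of decoded signalling (not xgoldmon’s real output format), the reject-cause groupings come from 3GPP TS 24.008 Annex G, and the allowed UARFCN ranges are an assumed table (UMTS bands I and VIII) that must be replaced by the local regulator’s allocation.

```python
"""Heuristic detector for the 3G IMSI-catching / downgrade sequence.

Added example, not CellAnalysis, Osmocom or xgoldmon code. Each input line is
'DIR Message Name key=value ...' where DIR is UL (mobile -> network) or DL
(network -> mobile); this is a constructed format, not xgoldmon's output.
Message names follow the article's spelling (TS 24.008 says "Location Updating").
"""
from dataclasses import dataclass

# Reject causes from 3GPP TS 24.008 Annex G, grouped by their effect on the UE.
USIM_DISABLING = {2: "IMSI unknown in HLR", 3: "Illegal MS", 6: "Illegal ME"}
PS_DISABLING = {7: "GPRS services not allowed"}
RAT_RESELECTION = {12: "Location Area not allowed",
                   13: "Roaming not allowed in this location area",
                   15: "No suitable cells in location area"}

# ASSUMED allowed downlink UARFCN ranges: UMTS band I (2100 MHz) and band VIII
# (900 MHz). Replace with the regulator's table for the country being scanned.
ALLOWED_DL_UARFCN = ((10562, 10838), (2937, 3088))


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def parse_line(line):
    """Split 'DIR Message Name k=v k=v' into (direction, message, fields)."""
    tokens = line.split()
    direction, rest = tokens[0], tokens[1:]
    fields = dict(t.split("=", 1) for t in rest if "=" in t)
    message = " ".join(t for t in rest if "=" not in t)
    return direction, message, fields


def uarfcn_allowed(uarfcn):
    """Regulatory check: is this downlink UARFCN inside an allowed band?"""
    return any(lo <= uarfcn <= hi for lo, hi in ALLOWED_DL_UARFCN)


def analyse(lines, uarfcn):
    """Return the Findings raised by one registration attempt on one cell."""
    findings = []
    auth_passed = False   # becomes True once the UE accepted the network's AUTN
    reject_cause = None

    if not uarfcn_allowed(uarfcn):
        findings.append(Finding("uarfcn", f"UARFCN {uarfcn} outside allowed bands"))

    for line in lines:
        direction, message, fields = parse_line(line)

        if direction == "UL" and message == "Authentication Response":
            # In 3G the UE only answers after verifying the MAC in AUTN, so a
            # response means the network really holds this subscriber's key.
            auth_passed = True

        elif message == "Identity Request" and fields.get("type") == "IMSI" and not auth_passed:
            findings.append(Finding("imsi-before-auth",
                                    "IMSI requested before mutual authentication"))

        elif message == "Location Update Reject":
            reject_cause = int(fields.get("cause", -1))
            if reject_cause in USIM_DISABLING:
                findings.append(Finding("usim-disabling-reject",
                                        f"cause #{reject_cause} {USIM_DISABLING[reject_cause]}"))
            elif reject_cause in PS_DISABLING:
                findings.append(Finding("ps-disabling-reject",
                                        f"cause #{reject_cause} {PS_DISABLING[reject_cause]}"))
            elif reject_cause in RAT_RESELECTION:
                findings.append(Finding("rat-reselection-reject",
                                        f"cause #{reject_cause} {RAT_RESELECTION[reject_cause]}"))
            elif not auth_passed:
                findings.append(Finding("reject-without-auth",
                                        f"cause #{reject_cause} from a network that never authenticated"))

        elif message == "Security Mode Command" and fields.get("uea") == "UEA0":
            findings.append(Finding("no-ciphering", "UEA0 (no encryption) selected"))

        elif message == "RAT Change" and fields.get("to") == "GSM" and reject_cause is not None:
            findings.append(Finding("downgrade-observed",
                                    f"fell back to GSM after reject cause #{reject_cause}"))

    return findings


# Constructed sample: the sequence seen in the article (IMSI requested, then a
# reject that pushes the phone to 2G), on the lab's default UARFCN 9800.
ROGUE_TRACE = [
    "UL Location Update Request",
    "DL Identity Request type=IMSI",
    "UL Identity Response type=IMSI",
    "DL Location Update Reject cause=2",
    "UL RAT Change to=GSM",   # synthetic event emitted by the monitor, not a NAS message
]

# Constructed sample: a normal registration on a genuine network.
BENIGN_TRACE = [
    "UL Location Update Request",
    "DL Authentication Request",
    "UL Authentication Response",
    "DL Security Mode Command uea=UEA1",
    "DL Location Update Accept",
]

if __name__ == "__main__":
    for name, trace, channel in (("rogue", ROGUE_TRACE, 9800), ("benign", BENIGN_TRACE, 10700)):
        print(name, [f.rule for f in analyse(trace, channel)])
```

The rules are deliberately ordered around what a rogue network cannot do: without the subscriber’s key it cannot produce a valid AUTN, so anything it asks for (the IMSI) or does (reject, downgrade) before an Authentication Response from the phone is suspicious, and cause #14 from the article, which is in none of the tables, is still caught by the reject-without-auth rule.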

CellAnalysis running on GPD Pocket

It all began when I read Simone’s (@evilsocket) article on the GPD Pocket. I thought it would be a perfect device for pentesting radio frequency, WiFi, BT … and also one in which CellAnalysis could be camouflaged.

My preferred setup is an rtl-sdr dongle and a 2G modem, so I will focus on this hardware.

I received the Windows 10 GPD version (at the time of writing the only one available), so the first thing to do is to free it:

  • Update the BIOS first to one that supports Ubuntu:!MN52EChD!n_pgjceHp9hXC-EO51qtUkDncpVXoY_lc1Da0LtgsgM

  • And download the Ubuntu 17 image already prepared by “nexus511” from his website:



After writing the image to a USB disk (use the “dd” command; you don’t need any GUI or Windows software), it installed without any problem on the GPD (screen rotation, encrypted partition, …). Once in Ubuntu, the first thing was to update the apt package lists (apt-get update) and install all the dependencies:

– The base software for an RF workstation: hardware drivers for rtl-sdr, GNU Radio, libosmocore, kalibrate-rtl and gr-gsm. A good read is available on the gr-gsm wiki:

Although in my case I didn’t install the GNU Radio and gr-osmosdr packages using apt; I prefer to download them from GitHub:
git: //

– Now we only need to install:


– Following these steps, you will get the GPD Pocket running with RTL-SDR, a 2G modem and CellAnalysis, easy to hide and to carry 🙂

CellAnalysis at DefCon DemoLabs

This year I was lucky enough to go to DefCon for the first time, which was held from July 27th to 30th at the Caesars Hotel in Las Vegas.

At the event the DemoLabs were held, in which I had the great honour of participating, demonstrating and showing the capabilities of CellAnalysis.

It was a surprise to see how little use there was of 2G and how the spectrum was distributed in the USA:

In the DemoLab I showed how CellAnalysis can be installed on a Raspberry Pi 3 using two devices: a 2G modem as the primary device and an RTL-SDR dongle as the secondary. The primary only scans for 2G cells continuously, while the secondary scans the broadcast traffic of each detected cell. This setup allows very short detection times and can be packed in many ways:
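The two-device arrangement just described (the primary modem continuously enumerating cells, the secondary RTL-SDR decoding one cell’s broadcast at a time) needs a policy for which cell the secondary should look at next if detection times are to stay short. The following is an added example and not CellAnalysis code: a small scheduler that gives never-analysed cells priority (strongest first) and otherwise re-scans the stalest cell, with both devices simulated by constructed data where the real modem and gr-gsm calls would go. The rescan and forget timers are assumed tuning values.

```python
"""Scheduler for a primary (2G modem) / secondary (RTL-SDR) scanning setup.

Added example, not CellAnalysis code. The primary keeps reporting the cells it
sees; the secondary can only decode one ARFCN at a time, so it is pointed at
the most valuable target: cells never analysed first (strongest signal first),
then cells whose last analysis is the stalest.
"""
import time
from dataclasses import dataclass, field


@dataclass
class CellRecord:
    arfcn: int
    rxlev: int                    # dBm as reported by the modem
    first_seen: float
    last_seen: float
    last_analysed: float = None   # None until the secondary has decoded it
    analysis: dict = field(default_factory=dict)


class ScanScheduler:
    # rescan_after / forget_after are ASSUMED tuning values (seconds).
    def __init__(self, clock=time.monotonic, rescan_after=300.0, forget_after=900.0):
        self.clock = clock
        self.rescan_after = rescan_after
        self.forget_after = forget_after
        self.cells = {}           # arfcn -> CellRecord

    def observe(self, arfcn, rxlev):
        """Called for every cell the primary device reports in one sweep."""
        now = self.clock()
        rec = self.cells.get(arfcn)
        if rec is None:
            self.cells[arfcn] = CellRecord(arfcn, rxlev, now, now)
        else:
            rec.rxlev, rec.last_seen = rxlev, now

    def expire(self):
        """Drop cells the primary has not reported for forget_after seconds."""
        now = self.clock()
        stale = [a for a, r in self.cells.items() if now - r.last_seen >= self.forget_after]
        for arfcn in stale:
            del self.cells[arfcn]

    def next_target(self):
        """ARFCN the secondary should tune to next, or None if nothing is due."""
        now = self.clock()
        self.expire()
        due = [r for r in self.cells.values()
               if r.last_analysed is None or now - r.last_analysed >= self.rescan_after]
        if not due:
            return None
        # never-analysed first, then strongest rxlev, then oldest analysis
        best = min(due, key=lambda r: (r.last_analysed is not None, -r.rxlev, r.last_analysed or 0.0))
        return best.arfcn

    def record_analysis(self, arfcn, analysis):
        """Store what the secondary decoded from the cell's broadcast channel."""
        rec = self.cells[arfcn]
        rec.last_analysed = self.clock()
        rec.analysis = analysis


# --- simulated devices (constructed; replace with real modem / gr-gsm calls) ---
SIMULATED_SWEEPS = [
    {975: -60, 1000: -75, 10: -50},   # sweep 1: three cells visible
    {975: -58, 1000: -80, 10: -52},   # sweep 2: same cells, levels changed
]


def simulated_secondary_decode(arfcn):
    """Stand-in for the SDR decoding the BCCH of one ARFCN (constructed values)."""
    return {"arfcn": arfcn, "mcc": "001", "mnc": "01"}


def run_demo(sweeps=SIMULATED_SWEEPS, targets_per_sweep=2):
    """Interleave primary sweeps with secondary decodes; return the decode order."""
    sched = ScanScheduler()
    order = []
    for sweep in sweeps:
        for arfcn, rxlev in sweep.items():
            sched.observe(arfcn, rxlev)
        for _ in range(targets_per_sweep):
            target = sched.next_target()
            if target is None:
                break
            sched.record_analysis(target, simulated_secondary_decode(target))
            order.append(target)
    return order


if __name__ == "__main__":
    print("secondary decode order:", run_demo())
```

With the constructed sweeps the secondary decodes the strongest new cell (ARFCN 10) first, then 975, and only reaches 1000 on the second sweep; a cell that appears mid-run jumps the queue because it has never been analysed, which is what keeps the time between a new cell appearing and its broadcast being inspected short.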

US (Seattle and Milwaukee) Stingray-Detecting Device

Researchers at the University of Washington use a sensor box, including a GPS module, a GSM cellular modem, a Raspberry Pi, a cellular hotspot, and an Android phone running SnoopSnitch, to collect 2G cell information and detect IMSI catchers, as you can read in the article.

They identified and mapped out 1,400 cell towers in Seattle, and 700 in Milwaukee, finding anomalies in the Seattle area.

More information can be found on the project web page and in their white paper.

CellAnalysis 3G and Osmocom 3.5G

For a few years now I’ve focused on improving the unpublished version of CellAnalysis (currently 0.1.10), using it in security audits and working out the best way to protect the code’s algorithms so that the full version can be published in the future.

I recently decided to give CellAnalysis a new direction, so that it can also detect the fake 3G cells used to force victims onto fake 2G stations (downgrade attacks). As the initial tool I’m thinking of xgoldmon, which allows us to analyse a mobile’s signalling actively (a SIM card is needed inside the phone), although my long-term goal is to write a GNU Radio tool that monitors 3G broadcast traffic passively, without the need of a SIM card, using standard SDR boards (BladeRF).

On the other hand, I had the great luck of participating in the Osmocom 3G5 project, contributing to cover the following objectives:

(Short term) Study how to implement in the Osmocom 3G network the following attacks:

3G IMSI Catching attacks, using RRC Connection Request/Reject (Initial UE identity – IMSI)

2G downgrade attacks, based on “Loc.Up.Req” reject codes and “RRC Connection Reject”

(Short term) Use Xgoldmon software adapting CellAnalysis algorithms in order to detect the two previous attacks.

(Long term) Write GNURadio scripts/blocks to decode 3G broadcast traffic, adapting CellAnalysis to detect previous attacks with SDR boards.

I would like to give special thanks to @sysmocom, the Osmocom community and the “Accelerate 3g5 program” for their contributions to this project.