All posts by pedro

CellAnalysis at DefCon DemoLabs

This year I was lucky enough to go to DefCon for the first time, which was held from July 27th to 30th at the Caesars Hotel in Las Vegas.

The event hosted the DemoLabs, in which I had the great honor of participating, demonstrating the capabilities of CellAnalysis.

It was a surprise to see how little use there was and how the spectrum was distributed in the USA:

In the DemoLab I showed how CellAnalysis can be installed on a Raspberry Pi 3 using two devices: a 2G modem as the primary device and an RTL-SDR dongle as the secondary device. The primary only scans for 2G cells continuously, while the secondary scans the broadcast traffic of each detected cell. This setup allows very short detection times and can be packaged in many ways:

US (Seattle and Milwaukee) Stingray-Detecting Device

Researchers at the University of Washington (the SeaGlass project) use a sensor box, including a GPS module, a GSM cellular modem, a Raspberry Pi, a cellular hotspot and an Android phone running SnoopSnitch, to collect 2G cell information and detect IMSI catchers, as described in the wired.com article.

They identified and mapped 1,400 cell towers in Seattle and 700 in Milwaukee, and found anomalies in the Seattle area.

More information can be found on the project web page and in their white paper.

CellAnalysis 3G and Osmocom 3.5G

For a few years now I’ve focused on improving the unpublished version of CellAnalysis (currently 0.1.10), using it in security audits and trying to find the best way to protect the algorithms in the code so that the full version can be published in the future.

I recently decided to give CellAnalysis a new direction so that it can also detect the fake 3G cells used to force victims onto fake 2G stations (downgrade attacks). As an initial tool I’m considering Xgoldmon, which will let us analyze a phone’s signaling actively (a SIM card is needed inside the phone), although the long-term goal I have set is to write a GNU Radio tool that monitors 3G broadcast traffic passively, without a SIM card, using standard SDR boards (BladeRF).

On the other hand, I had the great luck to take part in the project contributing to Osmocom 3G5, covering the following objectives:

(Short term) Study how to implement the following attacks in the Osmocom 3G network:

3G IMSI catching attacks, using RRC Connection Request/Reject (Initial UE identity – IMSI)

2G downgrade attacks, based on Location Updating (“Loc.Up.Req”) reject causes and “RRC Connection Reject”

(Short term) Use the Xgoldmon software, adapting the CellAnalysis algorithms, to detect the two previous attacks.

(Long term) Write GNU Radio scripts/blocks to decode 3G broadcast traffic, adapting CellAnalysis to detect the previous attacks with SDR boards.

I would like to give special thanks to @sysmocom, the Osmocom community and the “Accelerate 3g5 program” for their contributions to this project.

4G/LTE IMSI Catchers

Two papers published within a short period describe how to build simple 4G IMSI catchers using OpenLTE, srsLTE or gr-LTE:

– “Easy 4G/LTE IMSI Catchers for Non-Programmers“, Stig F. Mjølsnes and Ruxandra F. Olimid (Norwegian University of Science and Technology, Trondheim)

– “Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems“, Altaf Shaik, Ravishankar Borgaonkar, N. Asokan, Valtteri Niemi and Jean-Pierre Seifert

Although these 4G stations aren’t fully functional, they can also be used to downgrade a phone to a fake 2G or 3G station by answering its Tracking Area Update with a “TAU Reject” carrying the cause “LTE services not allowed” (EMM cause #7, listed as “EPS services not allowed” in 3GPP TS 24.301).
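The Osmocom 3.5G objectives above (Location Updating reject causes, RRC Connection Requests carrying an IMSI, RRC Connection Reject) and the TAU Reject downgrade described here all appear in decoded signaling as specific message types and cause values, so a detector can count them per cell. The following Python script is an added example, not CellAnalysis, Osmocom or Xgoldmon code: it runs simple per-cell counting heuristics over a constructed list of decoded events. The cause numbers are the 3GPP values from TS 24.008 (MM) and TS 24.301 (EMM); the event format, the cell identifier strings and the thresholds are assumptions made for the example.

```python
"""Per-cell reject-cause and identity-exposure heuristics (added example).

Not CellAnalysis, Osmocom or Xgoldmon code. The events are constructed dicts
standing in for decoded 2G/3G/4G signaling messages; the event format, the
cell id strings and the thresholds are assumptions made for this example.
Cause numbers are the 3GPP values from TS 24.008 (MM) and TS 24.301 (EMM).
"""
from collections import defaultdict

# MM reject causes (TS 24.008, 10.5.3.6) that make a phone leave an LA or a
# PLMN, or invalidate its SIM. A fake BTS uses them to push the victim around.
MM_REJECT_CAUSES = {
    2: "IMSI unknown in HLR",
    3: "Illegal MS",
    6: "Illegal ME",
    11: "PLMN not allowed",
    12: "Location Area not allowed",
    13: "Roaming not allowed in this location area",
}

# EMM causes (TS 24.301, 9.9.3.9) a fake eNodeB can put in a TAU Reject or
# Attach Reject to deny LTE service and force a fall back to 2G/3G.
EMM_REJECT_CAUSES = {
    7: "EPS services not allowed",
    8: "EPS services and non-EPS services not allowed",
    12: "Tracking area not allowed",
    15: "No suitable cells in tracking area",
}

NAS_REJECT_MSGS = ("Location Updating Reject", "Tracking Area Update Reject", "Attach Reject")


def analyze(events, reject_threshold=2, min_requests=4, imsi_ratio=0.5):
    """Return one finding dict per suspicious (rat, cell) pattern.

    reject_threshold: repeated NAS or RRC rejects with a catcher-typical cause
    min_requests / imsi_ratio: share of RRC Connection Requests whose Initial
    UE identity is the IMSI (a real network mostly sees TMSI/P-TMSI there)
    """
    nas_rejects = defaultdict(lambda: defaultdict(int))  # key -> cause -> n
    rrc_requests = defaultdict(lambda: [0, 0])           # key -> [total, imsi]
    rrc_rejects = defaultdict(int)

    for ev in events:
        key = (ev["rat"], ev["cell"])
        msg, cause = ev["msg"], ev.get("cause")
        table = EMM_REJECT_CAUSES if ev["rat"] == "LTE" else MM_REJECT_CAUSES
        if msg in NAS_REJECT_MSGS and cause in table:
            nas_rejects[key][cause] += 1
        elif msg == "RRC Connection Request":
            rrc_requests[key][0] += 1
            if ev.get("identity") == "IMSI":
                rrc_requests[key][1] += 1
        elif msg == "RRC Connection Reject":
            rrc_rejects[key] += 1

    findings = []
    for (rat, cell), causes in nas_rejects.items():
        table = EMM_REJECT_CAUSES if rat == "LTE" else MM_REJECT_CAUSES
        for cause, n in causes.items():
            if n >= reject_threshold:
                findings.append({"rat": rat, "cell": cell, "kind": "reject_cause",
                                 "detail": f"cause #{cause} {table[cause]} x{n}"})
    for (rat, cell), (total, imsi) in rrc_requests.items():
        if total >= min_requests and imsi / total >= imsi_ratio:
            findings.append({"rat": rat, "cell": cell, "kind": "imsi_in_rrc_request",
                             "detail": f"{imsi}/{total} requests carried an IMSI"})
    for (rat, cell), n in rrc_rejects.items():
        if n >= reject_threshold:
            findings.append({"rat": rat, "cell": cell, "kind": "rrc_connection_reject",
                             "detail": f"x{n}"})
    return findings


def flagged_cells(events, **thresholds):
    """Sorted list of (rat, cell) pairs with at least one finding."""
    return sorted({(f["rat"], f["cell"]) for f in analyze(events, **thresholds)})


# Constructed sample capture: one well-behaved cell per RAT plus one per RAT
# that behaves like a catcher or downgrader. Cell ids are MCC-MNC-LAC/TAC-CID.
SAMPLE_EVENTS = (
    [{"rat": "GSM", "cell": "214-07-3021-11034", "msg": "Location Updating Accept"}] * 3
    + [{"rat": "GSM", "cell": "214-07-65000-1", "msg": "Location Updating Reject", "cause": 13}] * 3
    + [{"rat": "UMTS", "cell": "214-07-4100-50211", "msg": "RRC Connection Request", "identity": "TMSI"}] * 5
    + [{"rat": "UMTS", "cell": "214-07-4100-50211", "msg": "RRC Connection Request", "identity": "IMSI"}]
    + [{"rat": "UMTS", "cell": "214-07-65001-7", "msg": "RRC Connection Request", "identity": "IMSI"}] * 4
    + [{"rat": "UMTS", "cell": "214-07-65001-7", "msg": "RRC Connection Request", "identity": "TMSI"}]
    + [{"rat": "UMTS", "cell": "214-07-65001-7", "msg": "RRC Connection Reject"}] * 3
    + [{"rat": "LTE", "cell": "214-07-9001-123", "msg": "Tracking Area Update Accept"}] * 2
    + [{"rat": "LTE", "cell": "214-07-65002-9", "msg": "Tracking Area Update Reject", "cause": 7}] * 2
)

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample the script flags the three misbehaving cells and leaves the well-behaved ones alone. The caveat a practitioner will hit immediately is that every one of these causes also occurs on legitimate networks (roaming restrictions, a phone with no valid TMSI for the PLMN, congestion-driven RRC rejects), so the counts and ratios are only useful when compared against the same cell’s history and against neighbouring cells, which is what the per-station files mentioned in the Black Hat Asia post allow.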

CellAnalysis at BlackHat Arsenal


On the 30th and 31st of March, Black Hat Asia was held in Singapore, where I taught, together with Simón Roses, the course “Attacking 2G/3G mobile networks, smartphones and apps” and was able to present CellAnalysis at the Arsenal.

After reviewing some news about fake stations, such as the recent one in China used to distribute banking malware, and other recent attacks, we verified the operation of the tool with the different software-defined radio boards and compatible phones, analyzing the advantages and disadvantages of each of them for detecting the most common attacks. We also presented results of exercises performed in audits in Madrid and Barcelona, analyzing the large amount of information that can be extracted from the files generated by the tool, such as behavior patterns or the entropy of the temporary identities (TMSIs) of each 2G/GSM station, in order to detect abnormal behavior.
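The temporary-identity entropy mentioned above is one of the per-station statistics CellAnalysis extracts, but its actual implementation is unpublished, so the following Python script is an added illustrative example and not CellAnalysis code. It takes the TMSIs paged by one cell (two constructed sample lists here: one with random-looking values and one that hands them out from a counter, as a naive fake BTS might), computes the Shannon entropy of their byte distribution and the share of near-consecutive values, and flags the cell when either looks wrong. The thresholds and the sample values are assumptions.

```python
"""TMSI entropy heuristic for one GSM cell (added example, not CellAnalysis code).

The TMSI lists are constructed: a genuine-looking cell with random-looking
values and a cell that assigns TMSIs from a counter. Thresholds are
illustrative assumptions, not tuned values.
"""
import math
from collections import Counter


def byte_entropy(tmsis):
    """Shannon entropy, in bits per byte, of the bytes of all TMSIs (max 8)."""
    data = b"".join(t.to_bytes(4, "big") for t in tmsis)
    counts = Counter(data)
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in counts.values())


def sequential_ratio(tmsis, max_gap=16):
    """Share of neighbouring values (after sorting) that lie within max_gap."""
    values = sorted(set(tmsis))
    if len(values) < 2:
        return 0.0
    close = sum(1 for a, b in zip(values, values[1:]) if b - a <= max_gap)
    return close / (len(values) - 1)


def assess_cell(tmsis, min_entropy=4.0, max_sequential=0.5):
    """Return the metrics plus a suspicious flag for one cell's paged TMSIs."""
    entropy = byte_entropy(tmsis)
    seq = sequential_ratio(tmsis)
    return {
        "tmsis": len(tmsis),
        "entropy_bits_per_byte": round(entropy, 3),
        "sequential_ratio": round(seq, 3),
        "suspicious": entropy < min_entropy or seq > max_sequential,
    }


# Constructed samples: TMSIs paged by a genuine-looking cell, and by a cell
# that hands them out from a counter starting at 0x100.
GENUINE_TMSIS = [
    0x8A3F12C7, 0x5D90E4B1, 0x2C6A77F9, 0xE10B9D43, 0x73F4A826, 0xB8C15E0D,
    0x49D2F3AE, 0xF7618C94, 0x0E4BA257, 0xA6395DF0, 0x3B7C0E68, 0xD25E6B1A,
]
COUNTER_TMSIS = [0x100 + i for i in range(12)]

if __name__ == "__main__":
    for name, tmsis in (("genuine", GENUINE_TMSIS), ("counter", COUNTER_TMSIS)):
        print(name, assess_cell(tmsis))
```

The entropy threshold has to be chosen relative to the sample size: with n TMSIs the ceiling is log2(4n) bits per byte (about 5.6 for the twelve values above), and it only approaches 8 once a few hundred identities have been seen, so in practice cells should be compared at similar observation counts rather than against a fixed number. The sequential-ratio check is the cheaper signal and does not depend on sample size in the same way.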

In the coming days I will update the CellAnalysis download link with the Singapore version. It was a real experience to be able to share the project in Singapore.

Real example of a rogue BTS, fake BTS or IMSI catcher

It is far from the intention of this project to focus on creating attacks or disclosing the methods used to carry them out, but it is clear that when you want to detect attacks you have to study them in order to understand them, get ahead of them or warn about them.

By way of introduction I have prepared this short article for those who want to know what a fake station (also called a fake BTS or IMSI catcher) is. At the DefCon 18 security event, Chris Paget illustrated in his talk “PRACTICAL CELLPHONE SPYING” how to steal the identities of subscribers of a GSM network by creating a fake cell, using a USRP as the transmit and receive hardware connected to a Linux computer, with OpenBTS and Asterisk to set up the cell and allow the victims’ calls.

This is the video of the talk:

A year later (2011) our compatriots David Pérez and José Picó showed at the Black Hat DC 2011 security conference how to apply the same attack to GPRS/EDGE networks, affecting even UMTS/HSPA:

https://media.blackhat.com/bh-dc-11/Perez-Pico/BlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdf