The aim of the FakeBTS.com project is to detect fake BTS stations and prevent attacks, using a Linux computer and hardware that allows us to scan the GSM / GPRS frequencies.
And what is a fake cell or fake BTS? Just as someone can create a wireless network with the same name as our original one and try to “sniff” our internet traffic (a rogue AP), someone can create a tiny GSM / GPRS network so that our mobile phones connect to this enemy cell. From that moment, all our mobile phone communications are in the hands of the attacker: Internet traffic, calls and short messages (SMS). The false cell is also known as a fake BTS, rogue BTS or IMSI catcher (the purpose of such a device is different, but it is also an intrusion).

How can I realize that my phone is being attacked? Unfortunately, our phone (even a Samsung Galaxy S7, iPhone 7, or whichever latest model you want) will not notice the difference between this fake network and a real network; we can make calls and browse the internet with our smartphone and never realize that we are being hacked.
OK, but what do I need, or what skills do I need, to move forward? The aim of this project is to create a platform on a Linux system where you can monitor these attacks, so you will only need some knowledge of the Linux OS.
If you are still interested, download it to test fake BTS detection.
Hey, I read on their on fakebts, what kind of hardware do I need to test this project?
Hello Lars,
You have many options, from low-cost devices to professional SDR boards:
– Osmocom BB compatible phones
– or any RTL-SDR USB devices (search on google, there are many shops)
– Any SDR device, like HackRF, BladeRF or Ettus USRP.
I’m looking forward to hearing about your experience using CellAnalysis.
Pedro
Hi Pedro! I’m using your rtl-sdr script in a project- it’s saved me a lot of time. Thanks!
Dear Sir,
I am Yus from Indonesia. Do you have an AAS product using the IMSI IMEI catcher method, with a range of 3 km and using one multi-band antenna for GSM – CDMA – LTE?
I need the product and thanks for your attention.
Regards
Yus
Mass Surveillance.
Mass surveillance is documented with our cell phones.
Thousands of volunteers have uploaded their results with their mobile phones to different cell tower (base station) databases.
The hack that is picked up with our mobile phones is,
“man in the middle attack, umts (GSM)”
The explanation is that GSM base stations are pretending to be an official GSM station and emit a Cell ID.
The voluntary collection of which base stations our cell phones have used is done with apps like
http://wiki.opencellid.org/wiki/Data_sources
In the EU it is a human right to have telecommunications secrecy.
That means that your phone calls must be encrypted.
(it is very likely also human rights in many other countries)
Article 8 – Right to respect for private and family life.
Listening to your conversation, is a violation of privacy
Article 5 – liberty and security.
Liberty is violated by the size of the hacking and the size of a hidden GSM network.
A dropped emergency call is a hazard to your security.
Article 6 – fair trial,
The reason is dropped phone calls, people listening in on conversations with your lawyer.
The right to have a private talk with your lawyer.
Article 10 – expression.
Without telecommunications secrecy, everyone is listening to your conversations.
Dropped phone calls are the same as censoring.
Several other rights are also violated.
———————————————————
You will need to compare with the official database for your area.
Voluntarily collected databases:
http://opencellid.org/
http://www.cellmapper.net/map
https://wigle.net/ (blue dots are GSM base stations)
http://opensignal.com/
http://www.cellumap.com/
http://openbmap.org/
Mozilla location services.
There are many other databases.
Official cell tower databases:
Denmark: Mastedatabasen.dk
Norway: finnsenderen.no
Switzerland: Funksender.ch
Poland: Beta.btsearch.pl
Great Britain: http://www.sitefinder.ofcom.org.uk/search
France: http://www.cartoradio.fr/cartoradio/web/
Belgium: http://zendmasten.be/
Brussels: http://geoportal.ibgebim.be/webgis/antenne_emettrice_gsm.phtml?langtype=2060
Austria: http://www.senderkataster.at/
Germany: http://emf3.bundesnetzagentur.de/karte/Default.aspx
Netherlands: http://www.antenneregister.nl/Html5Viewer_Antenneregister/Index.html?viewer=antenneregister
USA: http://www.antennasearch.com/
What you see in the above databases are layers of registered GSM base stations / antennas.
A quick look will tell you that it is a mobile GSM network and installed GSM network.
it is small teams.
So you think that is not that bad,
It is a mobile network and layers of registration, THINK AGAIN,
it is much worse, than you think and see.
Install the App AIMSICD and download the OCID database,
You will see a difference, a HUGE difference.
The databases are validated because there are products made on them and they work.
http://opencellid.org/, ENAikoon https://www.enaikoon.com/en/home/
https://location.services.mozilla.com/ Firefox phones https://www.mozilla.org/en-US/firefox/os/
Examples of closed databases:
Google location.
IPhone.
Windows.
Symbian.
http://navizon.com/
https://unwiredlabs.com/
A small conclusion:
Someday the closed databases will be seized by government officials.
Because of what you see in the voluntarily collected databases.
When that happens, and it will,
we all lose our freedom and will be violated.
Those closed databases also contain information on where the GSM base stations were logged.
So what does that mean?
Well, they can look at the closed databases and see
how often you went to the local pusher,
how often you shopped and where,
how often you visit friends,
and much more.
Please.
Provide permalinks if there are things you don’t understand,
the official database for your area and I will have a look.
Or ask questions.
Example when comparing databases.:
London. compare pictures, there is a huge difference.
For the USA opencellid.org, wigle.net, opensignal.com, etc. in conjunction with http://www.antennasearch.com/
Take a look at Chicago http://opencellid.org/ and compare with the official antenna/base station database http://www.antennasearch.com/
There are 2,441,277 GSM antennas/stations in the U.S.; more than 10% have been registered in Chicago. Please look at the pictures after the picture, who says the government doesn’t listen to people.
You want to know if your cell phone is under surveillance.
Android
http://www.android.pk/blog/tutorials/how-to-enable-third-party-apps-installation-on-android-phones/
https://github.com/CellularPrivacy/Android-IMSI-Catcher-Detector/wik
IPhone.
Try using the app Opensignal or similar.
Compare with the official database for your area.
Discovering the hidden GSM network.
How can you discover that there is a hidden GSM network.
You need to compile the Android Open Source Project https://source.android.com/ with the function getneighboringcellinfo.
Install an app that plots GSM antennas.
Compare with the official database.
The function getneighboringcellinfo is deprecated in Android and has been since Android 2.3.
Today it is the function neighboringcellinfo and there are no apps supporting the function.
When you look at opencellid.org and see the difference from the official database,
those differences are all phone connections that are hijacked with a GSM base station.
The reason is that opencellid.org is a new database, and the phones that did the collecting don’t have the function getneighboringcellinfo.
The Hack
The rogue GSM base station pretends to be an official GSM station to the cell phone.
And to the official cell tower it pretends to be the phone.
There is a hand-made drawing.
Screenshot films from the cell phone’s perspective.
It is from a cell phone where the connection is hijacked.
(I know it is boring, please download and watch at high speed)
https://1drv.ms/v/s!Ar3SzXWX8b_5gWot4evkmqwM8GA0
Here is another https://1drv.ms/v/s!Ar3SzXWX8b_5gQbSxqpBMVeWxJ5f
My phone: I am sitting in a train from Herning to Copenhagen, Denmark, 220 km. It is an unofficial network and it is the “man in the middle attack, UMTS (GSM)”, seen from my phone.
The official database to compare with is https://www.mastedatabasen.dk/VisKort/PageMap.aspx
I have over 24 hours of film, over 400 MB of logs and a small piece of a trace.
——————————————–
If you look at the article http://www.usatoday.com/story/news/2015/02/22/cellphone-911-lack-location-data/23570499/
The first thing is that the cellphone doesn’t transmit a signal containing information about its location; it is done through signal triangulation.
“The technology of locating is based on measuring power levels and antenna patterns and uses the concept that a powered mobile phone always communicates wirelessly with one of the closest base stations (Cell tower), so knowledge of the location of the base station implies the cell phone is nearby.
Advanced systems determine the sector in which the mobile phone is located and roughly estimate also the distance to the base station. Further approximation can be done by interpolating signals between adjacent antenna towers. Qualified services may achieve a precision of down to 50 meters in urban areas where mobile traffic and density of antenna towers (base stations) is sufficiently high.[citation needed] Rural and desolate areas may see miles between base stations and therefore determine locations less precisely. (It is a lot more precise than 50m)
GSM localization uses multilateration to determine the location of GSM mobile phones, or dedicated trackers, usually with the intent to locate the user.” (Pretty simple 🙂)
From the article. (I just use it as an example)
“In California, more than half of cellphone calls did not transmit location to 911 from 2011 to 2013, and it’s getting worse. Last year, about 12.4 million, or 63%, of California’s cellphone calls to 911 didn’t share location. Among the worst places: Silicon Valley. In December 2012, precise location was shared in 10%-37% of the area’s emergency calls, depending on the wireless carrier.
In Colorado, 58% of the 5.8 million cellphone-to-911 calls last year transmitted coordinates, according to data obtained from the Colorado 911 Resource Center.
In Texas, two-thirds of cellphone calls in a sample of calls from major cities – including Austin and Houston – reached 911 without an instant fix on location from 2010 through 2013.
In the Virginia suburbs outside Washington, Fairfax County reported 25% of cellphone calls included precise location data in 2014, and Loudoun County said 29% of mobile calls did over the last six months of 2014.”
When 911 tries to do a location fix through signal triangulation, and it doesn’t fit the caller’s description of where he or she is, chances are big (100%) that it is a base station (rogue cell tower).
The rogue cell tower pretends to be an official cell tower to the cell phone, and to the tower it pretends to be a cell phone.
So if and when 911 tries to make a fix on location, based on radio signal, it is a fix on the rogue cell tower, because it is the one that sends the phone data to the official cell tower (misdirected emergency services), and when a huge part of the unofficial GSM network (rogue cell towers) is mobile, in cars, bags etc., then the signal is jumping (no fix on cell phone).
The 911 databases for the cell phone fix all hold a clue to rogue base stations.
A 911 location fix on the IP is also a problem, mentioned in the article.
Doing a location on the IP can also be a problem.
Please look at the drawing of the hack; the IP can be anywhere, which would also cause misdirected emergency services.
Here is a strange one: the IP location algorithm looks through different network hops; Google gets the location right every time, but Bing locates the rogue base station.
Google and Bing also have databases that can help discover the true picture of the problem.
An example of genocide could be that, and why it should be addressed in the UN.
In Colorado, 0,01% of the 58% of 5.8 mio cellphone-to-911 calls could be a death caused by the time lost in misdirected help etc.
Just those 0.01% is a possible genocide.
The reason is it is done by hacking phones, it is done intentionally.
33 people per year, that is using as low a number as possible.
It is more likely 0,1, making it 330 people a year for one state.
If the UN takes honor, it will be the numbers they will be looking into.
It is all deaths where the phone connection is hijacked that that group is to blame for.
Not 0,01 or 0.1.
And the 330 human lives is just for one state.
Imagine the number of deaths through the whole of the US because of hacking cell phones.
And it is not only the US; in all countries in the world there are deaths because of this group.
The article doesn’t say anything about deaths caused by a lost/dropped 911 call.
So the death toll is a lot higher.
The next thing is the RF microwave radiation emitted from a rogue cell tower.
RF microwave radiation pushes (vibrates) fat, sugar and water molecules, which can cause cell changes; we know it as cancer.
• http://www.cancer.gov/about-cancer/understanding/statistics
• In 2014, an estimated 15,780 children and adolescents ages 0 to 19 were diagnosed with cancer and 1,960 died of the disease.
Another thing about RF microwave radiation is that it causes DNA changes, and it is not a positive thing: health problems and early death.
Then there are cancer deaths and much more.
People are looking for answers about the calls from the airplanes that hit the World Trade Center. http://www.911myths.com/html/mobiles_at_altitude.html
There are rogue GSM base stations in the planes, transmitting the signal to the ground at higher levels than a cell phone can do. A clue to this is in the databases: you will find GSM base stations on the airplane strips.
I am wondering why no one is puzzled about
why it is possible to hear fragments of conversations
in an ordinary GSM scanner and the channel jumping is uneven.
It is because of the hack MITM, UMTS (GSM). It is that hack that is picked up by the ordinary GSM scanner.
There is no encryption on the hack
All official GSM stations encrypt data and voice
It should not be possible to hear anything because of the encryptions
All you hear in an ordinary GSM scanner is Hacking
———————————————————————
A few newspaper articles on the subject:
http://www.ibtimes.co.uk/fake-stingray-mobile-base-stations-discovered-spying-millions-londoners-1505368
http://www.theguardian.com/uk/2011/oct/30/metropolitan-police-mobile-phone-surveillance
http://www.thelocal.no/20150309/norway-police-broke-law-with-fake-mobile-receivers
http://www.aftenposten.no/nyheter/iriks/Secret-surveillance-of-Norways-leaders-detected-7825278.html
http://www.networkworld.com/article/2198955/smartphones/fake-gsm-base-station-trick-targets-iphones.html
A bit of info about the hack:
https://en.wikipedia.org/wiki/IMSI-catcher
https://www.sba-research.org/wp-content/uploads/publications/DabrowskiEtAl-IMSI-Catcher-Catcher-ACSAC2014.pdf
https://cosec.bit.uni-bonn.de/fileadmin/user_upload/teaching/10ws/10ws-sem-mobsec/talks/dammann.pdf
https://media.blackhat.com/bh-dc-11/Perez-Pico/BlackHat_DC_2011_Perez-Pico_Mobile_Attacks-wp.pdf
https://www.twelvesec.com/using-gsm-tester-intercept-calls-sms-pt1/
http://www.wired.com/2010/07/intercepting-cell-phone-calls/ (stupid tracking algorithms make that pointless.)
http://www.theregister.co.uk/2014/03/26/spam_text_china_clampdown_police/
http://mobilesociety.typepad.com/mobile_life/2013/10/im-now-also-disabling-2g-for-data-i-need-a-3g4g-only-switch.html (stupid you can’t protect your phone against mitm, umts)
http://www.theregister.co.uk/2010/08/02/gsm_cracking/
http://www.fiercewireless.com/tech/story/local-law-enforcement-deploying-fake-base-stations-tracking-eavesdropping/2014-03-16
Radiation:
http://www.psrast.org/mobileng/hylandbasestation.pdf
http://www.tetrawatch.net/papers/hyland_2005.pdf
http://www.iss.it/binary/elet/cont/3.1203942327.pdf
More to come.
Thanks
swampii
https://www.facebook.com/profile.php?id=100008987765887
Hello swampii,
Thank you for sharing your opinion. Regarding your article, let me answer just the main point of your long discussion:
I don’t trust CellIds at all, nor any CellId database with locations. This parameter is just a configuration, a label that anyone can modify at any time in a fake station, impersonating a real one or configuring a new one.
On the other hand, telecom mobile networks are changing their infrastructure every day, so if you compare CellIds from the same area from one day to another, some percentage of them probably won’t be the same, just because of the network’s vegetative growth.
This is just my opinion,
Pedro
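The database comparison proposed in swampii's comment, and the objection in Pedro's reply, as an added example (not part of the original thread and not CellAnalysis code): observed cells are checked against a reference table in the OpenCelliD CSV column layout. All rows, coordinates and the `slack` threshold are constructed assumptions.

```python
import csv, io, math

# Constructed reference rows in the OpenCelliD CSV column layout (not real cells).
REFERENCE_CSV = """radio,mcc,net,area,cell,unit,lon,lat,range,samples,changeable,created,updated,averageSignal
GSM,238,1,1001,20011,0,12.5683,55.6761,1000,25,1,1459000000,1470000000,0
GSM,238,1,1001,20012,0,12.5750,55.6800,1000,40,1,1459000000,1470000000,0
GSM,238,2,3001,40021,0,12.5600,55.6700,1500,12,1,1459000000,1470000000,0
"""

# Constructed observations: (mcc, mnc, lac, cell_id, lon, lat) where the cell was heard.
OBSERVED = [
    (238, 1, 1001, 20011, 12.5690, 55.6765),  # agrees with the reference
    (238, 1, 1001, 29999, 12.5700, 55.6770),  # cell ID absent from the reference
    (238, 1, 7777, 20012, 12.5755, 55.6802),  # known cell ID, unexpected LAC
    (238, 2, 3001, 40021, 12.9000, 55.9000),  # known cell heard far from its listed site
]

def load_reference(text):
    """Index reference rows by (mcc, mnc, cell) -> (lac, lon, lat, range in metres)."""
    ref = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (int(row["mcc"]), int(row["net"]), int(row["cell"]))
        ref[key] = (int(row["area"]), float(row["lon"]), float(row["lat"]), float(row["range"]))
    return ref

def distance_m(lon1, lat1, lon2, lat2):
    """Great-circle (haversine) distance in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(a))

def classify(obs, ref, slack=3.0):
    """Compare one observation with the reference; slack multiplies the listed range."""
    mcc, mnc, lac, cid, lon, lat = obs
    entry = ref.get((mcc, mnc, cid))
    if entry is None:
        return "unknown-cell"        # may equally be a new legitimate site or a database gap
    ref_lac, rlon, rlat, rng = entry
    if lac != ref_lac:
        return "lac-mismatch"
    if distance_m(lon, lat, rlon, rlat) > slack * rng:
        return "location-mismatch"
    return "consistent"              # only the broadcast labels agree, nothing more

def report(observed=OBSERVED, reference_csv=REFERENCE_CSV):
    ref = load_reference(reference_csv)
    return [classify(o, ref) for o in observed]

if __name__ == "__main__":
    for obs, verdict in zip(OBSERVED, report()):
        print(obs[:4], verdict)
```

A transmitter that copies MCC, MNC, LAC and cell ID from a nearby legitimate cell is classified `consistent`, and a newly deployed legitimate cell is classified `unknown-cell`, which is the limitation Pedro describes.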
Hi Pedro,
I'm Monica.
I'm trying to set up CellAnalysis and I'm having some problems (I mention it in my master's thesis).
I have an RTL-SDR dongle (the one from Raul Siles's course).
I set everything up, but when I run the script it asks for the file GP_RTL_Dec=”gsm_receive64-rtl.py” and says it can't find it.
The same happens with gsm_receive_rtl_3.7_console.py and with gsm_receive_hackrf_3.7.py.
If I look in the package downloaded from the airprobe link on your website, they aren't there.
What I did was change that path to gsm_receive.py.
Once everything looks right, I run the CellAnalysis script and it tells me that all the rtlsdr dependencies are met and carries on running, but when it starts searching for cells it doesn't find any; it finishes searching and throws the error not Cell found. Is your Usrp/RTL on)
Script finish
What can I do?
Thank you very much for your help
Hi Monica,
I'm glad to hear you are setting up CellAnalysis 🙂
The thing is that those files are not part of standard airprobe; I put them in my version, which you can find in my airprobe repository: https://github.com/pcabreracamara/airprobe
If you edit the files you will see that the changes are quite simple; I removed the graphical components (WXGUI) and adapted the ClockRate and SampleRate variables to the RTL-SDR (besides making it compatible with GnuRadio v3.7).
If you need anything, I'll be happy to help.
Regards,
Pedro
Hi Pedro,
I wanted to ask whether, using a fake BTS, it is possible to intercept payments made with NFC technology or ApplePay?
Thanks!!
Sevim
Hi Sevim,
NFC technology uses the 13.56 MHz band and the communications standard has nothing to do with mobile telephony. A fake cell cannot be used to carry out a MITM attack on an NFC device, if that is what you were thinking.
However, with the fake cell it is possible to try to intercept the requests that the mobile device or the card terminal (PoS, TPV) sends over this network after reading the payment method's information, whatever it is: an NFC credit card, ApplePay, etc.
Regards,
Pedro