Welcome

The aim of the FakeBTS.com project is to detect fake BTS stations and prevent attacks, using a Linux computer and hardware that lets us scan the GSM / GPRS frequencies.

And what is a fake cell or fake BTS? Just as someone can create a wireless network with the same name as our original one and try to “sniff” our internet traffic (a rogue AP), someone can create a tiny GSM / GPRS network so that our mobile phones connect to this hostile cell. From that moment, all our mobile phone communications are in the hands of the attacker: Internet traffic, calls and short messages (SMS). The false cell is also known as a fake BTS, rogue BTS or IMSI catcher (the purpose of such a device is different, but it is also an intrusion).

IMSI catcher

How can I realize that my phone is being attacked? Unfortunately, our phone (even a Samsung Galaxy S7, iPhone 7, or whatever latest model you like) will not notice the difference between this fake network and a real network; we can make calls and browse the internet with our smartphone and never realize that we are being hacked.

OK, but what do I need, or what skills do I need, to move forward? The aim of this project is to create a platform on a Linux system where you can monitor these attacks, so you will only need some knowledge of Linux.

If you are still interested, download it to test fake BTS detection.

10 thoughts on “Welcome”

  1. Dear Sir ,

    I am Yus from Indonesia, do you have an AAS product using the IMSI IMEI catcher method, with a 3 km range and using one multi-band antenna for GSM – CDMA – LTE?

    I need the product and thanks for your attention.

    Regards

    Yus

  2. Mass Surveillance.

    Mass surveillance is documented with our cell phones.
    Thousands of volunteers have uploaded their results with their mobile phones to different cell tower (base station) databases.

    The hack that is picked up with our mobile phones is,
    “man in the middle attack, umts (GSM)”
    The explanation is that GSM base stations are pretending to be an official GSM station and emit a Cell ID.

    The voluntary collection of which base stations our cell phones have used is collected with apps like
    http://wiki.opencellid.org/wiki/Data_sources

    In the EU it is a human right to have telecommunications secrecy.
    That means that your phone calls must be encrypted.
    (it is very likely also human rights in many other countries)

    Article 8 – Right to respect for private and family life.
    Listening to your conversation, is a violation of privacy

    Article 5 – liberty and security.
    Liberty is violated by the size of the hacking and the size of a hidden GSM network
    A dropped emergency call is a hazard to your security.

    Article 6 – fair trial,
    The reason is dropped phone calls, people listening in on conversations with your lawyer.
    The right to have a private talk with your lawyer

    Article 10 – expression.
    Without telecommunications secrecy, everyone is listening to your conversations.
    Dropped phone calls are the same as censoring

    Several other rights are also violated.

    ———————————————————

    You will need to compare with the official database for your area.

    Voluntarily collected databases:
    http://opencellid.org/
    http://www.cellmapper.net/map
    https://wigle.net/ (blue dots are GSM base stations)
    http://opensignal.com/
    http://www.cellumap.com/
    http://openbmap.org/
    Mozilla location services.
    There are many other databases.

    Official cell tower databases:
    Denmark: Mastedatabasen.dk
    Norway: finnsenderen.no
    Switzerland: Funksender.ch
    Poland: Beta.btsearch.pl
    Great Britain: http://www.sitefinder.ofcom.org.uk/search
    France: http://www.cartoradio.fr/cartoradio/web/
    Belgium: http://zendmasten.be/
    Brussels: http://geoportal.ibgebim.be/webgis/antenne_emettrice_gsm.phtml?langtype=2060
    Austria: http://www.senderkataster.at/
    Germany: http://emf3.bundesnetzagentur.de/karte/Default.aspx
    Netherlands: http://www.antenneregister.nl/Html5Viewer_Antenneregister/Index.html?viewer=antenneregister
    USA: http://www.antennasearch.com/

    What you see in the above databases are layers of registered GSM base stations / antennas.
    A quick look will tell you that it is a mobile GSM network and an installed GSM network.
    It is small teams.

    So you think that is not that bad,
    It is a mobile network and layers of registration, THINK AGAIN,
    it is much worse than you think and see.
    Install the app AIMSICD and download the OCID database,
    You will see a difference, a HUGE difference.

    The databases are validated because there are products made on them and they work.
    http://opencellid.org/, ENAikoon https://www.enaikoon.com/en/home/
    https://location.services.mozilla.com/ Firefox phones https://www.mozilla.org/en-US/firefox/os/

    Examples of closed databases:
    Google location.
    IPhone.
    Windows.
    Symbian.
    http://navizon.com/
    https://unwiredlabs.com/

    A small conclusion:
    Someday the closed databases will be seized by government officials.
    Because of what you see in the voluntarily collected databases.
    When that happens, and it will,
    We all lose our freedom and will be violated.
    Those closed databases also contain information on where the GSM base stations were logged.
    So what does that mean?
    Well, they can look at the closed databases and see
    How often you went to the local pusher,
    How often you shopped and where,
    How often you visit friends,
    And much more.

    Please.
    Provide permalinks if there are things you don’t understand,
    the official database for your area and I will have a look.
    Or ask a question.

    Example when comparing databases:
    London. Compare pictures, there is a huge difference.
    For the USA opencellid.org, wigle.net, opensignal.com, etc. in conjunction with http://www.antennasearch.com/

    Take a look at Chicago http://opencellid.org/ and compare with the official antenna/base station database http://www.antennasearch.com/
    There are 2,441,277 GSM antennas/stations in the U.S.; more than 10% have been registered in Chicago. Please look at the pictures; after the pictures, who says the government doesn’t listen to people.

    You want to know if your cell phone is under surveillance.
    Android
    http://www.android.pk/blog/tutorials/how-to-enable-third-party-apps-installation-on-android-phones/
    https://github.com/CellularPrivacy/Android-IMSI-Catcher-Detector/wik

    iPhone.
    Try using the app Opensignal or similar.
    Compare with the official database for your area.

    Discovering the hidden GSM network.
    How can you discover that there is a hidden GSM network?
    You need to compile the Android Open Source Project https://source.android.com/ with the function getneighboringcellinfo
    Install an app that plots GSM antennas.
    Compare with the official database.

    The function getneighboringcellinfo is deprecated in Android and has been since Android 2.3
    Today it is the function neighboringcellinfo and there are no apps supporting the function.

    When you look at opencellid.org and see the difference from the official database.
    Those differences are all phone connections that are hijacked with a GSM base station
    The reason is that opencellid.org is a new database, and the phones that did the collecting don’t have the function getneighboringcellinfo.

    The Hack
    The rogue GSM base station pretends to be an official GSM station to the cell phone.
    And to the official cell tower it pretends to be the phone.
    There is a handmade drawing.

    Screenshot films from the cell phone’s perspective
    It is from a cell phone where the connection is hijacked.
    (I know it is boring, please download and watch in high speed)
    https://1drv.ms/v/s!Ar3SzXWX8b_5gWot4evkmqwM8GA0
    Here is another https://1drv.ms/v/s!Ar3SzXWX8b_5gQbSxqpBMVeWxJ5f
    My phone, I am sitting in a train from Herning to Copenhagen, Denmark, 220 km; it is an unofficial network and it is the “man in the middle attack, UMTS (GSM)”, seen from my phone.
    The official database to compare with is https://www.mastedatabasen.dk/VisKort/PageMap.aspx
    I have over 24 hours of film, over 400 MB of logs and a small piece of a trace.

    ——————————————–

    If you look at the article http://www.usatoday.com/story/news/2015/02/22/cellphone-911-lack-location-data/23570499/

    The first thing is that the cellphone doesn’t transmit a signal containing information about its location; it is done through signal triangulation.

    “The technology of locating is based on measuring power levels and antenna patterns and uses the concept that a powered mobile phone always communicates wirelessly with one of the closest base stations (Cell tower), so knowledge of the location of the base station implies the cell phone is nearby.

    Advanced systems determine the sector in which the mobile phone is located and roughly estimate also the distance to the base station. Further approximation can be done by interpolating signals between adjacent antenna towers. Qualified services may achieve a precision of down to 50 meters in urban areas where mobile traffic and density of antenna towers (base stations) is sufficiently high.[citation needed] Rural and desolate areas may see miles between base stations and therefore determine locations less precisely. (It is a lot more precise than 50m)

    GSM localization uses multilateration to determine the location of GSM mobile phones, or dedicated trackers, usually with the intent to locate the user.” (Pretty simple 🙂 )

    From the article. (I just use it as an example)
    “In California, more than half of cellphone calls did not transmit location to 911 from 2011 to 2013, and it’s getting worse. Last year, about 12.4 million, or 63%, of California’s cellphone calls to 911 didn’t share location. Among the worst places: Silicon Valley. In December 2012, precise location was shared in 10%-37% of the area’s emergency calls, depending on the wireless carrier.

    In Colorado, 58% of the 5.8 million cellphone-to-911 calls last year transmitted coordinates, according to data obtained from the Colorado 911 Resource Center.

    In Texas, two-thirds of cellphone calls in a sample of calls from major cities – including Austin and Houston – reached 911 without an instant fix on location from 2010 through 2013.

    In the Virginia suburbs outside Washington, Fairfax County reported 25% of cellphone calls included precise location data in 2014, and Loudoun County said 29% of mobile calls did over the last six months of 2014.”

    When 911 tries to do a location fix through signal triangulation, and it doesn’t fit the caller’s description of where he or she is, chances are big (100%) that it is a base station (rogue cell tower).
    The rogue cell tower pretends to be an official cell tower to the cell phone, and to the tower it pretends to be a cell phone.
    So if and when 911 tries to make a fix on location based on the radio signal, it is a fix on the rogue cell tower, because it is the one that sends the phone data to the official cell tower (misdirected emergency services). And when a huge part of the unofficial GSM network (rogue cell towers) is mobile, in cars, bags etc., then the signal is jumping (no fix on the cell phone).
    The 911 databases for the cell phone fix all hold a clue to rogue base stations.

    The 911 location fix on the IP is also a problem, mentioned in the article.
    Doing a location on the IP can also be a problem,
    Please look at the drawing of the hack; the IP can be anywhere, which would also cause misdirected emergency services.
    Here is a strange one: the IP location algorithm looks through different network hops; Google gets the location right every time, but Bing locates the rogue base station.
    Google and Bing also have databases that can help discover the true picture of the problem.

    An example of genocide could be that, and why it should be addressed in the UN.
    In Colorado, 0,01% of the 58% of 5.8 million cellphone-to-911 calls could be a death caused by the time lost in misdirected help etc.
    Just that 0.01% is a possible genocide
    The reason is it is done by hacking phones, it is done intentionally.
    33 people per year, that is using as low a number as possible.
    It is more likely 0,1 making it 330 people a year for one state.

    If the UN takes honor, it will be the numbers they will be looking into.
    It is all deaths where the phone connection is hijacked that that group is to blame for.
    Not 0,01 or 0.1.
    And the 330 human lives are just for one state
    Imagine the number of deaths through the whole of the US, because of hacking cell phones.
    And it is not only the US. It is all countries in the world where there are deaths because of this group.

    The article doesn’t say anything about deaths caused by a lost/dropped 911 call.
    So the death toll is a lot higher.

    The next thing is the RF microwave radiation emitted from a rogue cell tower.
    RF microwave radiation pushes (vibrates) fat, sugar and water molecules, which can cause cell changes; we know it as cancer.
    http://www.cancer.gov/about-cancer/understanding/statistics
    • In 2014, an estimated 15,780 children and adolescents ages 0 to 19 were diagnosed with cancer and 1,960 died of the disease.
    Another thing about RF microwave radiation is that it causes DNA changes, and it is not a positive thing: health problems and early death.

    Then there are cancer deaths and much more.

    People are looking for answers about the calls from the airplanes that hit the World Trade Center. http://www.911myths.com/html/mobiles_at_altitude.html
    There are rogue GSM base stations in the planes, transmitting the signal to the ground at higher levels than a cell phone can do. A clue to this is in the databases: you will find GSM base stations on the airplane strips.

    I am wondering why no one is puzzled about
    Why it is possible to hear fragments of conversations
    in an ordinary GSM scanner and the channel jumping is uneven
    It is because of the hack MITM, UMTS (GSM). It is that hack that is picked up by the ordinary GSM scanner
    There is no encryption on the hack
    All official GSM stations encrypt data and voice
    It should not be possible to hear anything because of the encryption
    All you hear in an ordinary GSM scanner is hacking

    ———————————————————————

    A few newspaper articles on the subject:
    http://www.ibtimes.co.uk/fake-stingray-mobile-base-stations-discovered-spying-millions-londoners-1505368
    http://www.theguardian.com/uk/2011/oct/30/metropolitan-police-mobile-phone-surveillance
    http://www.thelocal.no/20150309/norway-police-broke-law-with-fake-mobile-receivers
    http://www.aftenposten.no/nyheter/iriks/Secret-surveillance-of-Norways-leaders-detected-7825278.html
    http://www.networkworld.com/article/2198955/smartphones/fake-gsm-base-station-trick-targets-iphones.html

    A bit of info about the hack:
    https://en.wikipedia.org/wiki/IMSI-catcher
    https://www.sba-research.org/wp-content/uploads/publications/DabrowskiEtAl-IMSI-Catcher-Catcher-ACSAC2014.pdf
    https://cosec.bit.uni-bonn.de/fileadmin/user_upload/teaching/10ws/10ws-sem-mobsec/talks/dammann.pdf
    https://media.blackhat.com/bh-dc-11/Perez-Pico/BlackHat_DC_2011_Perez-Pico_Mobile_Attacks-wp.pdf
    https://www.twelvesec.com/using-gsm-tester-intercept-calls-sms-pt1/
    http://www.wired.com/2010/07/intercepting-cell-phone-calls/ (stupid tracking algorithms make that pointless.)
    http://www.theregister.co.uk/2014/03/26/spam_text_china_clampdown_police/
    http://mobilesociety.typepad.com/mobile_life/2013/10/im-now-also-disabling-2g-for-data-i-need-a-3g4g-only-switch.html (stupid you can’t protect your phone against mitm, umts)
    http://www.theregister.co.uk/2010/08/02/gsm_cracking/
    http://www.fiercewireless.com/tech/story/local-law-enforcement-deploying-fake-base-stations-tracking-eavesdropping/2014-03-16

    Radiation:
    http://www.psrast.org/mobileng/hylandbasestation.pdf
    http://www.tetrawatch.net/papers/hyland_2005.pdf
    http://www.iss.it/binary/elet/cont/3.1203942327.pdf

    More to come.

    Thanks
    swampii
    https://www.facebook.com/profile.php?id=100008987765887

    1. Hello swampii,

      Thank you for sharing your opinion. Regarding your article, let me answer just the main point of your long discussion:

      I don’t trust CellIds at all, nor any CellId database with locations. This parameter is just a configuration, a label that anyone can modify at any time in a fake station, impersonating a real one or configuring a new one.

      On the other hand, telecom mobile networks are changing their infrastructure every day, so if you compare CellIds from the same area from one day to another, some percentage of them probably won’t be the same, just because of the network’s vegetative growth.

      This is just my opinion,
      Pedro
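
The two objections in the reply above, as an added example that is not part of the original thread or of the FakeBTS code: a lookup on the cell identity misses a fake station that reuses a listed identity, and it flags genuine cells the operator added after the database was built. The cell identities, the reference set and the real/fake labels are all constructed for illustration.

```python
from collections import namedtuple

# Cell identity as broadcast by a GSM cell: MCC, MNC, LAC, CID.
Cell = namedtuple("Cell", "mcc mnc lac cid")

# Constructed reference database (stand-in for a crowd-sourced Cell ID export).
# MCC 1 / MNC 1 is the test PLMN 001-01, not a real operator.
REFERENCE_DB = {
    Cell(1, 1, 1001, 20001),
    Cell(1, 1, 1001, 20002),
    Cell(1, 1, 1001, 20003),
    Cell(1, 1, 1002, 20010),
}

# Constructed scans of the same area on two days. Each entry also records
# whether the transmitter was genuine; a real scanner does not know this.
DAY1 = [
    (Cell(1, 1, 1001, 20001), "real"),
    (Cell(1, 1, 1001, 20002), "real"),
    (Cell(1, 1, 1001, 20003), "real"),
    (Cell(1, 1, 1002, 20010), "real"),
]
DAY2 = [
    (Cell(1, 1, 1001, 20001), "real"),
    (Cell(1, 1, 1001, 20002), "fake"),  # station reusing a listed identity
    (Cell(1, 1, 1001, 20004), "real"),  # operator replaced sector 20003
    (Cell(1, 1, 1002, 20010), "real"),
]

def flagged_by_db(scan, db):
    """Observations that a Cell ID database lookup would flag as unknown."""
    return [(cell, truth) for cell, truth in scan if cell not in db]

def churn(before, after):
    """Fraction of cell identities that differ between two scans."""
    a = {cell for cell, _ in before}
    b = {cell for cell, _ in after}
    return len(a ^ b) / len(a | b)

def evaluate(scan, db):
    """Count false alarms (real but unlisted) and misses (fake but listed)."""
    flagged = flagged_by_db(scan, db)
    false_alarms = sum(1 for _, truth in flagged if truth == "real")
    misses = sum(1 for cell, truth in scan if truth == "fake" and cell in db)
    return {"flagged": len(flagged), "false_alarms": false_alarms, "misses": misses}

if __name__ == "__main__":
    print("identity churn day1 -> day2:", churn(DAY1, DAY2))
    print("day2 database check:", evaluate(DAY2, REFERENCE_DB))
```

On the constructed day-2 scan the only alert is the legitimate new sector, while the station reusing a listed identity passes the lookup unnoticed.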

  3. Hi Pedro,
    I'm Monica

    I'm trying to implement cellAnalysis and I'm having some problems (I mention it in my master's thesis)

    I have an rtlsdr dongle (the one from Raul Siles's course)

    I set everything up, but when I run the script it asks for the file GP_RTL_Dec=”gsm_receive64-rtl.py” and says it can't find it

    The same thing happens with gsm_receive_rtl_3.7_console.py and with gsm_receive_hackrf_3.7.py

    If I go to the airprobe package downloaded from the link on your web page, they aren't there
    What I did was change that path to gsm_receive.py

    Once everything seems correct, I run the CellAnalysis script and it tells me that all the rtlsdr dependencies are met and it continues running, but when it starts searching for cells it doesn't find any; it finishes searching and throws an error: not Cell found. Is your Usrp/RTL on)

    Script finish

    What can I do?

    Thank you very much for your help

    1. Hi Monica,

      I'm glad to hear you are implementing CellAnalysis 🙂

      The thing is that those files are not part of standard airprobe; I added them in my version, which you can find in my airprobe repository: https://github.com/pcabreracamara/airprobe

      If you edit the files you will see that the changes are quite simple; I removed the graphical components (WXGUI) and adapted the ClockRate and SampleRate variables to the RTL-SDR (apart from making it compatible with GnuRadio v3.7).

      If you need anything, I'll be happy to help.

      Regards,
      Pedro

  4. Hi Pedro,

    I wanted to ask whether, using a fake BTS, it is possible to intercept payments made with NFC technology or ApplePay?

    Thanks!!
    Sevim

    1. Hi Sevim,

      NFC technology uses the 13.56 MHz band, and its communications standard has nothing to do with mobile telephony. A fake cell cannot be used to carry out a MITM attack on an NFC device, if that is what you were thinking.

      However, with the fake cell it is possible to try to intercept the requests that the mobile device or the payment terminal (PoS, TPV) sends over this network after reading the payment method information, whatever it is: an NFC credit card, ApplePay, etc.

      Regards,
      Pedro
