Category Archives: attacks

Israel accused of planting mysterious spy devices near the White House

This past Thursday, September 12, published the confirmation of mobile phone surveillance devices of Israeli origin, according to the FBI and other agencies, in the White House:

You may not remember it anymore, but last year the Washington Post published a story about IMSI-Catchers devices near the White House.

Something that Senator Ron Wyden confirmed in a letter sent to the Department of Homeland Security, in which he admitted that “he observed anomalous activity in the [Washington DC area] that seems to be consistent with the behavior of the IMSI-Catchers,” as could be read in

IMSICatching attacks on 4G networks (part 2)

Some time ago I wrote about IMSI-Catching attacks on 3G and on another previous article the different studies regarding these attacks in 4G networks, but I finally found enough time to write about these attacks in 4G and of course, detection.


When looking for SDR solutions to implement our 4G network, we currently have 3 options for our laboratory; OpenLTE, OpenAirInterface and srsLTE. In this case, I created a laboratory using the USRP B200 with srsLTE:

The EPC (srsepc) has a modified version of the code to allow client devices to send their “Attach” request, being identified with their IMSI, as we can see in the following image :

Once we have obtained the IMSI of our victim, as we saw in the previous article about these attacks in 3G, we could continue modifying the 4G SDR based network code to degrade the 4G service completely forcing the mobile to look for another cell in the 3G frequencies or 2G. Or just do nothing else and collect more IMSI identities from new victims, a typical fast and effective IMSI Catch attack.


How could we detect these intrusions?  I continue using the active approach, instead of the 2G passive sniffing. Using 4G modems and capturing the signaling we are able to analyze all these situations and in the same hand, we can monitor our mobile operator security parameters, but this requires using a valid SIM card in the modem. Xgoldmon or SCAT (Signaling Collection and Analysis Tool) are also valid candidates.

CellAnalysis 3G & 4G will be released soon, so stay tuned.

YateBTS rogue station running at RSA Conference 2018

It doesn’t looks like an IMSI-Catch attack, much more it seems to be a miss configuration, someone playing around with YateBTS in his/her laptop plugged with a BladeRF, completely forgotten to disable or modify source to avoid the SMS welcome, so everyone who walks in the RSA conference close to this YateBTS station received a welcome SMS as showed above.



@s7ephen tweet about this message:

David Burgess (the man who started the OpenBTS project time ago with Harvind Samra) wrote his own note from YateBTS web page regarding this extrange rogue tower:

The ‘rogue GSM tower’ episode and Cambridge Analytica: why ethics matters to technology

Probably this RSA edition will be remembered for the attendees data leak (article from, but is also quite interesting this GSM station broadcasting welcome SMS.


Canada: Toronto police admit they use Stingray


Quote from the article: “After denying use of the controversial technology, documents obtained by the Star show that the Toronto Police Service has used the cellphone data-capturing device known as an IMSI catcher, or Stingray, in five separate investigations.

This new article from rises new use cases from the Toronto Police.

Read the full article here.

US (Seattle and Milwaukee) Stingray-Detecting Device

Researchers at the University of Washington uses a sensor box, including a GPS module, a GSM cellular modem, a Raspberry Pi, a cellular hotspot, and an Android phone running SnoopSnitch, to collect 2G cells information and detect IMSI catchers, as you can read in the article.

They identified and mapped out 1,400 cell towers in Seattle, and 700 in Milwaukee, finding anomalies in the Seattle area.

More information can be found in the project web page and their  white-paper.

4G/LTE IMSI Catchers

Two papers in a short period of time describe how to implement easy IMSI Catchers in 4G, using OpenLTE, srsLTE or gr-LTE:

– “Easy 4G/LTE IMSI Catchers for Non-Programmers“, Stig F. Mjølsnes and Ruxandra F. Olimid (Norwegian University of Science and Technology, Trondheim)

– “Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems“, Altaf Shaik, Ravishankar Borgaonkar, N. Asokan, Valtteri Niemi and Jean-Pierre Seifert

Although these 4G stations aren’t functional, also can be use to downgrade our mobile to a 2G or 3G fake station using “TAU Reject” code “LTE services not allowed”.

Real example of BTS rogue, fake BTS or IMSI catcher

Is far from the intention of this project focusing on creating attacks or disclosure of the methods to achieve, but it is clear that when you want to detect attacks, You should study them to understand and get ahead or warn them.

By way of introduction I have prepared this short article for those who want to know what a false station (also called BTS or Fake IMSI Catcher). In the DefCon security event 18, Chris Paget we illustrated in his talk entitled “PRACTICAL CELLPHONE SPYING”, how to steal the identity of subscribers to a GSM network by creating a false cell using a USRP as hardware for transmitting and receiving terminals to a Linux computer and OpenBTS and Asterisk to set the cell and allow calls to victims.

This is the video of the talk:

A year later (2011) our compatriots Jose Perez David Stang and exposed at Blackhat DC security conference 2011 how to apply the same attack but networks GPRS / EDGE, afectanto even UMTS / HSPA: