This morning's NSA article from WaPo contains some slides mentioning USRP equipment [1]. It's hard to say without more context whether it's referring to the GSM equipment from Ettus... anyone care to speculate? The USRP series doesn't exactly seem like carrier-grade equipment, but perhaps the NSA has a good reason to use it. Maybe baseband exploitation, as coderman has previously mentioned? Simply getting cell tower database dumps from the telcos would suffice for location info, so I would guess this has a different purpose.

[1] http://apps.washingtonpost.com/g/page/national/nsa-signal-surveillance-succe...

On 12/10/2013 05:56 AM, Matej Kovacic wrote:
> Hi,
>
>> Can/do IMSI systems spoof tower id: is there anything in GSM to make towers self-verifying? I'm guessing no, in which case the above would be very poor.
>
> No, the problem is that the mobile phone authenticates to the mobile network, but the opposite is not true. Since the mobile network does not authenticate itself to the mobile phone, IMSI Catcher attacks are possible.
>
> There was also a demonstration of a "home-made" IMSI Catcher based on the Osmocom platform at last year's CCC conference.
>
> The video of the presentation "Further hacks on the Calypso platform" by Sylvain Munaut is here: http://media.ccc.de/browse/congress/2012/29c3-5226-en-further_hacks_calypso_...
>
> So, it is very easy to set up a fake cell with any cell ID.
>
>> Also of note is the API for signal strength, so a mapping of known towers to expected strength at location XYZ could be used to detect systems used to home in on phones, which usually max out on signal and tell your
>
> This would not work, because cells are not static (new cells emerge, covered areas change, etc.) and the opencellid database is not regularly updated. There could also be femtocells in use, etc.
>
> Regards,
> M.
--
http://disman.tl
OpenPGP key: http://disman.tl/pgp.asc
Fingerprint: 2480 095D 4B16 436F 35AB 7305 F670 74ED BD86 43A9
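To make the one-way authentication Matej describes concrete, here is an added Python simulation (it is not from this thread, nor Osmocom or Ettus code): a GSM-style phone answers any challenge, so a cell that merely claims a cell ID is accepted, while a mutual-authentication variant, where the cell must also prove it holds the subscriber key, rejects the fake cell. The HMAC-based `sres_for` and `network_tag` functions, the `Phone` and `Network` classes and the key `KI` are assumed stand-ins, not the real A3/A8 algorithms or any real message format.

```python
import hmac
import hashlib
import os

# Constructed example value: a per-subscriber key (stands in for the SIM's Ki).
KI = os.urandom(16)


def sres_for(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for GSM A3: the phone's response SRES to a challenge RAND.
    HMAC-SHA256 truncated to 32 bits is an assumption, not the real algorithm."""
    return hmac.new(ki, b"SRES" + rand, hashlib.sha256).digest()[:4]


def network_tag(ki: bytes, rand: bytes) -> bytes:
    """Hypothetical proof that the cell knows Ki; GSM has no such message."""
    return hmac.new(ki, b"NET" + rand, hashlib.sha256).digest()[:8]


class Network:
    """A cell. ki=None models a fake cell that does not hold the subscriber key."""
    def __init__(self, ki):
        self.ki = ki

    def challenge(self):
        rand = os.urandom(16)
        # A fake cell cannot compute a valid tag, so it can only send junk.
        tag = network_tag(self.ki, rand) if self.ki else os.urandom(8)
        return rand, tag


class Phone:
    def __init__(self, ki):
        self.ki = ki

    def respond_gsm(self, rand, _tag):
        # GSM behaviour: answer whatever challenge arrives; the phone has no
        # way to tell a genuine cell from one that merely claims its cell ID.
        return sres_for(self.ki, rand)

    def respond_mutual(self, rand, tag):
        # Hardened variant: refuse to proceed unless the cell proves it knows Ki.
        if not hmac.compare_digest(network_tag(self.ki, rand), tag):
            return None
        return sres_for(self.ki, rand)


def phone_attaches(phone, network, mutual: bool) -> bool:
    """True if the phone sends SRES, i.e. accepts the cell and continues."""
    rand, tag = network.challenge()
    respond = phone.respond_mutual if mutual else phone.respond_gsm
    return respond(rand, tag) is not None
```

With `mutual=False` the phone attaches to `Network(None)` just as readily as to `Network(KI)`, which is the asymmetry an IMSI catcher relies on; with `mutual=True` only the cell holding `KI` is accepted.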