Re: ‘Fake’ cellphone towers found in U.S.
On 9/2/14, Cathal Garvey <cathalgarvey@cathalgarvey.me> wrote:
... Also, that nameless towers are assumed to be government intercepts. I can imagine (though I don't know much, if I'm honest) situations in which backup towers brought in for events (concerts, public gatherings, etc.) might be contracted from third parties and present apparently aberrant nomenclature, if any. These backup cells might be brought into otherwise quiet areas for normal maintenance, or to back up faulty towers, etc.;
A legitimate roaming association when out of normal coverage areas is different from what could be called an "intercept attack". That is to say, actively placing an intercept channel in front of a station when that station is able to associate with legitimate carrier towers is an active attack against carrier networks, while a roaming association when out of range of a carrier is a desired function and not malicious. To complicate matters, a number of years back I reported on active MitM attacks on 4G networks by interfering with existing associations to force a roaming hand-off to an attacker endpoint. Thus a determination of what is "normal" with respect to carrier towers requires a span of time combined with local observation (snapshots are not sufficient). Also, the new broadband-backhauled femtocells that some carriers are distributing may or may not appear as an impersonating interceptor, exhibiting the usual properties of a rogue tower while actually being carrier-provisioned capacity.
... on the other hand, why would the US feds need to roll out a nationwide cell tower network to spy on everyone when..they already have one? :)
This is an interesting question. Presumably there are two reasons: a) that the usual intercepts require judicial approval and logistic delays, and b) manipulating the local link and signaling channel affords deep "enabling" of the target via means not cleared to transit untrusted networks. Fun questions, encourage more research! :P
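One way to turn the "span of time, not snapshots" point into a check, as an added example that is not from this thread: build a baseline of cells seen repeatedly over a period, then treat an unfamiliar cell as suspicious only when it appears while familiar carrier cells are still within good signal, and as ordinary roaming otherwise. The scan log, cell ids (using the 001-xx test PLMN), signal values and thresholds are all constructed.

```python
# Constructed scan log: each entry is one scan at a timestamp, listing the
# cells visible as (cell id "MCC-MNC-LAC-CID", signal in dBm). All values
# are made up for illustration; 001-xx is the test-network PLMN range.
SCANS = [
    ("2014-09-01 08:00", [("001-01-1234-5001", -70), ("001-01-1234-5002", -82)]),
    ("2014-09-01 12:00", [("001-01-1234-5001", -72), ("001-01-1234-5002", -80)]),
    ("2014-09-01 18:00", [("001-01-1234-5001", -71)]),
    ("2014-09-02 08:00", [("001-01-1234-5001", -69), ("001-01-1234-5002", -83)]),
    # An unfamiliar cell shows up while a familiar cell is still strong:
    # this is the "intercept channel placed in front of the station" pattern.
    ("2014-09-02 12:00", [("001-01-1234-5001", -70), ("001-01-9999-0001", -55)]),
    # Only an unfamiliar cell, nothing familiar in range: consistent with roaming.
    ("2014-09-02 20:00", [("001-02-0042-7007", -88)]),
]

STRONG_DBM = -85  # constructed threshold: a baseline cell at or above this is "available"


def build_baseline(scans, min_scans=3):
    """Cells seen in at least min_scans separate scans count as normal coverage.

    The baseline is what the snapshot-only approach lacks: it needs a span of
    observations from the same location before any single scan can be judged.
    """
    counts = {}
    for _, cells in scans:
        for cell, _ in cells:
            counts[cell] = counts.get(cell, 0) + 1
    return {cell for cell, n in counts.items() if n >= min_scans}


def classify_scans(scans, baseline, strong_dbm=STRONG_DBM):
    """Return (timestamp, cell, verdict) for every cell not in the baseline.

    "suspicious" means an unfamiliar cell appeared while legitimate coverage
    was available; a carrier-provisioned femtocell would land here too, so the
    verdict is a review trigger to check against carrier records, not proof.
    "roaming" means no familiar cell was in usable range, the benign case.
    """
    findings = []
    for ts, cells in scans:
        carrier_available = any(c in baseline and dbm >= strong_dbm for c, dbm in cells)
        for cell, dbm in cells:
            if cell in baseline:
                continue
            findings.append((ts, cell, "suspicious" if carrier_available else "roaming"))
    return findings
```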
On Tue, Sep 2, 2014 at 6:36 AM, coderman <coderman@gmail.com> wrote:
delays, and b) manipulating the local link and signaling channel affords deep "enabling" of the target via means not cleared to transit untrusted networks.
fun questions, encourage more research!
With SDR you can be both tower and phone. So take your rig out traveling and start decoding the traffic you dump off these enablers. Post their actions and means. Play spot the rootshell over the air.