Friday, August 26, 2011

Using Signal to Detect Rogue Cellular Base Stations (Part One)

A few days ago Chema Alonso told us about an application that can show the geographical location of the tower serving an iPhone, as well as that of the adjacent towers, together with some technical data about them. Chema's question was whether this application could be used to detect a rogue base station attack. To answer that question we performed a series of tests. Some of them are described in this article, along with our conclusions and other things we found along the way.

The application is called Signal (available on Cydia) and was written by PlanetBeing. Its purpose is to map the nearby towers, measure their signal strength and provide technical data about them.

Test I: testing the application with and without Internet access

Testing Lab

To perform the tests, we set up the laboratory shown in the picture:

The main objective of this set up was to be able to analyze the traffic generated by the application so that we could obtain preliminary conclusions before deciding what tests would follow.

Installation and first execution

After jailbreaking our iPhone and installing Cydia, we configured the device as follows:
  • We disabled 3G so that the phone would only use GSM (2G); this makes it easier for our rogue base station to provide service to it
  • The first time the application is launched it asks whether it may use Location Services. We answered "no", because we wanted to limit the resources the software could use to work out its position, i.e., no GPS involved

Afterwards we could see the application showing a map with the location of the towers near our position (somewhere in the Valencia area), together with a number representing the received signal strength in dBm. We checked that the geographical location really did correspond to our position:



Running the application without Internet access

Since we suspected that the application obtained the geographical location of the towers from the Internet, we disabled all of the iPhone's data services, including GPRS and WiFi.
Under these conditions, as soon as the application started, the serving cell was detected and its data and parameters were reported. The geographical location of a set of nearby towers was also shown on the map, but in a different format, as we can see in the following picture:


The legend of color codes in the application reads as follows:
  • Blue: Visible towers
  • Red: Connected tower
  • Gray: Unlocatable tower
  • Yellow: Previously seen tower
This suggested that Signal keeps some kind of cache of information about previously seen towers. Since the application has a "Reset tower data" option, we checked that when we selected it all geographical information was lost, and it did not come back after several further runs of the application (still without Internet access).

Running the application with Internet access

After enabling WiFi we launched the application again, and this time it once more located the towers in our geographical area.

Conclusions obtained in Testing Phase I

From the tests performed we can infer that:
  • Signal obtains the geographical information about cellular base stations from the Internet
  • The application keeps a cache in which it stores the geographical information of the towers it has previously seen; this cache can be erased with the "Reset tower data" option

Test II: using a rogue base station

Testing Lab

For this second phase we modified our lab so that GSM service was provided by our rogue base station. The following diagram illustrates this set-up:


Testing with a non-existent cell identifier

For this test we configured our rogue base station to transmit with a non-existent cell identifier, and then switched on the iPhone inside the cage (remember that, as shown in the previous picture, the iPhone inside the cage was connected to the Internet through our WiFi infrastructure).

When the Signal application started, it detected the serving tower and correctly reported our false cell identifier, but it could not locate that cell geographically.

Testing with a different cell identifier

In this test we used a cell identifier belonging to a cell located somewhere in the Madrid area (we were performing our tests in the Valencia area) and, sure enough, the application placed us in Madrid, next to that tower, as we can see in the following picture:


Conclusions obtained in Testing Phase II

From these tests we can infer that:
  • The identifying information about the serving tower is obtained from the radio signal (the data the base station itself broadcasts), not from the Internet
  • The geographical information that Signal obtains from the Internet depends only on the cell identifier (MCC|MNC|LAC|CI), where:
    • MCC: Mobile Country Code
    • MNC: Mobile Network Code
    • LAC: Location Area Code
    • CI: Cell Identifier
A direct consequence is that a rogue base station which reuses the identifier of a legitimate nearby cell would be placed on the map at that cell's real position, so the map alone cannot distinguish it from the genuine tower.
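The two phases together describe a simple detection rule: the phone learns the serving cell's MCC|MNC|LAC|CI over the air, and the only thing the map adds is a lookup of that identifier in a tower database (cached locally after the first lookup). The check below, added here as an example and not code from the original article or from the Signal application, turns that into something a practitioner could run: it looks up the serving cell and its visible neighbours by identifier and flags a serving cell that is either unknown (the "unlocatable" case produced by the non-existent identifier) or that the lookup places far away from the neighbours actually heard around it (the Madrid identifier seen from Valencia). The "MCC-MNC-LAC-CI" text format, the tower table, its coordinates and the 30 km threshold are all constructed for the example; only MCC 214 (Spain) is a real value.

```python
"""Consistency check for a serving cell against its neighbours, keyed by cell identifier."""
import math
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

Coord = Tuple[float, float]  # (latitude, longitude) in decimal degrees


@dataclass(frozen=True)
class CGI:
    """Cell Global Identity: MCC | MNC | LAC | CI, as listed in the conclusions above."""
    mcc: int
    mnc: int
    lac: int
    ci: int

    @classmethod
    def parse(cls, text: str) -> "CGI":
        # 'MCC-MNC-LAC-CI' is a textual format chosen for this example, not Signal's.
        parts = text.split("-")
        if len(parts) != 4:
            raise ValueError(f"expected MCC-MNC-LAC-CI, got {text!r}")
        mcc, mnc, lac, ci = (int(p) for p in parts)
        # GSM field sizes: MCC/MNC up to three decimal digits, LAC and CI 16-bit values.
        if not (0 <= mcc <= 999 and 0 <= mnc <= 999
                and 0 <= lac <= 0xFFFF and 0 <= ci <= 0xFFFF):
            raise ValueError(f"field out of range in {text!r}")
        return cls(mcc, mnc, lac, ci)


# Constructed stand-in for the tower database / local cache. MCC 214 is Spain;
# the MNC, LAC, CI values and the coordinates are invented for this example.
TOWER_DB: Dict[CGI, Coord] = {
    CGI.parse("214-07-1001-10001"): (39.470, -0.377),  # "Valencia" cell A
    CGI.parse("214-07-1001-10002"): (39.475, -0.370),  # "Valencia" cell B
    CGI.parse("214-07-1001-10003"): (39.465, -0.385),  # "Valencia" cell C
    CGI.parse("214-07-2001-20001"): (40.417, -3.703),  # "Madrid" cell D
}


def haversine_km(a: Coord, b: Coord) -> float:
    """Great-circle distance between two (lat, lon) points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def assess_serving_cell(serving: CGI, neighbors: Iterable[CGI],
                        db: Dict[CGI, Coord] = TOWER_DB,
                        max_km: float = 30.0) -> Tuple[str, Optional[float]]:
    """Classify the serving cell using identifier lookups only, as Signal positions towers.

    Returns (verdict, distance_km):
      unknown_cell      - serving identifier not in the database (the grey "unlocatable"
                          tower; what the non-existent identifier produced in Test II)
      no_reference      - no neighbour could be located, so there is nothing to compare
                          against (the situation inside the cage, where only the rogue
                          cell is heard)
      location_mismatch - the lookup places the serving cell more than max_km from the
                          located neighbours (the Madrid identifier seen from Valencia)
      consistent        - the serving cell sits among its neighbours
    """
    loc = db.get(serving)
    if loc is None:
        return "unknown_cell", None
    known = [db[n] for n in neighbors if n in db]
    if not known:
        return "no_reference", None
    centroid = (sum(p[0] for p in known) / len(known),
                sum(p[1] for p in known) / len(known))
    d = haversine_km(loc, centroid)
    return ("location_mismatch" if d > max_km else "consistent"), round(d, 1)


if __name__ == "__main__":
    valencia = [CGI.parse("214-07-1001-10002"), CGI.parse("214-07-1001-10003")]
    print(assess_serving_cell(CGI.parse("214-07-1001-10001"), valencia))  # consistent
    print(assess_serving_cell(CGI.parse("214-07-2001-20001"), valencia))  # location_mismatch
    print(assess_serving_cell(CGI.parse("214-07-1001-60000"), valencia))  # unknown_cell
    print(assess_serving_cell(CGI.parse("214-07-2001-20001"), []))        # no_reference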


NOTE: We first published this article, in Spanish, in this post of the blog “Seguridad Apple”

No comments:

Post a Comment