Monday, August 29, 2011

Using Signal to Detect Rogue Cellular Base Stations (Part Two)

Can Signal be used as a rogue base station detector?

For starters, the answer depends on the reliability and update rate of the information source from which Signal obtains the geographical location.

Provided that condition is met, we can distinguish three cases:
  1. If the attacker uses a non-existent cell identifier, the application will not provide any geographical information for it, and we will therefore assume that the serving cell is false.
  2. If the attacker uses an existing cell identifier belonging to a tower located far away from where the attacker is, Signal will report a location that does not match our real position. This indicates that the serving cell is not legitimate.
  3. If the attacker configures his base station to impersonate one of the neighbor cells and gets the terminal to register to it (by emitting a signal that the victim's terminal perceives as much "better"), Signal will give no clue about the legitimacy of the cell. We must say that in this situation it is much more difficult for the attacker to force the terminal to register to his base station, because the victim's terminal will probably see two radio signals with the same cell identifier (we don't know how the terminal behaves in this case). To overcome this obstacle, the attacker could choose the identifier of an existing nearby cell for which the terminal currently perceives no power at all.
Our conclusion is that this application can help detect whether the service our terminal is receiving is legitimate, and it makes it much harder for the attacker to keep his attack undetected. However, it cannot be considered a 100% reliable method.

Even so, we think that the tower's geographical location provides a very good way to help detect rogue base station attacks, and it should be combined with other techniques such as the GPS information of the terminal, the analysis of other parameters of the radio signal, or the detection of functionalities that a false network will typically not implement.

Network traffic analysis

For each test performed we obtained the corresponding traffic capture using Wireshark. We did so because, if there is an information source from which one can extract the geographical location of a mobile base station, of course we want to know it.

After analyzing some of the captures, we concluded that the source of that information was Google (what a surprise!). We also saw that the request/response looks like this:

In the capture you can see that the request is qualified by the cell identifier (MCC, MNC, LAC and CI), and that the answer comes in "longitude/latitude" format.
The "User-Agent" field shows that we are using "wget" (instead of "Signal", as any capture of the application's own traffic would show). This is because, instead of using Signal, we wrote a little software tool to access this information, as explained below.

This tool is a shell script that, taking the cell identifier as input, builds the correctly formatted request to Google and sends it with wget. When Google's answer arrives, it prints the longitude and latitude on the console and, optionally, opens a web browser showing the tower's location in Google Maps.

The usage instructions of the tool are shown here:
$ ./ --help
./ --MCC= --MNC= --LAC= --CI= [-s | --show_in_browser] [-h | --help]
Description: this script asks Google for a particular
Cellular Base Station Location and shows Google's answer.
(Based on the traffic analysis of the Signal Cydia application
from PlanetBeing)
MCC: Mobile Country Code of the carrier owning the Base Station
MNC: Mobile Network Code of the carrier owning the Base Station
LAC: Location Area Code of the Base Station
CI: Cell Identifier of the Base Station
-h | --help
Shows this help.
-s | --show_in_browser
If you specify this option the script will launch
your browser with the obtained coordinates.
You can configure your browser location in a
configuration variable inside the script.

An example of use is shown below:
tad3@ubuntu:~/tadbsl$ ./ --MCC=302 --MNC=720 --LAC=65010 --CI=48626
LOCATION: 49.1560525 , -123.1586519
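The decision logic of the three cases discussed above, together with the MCC/MNC/LAC/CI lookup the shell tool performs, written out as an added Python example (this is not the post's script nor Signal's code). The Google query is replaced by a constructed local table so the example runs offline; its only entry is the identifier and coordinates from the run shown above, and anything else is treated as an unknown cell. The 10 km plausibility radius and the GPS fixes used to exercise it are assumptions. The third case, an attacker cloning a correct nearby identifier, comes back "consistent" exactly as the text warns, so that verdict is an absence of evidence, not proof of legitimacy.

```python
import math
import re
from typing import Dict, List, Optional, Tuple

Cell = Tuple[int, int, int, int]   # (MCC, MNC, LAC, CI)
Point = Tuple[float, float]        # (latitude, longitude)

# Constructed stand-in for Google's answer (the post's script asks Google with
# wget). The only entry is the real lookup shown in the post; any other
# identifier is "unknown", as it would be for a cell Google has no record of.
TOWER_DB: Dict[Cell, Point] = {
    (302, 720, 65010, 48626): (49.1560525, -123.1586519),
}

# Assumed plausibility radius: a serving cell whose reported site lies farther
# than this from the handset's own GPS fix is flagged. Tune per environment
# (urban macrocells are small; rural ones can reach tens of km).
MAX_SERVING_DISTANCE_KM = 10.0


def parse_cell_args(argv: List[str]) -> Cell:
    """Accept the same --MCC=/--MNC=/--LAC=/--CI= switches as the post's tool."""
    found = {}
    for arg in argv:
        m = re.fullmatch(r"--(MCC|MNC|LAC|CI)=(\d+)", arg)
        if m:
            found[m.group(1)] = int(m.group(2))
    missing = [k for k in ("MCC", "MNC", "LAC", "CI") if k not in found]
    if missing:
        raise ValueError("missing switches: " + ", ".join(missing))
    return (found["MCC"], found["MNC"], found["LAC"], found["CI"])


def lookup_tower(cell: Cell, db: Dict[Cell, Point] = TOWER_DB) -> Optional[Point]:
    """Return the tower's (lat, lon), or None when the source has no record."""
    return db.get(cell)


def haversine_km(a: Point, b: Point) -> float:
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def classify_serving_cell(cell: Cell, gps_fix: Point,
                          db: Dict[Cell, Point] = TOWER_DB,
                          max_km: float = MAX_SERVING_DISTANCE_KM):
    """Apply the three cases from the post. Returns (verdict, distance_km)."""
    site = lookup_tower(cell, db)
    if site is None:
        # Case 1: identifier unknown to the source -> treat the serving cell as false.
        return ("unknown_cell", None)
    dist = haversine_km(gps_fix, site)
    if dist > max_km:
        # Case 2: real identifier, but the tower is nowhere near us.
        return ("location_mismatch", dist)
    # Case 3: everything matches. A rogue cell cloning a nearby identifier
    # lands here too, so this is "no evidence", not proof of legitimacy.
    return ("consistent", dist)


if __name__ == "__main__":
    import sys
    cell = parse_cell_args(sys.argv[1:]) if len(sys.argv) > 1 else (302, 720, 65010, 48626)
    # Constructed GPS fix about 2 km from the tower in the post's lookup (assumed).
    print(classify_serving_cell(cell, (49.170, -123.140)))
```

Run it with the same switches as the post's tool (`--MCC=302 --MNC=720 --LAC=65010 --CI=48626`); the only thing a real deployment would change is replacing TOWER_DB with the live lookup the shell script does over wget.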

This tool is available at our lab.

NOTE: We first published this article, in Spanish, in this post of the blog “Seguridad Apple”


Anonymous said...

> the victim's terminal probably can see two radio signals with the same cell identifier (we don't know the terminal behavior in this case).

Testing some terminals for this could be a subject for the next post - do you think so? :)

Jose Pico said...

It would certainly be interesting, but time being a limited resource, we'll see...
