At the RSA Conference in San Francisco today, the network penetration testing and monitoring tool company Pwnie Express will demonstrate its newest creation: a sensor that detects rogue cellular network transceivers, including "Stingray" devices and other hardware used by law enforcement to surreptitiously monitor and track cell phones and users.

In an exclusive demonstration for Ars, Pwnie Express CTO Dave Porcello and Director of Research and Development Rick Farina showed off the company's new cell network threat detection capabilities, which integrate into Pwnie's Pulse security auditing service. The capability will give companies the ability to monitor cellular networks around them and detect anomalies caused by rogue cellular base stations, IMSI catchers, and devices used to extend cellular coverage into areas where it may not be authorized.

Of all the potential security threats to companies and individuals that have emerged over the past few years, perhaps the hardest to crack is rogue cellular base stations. Whether they're used to attack the privacy of a cell phone user's communications or as a backdoor out of places where cell phone usage is restricted, configuring unauthorized cell "towers" has become increasingly simple. It doesn't necessarily even require law enforcement-grade hardware. Anyone with a HackRF card or other software-defined radio kit and open-source software can turn a laptop computer into a cellular network transceiver—or even a cellular jammer.

Call baiting

"The real thing that scares people the most is that we have no visibility into these things," Porcello said. "Nobody knows how many of them are out there." But they definitely are out there. Last September, ESD America—which manufactures the CryptoPhone secure cell phone—reported that more than a dozen rogue cell "towers" had been discovered in Washington DC. It's not clear if all of these were being operated by law enforcement.

Way back in 2010 at the Washington DC Shmoocon security conference, Chris Paget (now known as Kristin Paget) demonstrated that he could capture the cell phone data of attendees using a rig that cost about $1,500. "He just bought a commodity [software-defined radio] card and loaded OpenBTS (an open-source GSM cellular base station software package) on his laptop," Porcello said. "He made a point of using a very small antenna so he only hijacked about half of the audience in the auditorium. I'm sure that this sort of thing was being done before that, but I think that was the first public demonstration."

At the same time, law enforcement use of such systems grew. Using the same principle as malicious cellular base stations, authorities could capture cellular phones' International Mobile Subscriber Identity (IMSI) as a way to identify a targeted phone and execute a "man in the middle" attack against it, acting as an intermediary between the phone and a legitimate cell tower in order to intercept and record conversations. These devices, called "IMSI catchers" or "stingrays," have been controversially used by local law enforcement across the US, often under non-disclosure agreements.

Another threat faced by companies in highly regulated industries is the unauthorized use of microcells or femtocells—small base stations often sold by cell carriers to extend cellular network coverage in places where towers might not have coverage. If a company is trying to prevent personal cell phone usage within a facility through passive means, for example, an employee might plug a femtocell base station in at their desk to make outbound calls that aren't through the company's call logging system. This also introduces the potential threat of cellular jamming by someone seeking to block service for malicious reasons.

While all this has been recognized as a threat for some time, there's been one major obstacle in the way of companies protecting themselves against cellular network attacks. Until now, using hardware that could detect such networks would break federal law. There are already some tools available to detect IMSI catchers, such as SnoopSnitch, an Android application that can warn a phone user of suspicious cell tower signals that might indicate an IMSI catcher or rogue base station. But other tools available to detect the full spectrum of potential cellular threats are largely restricted to government customers, and many carry six-digit price tags.

"It's actually real easy to make something that can do this but can only be used by government or law enforcement," said Farina. "But so many people have these problems and no way to solve them. If you've got a good sized company, you're absolutely a target for somebody setting up a small base station and grabbing your data, pretty cheaply."

Setting a watchman

Pwnie's cellular threat detection capability is based on FCC-certified cellular transceiver hardware, and it will be integrated into the company's Pwn Pro network sensor line (the corporate version of the Pwn Plug). A 4G cellular transceiver is integrated directly into the device.

"What we're focusing on is the malicious use of cellular—a handful of specific things we can detect passively now," said Porcello. "And there will be a lot more by the time we ship." He added that the rule sets used for identifying some of the potentially malicious behaviors "are pretty rudimentary at this point," and additional work will be required to tune out false positive alerts.

But the rules are good enough now to detect rogue and malicious cellular base stations and IMSI catchers and interceptors with some reliability. "Based on our testing so far, we have some good data to zero out false positives," Farina said. "We're looking for a couple of things right now that we think are reasonable to infer."

The cellular threat detection system looks at a number of factors to determine whether a cellular base station is of concern:

Unauthorized or unknown cell providers. The Mobile Network Code (MNC) and Mobile Country Code (MCC) of the base station, and the frequency range it provides service on, could be indicators of someone running a rogue base station. They could be from unknown carriers, carriers not authorized to operate in a certain area, or an operator that is "suddenly offering something that shouldn't be available," Farina said.

Anomalous or suspicious base stations. Signal strength variation could indicate a base station has moved or changed its transmitting power. "The standard deviation of power from base stations is relatively sane," said Farina. "We can flag when a base station's signal changes wildly." This will be extended to detect changes in existing cell service, Porcello said, "such as going down to 2G service, for example." New stations suddenly popping up could also set off an alarm, possibly indicating a femtocell or other unauthorized cellular base station.

IMSI catcher/interceptor identification. This is based on whether a base station is advertising itself as a major carrier but provides only 2G service—the surest sign someone is trying to intercept cell data.

Rogue or malicious cellular base stations based on open source software. One of the rule sets in the current capability can detect Yate default base station configurations, indicating someone is configuring a cellular base station as a gateway for phone calls or for malicious purposes.
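As an added illustration (not Pwnie Express code), the following Python sketch applies the provider, 2G-only, new-station and signal-variation heuristics described above to a constructed cell scan; the carrier allowlist, the baseline readings and the z-score threshold are assumptions, and the Yate default-configuration check is not modelled because the article does not describe what those defaults look like.

```python
# Added example (not Pwnie Express code): a toy rule engine applying the
# article's detection heuristics to a constructed scan of nearby cells.
import statistics

# Constructed allowlist of carriers expected at this site (MCC 310 = USA;
# the MNC values here are placeholders, not real carrier assignments).
KNOWN_CARRIERS = {("310", "010"), ("310", "020")}

# Constructed baseline: cell IDs seen during normal operation with their
# historical RSSI readings (dBm).
BASELINE = {
    "cell-A": [-71, -73, -70, -72, -74],
    "cell-B": [-85, -83, -86, -84, -85],
}

def check_cell(cell, baseline=BASELINE, known=KNOWN_CARRIERS, z_limit=3.0):
    """Return a list of alert tags for one observed cell record.
    cell: dict with keys cell_id, mcc, mnc, rat ('2G'/'3G'/'4G'), rssi."""
    alerts = []
    plmn = (cell["mcc"], cell["mnc"])
    if plmn not in known:
        # Rule: unknown or unauthorized provider (unexpected MCC/MNC).
        alerts.append("unknown-provider")
    elif cell["rat"] == "2G":
        # Rule: advertising a known major carrier but offering only 2G,
        # the interceptor pattern the article describes.
        alerts.append("known-carrier-2g-only")
    history = baseline.get(cell["cell_id"])
    if history is None:
        # Rule: a station absent from the baseline just appeared.
        alerts.append("new-station")
    elif len(history) >= 2:
        # Rule: signal far outside its historical spread (possible move
        # or transmit-power change), measured as a z-score.
        mean = statistics.mean(history)
        sd = statistics.pstdev(history) or 1.0  # avoid division by zero
        if abs(cell["rssi"] - mean) / sd > z_limit:
            alerts.append("signal-anomaly")
    return alerts

def scan_report(cells):
    """Map cell_id -> alerts, keeping only cells that triggered something."""
    return {c["cell_id"]: a for c in cells if (a := check_cell(c))}

# Constructed scan: a normal cell, cell-B suddenly much stronger, a fake
# 2G "major carrier" station, and a cell from an unknown PLMN.
SAMPLE_SCAN = [
    {"cell_id": "cell-A", "mcc": "310", "mnc": "010", "rat": "4G", "rssi": -72},
    {"cell_id": "cell-B", "mcc": "310", "mnc": "020", "rat": "4G", "rssi": -40},
    {"cell_id": "cell-X", "mcc": "310", "mnc": "010", "rat": "2G", "rssi": -60},
    {"cell_id": "cell-Y", "mcc": "999", "mnc": "99", "rat": "2G", "rssi": -80},
]
```

Running `scan_report(SAMPLE_SCAN)` flags cell-B, cell-X and cell-Y and leaves cell-A silent; in practice the baseline would be learned over time rather than hard-coded, which is the false-positive tuning the article says is still in progress.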

Reach out and punch someone

Cellular base stations aren't the only mobile network-based attack vector faced by many companies. Cheap and readily available GSM-based devices have found their way into a number of criminal activities. "You're seeing all sorts of rogue devices moving to GSM," Porcello said. "Hackers and criminals are taking advantage of this like crazy because they know you can't legally monitor them."

Porcello cited credit card and ATM skimmers as an example. "The credit card skimmer of choice now is a GSM-connected skimmer. You don't have to be near it and never have to collect it; it can just dump all the credit card numbers by SMS message back to a throwaway phone number."

Eventually, Porcello said, the FCC will have to give companies a way of spotting these sorts of devices without breaking the law. "The FCC is going to have to create some exceptions for companies to monitor this traffic because their workforces are moving to 4G LTE," he said. And with more and more business taking place over cellular broadband, cellular network attacks could become increasingly costly.