[HN Gopher] Detecting Fake 4G Base Stations in Real Time (2020) ...
___________________________________________________________________
Detecting Fake 4G Base Stations in Real Time (2020) [pdf]
Author : walterbell
Score : 72 points
Date : 2022-07-26 12:56 UTC (10 hours ago)
(HTM) web link (i.blackhat.com)
(TXT) w3m dump (i.blackhat.com)
| tapatio wrote:
| Very cool. Do these techniques apply to 5G only base stations as
| well?
| ng55QPSK wrote:
| Tracking down 'strange' configuration will work in 5G the same
| way. It still could be, and the pdf covers this, 'strange'
| configurations can happen in early deployments in 5G also. It
| will be a false positive for checks like this.
| walterbell wrote:
| There are public databases of cell tower IDs, sometimes with
| geolocation. Do fake cellular base stations impersonate an
| existing tower or create a new ID?
| fosefx wrote:
| Link to the talk: https://www.youtube.com/watch?v=MlIKV5qAf2I (43
| min)
| dannyobrien wrote:
| A reminder that EFF projects like this are only possible with
| your continuing support: https://eff.org/support (disclosure:
| while I used to work at EFF when Cooper and Yomna were
| researching this I don't now, so I'm being COMPLETELY OBJECTIVE
| in this current call for donations).
| fiat_fandango wrote:
| Although I opted to graduate with a CS degree, I still really
| enjoy reading novel research like this since it piques the
| interest I had initially starting college as an EE/CE major.
|
| Can't wait to go to Defcon this year as well for work exactly
| like this!
| H8crilA wrote:
| Can someone explain how this is possible in the first place, i.e.
| how do those fakes pass authentication checks from the phone/sim
| card?
| blamazon wrote:
| FTA:
|
| > Even though the UE authenticates the tower there are still
| several messages that it sends, receives, and trusts before
| authentication happens or w/o authentication. This is the weak
| spot in which the vast majority of 4G attacks happen
|
| I'm a layman but here's my understanding. Imagine you're a
| police force and you know a criminal has a phone with IMEI of
| ABC123. You think the criminal might have a headquarters inside
| a warehouse but you want to be sure they're there before
| conducting a raid. Set up one of these, on arrival the target
| phone tells the fake tower what its IMEI is when within range,
| and you've got them.
| ng55QPSK wrote:
| The point here is: if the owner of the IMSI catcher has some
| preknowledge about the target phone.
|
| There is no way to avoid this.
| ng55QPSK wrote:
| As explained in the pdf: There is a part of the connection
| setup, that will happen before any mutual authentication: The
| telephone offers the IMEI/IMSI to get an initial connection.
| The network learns this number and it's the counterpart of a
| MAC address in Wifi networks.
| btreesOfSpring wrote:
| I don't know if other travelers have run into this but somewhat
| regularly when I arrive in a different major metropolitan area, I
| will get scam-spam calls within a day spoofed from that area code
| despite the fact that my phone number has nothing to do with that
| region and I haven't been in that specific location either ever
| or at least a long time. It happens in both North America and
| Europe.
|
| I know fake base stations might not be the reason for scammers
| targeting my phone but would be curious if others have seen this
| and have their own hypothesis?
| chucksmash wrote:
| Interesting. Never saw the spam numbers transition either when
| travelling or when living in a new area long term.
|
| I only ever get spoofed number calls from the area code of my
| cell phone number. Works out pretty well because I only lived
| there in passing 12 years ago, so never wonder if I'm missing a
| real call by ignoring them.
|
| Could it be apps sharing location info?
| woodruffw wrote:
| I haven't personally experienced that, but I suspect the
| explanation is simpler: someone is probably re-selling your
| geocoded IP, which is then bucketed into a range of telephone
| area codes.
| btreesOfSpring wrote:
| This makes the most sense.
| jhloa2 wrote:
| Could it simply be that a lot of advertisers have enough data
| about you to link your phone IP to your phone number?
| btreesOfSpring wrote:
| Not sure why the calls would be scam calls though. It would
| be one thing if they were legitimate marketing spam calls
| originating from a phone number traceable back to the business
| originating the conversation but these are clearly cases
| where the number is faked in the new area code/country::city
| code in order to incentivize picking up. (Is that the car
| rental company? Is the hotel reaching out for some reason?
| Etc...)
|
| I guess my paranoia here stems from this link in the OP's
| pdf[0].
|
| 0. https://venturebeat.com/2014/09/18/the-cell-tower-mystery-
| gr...
___________________________________________________________________
(page generated 2022-07-26 23:01 UTC)