Android security mystery – ‘fake’ cellphone towers found in U.S.

[There have been many comments to this story from people who are assuming that these ‘towers’ are physical installations. There’s no reason to assume this is the case: it’s far likelier that they are mobile installations of the kind used not only by law enforcement and government agencies, but also by scammers and other criminals. (David Harley)]

Seventeen mysterious cellphone towers have been found in America which look like ordinary towers, and can only be identified by a heavily customized handset built for Android security – but have a much more malicious purpose, according to Popular Science.

The fake ‘towers’ – computers which wirelessly attack cellphones via the “baseband” chips built to allow them to communicate with their networks – can eavesdrop and even install spyware, ESD claims. They are a known technology – but the surprise is that they are in active use.

The towers were found by users of the CryptoPhone 500, one of several ultra-secure handsets that have come to market in the last couple of years, after an executive noticed his handset was “leaking” data regularly.

Its American manufacturer boasts that the handset has a “hardened” version of Android which removes 468 vulnerabilities from the OS.

Android Security: Towers throughout the US

Despite its secure OS, Les Goldsmith of the handset’s US manufacturer ESD found that his personal Android security handset’s firewall showed signs of attack “80 to 90” times per hour.

The leaks were traced to the mysterious towers. Despite having some of the functions of normal cellphone towers, Goldsmith says their function is rather different. He describes them as “interceptors” and says that various models can eavesdrop and even push spyware to devices. Normal cellphones cannot detect them – only specialized hardware such as ESD’s Android security handsets.

Who created the towers and maintains them is unknown, Goldsmith says.

Origin of towers ‘unknown’

“Interceptor use in the U.S. is much higher than people had anticipated,” Goldsmith says.  “One of our customers took a road trip from Florida to North Carolina and he found eight different interceptors on that trip.  We even found one at South Point Casino in Las Vegas.” [Editor’s note: Goldsmith has asked us to stress that the tower was actually in the vicinity of the casino, not within the casino itself.]

Their existence can only be seen on specialized devices, such as the custom Android security OS used by CryptoPhone, which includes various security features – including “baseband attack detection.”

The handset, based on a Samsung Galaxy SIII, is described as offering a “Hardened Android operating system” with extra security. “Baseband firewall protects against over-the-air attacks with constant monitoring of baseband processor activity, baseband attack detection, and automated initiation of countermeasures”, claims the site.

“What we find suspicious is that a lot of these interceptors are right on top of U.S. military bases,” says Goldsmith.  “Whose interceptor is it?  Who are they, that’s listening to calls around military bases?  The point is: we don’t really know whose they are.”

Baseband attacks are considered extremely difficult – the details of the chips are closely guarded. “Interceptors” are costly devices – and hacking baseband chips is thought to be technically advanced beyond the reach of “ordinary” hackers, ESD says. The devices vary in form, and are sold to government agencies and others, but are computers with specialized software designed to defeat the encryption of cellphone networks. The towers target the “Baseband” operating system of cellphones – a secondary OS which sits “between” iOS or Android, for instance, and the cellular network.

Goldsmith says that the devices cost “less than $100,000” and does not mention what level or type of device his team has detected. Most are still out of reach of average hackers, although freely advertised. One model is the VME Dominator, which is described as, “a real time GSM A5.1 cell phone interceptor. It cannot be detected. It allows interception of voice and text. It also allows voice manipulation, up or down channel blocking, text intercept and modification, calling & sending text on behalf of the user, and directional finding of a user during random monitoring of calls.”

What has come as a surprise is how many “interceptors” are in active use in the U.S., and that their purpose remains mysterious.

Author Rob Waugh, We Live Security

  • jim

    what the f where are the cops when you need one

    • BeeKaaay

      writing parking tickets and traffic tickets because the politicians use them as revenue devices instead of the heroes they are supposed to be.

      • Will ……

        Heroes!? Perhaps, but who else do you think is operating these? You think they’re not in major cities like NYC being operated by New York’s finest?

    • P. Nym

      Are you serious?

    • disqus_rok6W6Svu7

      Listening to your phone calls.

    • Timmoux

      Probably guarding the towers.

  • John Doe

    Obviously it’s the NSA or some such.

  • jutholmes

    They’re on military bases? Real hard problem, sherlock. They’re owned by the fucking US government. They’re probably all part of anti-terrorist activities. The NSA probably uses them.

  • Kyle Hamilton

    The devices are called “Stingray”, and they’re used by law enforcement. NSA/DHS maintain they have legal right to install malware on every device in US, regardless of who owns it, based on their secret selection criteria. The PATRIOT Act allows federal law enforcement to delegate access to these devices, and have done so to several states which now have court decisions on the books allowing them to be used to monitor absolutely everyone within their range without a warrant.

    We are living in the turnkey totalitarian surveillance nation-state.

    • robb32

      hard to hack a phone that isn’t on..or someone that doesn’t HAVE one

      • RamsE39_E38

        CMOS batteries, even when your phone is off it still sends out a GPS signal. Had to trace a phone once after a guy shot his wife in the face..

        • Sophia Keenesburg

          cmos battery last for how many hours … sending out GPS signals???

    • joe Knight

      Orwellian society, “BIG BROTHER IS WATCHING” and listening!

  • Nitelite

    The cops are the ones running these towers. This is what Stingray is.

    • http://dharley.wordpress.com/ David Harley

      Possible but unproven.

  • boomin

    Trigger Fish Look it up

  • Bruce Lawrence Bergman

    Hey, ESET: Search up “Stingray cell phone monitor” with special attention to the news:comp.dcom.telecom Usenet newsgroup.

    The Feds have been doing it for years as well as certain Police Departments with deep pockets for buying toys. And they are very careful to keep the name out of court documents to avoid FOIA actions, and the manufacturers have managed to keep all the details secret and the repair and operating manuals classified too.

    But then again, these aren’t being used against Choirboys, so don’t give away too many details. Just the fact they exist is enough to worry.

    • http://dharley.wordpress.com/ David Harley

      A lot of respondents seem to be assuming that these ‘towers’ are physical installations, but you’re correct in suggesting that they could be portable devices. (I’ve no insider knowledge of this issue, but I’d be surprised if they weren’t.) However, the use of fake base stations isn’t restricted to law enforcement or government agencies, or to the US.

  • Ed_Luva

    Man, this is a great story. Is anyone working on getting all locations of the domestically placed intercept towers? This new security literacy being required of the American people is pretty complex, but it’s like living in a spy novel. I’m in!

    • http://dharley.wordpress.com/ David Harley

      As several people have pointed out, these aren’t necessarily static installations.

      • simplulo

        Has anyone tried surveilling the surveillors?

  • tB

    So they sink tons of cash into the BS ‘War on Drugs’ but some assholes have the time & resources to build multiple towers in multiple places & got away with it & no one noticed multiple times? Something seems a bit off to me. No way this went down without someone getting paid off or knowing.. Where’s the NSA now? If they know so much how did they not catch or know of this, at least once.. or could it possibly be theirs?

  • http://www.ninzo.com/ Bob Dinitto

    They must belong to the NSA. Who else would have the authority and the secrecy to plant rogue cell towers all over the US? And who else would want to?

    • http://dharley.wordpress.com/ David Harley

      There’s no indication that they’re static installations, as far as I can see. Who else? How about criminals? Mobile stations are certainly being used in various parts of the world by scammers.

      • Austin Smith

        Other than the picture used…might want to update it to alleviate the confusion that is where the indication is coming from.

        • http://dharley.wordpress.com/ David Harley

          Actually, that’s a good idea. I’ll pass that on, or maybe login and put a note to that effect when I have a moment.

          • http://dharley.wordpress.com/ David Harley

            Added a note. It will take some time for the amended version to propagate.

  • Steve

    Start to dismantle one of the towers. The owners will show up soon enuff.

  • wil

    cut power to the tower and wait and see who shows up. mystery solved

    • http://dharley.wordpress.com/ David Harley

      Not if they’re mobile installations, as seems probable.

  • Skyler Wroblewski

    I live in Nevada and was in the Nevada National Guard. I find it interesting that the Nevada Guard only uses the South Point Casino for events. Also, the F-22 & the Predator drone were partly developed in Las Vegas (Area 51).

    I believe these towers are used to track potential espionage attempts.

    • danny king

      The double-think is strong in this one.

    • http://remixedcat.blogspot.com RemixedCat

      LV is also used for TONS of hacker “conventions” as well

  • MoonSnack

    This isn’t good..

  • DigitalSmoke

    are there any of these in los angeles? locations?

    • http://dharley.wordpress.com/ David Harley

      We’re not connected with ESD. We don’t have that information. In any case, these probably aren’t permanent installations.

  • Adrian Martin

    I’d like a more independent source, they are telling us of a threat and selling us a solution in the same breath.

  • Johnny

    Installing more towers

  • notmyaltacc

    Tell us where they are damnit.

    • http://dharley.wordpress.com/ David Harley

      Rob Waugh is in the UK. I’m afraid he’s not in a position to go hunting fake towers in the US.

  • Sixteanine

    Scary. Zzzzzz

  • RickRussellTX

    Mystery? Reveal where they are, and somebody will have city and county ownership records, construction permits, easement permits and electric bills inside of a business day.

    • http://dharley.wordpress.com/ David Harley

      These are probably not static installations. Hopefully, the company that flagged them will have notified a responsible agency rather than just issuing a press release.

  • Jim pin

    This piece reads like an infomercial at times.

  • skad0000

    “What we find suspicious is that a lot of these interceptors are right on top of U.S. military bases.” says Goldsmith. “Whose interceptor is it? Who are they, that’s listening to calls around military bases? The point is: we don’t really know whose they are.”

    “I’m not saying it’s the military, but, it’s the military”

    • http://dharley.wordpress.com/ David Harley

      You know this because…?

  • sam

    cut the power to these towers and question whoever shows up to fix them…one way to find out who they are

    • http://dharley.wordpress.com/ David Harley

      You’re assuming these are static installations. That isn’t necessarily the case.

      • fagtron

        ahhh commander Data, we’ve been looking for you, the captain needs you on the bridge

  • tom

    ‘merica land of the free home of the fake towers

  • Dumitru Alin

    apple owned i guess !

  • hans

    Don’t these towers need to send their stolen information somewhere? Isn’t it easy to check where they send the information to?

  • http://mrkonc.com/ Konc

    Is there really any doubt that NSA is behind this?

    • http://dharley.wordpress.com/ David Harley

      Certainly there’s doubt as to who is behind it. Mobile kit of this sort is used all over the world by law enforcement, government agencies, and criminals.

  • bedrockq

    Lol…an advertisement disguised as a news story. People lap it up. The NSA is a big deal…..for people looking to exploit the fear generated by it!

    • http://dharley.wordpress.com/ David Harley

      The story does rather read like an ad for Cryptophone 500, but that doesn’t mean there’s no truth in it. I’m seeing a lot of assumptions about the NSA in the comments to this story, but no evidence either way.

  • Gary M.

    Rob Waugh calling these groups of equipment “towers” AND posting a picture of an actual tower is idiotic. You’ll have some bubble heads thinking that they are physical antenna arrays somewhere in the open. They are not, in fact.

    If there were actual physical towers it would not be a problem at all to track the builders and the users.

    • http://dharley.wordpress.com/ David Harley

      Idiotic is putting it a little harshly. But yes, some commenters have made that assumption.

      • Pablo Cervantes

        Idiotic is harsh? When the lead off sentence is “Seventeen mysterious cellphone towers have been found in America which look like ordinary towers,” I’d say a bit misleading…

        • http://dharley.wordpress.com/ David Harley

          Misleading, certainly.

  • American Patriot

    Monitor these fake sites with a service monitor configured for W-CDMA/GSM, then look at the uplink and downlink signals. Most W-CDMA sites have baseband signals that are 3.84 MHz wide. A fake tower site must also conform to industry standards, or they are of no use. Uplink frequencies are in the low 800 band, and downlink frequencies are in the upper 800 MHz band to nearly 1.0 GHz. You can ignore the 900 ISM band completely, this is NOT used for any cellular systems in this nation.
    UHF in the 400-500 MHz range is also not used. 700/800 is comprised of trunked radio systems, so you see a lot of data channels squawking here.
    Keep looking, the answers are there, you simply need to know where to look, and what to look for.

  • Ilya Simkhovich

    i really started to hope that the government was listening to the ambient sounds in my living room almost TEN YEARS AGO. i think it’s funny if they have to listen to the movies i watch; i obsess and can watch something religiously when i get home from school and begin to relax so they would have ended up listening to “scarface”, “goodfellas”, “the stoned age” or the entire series of “the sopranos”, “seinfeld”, “oz” or “the simpsons” several times. what does it matter? the NSA doesn’t care about ANYTHING lower than a national security issue; they don’t care if you are talking about drug deals or even low level felonies that the FBI would love to know about because the FBI isn’t allowed to spy illegally to find felons. NONE of you, even bill gates, elon musk or whatever have ANY reason to worry about being spied on. even if they ARE recording the sound of your room through the mic, compressed and sent to the tower, you’re flattering yourselves to think that they care to hear you arguing with your spouse about which grocery store to go to or what stupid television you watch. get a life. just because they’re spying doesn’t mean you should feel paranoid. it’s not a crime to stare at someone on the street; it’s really not that bad for them to be watching you all the time. you 30 cameras watching you in a walmart… grow up.

  • Mike

    Turn the power off to one of them and wait to see who comes to repair it !!

    • http://dharley.wordpress.com/ David Harley

      They may well not be static installations. A mobile base station can be suitcase-sized.

  • Richard Gibbard

    Why were these things developed?

  • mick

    sounds like our government to me ! you need special permits to put up cell towers which means they know who put them up there just being paid for their silence !

    • http://dharley.wordpress.com/ David Harley

      Not if they’re mobile installations, as seems likely.

  • Jay Briwn

    Is it bad that i don’t want to even google Cryptophone 500 to read more about what it is, even if i don’t want to buy one? Why does everything you do even with no ill intents have to be monitored?

  • Steve Low

    These fake base stations are just typical interceptors a.k.a. Stingray; most vendors are only interested in selling to law enforcement or large corporations which are willing to pay a lot for it.

    Alternatively you can easily buy 1 from China(although the chinese government just banned public sale of these fake base station equipment recently, you can still easily source for one). Or if you are technically savvy enough, you can build 1 using some old motorola phones by using an open source baseband called OsmocomBB.

    The “CryptoPhone 500”…while I do not have the details of the product, you do not need any ultra secret phone to detect such fake base stations. If you have ANY Samsung Galaxy S3 phone, just install this “IMSI Catcher Detector” Android app (https://github.com/SecUpwN/Android-IMSI-Catcher-Detector)

  • Jmdintpa

    DUH your very own US Government is doing it. Do you people really think you live in some free society. we are about as free as the ordinary russian. our government tells us what to eat , when to sleep, what to wear and what to watch on tv and the radio. the fear of terror after 9/11 pretty much did the country in. we gave up all freedom for fear. we have become so afraid i guess we really dont deserve to be free. we elected the people who put into place these towers, we elected a government who made the homeland security, we continue to elect people who only care of power and money. we really deserve all this because we allowed it.

  • Richard Amodeo

    Being that they are located at or around military bases leads me to believe that they (the government) are trying to intercept any possible terrorist communications related to attacks and spying of military installations. That of course is just a guess but it makes sense because military installations contain things terrorist would be interested in.

  • citizenx

    A map with the locations of these towers should be in the first sentence of this story.

    • http://dharley.wordpress.com/ David Harley

      No map. Quite possibly no static towers.

  • http://dharley.wordpress.com/ David Harley

    You do know that I didn’t write the article?

    • jason

      I was referring to the collective ‘you’ of this site. My question was rather rhetorical seeing how you mentioned the author is in UK, and the only mentioned source is a cryptophone employee. Nice ad!

  • Reasonable assumption

    Doesn’t anyone ever consider the fact that the people most interested in who is making calls around military bases would be someone like China or Russia, and NOT our own country?

    Just because it’s in our country, doesn’t mean that our government did it. There are plenty of nations with the capabilities to do that. And to be honest, our government can care less about what 99% of us are doing every day, you’re just not that interesting and/or important.

  • winter32842

    My money is on NSA and CIA.

  • transmitterguy

    I’m a transmitter engineer and have noticed equipment “popping up” on previously vacated towers, with no specific signage of what they are. We were told that some towers have had private internet antennas installed for banking use. Maybe these other towers are listening to the banks’ data?

Copyright © 2014 ESET, All Rights Reserved.