by Norman Shamas
This piece will be a brief walk through some of the essential parts of cellular networks. It isn’t meant to be a comprehensive review of the technical attributes of cellular protocols or how to capture and analyze radio traffic. My goal is to provide a high level understanding of cellular infrastructure and some of the security and privacy implications.
Why focus on cellular communication?
Communication technologies have been moving away from stationary workstations to mobile platforms. Mobile phones have become mobile computers and are becoming the primary or only way that a majority of people access the internet (this is especially true for communities with fewer economic resources).1 My focus on cellular and mobile security and privacy is firmly rooted in creating resources for marginalized communities whose needs have been ignored by the majority of security and privacy resources and conversations.2
Even though phone calls are going by the wayside, this move towards mobile means that cellular infrastructure for mobile messaging and mobile internet access is likely going to continue to grow in importance.
While there have been a lot of resources explaining network infrastructure and how the internet works, there hasn’t been much focus on cellular networks. One reason for this is that cellular traffic is much less accessible: it usually requires extra hardware and some knowledge of how radio works. Increased work on this topic and the availability of open source tools have drastically reduced the cost and the knowledge needed to get started with this research.3
Cellular network standards
Even though we talk about cellular networks and protocols as if they are monolithic, there are actually a number of different standards that are used. You will typically hear references to the standards in a mobile network operator’s (e.g., Verizon, T-Mobile) marketing materials; oftentimes, referred to by generation (e.g., 2G, 3G, 4G). Nowadays, the different standards represent increased speeds for data connections for the average user.
For 2G and 3G networks, there were competing standards. If you live in the US: Do you remember when some phones had SIM cards and others didn’t? Or when Verizon and Sprint had separate versions of the same handsets from other operators? One of the reasons for the difference in hardware was the differences in the standards within 2G and 3G (including the frequencies they communicate on). Below is a rundown of some of the most used standards within each generation.4
2G: GSM and CDMA
2G networks were the first cellular networks to carry data, in the form of text messages and multimedia messages.5 They also introduced encryption of the radio link, but the 2G ciphers (GSM’s A5/1, and the deliberately weakened export variant A5/2) are weak and have been broken in practice; worse, a 2G base station can simply instruct the phone to use no cipher at all (A5/0).6
- GSM is the older of the two standards (it predates IS-95 CDMA) but is far more common worldwide. It was created by a consortium and is not locked to a single chip manufacturer. It requires a SIM card, and handsets are interoperable with every GSM network (the SIM carries the subscription). It is used by AT&T and T-Mobile in the US.
- CDMA is a standard developed by Qualcomm. Handsets are approved and activated by the operator and do not require SIM cards. In the US, it is used by Verizon and Sprint (likely chosen because, when those networks were built, CDMA was the faster and better standard).
3G: UMTS (evolution of GSM) and EV-DO (evolution of CDMA)
The major feature change for 3G networks was the introduction of mobile internet access. 3G also brought better security: a stronger cipher (KASUMI, the basis of A5/3) and mutual authentication, so the phone verifies the network as well as the network verifying the phone. While theoretical weaknesses have been found in the cipher, there has been no practical attack on 3G encryption.7 However, 3G calls and texts can still be intercepted by abusing SS7, the signaling protocol that operators’ core networks use to talk to each other: an attacker with SS7 access can redirect traffic or request a subscriber’s keys from the home network, bypassing the radio encryption rather than breaking it.
With 4G, the GSM and CDMA lineages converged on a single standard, LTE. LTE’s core network is all-IP and signals with Diameter instead of SS7, although operators keep SS7 interconnects for 2G/3G roaming and interoperability.8
LTE encrypts traffic with symmetric algorithms (both ends derive the same session key from the secret shared between the SIM and the operator’s subscriber database; 2G and 3G work the same way, so the difference lies in the algorithms, not the key model) and authenticates the network to the device as well as the device to the network. The LTE algorithms, EEA1/EEA2/EEA3, are built on SNOW 3G, AES and ZUC respectively, and their design takes the theoretical weaknesses found in 3G’s cipher into account.
As presented in July at the Black Hat conference, 3G and 4G cellular networks are still susceptible to activity monitoring and location tracking. So far there is no public evidence that an outside party can read the content (i.e., calls and SMS) of 4G traffic.
Cellular Network Essentials9
Base Transceiver Station (BTS): Sends and receives radio transmissions. These are the most visible portions of the cellular infrastructure and include the towers and antennas.
Antennas: Cellular antennas are the primary device for receiving and transmitting radio waves. In less dense areas they are typically attached to towers and can be easy to spot (though they can also be ‘disguised’ to be less apparent). However, in more dense areas, they are often on top of buildings and not immediately locatable. For some examples of cellular antennas in the wild, see Appendix 1.
Antennas do not need to be owned by the mobile network operator. In areas of poor coverage, operators will recommend that subscribers buy an extender: either a passive external antenna for the handset, or a small subscriber-owned base station (a femtocell) that connects back to the operator’s core over the subscriber’s own internet connection (for 4G LTE).10 Either way the hardware belongs to the subscriber, not the operator.11
Base Station Controller (BSC): Controls a number of BTSes. Usually a BSC controls a large number of BTSes, but in small networks the BTS and BSC can be the same physical equipment.
Mobile Switching Center (MSC): Connects the radio side (via its BSCs) to the operator’s core network, to other phone networks and, for data, towards the internet, and controls call routing. One MSC typically serves many BSCs, and therefore many BTSes.
Visitor Location Register (VLR) / Home Location Register (HLR): Databases of cellular subscribers. The VLR belongs to an MSC and holds a temporary record for every subscriber currently in that MSC’s service area (one VLR per MSC, not per BTS); the HLR is the operator’s master database of all its subscribers. Both key their records on the international mobile subscriber identity (IMSI). The HLR records which VLR last reported each subscriber and the VLR records the subscriber’s current location area, so between them the network always knows roughly where a subscriber is.
International mobile subscriber identity (IMSI): A unique identifier for each subscriber (up to 15 digits: a 3-digit country code, a 2- or 3-digit operator code and the subscriber number). If the device has a SIM card, the IMSI is stored on that SIM. Because the IMSI is permanent, the network normally assigns a temporary identity (the TMSI) after the first attach and uses that over the air instead; getting a phone to reveal its permanent IMSI is exactly what an IMSI-catcher is built to do.
Typical Data Flow
- A person places a call from a phone camped on a BTS
- The phone’s traffic goes to the BTS (or the combined BTS/BSC); the phone is already recorded in the VLR of the MSC serving this area
- The BSC forwards the traffic from the BTS to its MSC
- The MSC queries the HLR to learn which MSC/VLR currently serves the recipient, then routes the call into the phone network (its own core or another operator’s)
- The phone network delivers the call to the recipient’s serving MSC
- That MSC hands the call to the BSC responsible for the recipient’s current location area
- The BSC pages the recipient’s phone through the BTSes in that area and sets up the call on the one the phone answers from
- The recipient’s phone rings
With SMS, there is typically an additional piece of infrastructure: an SMS center (SMSC). The SMSC routes each SMS to its destination and operates as a store-and-forward system. When an SMS is received, it is stored in a queue/database; the SMSC asks the HLR where the recipient is and sends the message if the recipient is reachable. If not, the HLR flags the subscriber as having a message waiting and notifies the SMSC when the phone next reports in. Each SMS carries a validity period, after which the SMSC stops trying to deliver it. SMS is an unreliable protocol in which each message is independent,12 so if delivery or status reports are lost, the result can be duplicated or missing messages.
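The call-routing steps above and the SMSC’s store-and-forward behaviour, as an added toy simulation (this is not code from the original article and not any operator’s software; the IMSIs use the reserved test network code 001/01, the phone numbers and cell names are made up, and the “tick” clock stands in for real timers):

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class VLR:
    """Visitor Location Register: one per MSC, listing the subscribers currently served there."""
    msc: str
    attached: Dict[str, str] = field(default_factory=dict)   # IMSI -> cell the phone last reported


class HLR:
    """Home Location Register: every subscriber (keyed by IMSI) and the VLR that last reported them."""

    def __init__(self) -> None:
        self.records: Dict[str, dict] = {}
        self.imsi_by_msisdn: Dict[str, str] = {}   # phone number -> IMSI

    def provision(self, imsi: str, msisdn: str) -> None:
        self.records[imsi] = {"msisdn": msisdn, "vlr": None}
        self.imsi_by_msisdn[msisdn] = imsi

    def location_update(self, imsi: str, vlr: VLR, cell: str) -> None:
        """Phone attaches or moves: the new VLR takes the record, the old VLR drops it."""
        old = self.records[imsi]["vlr"]
        if old is not None and old is not vlr:
            old.attached.pop(imsi, None)
        vlr.attached[imsi] = cell
        self.records[imsi]["vlr"] = vlr

    def locate(self, msisdn: str) -> Optional[VLR]:
        """What a gateway MSC or an SMSC asks the HLR: where is this number right now?"""
        imsi = self.imsi_by_msisdn.get(msisdn)
        return self.records[imsi]["vlr"] if imsi else None


@dataclass
class SMS:
    sender: str
    recipient: str
    text: str
    expires_at: int                    # validity period, in ticks of the toy clock
    delivered_at: Optional[int] = None


class SMSC:
    """Store-and-forward centre: hold each message until the HLR says the recipient is reachable."""

    def __init__(self, hlr: HLR) -> None:
        self.hlr = hlr
        self.queue: List[SMS] = []
        self.expired: List[SMS] = []
        self.inboxes: Dict[str, List[str]] = {}   # stands in for the recipients' handsets

    def submit(self, sms: SMS) -> None:
        self.queue.append(sms)

    def tick(self, now: int, lose_status_report: bool = False) -> None:
        """One delivery round. If the delivery report is lost, the SMSC cannot tell that the
        message arrived, so it keeps it and sends it again later: the duplicate case."""
        still_queued: List[SMS] = []
        for sms in self.queue:
            if now >= sms.expires_at:
                self.expired.append(sms)          # validity period passed: give up
                continue
            vlr = self.hlr.locate(sms.recipient)
            if vlr is None:
                still_queued.append(sms)          # recipient attached nowhere: keep it
                continue
            self.inboxes.setdefault(sms.recipient, []).append(sms.text)
            if lose_status_report:
                still_queued.append(sms)
            else:
                sms.delivered_at = now
        self.queue = still_queued


def run_scenario() -> Dict[str, List[str]]:
    """Constructed scenario: Alice is attached, Bob is switched off, then Bob comes back elsewhere."""
    hlr = HLR()
    msc_a, msc_b = VLR("MSC-A"), VLR("MSC-B")
    alice, bob = "001010000000001", "001010000000002"   # constructed IMSIs under test PLMN 001/01
    hlr.provision(alice, "+15550001")
    hlr.provision(bob, "+15550002")
    hlr.location_update(alice, msc_a, "cell-17")

    smsc = SMSC(hlr)
    smsc.submit(SMS("+15550001", "+15550002", "are you there?", expires_at=10))
    smsc.submit(SMS("+15550001", "+15550002", "call me", expires_at=2))   # short validity period
    smsc.submit(SMS("+15550002", "+15550001", "yes", expires_at=10))

    smsc.tick(now=1, lose_status_report=True)   # Alice gets "yes", but the report never comes back
    smsc.tick(now=2)                            # "yes" is sent again; "call me" expires; Bob still off
    hlr.location_update(bob, msc_b, "cell-42")  # Bob powers on under a different MSC
    smsc.tick(now=3)                            # the stored "are you there?" is finally delivered
    return smsc.inboxes
```

Running `run_scenario()` shows all three outcomes the text describes: Alice receives “yes” twice because the status report was lost, “call me” is never delivered because its validity period ran out while Bob was off, and “are you there?” waits in the SMSC until the HLR learns Bob’s new VLR.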
Cellular networks are designed to optimize connectivity. Your phone will automatically adjust based on performance by connecting to the antenna and BTS closest and with the strongest signal.
Phone makers give users some basic information about the cellular network. iOS shows signal strength, operator and the standard in use in the upper left corner.13 Android’s status bar shows signal strength and, on most builds, a short label for the radio technology; operator and standard details are in the settings menus. Android also gives users the semblance of control by letting them select a preferred standard, but the phone will still follow interoperability rules and connect to whatever gives the best connectivity.14 The preferred-network setting is probably more about battery life, because constantly switching between BTSes drains the battery.
Network usability (and security) relies heavily on the available infrastructure. Mobile network operators roll out the latest infrastructure in the areas where it has the highest impact on their users, so less dense areas suffer worse connectivity and have fewer options in terms of which standards can be used. Additionally, mobile networks need global interoperability. As long as 2G and 3G networks are still around (and still being rolled out), operators will have to retain legacy infrastructure and systems to interact with those networks.
How do IMSI-Catchers (“Stingrays”) Work?
While law enforcement use of cellular data is nothing new, the traditional routes typically require legal permission. Newer tactics and devices, however, collect cellular data without warrants through devices known as IMSI-catchers (one commercial model, the Stingray, has become the generic name for them).
At their core, IMSI-catchers are a method of surveillance to collect information on who is in a particular location. They take advantage of mobile network standards designed to provide the best signal, ‘legacy’ infrastructure for interoperability, and lack of security in early standards. However, they can also be used to intercept and surveil communication content, not just metadata.
IMSI-catchers typically work by presenting themselves as the strongest cell of the victim’s operator, on a frequency the real network is not using nearby,16 and forcing phones down to 2G, where the network is not authenticated and the fake base station can order the phone to use no encryption (A5/0).15 In practice the device will also jam or degrade the legitimate 3G/4G signal17 so that phones fall back to 2G and re-select. As collateral damage, 911 calls (and other legitimate calls) can be dropped.18
There are a few ways an ordinary user can recognize an IMSI-catcher. Service disruption is noticeable: at a minimum, the drop to 2G will visibly degrade mobile data.19 There are also digital artifacts (an unknown cell ID, a sudden fallback to 2G with a strong signal, ciphering switched off), most of which are not exposed through the public Android and iOS APIs, that can indicate an IMSI-catcher.
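The artifacts just listed, turned into detection logic, as an added example (not from the original article and not any existing detector app, though the checks are the kind that tools such as SnoopSnitch perform). The observation log is constructed, the home network code 001/01 is the reserved test PLMN, and the “cipher” column assumes access to a baseband debug interface, which the public Android/iOS APIs do not give you:

```python
import csv
from io import StringIO
from typing import List, Set, Tuple

# Constructed log of the serving cell, sampled every 30 s (not a real capture).
# Columns: seconds, radio technology, MCC, MNC, location/tracking area, cell id,
# signal in dBm, and the cipher the network selected.
OBSERVATIONS = """\
t,rat,mcc,mnc,lac,cid,rssi,cipher
0,LTE,001,01,7001,18834433,-71,EEA2
30,LTE,001,01,7001,18834433,-70,EEA2
60,LTE,001,01,7001,18834433,-72,EEA2
90,GSM,001,01,7001,52991,-48,A5/0
120,GSM,001,01,7001,52991,-47,A5/0
150,LTE,001,01,7001,18834433,-73,EEA2
"""

HOME_PLMN = ("001", "01")   # the subscriber's operator; 001/01 is the reserved test network code

Cell = Tuple[str, str, str, str]   # (mcc, mnc, lac, cid)


def parse(text: str) -> List[dict]:
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["t"] = int(r["t"])
        r["rssi"] = int(r["rssi"])
    return rows


def cell_of(r: dict) -> Cell:
    return (r["mcc"], r["mnc"], r["lac"], r["cid"])


def detect(rows: List[dict], home_plmn: Tuple[str, str], baseline_s: int = 60) -> List[str]:
    """Flag observations that match IMSI-catcher heuristics.

    Assumption of this toy: the first baseline_s seconds are trustworthy and define the
    set of known cells. Each reason is a hint, not proof; see the note below the code.
    """
    known: Set[Cell] = {cell_of(r) for r in rows if r["t"] <= baseline_s}
    alerts: List[str] = []
    prev = None
    for r in rows:
        reasons = []
        if (r["mcc"], r["mnc"]) != home_plmn:
            reasons.append("cell belongs to a foreign PLMN")
        if r["rat"] == "GSM" and r["cipher"] == "A5/0":
            reasons.append("2G with ciphering switched off (A5/0)")
        if (prev is not None and prev["rat"] in ("LTE", "UMTS") and r["rat"] == "GSM"
                and r["rssi"] >= prev["rssi"] + 10):
            reasons.append("downgrade to 2G although the signal got much stronger")
        if r["t"] > baseline_s and cell_of(r) not in known:
            reasons.append("cell never seen during the baseline period")
        if reasons:
            alerts.append(f"t={r['t']}s {r['rat']} cell {r['lac']}/{r['cid']}: " + "; ".join(reasons))
        prev = r
    return alerts
```

On the constructed log, `detect(parse(OBSERVATIONS), HOME_PLMN)` flags the two GSM samples at 90 s and 120 s and nothing else. A caveat a practitioner should keep in mind: a legitimate fallback to 2G (for a voice call on a network without VoLTE, for instance) also trips the downgrade and unknown-cell rules, so ciphering being switched off is the one strong single indicator, and it is exactly the field a stock phone will not show you.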
Security and Privacy
Much like the internet, cellular networks were not designed with security in mind. IMSI-catchers work because early standards had no concept of a fake BTS: 2G authenticates the phone to the network but never the network to the phone, so a handset has no way to tell a real base station from an impostor. Encryption, as noted above, was weak and can simply be switched off by the base station in 2G. SS7, the signaling protocol between phone networks, relied on obscurity and on trust between operators instead of protocol hardening.20
Part of the security model of cellular networks is the use of unique identifiers for each subscriber (IMSI) and device (IMEI, international mobile equipment identity). The National Institute of Standards and Technology (NIST), one of the bodies that creates and maintains information security standards, has allowed SMS (or voice) as an out-of-band second factor for two-factor authentication (2FA) on the condition that “the verifier SHALL verify that the pre-registered telephone number being used is associated with a physical device.”21 That condition rules out Google Voice and other voice-over-IP numbers as a second factor. Even NIST has recognized the concerns with SMS, however: the current guideline classes it as a restricted authenticator and discourages its use.22
Mobile network security’s reliance on unique identifiers for subscribers and devices, together with the network’s need to track where a device is for performance, makes cellular communication a privacy nightmare.23 Not only is the base station a device is connected to recorded and continually updated in multiple databases (VLR and HLR), but a user’s position can be estimated fairly accurately from the device’s relationship to several BTSes. This calculation, usually called trilateration (triangulation, strictly speaking, works from angles rather than distances), estimates the distance to each tower, from signal strength or from the timing advance the network already measures, and intersects those distances to pinpoint the person.
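The trilateration just described, carried through as an added worked example (not from the original article). Everything here is an assumption for illustration: the tower layout is constructed, the distance-from-signal step uses a simplified log-distance path-loss model with made-up constants P0, D0 and N, and a real system would also fold in timing advance and the antenna sector. The point it makes is that the math is easy and that a couple of decibels of signal error still leaves a fix within a few hundred metres:

```python
import math
from typing import Sequence, Tuple

Point = Tuple[float, float]

# Assumed log-distance path-loss model (a simplification): rssi = P0 - 10 * N * log10(d / D0).
P0 = -40.0   # dBm received at the reference distance D0 (assumption)
D0 = 1.0     # metres
N = 3.0      # path-loss exponent, a rough urban value (assumption)


def rssi_from_distance(d: float) -> float:
    return P0 - 10 * N * math.log10(d / D0)


def distance_from_rssi(rssi: float) -> float:
    return D0 * 10 ** ((P0 - rssi) / (10 * N))


def trilaterate(towers: Sequence[Point], distances: Sequence[float]) -> Point:
    """Least-squares position from three or more towers.

    Each tower gives a circle (x - xi)^2 + (y - yi)^2 = di^2. Subtracting the first
    circle's equation from the others cancels the x^2 and y^2 terms, leaving linear
    equations a*x + b*y = c, which are solved through the 2x2 normal equations.
    """
    if len(towers) < 3 or len(towers) != len(distances):
        raise ValueError("need at least three towers with one distance each")
    (x1, y1), d1 = towers[0], distances[0]
    rows = []
    for (xi, yi), di in zip(towers[1:], distances[1:]):
        a, b = 2 * (xi - x1), 2 * (yi - y1)
        c = d1 ** 2 - di ** 2 + xi ** 2 - x1 ** 2 + yi ** 2 - y1 ** 2
        rows.append((a, b, c))
    saa = sum(a * a for a, _, _ in rows)
    sab = sum(a * b for a, b, _ in rows)
    sbb = sum(b * b for _, b, _ in rows)
    sac = sum(a * c for a, _, c in rows)
    sbc = sum(b * c for _, b, c in rows)
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        raise ValueError("towers are collinear: two mirror-image positions fit equally well")
    return ((sac * sbb - sab * sbc) / det, (saa * sbc - sab * sac) / det)


def fix_from_rssi(towers: Sequence[Point], rssis: Sequence[float]) -> Point:
    return trilaterate(towers, [distance_from_rssi(r) for r in rssis])


def demo() -> Tuple[Point, Point, float]:
    """Constructed layout: three towers a few km apart, phone actually at (1000, 1500) m."""
    towers = [(0.0, 0.0), (4000.0, 0.0), (0.0, 3000.0)]
    truth = (1000.0, 1500.0)
    true_rssi = [rssi_from_distance(math.dist(t, truth)) for t in towers]
    exact = fix_from_rssi(towers, true_rssi)
    # The same readings with a couple of dB of error, well within normal fading.
    noisy = fix_from_rssi(towers, [r + e for r, e in zip(true_rssi, (2.0, -2.0, 1.0))])
    return exact, noisy, math.dist(noisy, truth)
```

`demo()` recovers the true position exactly from exact readings; with errors of +2, -2 and +1 dB the fix lands roughly 600 m away, which is still a city block or two, not a city. The collinear check matters in practice: towers along one road give two mirror-image solutions, and the network then needs a sector bearing to choose between them.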
Where do we go from here?
At the moment, cellular infrastructure is a mess that provides no real security promises and no semblance of privacy. While privacy will likely never be achieved, better security can be advocated for.
One of the biggest security issues for cellular communication is the ease with which a BTS operator can remove encryption and other security features in the name of interoperability. For those familiar with web security, this is similar to the downgrade attacks against HTTPS that led to HSTS (HTTP Strict Transport Security). That precedent gives some hope that cellular standards can adapt in the same way, so that a device can insist on LTE.
At a minimum, Android and iOS can be changed to have a mode for LTE only (with the user’s consent and recognition that this will cause performance degradation). For situations where LTE-only is not possible, cellular devices could provide greater information about whether a fake base station is being used and give options to disconnect or reject known bad BTSes.24
The biggest barrier to any cellular network security improvement is infrastructure. As long as there are networks covered only by 2G networks, operators will support 2G.
Privacy can also be advocated for by giving users control of the baseband processor. Right now, when a phone is in airplane mode, it does not actually turn off the baseband processor, but stops it from trying to continually connect to a BTS. This is meant to save battery life. Providing users a way to turn off the baseband processor (in the past this was done by removing the battery) can provide people with some control over their privacy when carrying their mobile phones that act as much more than just a cellular communication device.
Appendix 1: Examples of cellular antennas
Example 1: Antenna Tower
Example 2: Antenna Array (this is from the top of a building)
Example 3: Hidden Antenna Array
Appendix 2: Getting Technical
Legal Note: In the US, the FCC regulates the radio frequency bands that can be used for different services. Part of this includes ensuring that operators have licenses and don’t interfere with other services. If you operate your own unlicensed cellular network, you could be subject to fines from the FCC or other regulatory bodies, especially if you use high-powered antennas.
Analyzing live cellular traffic is likely illegal in most places (it is one of the controversial aspects of IMSI-Catchers). Check with a lawyer who specializes in this area and can advise you on what options are legal before starting into this area of research.
If you’re interested in diving deeper into cellular networks at a technical level, you will need to buy hardware for a software-defined radio (SDR). A working SDR has two parts: 1) the radio hardware (an antenna plus a front end that digitizes the signal) and 2) software that does the signal processing a traditional radio does in hardware (filtering, demodulation, decoding, and so on).
- RTL-SDR (RTL2832U): A cheap (~$20) receive-only USB dongle, originally sold as a DVB-T tuner. Because it cannot transmit, it cannot act as a BTS, but it is enough to observe a GSM downlink.
- LimeSDR: A new open source SDR board designed to be cheap and hackable. Lime Microsystems, the company that develops the LimeSDR, has a newer product called LimeNET that is essentially a BTS in a box built on the LimeSDR.
- Ettus USRP: The Ettus USRP series (B200 and B210) are some of the leading SDRs in the field.
- GQRX (Linux/Mac): Great general-purpose SDR software.
- SDR# (Windows): The go-to general-purpose SDR software for Windows.
- OpenBTS: Open source software for running a 2G GSM BTS.
- OpenLTE: Open source software for running a 4G LTE base station.
If you don’t know where to start, I highly recommend getting a copy of “Getting Started with OpenBTS” (digital copy available for free from their website). The book guides you through setup, testing, and running a BTS with OpenBTS.
Happy Cellular Hacking!
- Countries with less developed internet infrastructure are going straight to mobile infrastructure and connectivity. Kenya, for example, has been a leader in mobile technologies, including developing M-Pesa, a mobile money application to allow users to send and receive money through SMS. ↩
- An example of this is when Open Whisper Systems, the organization that develops Signal, stopped supporting SMS encryption (when it was called TextSecure on the Android) out of security and privacy concerns with cellular infrastructure despite its need and use by communities in different African countries. Another group of developers ended up forking the TextSecure codebase to create Silence and continue providing an option for SMS encryption. ↩
- Specialized knowledge is still needed, especially for research focused on the cellular standards, as opposed to general cellular infrastructure. For those interested in capturing and analyzing cellular (and other wireless) traffic, see the recommended resources and hardware at the end. ↩
- Throughout the lifetime of the cellular generation, the standards were updated and new standards were developed. To prevent this from being a list of standards and what they mean, I am focusing on the major ones for each generation. ↩
- Full mobile data arrived with the General Packet Radio Service (GPRS). GPRS is not part of the original GSM standard but was added on top of it and is considered “2.5G”. Because phones are not always clear about which protocol is in use, a GPRS connection may be shown as 2G by the phone, which explains why a “2G” connection can still carry mobile data. ↩
- If you are familiar with wireless network authentication protocols, 2G can be thought of as WEP. It is encrypted, but done weakly with tools easily available to decrypt it. ↩
- I am not sure whether there has been private research done that contradicts this. ↩
- The recent incident of redirecting SMS messages to break two-factor authentication exploited a flaw in SS7. Even given this practical exploitation of SS7, it will likely stay due to needs with interoperability. ↩
- By necessity, this is not a completely thorough diagram or overview of cellular networks. The system diagrams will vary between different generations and standards. This is primarily aimed at providing a basic idea of key parts of the infrastructure to talk about security and privacy concerns with cellular networks. It is based on the GSM network infrastructure, which has the most research publicly available and what I have the most experience with. ↩
- Subscriber-owned femtocells are possible because they reach the operator’s core over an IP connection (the subscriber’s broadband). 4G LTE’s all-IP core makes this natural, though femtocells were also sold for 3G networks. ↩
- For example, here is a link to purchase a range extender for Verizon’s network https://www.verizonwireless.com/accessories/magnetic-mount-antenna-for-lte/ ↩
- This is similar to UDP, which provides no delivery or transmission guarantee. ↩
- On my iOS device, the standard used is replaced by the wifi signal strength when I am connected to wifi. ↩
- Modern smartphones have two processors: one for the software and one that manages the cellular aspect, known as the baseband processor. While I have not studied the hardware architecture and how much the software controls the baseband processor, Android’s ability to give a preference with cellular network connectivity implies that the software can control the baseband processor to some degree. ↩
- This is a classic man-in-the-middle attack. Most modern phones have radios that cover a number of frequency ranges so they can use the different protocols and networks found globally. Within its operator’s network, a phone will automatically camp on the strongest cell available, regardless of frequency. When an IMSI-catcher jams the legitimate frequencies and advertises itself as that operator, the phone connects to it because it is the strongest signal present within the bands the phone supports. ↩
- The FCC regulates what radio frequencies different devices can operate on, including cellular networks, for performance and availability reasons. For information on the frequency ranges for cellular networks in the US, see the FCC page on cellular service. ↩
- This can be thought of as a denial of service attack against the other networks. ↩
- https://www.wired.com/2015/03/feds-admit-stingrays-can-disrupt-cell-service-bystanders/ ↩
- Someone created a short document on Pastebin about IMSI-catchers and some of the ways to recognize their use for activists. https://pastebin.com/gbecbEXL ↩
- Weaknesses in SS7 were publicly demonstrated in 2014 and were still unfixed years later, when attackers used them to redirect the SMS transaction codes of German bank customers. https://www.theguardian.com/technology/2016/apr/19/ss7-hack-explained-mobile-phone-vulnerability-snooping-texts-calls ↩
- https://pages.nist.gov/800-63-3/sp800-63b.html ↩
- See this note from the most recent version of the NIST standard on digital identity management, from 2017. “Note: Out-of-band authentication using the PSTN (SMS or voice) is discouraged and is being considered for removal in future editions of this guideline.” https://pages.nist.gov/800-63-3/sp800-63b.html ↩
- The baseband processor is regularly sending signals to update the cellular network where a specific device is located. ↩
- This is accomplished for the internet by having browsers reject known malicious certificates and identify specific certificate authorities as secure/legitimate. ↩