Suspicious tower sniffing

Discussion in 'Wireless Internet' started by miso, Nov 19, 2014.

  1. miso

    miso Guest

    RSSI lat long cellid LAC mnc mcc
    -97 35.793002 -115.319457 242674663 24595 310 260
    -67 35.777788 -115.330649 6913 154 310 260
    -90 35.762719 -115.341747 242674663 24595 310 260
    -94 35.746597 -115.353559 242674663 24595 310 260
    -92 35.728712 -115.360608 242674666 24595 310 260
    -87 35.71133 -115.366699 242674666 24595 310 260

    This is from the Blackberry app signal tracker. Now I suppose the hot
    reading could be a tower. The location is near the Gold Strike Casino.
     
    miso, Nov 19, 2014
    #1

  2. David Howard

    David Howard Guest

    Looking up a few of those terms, I learn:
    MCC = Mobile Country Code (3 digits, e.g., 310 = USA)
    MNC = Mobile Network Code (2 to 3 digits, e.g., 26 or 026 = T-Mobile)
    LAC = Location Area Code (0 to 65535 on GSM)
     
    David Howard, Nov 19, 2014
    #2

  3. David Howard

    David Howard Guest

    This database can look up where a tower is located that you find
    on your cellphone with freeware such as WiGLE
    http://www.cell2gps.com/

    For example:
    MCC = 310 = USA mobile country code
    MNC = 260 = T-Mobile mobile network code
    LAC = 328 = location area code
    CellID = 29021

    Finding this on your phone, using WiGLE freeware for example, you realize
    you're connected to a cell tower at Moffett Field at
    GSM CellTower 310-260-328-29021 location is (37.408436,-122.065147) Accuracy:1300 mX
     
    David Howard, Nov 19, 2014
    #3
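As an added example (my code, not from the thread or from the Signal Tracker app), here is a small Python script that parses a log like the one in post #1, builds the MCC-MNC-LAC-CID identifier in the form post #3 uses ("310-260-328-29021"), and flags readings that stand out from their neighbours. The heuristics (a LAC different from the rest of the drive, an RSSI far above the median of the other readings, a cell seen only once) and the 15 dB margin are my choices and only say "look closer", not "this is a fake tower". The 28-bit UMTS cell-id split is an assumption about what the large cell IDs in that log are; the column-order note is taken from how posts #2 and #3 decode 310 and 260.

```python
"""Parse a signal-tracker log and flag readings worth a second look.
Added example; heuristics and sample data are constructed, not from the app."""
import statistics
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: the six readings from post #1, retyped.
# The posted header labels the last two columns "mnc mcc", but the values
# (310, 260) are MCC then MNC as posts #2 and #3 decode them
# (310 = USA, 260 = T-Mobile), so they are parsed in that order here.
SAMPLE_LOG = """\
RSSI lat long cellid LAC mnc mcc
-97 35.793002 -115.319457 242674663 24595 310 260
-67 35.777788 -115.330649 6913 154 310 260
-90 35.762719 -115.341747 242674663 24595 310 260
-94 35.746597 -115.353559 242674663 24595 310 260
-92 35.728712 -115.360608 242674666 24595 310 260
-87 35.71133 -115.366699 242674666 24595 310 260
"""


@dataclass(frozen=True)
class Reading:
    rssi: int
    lat: float
    lon: float
    cell_id: int
    lac: int
    mcc: int
    mnc: int

    @property
    def cgi(self) -> str:
        """MCC-MNC-LAC-CID, the form post #3 uses (e.g. 310-260-328-29021)."""
        return f"{self.mcc}-{self.mnc}-{self.lac}-{self.cell_id}"


def parse_log(text: str) -> list[Reading]:
    """Parse whitespace-separated rows; the first row is the header."""
    rows = [ln.split() for ln in text.strip().splitlines()[1:] if ln.strip()]
    readings = []
    for f in rows:
        if len(f) != 7:
            raise ValueError(f"expected 7 columns, got {len(f)}: {f}")
        r = Reading(rssi=int(f[0]), lat=float(f[1]), lon=float(f[2]),
                    cell_id=int(f[3]), lac=int(f[4]), mcc=int(f[5]), mnc=int(f[6]))
        # Sanity checks from post #2: MCC is 3 digits, MNC 2-3 digits, LAC 16-bit.
        if not (100 <= r.mcc <= 999 and 0 <= r.mnc <= 999 and 0 <= r.lac <= 0xFFFF):
            raise ValueError(f"implausible identifiers in row {f}")
        readings.append(r)
    return readings


def split_utran_cell_id(cell_id: int):
    """Assumption about this log: cell IDs wider than 16 bits are 28-bit UMTS
    cell identities (12-bit RNC id + 16-bit cell id). Returns None for values
    that already fit in 16 bits (plain GSM CIDs such as 6913)."""
    if cell_id <= 0xFFFF:
        return None
    return cell_id >> 16, cell_id & 0xFFFF


def flag_suspicious(readings: list[Reading], rssi_margin_db: int = 15):
    """Heuristics only: return (reading, reasons) for rows that differ from
    their neighbours in at least two independent ways."""
    dominant_lac, _ = Counter(r.lac for r in readings).most_common(1)[0]
    seen = Counter(r.cell_id for r in readings)
    flagged = []
    for r in readings:
        reasons = []
        if r.lac != dominant_lac:
            reasons.append(f"LAC {r.lac} differs from dominant LAC {dominant_lac}")
        others = [o.rssi for o in readings if o is not r]
        if others:
            delta = r.rssi - statistics.median(others)
            if delta >= rssi_margin_db:
                reasons.append(f"RSSI {r.rssi} is {delta:.0f} dB above the median of the rest")
        if seen[r.cell_id] == 1:
            reasons.append(f"cell {r.cgi} seen only once")
        if len(reasons) >= 2:
            flagged.append((r, reasons))
    return flagged


if __name__ == "__main__":
    for r, why in flag_suspicious(parse_log(SAMPLE_LOG)):
        print(r.cgi, "at", r.lat, r.lon)
        for w in why:
            print("  -", w)
```

Run as-is it prints the single -67 reading with all three reasons; the other five rows share LAC 24595 and sit within a few dB of each other. Feed it a longer drive log and lower or raise `rssi_margin_db` to taste; two reasons are required so that one strong reading from a legitimately close tower does not trip the flag by itself.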
  4. miso

    miso Guest

    Unfortunately this is on that web page:
    "This CellTower Locator sends query to Google location server, and returns
    the location. If the data are not included in their databases, no results
    will be returned."

    It is that same crappy Google database.

    I've yet to find a database that is actually accurate. Some towers show up
    in the FCC database, but most do not. The FCC establishes a region for the
    carrier, and within that region the carrier can do whatever they want,
    subject to approval by the local authority (county, city, etc.)

    Probably every tower has a piece of paperwork registered with some
    government entity, but it might be the planning department or the city
    council minutes. That is, the data is not centralized.

    I am told (but don't know first hand) that every CDMA tower can report its
    lat/lon. This is not found in GSM.
     
    miso, Nov 19, 2014
    #4
  5. Jeff Liebermann

    Jeff Liebermann Guest

    Nope. CDMA carriers Verizon and Sprint stopped sending BSLAT/BSLON
    many years ago. This is what arrives today:
    <http://802.11junk.com/jeffl/crud/CDMA-data.jpg>
    <http://802.11junk.com/jeffl/crud/Droid-X2-02.jpg>
    Worse, the CDMA vendors are sending garbage for locations, and some
    (Samsung) phones are trying to interpret the garbage as useful data:
    <http://stackoverflow.com/questions/...eeps-returning-the-integer-max-value-unknown>
    <https://code.google.com/p/android/issues/detail?id=53518>
    <https://code.google.com/p/android/issues/detail?id=29819>
     
    Jeff Liebermann, Nov 20, 2014
    #5
  6. miso

    miso Guest

    Good info. But I don't think GSM ever reported a location, right or wrong.

    Do you know roughly when the FCC stopped requiring tower ID for cellular?

    This week's "Security Now" touched on the dirt boxes. It mentioned that the
    towers themselves have some monitoring capability. I will wait for the
    transcript to be uploaded, then post it. But it had to do with a case where
    some guy was using a cellphone jammer to create a "zone of safety" around
    him while driving.
    The current douche-baggery of the texting while driving crowd is driving
    like they stole the car to get to the traffic light so that they have more
    time to check SMS, Farcebook or whatever while the light is red. Most
    drivers try to not catch red lights, but these asses value their instagram
    viewing over broken bones.

    I'm getting very close to being that old man that yells to get off his
    grass.
     
    miso, Nov 20, 2014
    #6
  7. miso

    miso Guest

    miso, Nov 20, 2014
    #7
  8. Jeff Liebermann

    Jeff Liebermann Guest

    Dunno. I only do CDMA.
    I don't think the FCC ever required transmitting a specific tower ID
    or location. What they do require is the SID (system ID) which was
    administered by the FCC until about 2003, when it was taken over by
    private organizations:
    <https://apps.fcc.gov/edocs_public/attachmatch/DA-03-3017A1.pdf>
    <http://www.fcc.gov/encyclopedia/cellular-system-identification-number-sid-administrators>
    <http://en.wikipedia.org/wiki/System_identification_number>
    For international cellular, it's regulated by IFAST:

    You're only considered "old" when you've lost your optimism and given
    up hope that things will change.
     
    Jeff Liebermann, Nov 20, 2014
    #8
  9. Abe Swanson

    Abe Swanson Guest

    miso wrote, on Thu, 20 Nov 2014 02:25:30 -0800:
    Is that what they used to isolate the Baltimore prison to prevent the
    inmates from using cellphones from the inside to organize crime outside?
    http://gcn.com/articles/2013/09/05/prison-cell-phones.aspx
     
    Abe Swanson, Nov 20, 2014
    #9
  10. Abe Swanson

    Abe Swanson Guest

    miso wrote, on Thu, 20 Nov 2014 02:30:16 -0800:
    What I don't understand is why he jammed the cellphones in Florida,
    where it's NOT illegal to talk on a cellphone while driving, and,
    more importantly, why he didn't just use the fake cell phone tower.

    Wouldn't a fake cell phone tower have worked BETTER than a jammer
    because it wouldn't have given him away?
     
    Abe Swanson, Nov 20, 2014
    #10
  11. Abe Swanson

    Abe Swanson Guest

    Abe Swanson wrote, on Thu, 20 Nov 2014 19:15:03 +0000:
    I'm trying to find the specs on the jammer he used because I don't
    understand why use a jammer when a fake cell phone tower might be better.

    This TRJ-89 jammer is able to block cell service only within a 5 mile
    radius, according to Antenna Systems and Solutions Co., 931 Albion Avenue,
    Schaumburg, Illinois 60193, Phone: 847-584-1000, Fax: 847-584-9951
    http://www.antennasystems.com/category/jammers.html

    A 28-page PowerPoint presentation on the jammer specs is here.
    http://www.antennasystems.com/Sales Presentation.ppt
     
    Abe Swanson, Nov 20, 2014
    #11
  12. miso

    miso Guest


    I think it is easier just to jam than to create a fake tower, though you are
    correct that both techniques would screw things up for the cellular users,
    presuming you don't relay the cellular traffic. Chris/Kristen Paget went so
    far as to set up Asterisk so that calls did go through.

    I don't think there is a fake CDMA tower scheme in the wild. Thus you could
    interfere with GSM but not CDMA.
     
    miso, Nov 21, 2014
    #12
  13. miso

    miso Guest

    This is news to me, so thanks for the link.

    They describe the system as being something like a femto cell, so the
    cellular companies have to set up and bless this scheme.

    Look at this as a man in the middle attack. They read the IMSI and if you
    are on the white list (allowed numbers), you can use the cellular system.

    I guess the prisoners need to build yagi antennas to get to the real
    network.
     
    miso, Nov 21, 2014
    #13
  14. Jeff Liebermann

    Jeff Liebermann Guest

    Jamming is easy. Spoofing requires far more hardware and expertise:
    <www.ebay.com/sch/i.html?_nkw=cdma+base+station+emulator>
    Most of the cellular test equipment can do much the same thing. This
    one should do for emulating CDMA (not GSM) systems:
    <http://literature.cdn.keysight.com/litweb/pdf/5989-0513EN.pdf>
    Some YouTube videos of a similar test set in action:
    <https://www.youtube.com/playlist?list=PLAC6FCC5EA06843FA>
     
    Jeff Liebermann, Nov 21, 2014
    #14
  15. Robert Bryant

    Robert Bryant Guest

    I didn't understand the article, but they said this:
    "Jamming the phones is illegal and impractical, Smith said.
    'I'm inside the unit, and sometimes I need to make a call.'
    Technology to detect them is not always effective, and once
    they are identified it can require a confrontation with an
    inmate to confiscate it."

    So, it's not a jammer for sure.
    And, it's not a triangulator either.

    It looks like they are *all* the carriers at once, and, as you
    said, the Tecore Networks Intelligent Network Access Controller
    (iNAC) system only allows whitelisted IMSI-based calls to be passed
    through.

    Some people are complaining though, that they drive by the prison
    in Baltimore, and they can't make phone calls:
    http://articles.baltimoresun.com/20...s-20140208_1_cell-phone-city-jail-tavon-white
     
    Robert Bryant, Nov 22, 2014
    #15
  16. miso

    miso Guest

    Service monitors were never blocked, even in the analog days.
     
    miso, Nov 22, 2014
    #16
  17. miso

    miso Guest

    Another good article. These people drove by the facility and the prison
    system was stronger than the real cellular. Because they weren't on the
    white list, they couldn't use the service.

    Since the carriers are all on different bands, there is nothing stopping the
    facility from being on all systems, well presuming you have the money.

    This setup isn't really all that different from setups at, say, convention
    centers or in the subway. The only difference is the white list feature.
     
    miso, Nov 22, 2014
    #17
  18. Jeff Liebermann

    Jeff Liebermann Guest

    Sorta. The theory was that everyone that bought the software/firmware
    was legitimate. However, when it became obvious that many customers
    were various "agencies", that didn't want to be identified, tracking
    the buyers was quickly dropped. For monitoring cell phone calls,
    service monitors had call progress tracking and various forms of
    filtering, that made it easy.

    Speaking of analog, remember this incident?
    <http://www.cnn.com/ALLPOLITICS/1997/01/13/tape/index.shtml>
    A perfect recording of an intercepted Newt Gingrich cell phone
    conversation, discussing his ethics problems, was provided to
    congressional "ethics" investigators. Allegedly, it was done with a
    scanner, which was even then impossible without considerable added
    hardware. Most likely, it was done with a service monitor.
    Incidentally, the Martins were eventually fined $500 for their
    recordings.

    <http://jacksonville.com/tu-online/stories/042697/_tape_pr.html>
    <http://www.pbs.org/newshour/bb/politics-jan-june97-cellular_01-14/>
     
    Jeff Liebermann, Nov 22, 2014
    #18
  19. miso

    miso Guest

    Jeff Liebermann wrote:

    If Newt wasn't mobile, it could have been done with a scanner. But you would
    need a good ear to figure out the person was worthy of scanning.

    The cost of the service monitors was a bit steep for the average hobbyist.
    ;-)
     
    miso, Nov 23, 2014
    #19
  20. Jeff Liebermann

    Jeff Liebermann Guest

    Nope. Even analog cell phones (AMPS) would hop frequencies every few
    seconds. Listening to AMPS on a scanner was impossible unless you
    could decode the control tones (no data, just tones) and switch the
    scanner to the next channel. Since each carrier was originally
    granted 333 channel pairs, programming a scanner for 333 channels was
    problematic.

    In 1997, it's also possible that it was a TDMA or GSM phone, which are
    even less likely to be successfully intercepted by a common scanner.
    Not for US government agencies. However, it probably was NOT done
    using a service monitor or scanner.

    I've never heard the recording, but I read somewhere that both sides
    were crystal clear, with no dropouts, switching clicks, or fades.
    That's not easy to do.

    The problem is full duplex. In order to record both sides of the
    conversation, one would need two scanners. One scanner to listen to
    the handset on the handset frequency, and the other to listen to the
    base station on a different frequency. That's because the handset
    transmit audio is NOT repeated by the base station[1]. So, if you
    want to hear the handset transmit audio, you have to listen on the
    handset frequency. Finding a location where one can hear both the
    handset and the base station is also rather problematic.

    Kinda makes me wonder where the recording really came from.


    [1] With AMPS, if it did repeat the audio, there would be about a 100
    msec delay, where the echo would drive users nuts. This is different
    from the roughly 250 msec processing delay of digital handsets. What
    you actually hear in the earphone on a cell phone handset is
    side-tone, produced locally in the handset with zero delay.
     
    Jeff Liebermann, Nov 23, 2014
    #20