Your Mobile Phone and Its Special Rogue Cell Tower
You are walking down the street, and I am pretty sure you are looking at your phone, either surfing or communicating with someone. If you see a cell tower nearby, you may assume that is where your signal goes before continuing to its destination, but this is not always the case. Your phone's signals may not reach the appropriate cell tower at all; instead they may go to another tower, known as a rogue cell tower, Stingray, cell site simulator, IMSI catcher, Triggerfish, Gossamer, etc.
Rogue cell towers are devices that mimic real cell phone towers and intercept your mobile calls and data. They achieve this by transmitting a stronger signal into an area of interest than the legitimate cell towers surrounding it. Your cell phone, which is designed to choose the cell tower from which it receives the strongest signal or maximum transmit power, therefore chooses the rogue tower. This connection provides the rogue tower with information such as your location, information about all phones that happen to be nearby, and the numbers of incoming and outgoing calls, and it allows the content of voice and text communications to be intercepted. The device is also able to send you malware. In addition, this will go unnoticed, since the rogue tower continues to relay your signals to the legitimate tower, so you still receive the required service.
Officially, the system was designed to be used by government security agencies for security purposes, such as identifying terrorism, preventing attackers from coordinating, preventing possible activists during protests, etc.
There has been a lot of controversy over the use of this device without requesting permission from a court. This month, the US Justice Department released a new federal policy that requires a warrant every time federal investigators decide to use them, although police departments are excluded from this requirement. In fact, many police departments in the US do not even report how and when they use this device, as they have signed non-disclosure agreements with the manufacturers that prevent them from releasing records about the systems or even discussing them.
However, a more concerning development is the use of these devices by unidentified persons, especially hackers, who constantly try to steal personal identification and passwords. In August 2015 alone, 19 rogue towers were identified throughout the U.S. All of them were identified by mobile users who were asked to notify ESD America any time this event was alerted on their mobile phones. These users were using the CryptoPhone 500, which is the first product worldwide that alerts the user when a rogue tower is connected to their phone.
GSMK CryptoPhone 500 is an Android-based secure mobile phone developed by the German firm GSMK. It provides users with strong end-to-end encryption along with an Android operating system and a baseband firewall. It notifies the user when the mobile phone has not been provided with the IDs of the neighboring towers for possible handover, when the mobile network's encryption has been turned off, and when the mobile phone has been switched from 3G or 4G to a 2G network. Unfortunately, this mobile phone isn't available to everyone. Currently, it is offered at a high price and is only available to enterprise customers using Android phones. Moreover, there are no official announcements stating that there are plans to expand it to common users.
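The three warning signs described above (no neighboring tower IDs, network encryption turned off, a switch from 3G or 4G to 2G) can be expressed as a check over a sequence of serving-cell observations. This is an added example, not GSMK's code or anything from the original article; the record fields, the sample data and the two-indicator threshold are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class CellObservation:
    """One serving-cell snapshot; field names are assumptions for this example."""
    time: str
    rat: str            # radio access technology: "2G", "3G" or "4G"
    neighbor_ids: list  # tower IDs offered for possible handover
    ciphering: bool     # True when the network has encryption enabled


def indicators(prev, cur):
    """Return the warning signs from the article that apply to `cur`."""
    found = []
    if not cur.neighbor_ids:
        found.append("no-neighbor-cells")
    if not cur.ciphering:
        found.append("encryption-off")
    # A downgrade is only visible relative to the previous observation.
    if prev is not None and prev.rat in ("3G", "4G") and cur.rat == "2G":
        found.append("downgrade-to-2G")
    return found


def review(observations, threshold=2):
    """Walk observations in order; report those with >= threshold indicators."""
    alerts = []
    prev = None
    for cur in observations:
        found = indicators(prev, cur)
        if len(found) >= threshold:
            alerts.append((cur.time, found))
        prev = cur
    return alerts


# Constructed sample data, not captured from a real device.
SAMPLE = [
    CellObservation("10:00", "4G", [101, 102, 103], True),
    CellObservation("10:05", "4G", [101, 104], True),
    CellObservation("10:10", "2G", [], False),   # all three signs at once
    CellObservation("10:15", "2G", [], False),   # still attached, no new downgrade
    CellObservation("10:20", "4G", [101, 102], True),
]

if __name__ == "__main__":
    for when, found in review(SAMPLE):
        print(when, ", ".join(found))
```

Requiring more than one indicator before alerting is a choice made in this example; the threshold parameter lets each sign be reported on its own instead.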
This situation is even more serious because, until now, no one knows for sure how many rogue towers are active and how sophisticated they are. The danger is that their number can increase if these devices are used by commercial business providers with an interest in increasing their productivity, learning their customers' preferences, or learning about their competitors.
All this will result in more work for everyone who is responsible for managing business risk, information security, and IT. For the time being, since there is no specific standard on this issue, departments responsible for security within organizations are advised to consider ISO 27001 Information Security Management Systems; more specifically, the controls related to Mobile devices and teleworking (A.6.2), Authentication (A.9), Cryptography (A.10), Operation security and Change management (A.12), and additional controls. You can consider other standards as well, such as Cybersecurity, ISO 22301 Business Continuity. All these standards will help organizations to identify and evaluate these possible threats and take appropriate actions to avoid or mitigate them. This will help ensure and maintain the confidentiality, integrity, and availability of their data.
Rreze Halili is a Security Product Manager at PECB. She is in charge of developing and maintaining training courses related to Security. If you have any questions, please do not hesitate to contact her at: training@pecb.com.