8

There are multiple forms of evidence that people can spoof cell towers and monitor cells. This Forbes article reports a proof of concept that works for 2G technology. This article from The Register reports a more nuanced expert's view that:

False base stations are always possible on GSM. It does not surprise me. Of course, encryption can be turned off by the operator, or by the State such as China or India. It does not happen on 3G or LTE if you are using mutual authentication.

So there appear to be vulnerabilities in some mobile technology that allow phone interception up to and including listening in on calls.

Mobile technology has included encryption of voice calls since GSM so people usually assume that calls are not readily interceptable.

Are modern mobile phone technologies also vulnerable? Can governments or others create spoof base stations that allow interception of all calls?

matt_black
William
  • I don't think anything Hollywood ever says can be considered a notable claim. – jwodder Jan 09 '16 at 19:31
  • @jwodder Well they can trace phone calls to some extent but I get your point. – William Jan 09 '16 at 19:34
  • 2
    I'm voting to close this question as off-topic because hollywood movies don't constitute notability of a claim – matt_black Jan 09 '16 at 20:24
  • 3
    There are multiple problems with this question. It is a claim based on a movie, which we don't really [allow](http://meta.skeptics.stackexchange.com/questions/1148/random-claims-from-fantasy-stories-and-movies) per se. Consequently, it becomes a vague claim. There are claims that the NSA and GCHQ spy on people -- in fact, there's plenty of evidence of that -- is that what you are skeptical about? – Sklivvz Jan 09 '16 at 21:47
  • 1
    Thanks, William, for your effort to improve the question. Unfortunately, the question still isn't notable. You haven't found anyone claiming that "the government" (Do you mean the US Government in particular?) is monitoring audio calls. The question is also vague in that the US Government certainly taps phones with warrants, and brings the results up as evidence in court cases. You presumably mean to ask if they Government taps phone calls made by all of the population. – Oddthinking Jan 10 '16 at 04:11
  • 1
    @Oddthinking I'm not done editing. I'm trying to make sure it isn't a duplicate question already. – William Jan 10 '16 at 04:17
  • @Oddthinking Very different question (although it has similarities), although I'm not sure if it is quite there yet in being acceptable. – William Jan 10 '16 at 04:24
  • I've attempted a major edit to demonstrate notability and focus the question a little. I hope I haven't missed the original intent of the question. – matt_black Jan 10 '16 at 12:04
  • 2
    The answer to the question as it currently reads is, "Yes, absolutely." Several devices exist to do just that and are in use by some law enforcement agencies. [Stingray](https://en.wikipedia.org/wiki/Stingray_phone_tracker) is probably the most common of them. – reirab Jan 10 '16 at 19:59
  • @matt_black You did a great job. You are welcome to leave the Forbes article out. If it is acceptable question then I like it. – William Jan 11 '16 at 03:22
  • There are more such devices like Triggerfish, Gossamer, Kingfish, Harpoon, Hailstorm which can work in combination with the Sting Ray to intercept phone data, discussed here: http://arstechnica.com/tech-policy/2013/09/meet-the-machines-that-steal-your-phones-data/1/ and malware such as AirHopper to steal data using radio signals: http://www.wired.com/2014/11/airhopper-hack/. – pericles316 Jan 11 '16 at 14:22
  • See https://www.youtube.com/watch?v=DU8hg4FTm0g for a practical demonstration. The problem is that phones have little opportunity to enforce 3G or higher, if the 3G band is unavailable (jammed by the attacker), your phone will drop down to 2G. Also, your phone follows the instructions the tower gives it, so if the tower tells it to turn off encryption, it will. – SQB Jan 11 '16 at 15:16
  • Short answer: yes – NuWin Jan 14 '16 at 03:13
  • Take a look at SDR or Software defined Radio. – Dudey Apr 13 '16 at 20:07
  • @Wally It appears the encryption prevents major security issues. Technically you can scramble the encrypted signal to force a non-encrypted version but the phone theoretically could detect that. P.S. you spelled wall-e wrong in your name. – William Apr 13 '16 at 22:12
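The quoted expert remark in the question ("It does not happen on 3G or LTE if you are using mutual authentication") is the crux of the whole thread, so here is an added illustration of why one-way versus mutual authentication matters. This is example code written for this page, not code from any of the posters or from a 3GPP specification: the key-derivation functions are HMAC-SHA256 stand-ins for the real MILENAGE f1/f2 functions, the AUTN token is simplified to SQN || MAC (no AMF, no anonymity key), and the names HomeNetwork, Phone, gsm_respond and aka_respond are invented for the demo.

```python
import hmac
import hashlib
import secrets

# Stand-ins for the network authentication functions. Real networks use the
# MILENAGE (AES-based) functions; HMAC-SHA256 is used here only so the demo
# runs with the standard library. This is an assumption of the example.
def f_mac(k, rand, sqn):
    """Network-side MAC over (RAND, SQN): proves the sender knows K."""
    return hmac.new(k, b"mac" + rand + sqn, hashlib.sha256).digest()[:8]

def f_res(k, rand):
    """Subscriber response RES/SRES to a challenge RAND."""
    return hmac.new(k, b"res" + rand, hashlib.sha256).digest()[:8]

class HomeNetwork:
    """Holds the long-term subscriber key K, shared only with the SIM."""
    def __init__(self, k):
        self.k = k
        self.sqn = 0          # sequence number, incremented per vector

    def auth_vector(self):
        rand = secrets.token_bytes(16)
        sqn = self.sqn.to_bytes(6, "big")
        self.sqn += 1
        autn = sqn + f_mac(self.k, rand, sqn)   # AUTN = SQN || MAC (simplified)
        xres = f_res(self.k, rand)              # expected response
        return rand, autn, xres

class Phone:
    def __init__(self, k):
        self.k = k
        self.last_sqn = -1    # highest SQN accepted so far (replay protection)

    def gsm_respond(self, rand):
        # GSM-style: the phone answers whatever RAND it is given. Nothing in
        # the exchange lets it tell a genuine network from a false base
        # station, which is why encryption can then simply be switched off.
        return f_res(self.k, rand)

    def aka_respond(self, rand, autn):
        # AKA-style: the phone first checks that the network proved knowledge
        # of K and that the vector is fresh; only then does it answer.
        sqn, mac = autn[:6], autn[6:]
        if not hmac.compare_digest(mac, f_mac(self.k, rand, sqn)):
            return None       # MAC failure: sender does not know K
        if int.from_bytes(sqn, "big") <= self.last_sqn:
            return None       # replayed (old) authentication vector
        self.last_sqn = int.from_bytes(sqn, "big")
        return f_res(self.k, rand)

def run_gsm_against_false_bts(phone):
    """A station that does not know K still gets a response under GSM."""
    rand = secrets.token_bytes(16)
    return phone.gsm_respond(rand) is not None

def demo():
    """Run the four cases and report which exchanges the phone accepts."""
    k = secrets.token_bytes(16)             # constructed subscriber key
    home, phone = HomeNetwork(k), Phone(k)
    rand, autn, xres = home.auth_vector()
    genuine = phone.aka_respond(rand, autn)

    rogue = HomeNetwork(secrets.token_bytes(16))   # rogue network, wrong K
    rrand, rautn, _ = rogue.auth_vector()

    return {
        "gsm_accepts_false_bts": run_gsm_against_false_bts(phone),
        "aka_genuine_ok": genuine == xres,
        "aka_rogue_rejected": phone.aka_respond(rrand, rautn) is None,
        "aka_replay_rejected": phone.aka_respond(rand, autn) is None,
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point the demo makes is the one the quoted expert makes: with mutual authentication the phone will not complete the exchange with a station that cannot produce a valid MAC under K, whereas under the GSM flow the phone has nothing to check. As the later comments note, this only helps while the phone actually stays on 3G/LTE; a device that is pushed back to 2G loses the protection.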

3 Answers

6

The basic idea of GSM is that a mobile phone scans for base stations that are applicable and then syncs with the base station that has the strongest signal.

In 2010 the relevant equipment cost $1,500.

The server can tell the phone to disable encryption.

With intact encryption, GSM encryption can be cracked by open source software:

Cracking A5/1. When GSM uses A5/1 encryption, the secret key can be extracted from recorded traffic. Given two encrypted known plaintext messages, the Kraken utility that runs on a PC finds the secret key with around 90% probability within seconds in a set of rainbow tables. Our current table set took 2 months to compute and contains 40 tables for a total of 2TB. Further details on cracking A5/1 using rainbow tables are provided in this white paper: Attacking Phone Privacy.

Christian
1

Well, I don't know if this article strictly answers your question, but you could start here:

A Secret Catalogue of Government Gear for Spying on Your Cellphone

A few of the devices can house a “target list” of as many as 10,000 unique phone identifiers. Most can be used to geolocate people, but the documents indicate that some have more advanced capabilities, like eavesdropping on calls and spying on SMS messages. Two systems, apparently designed for use on captured phones, are touted as having the ability to extract media files, address books, and notes, and one can retrieve deleted text messages.

Benjol
1

The problem with other answers here so far is that the OP explicitly states that he is aware that tracking can be done on 2G technology, but is wondering about 3G and 4G technology.

GSM and LTE encryption works using symmetric or asymmetric encryption methodologies. This means that there are three ways to obtain the key needed for snooping:

  1. Obtain the public key or shared secret from the phone
  2. Obtain the private key or shared secret from the phone company
  3. Brute force encryption algorithms

While GSM encryption may have been cracked, more modern ciphers are now in use so method 2 has been re-secured. Using a rolling key (Perfect Forward Secrecy) could also help to secure this communication channel such that cracking the protocol in hours could still be useless if you have moved on to a new key. This means method 2) is fairly secure until some algorithmic weakness is discovered or brute forcing capabilities provide for faster cracking.

As for method 1), in order to attack via this means, one would need to hack the UICC (most people call it a SIM card, but this is not technically correct - a UICC can house multiple SIMs). These are stored with some pretty strong encryption, making cracking impractical with current knowledge and technology, and if there is suspicion of cracking, the cell companies can re-key the SIM, rendering that work moot.

The final method is obtaining the keys from the cell phone company and using that private key to snoop a conversation. This can be done on 4G technology using a device known as a "Hailstorm". Cities like Oakland and others are having to upgrade their old stingray units to Hailstorm units in order to cope with the end of the 2G networks.

Ars Technica has a pretty good overview and survey of the history of Stingray/Hailstorm and related technology. Thus, the long-story-short here is that the Hailstorm has the private keys used by major cell phone companies and can intercept traffic using method 3) using this device for even LTE/4G traffic.

James Shewey