Dozens of fake cell phone towers discovered eavesdropping on Android devices

If you're taking a late-summer road trip, chances are your phone will be intercepted by a fake cell phone tower.

At least that's what Les Goldsmith, CEO of ESD America and developer of the CryptoPhone 500, claims.

According to Goldsmith, his team, using the custom-developed CryptoPhone (a hardened version of Android with a wealth of unique security features that also patches a number of flaws present in the stock Android OS), discovered dozens of fake cell phone 'towers' not belonging to any carrier. These intercept the device's signal, allowing the tower's owner to intercept any calls or communications and even 'remotely push spyware to the device.'

On a road trip taken from Florida to North Carolina by one of ESD America's customers, Goldsmith says, the device encountered 8 different interceptors. This may not sound shocking, except for the fact that baseband interceptors are very costly and difficult to build, meaning that only the truly committed or those with many resources have the ability to make them. The team discovered one such interceptor at a casino in Las Vegas, but many were found on top of military bases and government facilities.

An ECHELON facility, part of an NSA program which functions similarly to the fake towers

On one such excursion by ESD America's mobile security team, their phone was intercepted by a fake tower and forced down from 4G to 2G, a protocol which is much easier to exploit. Many higher-end interceptors, however, have the ability to "spoof" the signal so that the phone still displays a 4G connection despite being forced to 2G and exploited.

The fake towers may very well be operated by the government, Goldsmith says, but he also entertains the possibility that they could have been planted by a foreign government such as China to snoop on military communications. Regardless of the source or the intent, regular citizens are falling victim to the interceptors and running the risk of having their phone calls and even text messages intercepted by unknown parties.

Source: PopSci via ESET Blog | Top image via Shutterstock - SIM card on smartphone, bottom image via HAL Archives


Ignorance is bliss. Reading the comments regarding this article holds that to be a fact. I am amazed at all the comments regarding such an illegal and intrusive act upon our right to privacy. Posting a selfie on the net is one thing, but my phone conversation to anyone I choose, or text messages, are my private communications. Regardless that they are via bandwidth airwaves, this doesn't give anyone the right to tap them. Everyone here is either in disbelief that the article is true, or assuming this ESD is advertising their products or anything else of the like. But no one is upset, angry, or even commenting about what, who, how, and when the people as a whole are going to do about it. Apparently it is OK, at least with most of the people commenting here. Very few show any concern, and even fewer who do have any comment or seem to show a reaction that would indicate an action base to stop this atrocity, this absolute violation of the Constitution. The current Obama regime running this country is another leg of the millipede that intends to stomp out this country as we know it.

And who have they told about these "so called" fake towers? Anybody of consequence, or are they just trying to sell their own devices?

The exploit is in the baseband, not Android. The baseband for most Android phones is a proprietary RTOS made by Qualcomm. Qualcomm chips are used in virtually all 3G+ devices worldwide (iPhones, Windows Phones, etc.). So Qualcomm needs to fix it; it isn't fixable at the OS level.

I have a pay-as-you-go phone... It does not have roaming... I went to France... I would occasionally check the phone number. The phone would check for signal. I got back to the USA, and I got a lot of SPAM calls.

Seems like a lot of fluff with no real evidence to back up the claims. They claim they found one of these in Vegas, but didn't provide proof (specs, images, etc). If these exist, I bet most/all belong to the government.

Melfster said,
Most terrorists use Android phones. It makes sense for the NSA to target Android phones.

Source? Is there a terrorist only poll going on out there? Do you have to prove you have killed someone or destroyed something to be able to vote?

Ignorant misleading title. This would affect ANY cellphone, including Apple and Microsoft. The fact that it is an Android phone that detects the fake towers does not mean that this issue only affects Android.

I think they should have said that only Android has the ability to detect these fake cell towers. Well, at least no one with an iPhone or WinPhone was able to detect them.

Besides the fact that Android is nothing but a big "kick me" sign, the more important issue is: has someone told the FCC where these fake towers are and shown them how to search for others?

If you think this would only affect Android phones then you should take that sign and stick it on your own back.

Deyirn said,
Android is such a depressing OS, no wonder such a thing is happening.

Yup. Android made these fake towers come to life. Stupid Android!

Deyirn said,
Android is such a depressing OS, no wonder such a thing is happening.

That explains why Android phones are more popular than Windows Phone.

Krome said,
That explains why Android phone is more popular than Windows phone.

It's all about making Earth a sadder place to be living on.

I use my Razer Edge Pro as my phone. I think the last cell phone I had was a Virgin Mobile Wildcard, and that was years ago. The nice thing is, no need for a carrier. Wi-Fi is pretty much "everywhere", so whenever I make calls it's usually when I've settled down somewhere... restaurant, bank, my destination, etc. Never a need to have it on while in the car either. I found that it lasts all day. Plus I can game on it (plug in at McDonald's or wherever and enjoy).

Aside from the price, I found it was the best option for me personally :)

Tha Bloo Monkee said,

lol, he fell for the headline.

I can't waste time reading the whole thing; it's not even that interesting.

Funny that, despite all the "Snowden leaks" and almost daily overzealous law enforcement revelations, we still get so many knee-jerk deniers. The first hint at just how rampant this is and instantly many go to putting their hands over their ears and begin with the "la la la la la". Also worth considering is that this has all the earmarks of routine misdirection.

Hahaiah said,
Funny that, despite all the "Snowden leaks" and almost daily overzealous law enforcement revelations, we still get so many knee-jerk deniers. The first hint at just how rampant this is and instantly many go to putting their hands over their ears and begin with the "la la la la la". Also worth considering is that this has all the earmarks of routine misdirection.

It hasn't occurred to you that this is someone who is mentioning this and their "findings" to market their phone? I mean, why not tell the FCC first before announcing it to the internet?

20legend said,
'remotely push spyware to the device.' - even without having install from 'unknown sources' selected ?

Yes.
A few years ago, at DEF CON they demo'd an emulated cell tower using non-commercial radio systems. The GSM spec allows connection to cell towers on radios that you can get at home, but aren't used anymore by the service providers. That doesn't matter to your phone, of course. It'll just connect to any ANP that has the correct network ID being broadcast and is the strongest signal.

From there, your SIM card in the phone is actually a little computer running a form of Java. The cell tower can push Java applets to your SIM card, and the Java applet runs on the SIM card, not your phone. However, the SIM card has direct access to your phone's hardware. So even though you're encrypting everything, as it passes via your CPU the SIM card has a clear view of what's on the CPU. It also, as a result, has low-level access to the OS too, meaning it can read your emails, for example, or set up a new routing path for your network before it even gets to the OS.
But the real big problem is once you're on one of these fake cell towers, they have complete control over your phone and anything that comes or goes from it. Voice calls, text messages, etc. are all seen in plain text by the cell tower. Your best bet is to use a 3rd party service such as Skype (lol, no exploits there, right...) to make your calls and text people.

If your phone supports it, enable 3G or better only. '2G' GSM is where this is being exploited.
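As an added illustration of the detection side of what the article and the comment above describe (example code written for this page, not the CryptoPhone's or ESD America's logic), the following Python scores a log of serving-cell observations for the indicators mentioned: a cell broadcasting a known operator's network ID but an identity never seen before, a downgrade from 4G/LTE to 2G/GSM while the signal is unusually strong, and a link with no ciphering. The CellObs fields, the weights, the threshold and the sample log are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CellObs:
    """One serving-cell observation as a baseband might report it (assumed fields)."""
    mcc: str         # mobile country code
    mnc: str         # mobile network code; mcc+mnc is the operator's network ID
    lac: int         # location area code
    cid: int         # cell identity
    rat: str         # radio access technology: "GSM", "UMTS" or "LTE"
    rssi_dbm: int    # received signal strength
    ciphered: bool   # baseband reports an active cipher on the link

RAT_RANK = {"GSM": 2, "UMTS": 3, "LTE": 4}

def score(obs, history):
    """Return (weighted score, reasons) for obs against earlier observations."""
    # The checks trust the baseband's RAT and cipher reports; since some interceptors
    # spoof the displayed 4G icon, cipher and unknown-cell checks outweigh RAT alone.
    same_op = [h for h in history if (h.mcc, h.mnc) == (obs.mcc, obs.mnc)]
    known = {(h.lac, h.cid) for h in same_op}
    hits = []
    if same_op and (obs.lac, obs.cid) not in known:
        hits.append((1, "unknown cell for a known operator"))
    if history and RAT_RANK[obs.rat] < RAT_RANK[history[-1].rat] and obs.rssi_dbm > -80:
        hits.append((2, "downgrade to %s while signal is strong" % obs.rat))
    if not obs.ciphered:
        hits.append((2, "no ciphering"))
    return sum(w for w, _ in hits), [r for _, r in hits]

def scan(log, threshold=3):
    """Walk a chronological log; return [(obs, reasons)] for cells scoring >= threshold."""
    flagged = []
    for i, obs in enumerate(log):
        s, why = score(obs, log[:i])
        if s >= threshold:
            flagged.append((obs, why))
    return flagged

# Constructed sample log using the 001/01 test-network codes: three ordinary LTE
# cells seen on a drive (one normal handover to a new LAC), then a cell reusing the
# operator's network ID with an unknown identity, on GSM, very strong and unciphered.
SAMPLE_LOG = [
    CellObs("001", "01", 1001, 50001, "LTE", -95, True),
    CellObs("001", "01", 1001, 50002, "LTE", -88, True),
    CellObs("001", "01", 1002, 50003, "LTE", -91, True),
    CellObs("001", "01", 7777, 1, "GSM", -55, False),
]
```

Running scan(SAMPLE_LOG) flags only the last cell, with all three reasons; the ordinary handover to a new LAC scores 1 and stays below the threshold, which is the false-positive case a real detector has to get right on a road trip.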

sagum said,

Yes.
A few years ago, at DEF CON they demo'd an emulated cell tower using non-commercial radio systems. The GSM spec allows connection to cell towers on radios that you can get at home, but aren't used anymore by the service providers. That doesn't matter to your phone, of course. It'll just connect to any ANP that has the correct network ID being broadcast and is the strongest signal.

From there, your SIM card in the phone is actually a little computer running a form of Java. The cell tower can push Java applets to your SIM card, and the Java applet runs on the SIM card, not your phone. However, the SIM card has direct access to your phone's hardware. So even though you're encrypting everything, as it passes via your CPU the SIM card has a clear view of what's on the CPU. It also, as a result, has low-level access to the OS too, meaning it can read your emails, for example, or set up a new routing path for your network before it even gets to the OS.
But the real big problem is once you're on one of these fake cell towers, they have complete control over your phone and anything that comes or goes from it. Voice calls, text messages, etc. are all seen in plain text by the cell tower. Your best bet is to use a 3rd party service such as Skype (lol, no exploits there, right...) to make your calls and text people.

If your phone supports it, enable 3G or better only. '2G' GSM is where this is being exploited.

So we should probably call this what it is, a GSM exploit.

MikeChipshop said,
Sooooo... I'm guessing Mr Goldsmith has something to sell that will address this issue, right?

Yeah, he will sell you a phone :p

Well, damn, the bad side of being too open with your software I guess, or maybe Google isn't doing enough with security in this case.

George P said,
Well, damn, the bad side of being too open with your software I guess, or maybe Google isn't doing enough with security in this case.

The words Google and security DO NOT ever belong in the same sentence, unless you're talking the lack of!!

And yet, who's actually in the news because of a data breach? That's right, Apple; they are much worse when it comes to security, but you knew that and chose to spout nonsense about Google because that's what all the cool kids are doing now.

Anibal P said,
And yet, who's actually in the news because of a data breach? That's right, Apple; they are much worse when it comes to security, but you knew that and chose to spout nonsense about Google because that's what all the cool kids are doing now.

I'm wondering who you're replying to in this case, me or cork1958? If it's me, then I'm well aware of how poor Apple is with security, but it's also pretty well documented that Android has its own share of security issues, especially around malware and so on. I wouldn't call this nonsense; it's an issue for them to take care of, otherwise you wouldn't see spinoff/forked products like the OnePlus phone, which is sold around the idea of better security out of the box.

George P said,
Well, damn, the bad side of being too open with your software I guess, or maybe Google isn't doing enough with security in this case.

Considering it's a GSM exploit and not something specific to Android, I don't know that we should just point fingers at Google.

I don't think the article is saying that the towers are "eavesdropping on Android devices"; it said a custom Android device (CryptoPhone 500) was able to detect them.

mrbester said,
I'm so glad the mobile view doesn't have post edit capability. Or a way to get to desktop view

I thought that was added? (edit) you may have to clear cache, also go landscape, I'm led to believe more options show in landscape.

Eavesdropping and forcing 2G would be related to your baseband processor, not your user-facing smartphone OS.
It does matter if you use Android, iOS, WP, WebOS, Symbian or whatever.

There are also aliens out there that can see you naked. It just happens to be, I sell a product that can block that. $$$
What a coincidence.