Police have long used secretive tools to simulate cell towers and trick devices into connecting. Researchers at the EFF produced their own ‘Crocodile Hunter’ tool to sniff out these shady sites.

警察长期以来一直使用秘密工具来模拟手机信号塔并欺骗设备进行连接。 EFF的研究人员制作了自己的“鳄鱼猎人”工具来嗅探这些阴暗的地点。

By Max Eddy

通过 最大埃迪

Think your calls and texts are secure? Think again.

认为您的通话和短信安全吗？ 再想一想。

Nefarious devices have long masqueraded as cell towers in a bid to intercept data from mobile devices. But at this week’s (virtual) Black Hat, Cooper Quintin, Senior Staff Technologist at the Electronic Frontier Foundation, outlined a way to detect these bogus base stations, and offered suggestions on how to prevent their use altogether.

长期以来，邪恶的设备都被伪装成手机信号塔，以拦截来自移动设备的数据。 但是在本周的(虚拟)黑帽会议上 ，电子前沿基金会高级技术人员库珀·昆汀( Cooper Quintin )概述了检测这些虚假基站的方法，并提供了有关如何完全防止其使用的建议。

一切都旧了又新 (Everything Old Is New Again)

Phony cell towers have been a mainstay of Black Hat and security research for years. Traditionally, the attack worked like this: the bad guy sets up a mobile cell station, like a Femtocell, and then jams the 3G and LTE bands. This forces nearby phones to connect via 2G, which uses a broken encryption system. Once phones connect, the attacker can see anything moving to and from victims’ phones.

多年来，仿冒手机塔一直是Black Hat和安全研究的Struts。 传统上，这种攻击是这样进行的：坏人会像Femtocell一样建立一个移动蜂窝站，然后阻塞3G和LTE频段。 这迫使附近的电话通过2G连接，而2G使用了损坏的加密系统。 一旦电话连接成功，攻击者就可以看到任何东西往返于受害者的电话。

Police and other law enforcement agencies do the same with IMSI-catchers, which also simulate cell towers and trick devices into connecting. The use of these devices has long been controversial and shrouded in secrecy, but little was known about newer devices that targeted the 4G LTE bands. “We simply had no idea how they worked,” Quintin said today.

警察和其他执法机构对IMSI-catchers也做同样的事情，它们还模拟手机信号塔和欺骗设备进行连接。 长期以来，这些设备的使用一直存在争议，并且保密，但是对于针对4G LTE频段的新型设备知之甚少。 Quintin今天说：“我们根本不知道它们是如何工作的。”

This is important not only because 2G is increasingly obsolete, but because 4G offers numerous security improvements. LTE devices, for example, use better cryptography, and don’t blindly connect to nearby cell towers. Understanding how LTE IMSI catchers worked would shed light on unknown vulnerabilities that might exist in the system.

这很重要，不仅因为2G越来越过时，而且因为4G提供了许多安全性改进。 例如，LTE设备使用更好的加密技术，并且不会盲目连接到附近的基站。 了解LTE IMSI捕获器的工作方式将有助于发现系统中可能存在的未知漏洞。

In 2019, EFF Technology Fellow Yomna N tackled the problem, eventually producing a report that outlined the theoretical operation of a 4G IMSI catcher. In his presentation, Quintin showed how the first six steps of connecting a cellular device to a base station happened totally in the clear, and authentication didn’t happen until the seventh step.

EFF技术研究员Yomna N在2019年解决了这个问题，最终制作了一份报告 ，概述了4G IMSI捕集器的理论操作。 在他的演讲中，Quintin展示了将蜂窝设备连接到基站的前六个步骤是如何完全明了的，直到第七步才进行身份验证。

“This is where the dragons were,” he said. During these initial steps, all sorts of important information could be extracted from the target device by a cell site simulator. It could even trick victims’ phones into using a 2G connection, again opening up transmissions to the attacker.

他说：“这就是龙的所在地。” 在这些初始步骤中，小区站点模拟器可以从目标设​​备中提取各种重要信息。 它甚至可能欺骗受害者的电话使用2G连接，从而再次向攻击者开放传输。

Importantly, Quintin said that unless it’s able to pull of its 2G switch, the new cell site simulators probably aren’t able to intercept your data. But newer 4G IMSI catchers can track devices and surveil large crowds, like those found at protests.

重要的是，Quintin说，除非能够拉动其2G交换机，否则新的蜂窝基站模拟器可能无法拦截您的数据。 但是，较新的4G IMSI捕获器可以跟踪设备并监视大量人群，就像在抗议活动中发现的那样。

跟踪塔 (Tracking the Towers)

Security wonks have already released several tools for finding bogus cell towers. Some rely on software-defined radio technology, while others are simply smartphone apps. But while they’re useful, none are adequate for ferreting out newer cell site simulators, Quintin said.

安全专家已经发布了几种寻找伪造手机信号塔的工具。 一些依赖于软件定义的无线电技术，而另一些仅仅是智能手机应用程序。 Quintin说，尽管它们很有用，但还不足以找出更新的细胞部位模拟器。

So the EFF produced its own tool: Crocodile Hunter. Why the name? “Stingray” is the brand name for an IMSI catcher marketed to law enforcement. It’s also the animal that killed Steve Irwin, star of the TV program Crocodile Hunter.

因此，联邦军制作了自己的工具：鳄鱼猎人。 为什么叫名字？ “黄貂鱼”是销售给执法部门的IMSI捕手的商标名称。 这也是杀死电视节目《 鳄鱼猎人》(Crocodile Hunter)明星史蒂夫·欧文(Steve Irwin)的动物。

Crocodile Hunter uses a Raspberry Pi and about $500 worth of radio equipment. The setup gatherers data about all the surrounding cell sites, and then compares that information against an open-source database of known cell towers. Anything that’s a mismatch gets marked on a map with a skull.

鳄鱼猎人使用树莓派和价值约500美元的无线电设备。 设置收集器会收集有关所有周围细胞位置的数据，然后将该信息与已知细胞塔的开源数据库进行比较。 任何不匹配的内容都会在地图上标有头骨。

Quintin stressed, however, that just because something’s anomalous doesn’t mean it’s nefarious. Suspicious sites were found and examined. If it turned out to be attached to a tower or a building, that was probably legit. “If it’s not a building at all but an unmarked van, well, that’s more suspicious,” said Quintin.

Quintin强调，然而，仅仅因为某些异常并不意味着它是邪恶的。 发现并检查了可疑站点。 如果事实证明它是附属于塔楼或建筑物，则可能是合法的。 昆汀说：“如果它根本不是一栋建筑物，而是一辆无标记的货车，那就更可疑了。”

One thing Crocodile Hunter can’t do is communicate with the questionable cell towers, and for good reason-”EFF lawyers helpfully pointed out, that would be illegal,” explained Quintin.

鳄鱼猎人无法做的一件事就是与可疑的手机发射塔进行通信，这有充分的理由。

The problem is that Crocodile Hunter isn’t licensed by the FCC for such operations. That’s too bad, because it would give researchers a lot more information about the suspect cell sites.

问题在于，鳄鱼猎人未获得FCC许可进行此类操作。 这太糟糕了，因为它将为研究人员提供有关可疑细胞部位的更多信息。

一个更美好的未来 (A Better Future)

Work on Crocodile Hunter is ongoing, and Quintin hopes to improve its detection capabilities and bring down the cost of construction. The EFF has released all the information about Crocodile Hunter on GitHub, where any enterprising researcher can build their own version. The technology is currently being used in DC and New York, as well as in Latin America through the Fake Antenna Detection (FADe) project, Quintin said.

鳄鱼猎人的工作仍在进行中，昆汀希望提高其探测能力并降低建造成本。 EFF已在GitHub上发布了有关Crocodile Hunter的所有信息，任何有进取心的研究人员都可以在其中构建自己的版本。 Quintin说，该技术目前正在DC和纽约以及拉丁美洲的Fake Antenna Detection(FADe)项目中使用。

While detecting bogus cell towers is all well and good, Quintin has an eye on making it much harder for anyone to use IMSI catchers, or similar technologies, to surveil people. He called on Apple and Google to provide a toggle so users who don’t need to use 2G can simply switch it off in Android and iOS. “This would eliminate the worst abuses such as downgrading to 2G,” he said.

尽管检测伪造的细胞塔是一件好事，但Quintin致力于使任何人都难以使用IMSI捕集器或类似技术来监视人们。 他呼吁苹果和谷歌提供一个切换器，以便不需要使用2G的用户可以在Android和iOS中将其关闭。 他说：“这将消除最严重的滥用，例如降级到2G。”

Quintin also suggested that the pre-authentication messages for 4G (and, he noted, 5G) either be eliminated or encrypted. Manufacturers and standards groups, Quintin suggested, should also make customer privacy a greater priority.

Quintin还建议消除或加密4G(以及他指出的5G )的预身份验证消息。 Quintin建议，制造商和标准组织也应该将客户隐私放在首位。

“None of these are foolproof, and none of these will stop [cell site simulators] entirely, but we aren’t even doing the bare minimum,” said Quintin.

Quintin说：“这些都不是万无一失的，它们都不会完全停止[单元站点模拟器]，但我们甚至都没有做到最低限度。”

Still, the talk ended on an upbeat note: “With a little elbow grease, and a little bit of political effort, this problem of IMSI catchers could be solved.”

尽管如此，谈话还是以乐观的语气结束了：“有了一点肘油，加上一点点政治努力，就可以解决IMSI捕手的问题。”

Originally published at https://www.pcmag.com.

最初发布在 https://www.pcmag.com 。