Saturday, September 6, 2014

Trivia, Part 2

In Part 1 we touched on how modern communications are reliant on cell phone towers. Then, we ever-so-briefly considered efforts to camouflage these towers, and we saw how mobile cell phone towers can augment cell phone tower coverage in case of damage to a tower or to offer additional capacity when needed. Finally, we introduced the concept of "interceptors", phony cell phone towers that have been surreptitiously placed for some clandestine or illicit purpose.

We will continue by combining the concepts of a cell phone "tower" -- or perhaps "interceptor" is the better term to use here -- with the concepts of camouflage and mobility. However, before we proceed, we need to briefly review some terms used in discussing cell phones.

Most people have heard terms like "3G" and "4G" to describe cell phones and service. What exactly does this mean?

Initially, cell phones were analog devices. The radio frequency spectrum was divided into slices, called channels, and a cell phone would transmit on one channel, while simultaneously receiving on another. This ability to transmit and receive simultaneously is called "full duplexing", and allows for a normal conversation to occur. In contrast, radios tend to be "half duplex" systems, where one party talks while the other listens, and then they switch to where the one listens while the other talks.

Later, digital technology was incorporated, allowing compression and manipulation of the signals which, in turn, increased cell phone call capacity in a system. Even newer technologies in signal processing then allowed for dramatic leaps in data transfer rates, making it possible for cell phones to become handheld computers, and the cell network to work like Wi-Fi. This was dubbed "3G" for third generation, making analog technology 1G and the first digital technology 2G. Later, anything more advanced than 3G was dubbed "4G", though many people are beginning to realize that most "4G" is, in fact, only an incremental improvement over 3G. Thus, "true" 4G refers to 4G LTE - fourth generation long-term evolution.

Current cell phones use something akin to an operating system. The most common are GSM (Global System for Mobile Communications) used by AT&T and T-Mobile, and IDEN (Integrated Digital Enhanced Network), introduced by Motorola and used by Nextel, which is GSM-based.

For a readable explanation of cell phone technology and how it has evolved, I suggest you begin with How Cell Phones Work.

With this background established, we should begin with the question of just how small and mobile cell phone "towers" can get. To get some idea, we consider excerpts from The tiny cube that could cut your cell phone bill from March 21, 2011:

NEW YORK (CNNMoney) -- As mobile data usage skyrockets, wireless companies are spending billions each year to maximize capacity, and consumers end up footing the cost in the form of higher cell phone bills.

But a cube that fits in the palm of your hand could help solve that problem.

It's called lightRadio, a Rubik's cube-sized device made by Alcatel-Lucent (ALU) that takes all of the components of a cell phone tower and compresses them down into a 2.3-inch block. Unlike today's cell towers and antennas, which are large, inefficient and expensive to maintain, lightRadio is tiny, capacious and power-sipping.


When conceiving of lightRadio, Alcatel-Lucent's engineers stripped out all the heavy power equipment that controls modern cell towers, and moved it to centralized stations. That allows the lightRadio cubes to be made small enough to be deployed virtually anywhere and practically inconspicuously: Atop bus station awnings, on the side of buildings or on lamp posts.

Their small size and centralized operation lets wireless companies control the cubes virtually. That makes the antennas up to 30% more efficient than current cell towers. Live data about who is using the cubes can be assessed, and the antennas' directional beams can be shifted to maximize their potential. For instance, radios may be pointed in one direction as people are coming to work in the morning and another direction as they're leaving work at the end of the day.

The lightRadio units also contain multi-generational antennas that can relay 2G, 3G and 4G network signals all from the same cube. That cuts down on interference and doubles the number of bits that can be sent through the air.

Today's cell towers, by contrast, send power in all different directions, most of which is lost, since it doesn't reach anyone's particular devices. They're inefficient in other ways as well: Roughly half of the power from cell towers' base stations is lost before it makes its way up to the antennas at the top of the tower. And they have separate antennas for 2G, 3G and 4G networks, causing interference problems.


Each 1.5-Watt lightRadio cube powers about a two-block radius, so in urban areas, they can be deployed throughout the city and stacked like Lego blocks in stadiums or other areas that need extra capacity. In rural areas, they can be deployed atop existing cell towers in arrays.

Since that article was written, these kinds of devices have been deployed to provide cell phone coverage in "dead zones" such as under bridges, inside buildings, and so on.

However, this was intended for the legitimate purpose of providing better cell phone coverage. While this kind of technology could be misused, there are also devices that were intended for surreptitious use. One such device is called an "IMSI Catcher". A brief excerpt from the introduction to IMSI-Catch Me If You Can: IMSI-Catcher-Catchers describes what this is (numbers in [brackets] refer to footnotes in the paper):

IMSI Catchers are MITM (man in the middle) devices for cellular networks [20]. Originally developed to steal IMSI (International Mobile Subscriber Identity) numbers from nearby phones (hence the name), later versions offered call- and message interception. Today, IMSI Catchers can also be used to track handsets, intercept mobile two-factor authentication schemes (mTAN), geo-targeted spam [24], send operator messages that reconfigure the phone (e.g. installing a permanent MITM by setting a new APN, http-proxy, or attack the management interface [32]), or attack SIM cards with encrypted SMS [26] that are filtered by most operators by now.

A company called Gamma Group markets an IMSI Catcher which a person can wear under a coat, kind of like a bullet-proof vest. Here are excerpts from The body-worn "IMSI catcher" for all your covert phone snooping needs, dated September 1, 2013:

"The unit is optimized for short-range covert operation, designed to allow users to get close to Target(s) to maximize the chances of only catching the Target(s') identities and minimal unwanted collateral," one of the marketing pamphlets boasts. "The solution can be used as a standalone device or integrated into wider data-gathering and geo-tracking systems."

At just 41 x 33 x 18 centimeters, the device is small enough to fit under a shirt. It needs from one to 90 seconds to capture the international mobile subscriber identity (IMSI) or international mobile equipment identity (IMEI) of the person being tracked. It works on all GSM-based networks regardless of country and is fully operational even when functioning in a moving vehicle. The same brochure advertises several other varieties of IMSI catchers, including some that work in a totable briefcase and one that receives signals from a covert vehicle roof bar antenna. The James Bond spying tools are sold to government agencies and law enforcement organizations.


Other devices available from GammaGroup help snoops physically track and tap a target once his IMSI is known. One device helps spies physically locate a target by locking into his mobile phone signal. It can also intercept the target's SMS messages and "take control of target phones for the purpose of denying GSM service." The devices can even "create a bubble or exclusion zone to deny GSM network coverage without alerting cell phones."

In other words, these devices can identify your cell phone, find where your cell phone is, and then jam it without your cell phone alerting you to the process. Also, your cell phone communications can be monitored, and even spoofed: it is possible your cell phone can receive fake messages, and fake messages can be sent out with your cell phone's signature.

And all it takes to make this happen is to get a small computer-controlled device, which would fit comfortably in a briefcase or overcoat, within a reasonably short distance from you - not necessarily close enough for you to notice.

Stick around for Part 3.
