The Poisoned Handshake: Using Fake Cell Towers to Manipulate Cell Phone Networks

When you are on the move, your cell phone automatically detects the signal from the nearest tower. Tower signals may overlap but the strength of their signals will not be uniform and there are occasional dead spots where you can lose a signal completely. Cell phones are designed to seek out the strongest signal. This automatic shifting from one tower to another is referred to as the ‘handover procedure’. Establishing a new connection is termed a ‘handshake’. Signal strength measurements are sent to the network to initiate this procedure and these communications are encoded to protect them from being intercepted.

But imagine if a nefarious actor could intercept these communications and pose as a fake tower. It would be the same as putting a black hole in the middle of the cell phone grid, and that’s only the beginning. And don’t think that just because 5G networks don’t rely on traditional cell towers that they are immune from such attacks. In fact, it’s just the opposite. Because 5G networks have a shorter range, more masts are necessary. More masts mean more handshakes, and more handshakes mean increased vulnerability to the handover attack.

This vulnerability was recently disclosed by researchers Evangelos Bitsikas and Christina Pöpper, though it was not the first time it has been investigated. It appears that, although the handover message is encrypted, its content is not analyzed but accepted more or less at face value. That is, any request for another tower with a stronger signal is assumed to be valid. This attack vector would be most effective if the fake tower were placed in weak spots in the coverage grid. In these instances, the automatic handover to the nearest stronger signal would send the information to the attacker’s fake tower. Worse yet, the fake tower, with its stronger signal, could be configured to emulate the real tower and, thus, all traffic would be sent to it.

But so what? What can an attacker do with a handover request? Simply attracting cell phones to a fake tower would bring down parts of a grid, if that was the attacker’s goal. This would be done by, in effect, ignoring the request for a handover. If multiple fake towers were used, the result could be a major disruption in cell phone service. Such a methodology would more likely be used by a nation-state than individual hackers. It could also be used as a distraction to allow other types of cyber attacks to take place.

Another use of the handover vulnerability would be through a man-in-the-middle (MITM) attack. That is, these fake towers can intercept communications destined for one tower or the response coming back from that same tower. In the man-in-the-middle scenario, the fake tower can control the signal that is sent back to the user to begin an attack through that user.  

It is not a simple matter to emulate a base station, but the possibility exists. In fact, there are tutorials online to show you how to do this. The vulnerability that exists in the handover procedure is mainly due to the acceptance of all handover requests as valid. The vulnerability is enhanced by the fact that the user’s device is not designed to inform the user whether a base station is real or fake.

Once a user hands over requests to a false base station, a number of possible exploit vectors arise. Here is a diagram from a report on detecting false base stations that was published earlier this year.

To summarize the chart above, once a false base station is established, these are the possible attack vectors that can be exploited.

Identify Users – It is possible that those who control the false base station and receive cell phone communications can identify the user behind the communication. This is done either passively, by analyzing the communication, or actively, by directly contacting the user through, for example, an SMS message.

Denial of Service (DoS) – Once the false base station gets the communication, its operators can simply not pass the signal on and all communications from the user’s device become impossible. This is the ‘black hole effect’. They may even block communications from legitimate base stations by raising the strength of their signal above that of the legitimate station. Cars now use these base stations to present information to drivers. Disrupting this communication could cause even greater problems.

User Spoofing – Those controlling the false base station may attempt to impersonate the user and send spam or phishing SMS messages in their name. They could also target the user with similar attacks. According to the report, multiple users could be targeted through messaging to “create (an) artificial emergency which can be exploited by malicious parties for hiding their agenda”. In other words, nefarious actors could inform users of some emergency situation to create panic which the attackers could exploit to distract from another more serious attack that they may have planned.

The researchers found that different devices, with their differing handshake architecture, can vary in their vulnerability to handover attacks. Here is a chart showing four such devices and their vulnerability to both MITM and DoS attacks.

Although MITM attacks may be the ones to most affect individual users with fake SMS messages, spam, and the potential to quickly drain battery life, these are not the most dangerous attacks overall. I would expect malicious nation-states to position themselves in grids to destabilize them if the situation called for it.

Solutions to fake tower attacks are being intensively sought after. For the moment, no user device solution has been found. However, AI algorithms are being used to pick up inconsistencies in the network which could point to the existence of a fake tower. In such a case, the legitimate base station would simply refuse to make a handover to this ‘tower’. It would be like putting the fake station behind a firewall.
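A minimal sketch of the network-side check described above, as an added example that is not taken from the article or the report it cites. A simple statistical baseline stands in for the AI model, and the cell names, dBm values and thresholds are constructed assumptions.

```python
from statistics import median

# Constructed sample data: cell ids, dBm values and thresholds are
# illustrative assumptions, not values from the cited report.
NEIGHBOURS = {"cell-A": {"cell-B", "cell-C"}}   # serving cell -> configured neighbours
HISTORY = {                                     # past signal reports (dBm) per neighbour,
    ("cell-A", "cell-B"): [-101, -99, -103, -100, -98, -102],  # as seen from cell-A
    ("cell-A", "cell-C"): [-110, -108, -111, -109, -107, -112],
}
MIN_SAMPLES = 5      # below this there is no baseline to compare against
MAX_DEVIATION = 6.0  # allowed distance above baseline, in units of spread


def baseline(samples):
    """Return (median, median absolute deviation) of past reports."""
    mid = median(samples)
    mad = median(abs(s - mid) for s in samples)
    return mid, max(mad, 1.0)   # floor the spread so a flat history stays usable


def check_handover(serving, target, reported_dbm):
    """Decide whether the serving cell should hand a phone over to `target`."""
    if target not in NEIGHBOURS.get(serving, set()):
        return ("refuse", "target is not a configured neighbour")
    samples = HISTORY.get((serving, target), [])
    if len(samples) < MIN_SAMPLES:
        return ("refuse", "no baseline for this neighbour yet")
    mid, mad = baseline(samples)
    score = (reported_dbm - mid) / mad
    if score > MAX_DEVIATION:
        return ("refuse",
                f"{reported_dbm} dBm is {score:.1f} spreads above baseline {mid} dBm")
    samples.append(reported_dbm)   # accepted reports extend the baseline
    return ("handover", "report consistent with baseline")


if __name__ == "__main__":
    for target, dbm in [("cell-Z", -90), ("cell-B", -60), ("cell-B", -97)]:
        print(target, dbm, check_handover("cell-A", target, dbm))
```

A refused report is also a detection signal: logging the phone's approximate location with each refusal gives the operator a place to start looking for the transmitter.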

If you think such cell tower spoofing is simply a concept, think again. In 2019, intelligence officials concluded that surveillance devices, known as ‘StingRays’, had been placed near the White House and at other locations around Washington. These international mobile subscriber identity-catchers or IMSI-catchers were used to “mimic regular cell towers to fool cellphones into giving them their locations and identity information.” These devices, tied to Israel, were used to capture the contents of calls and data use, presumably from people working for the president. Because they were connected to Israel, which was, at the time, friendly with the Trump administration, nothing serious came of it.

Here is a picture of the StingRay, which is now considered obsolete.

It has been replaced by the Nyxcell V800.

Because of the high price for these devices, I would not expect them to be used by individuals. Currently, they are used by law enforcement and governments. But they could easily fall into the wrong hands. After all, China had developed such technology as far back as 2017. Does anyone believe they wouldn’t try to use it to spy on the U.S. government?

Chinese criminals used this attack vector to infect phones with malware that later stole banking information. The only reason this vector has not received much attention is that it was used only in China. So far, we have not seen this attack take root in the U.S., but it would be foolish to think it won’t. In fact, it is probably only a matter of time before criminals realize how powerful this vector is and begin to target corporate and government networks. This would be a potent way to begin a ransomware attack, for example. Companies need to be aware of this and inform users to be careful of any links that arrive via SMS messaging. Unless you have special architecture in place which overrides bad user behavior, your company can be compromised by one person’s bad judgment.
