This morning's NSA article from WaPo contains some slides mentioning USRP equipment[1]. It's hard to say without more context whether it's referring to the GSM equipment from Ettus...anyone care to speculate? The USRP series doesn't exactly seem like carrier-grade equipment, but perhaps the NSA has a good reason to use it. Maybe baseband exploitation, as coderman has previously mentioned? Simply getting cell tower database dumps from the telcos would suffice for location info, so I would guess this has a different purpose.
[1] http://apps.washingtonpost.com/g/page/national/nsa-signal-surveillance-success-stories/647/#document/p3/a135606

On 12/10/2013 05:56 AM, Matej Kovacic wrote:
> Hi,
>
>> Can/do IMSI systems spoof tower id: is there anything in GSM to make
>> towers self-verifying? I'm guessing no, in which case the above would be
>> very poor.
> No, the problem is that the mobile phone authenticates to the mobile
> network, but the opposite is not true. Since the mobile network does not
> authenticate itself to the mobile phone, IMSI Catcher attacks are possible.
>
> There has also been a demonstration of a "home-made" IMSI Catcher based on
> the Osmocom platform last year at the CCC conference.
>
> The video of the presentation "Further hacks on the Calypso platform" by
> Sylvain Munaut is here:
> http://media.ccc.de/browse/congress/2012/29c3-5226-en-further_hacks_calypso_h264.html
>
> So, it is very easy to set up a fake cell with any cell ID.
>
>> Also of note is API for signal strength, so a mapping of known towers to
>> expected strength at location XYZ could be used to detect systems used
>> to home in on phones, which usually max out on signal and tell your
>
> This would not work, because cells are not static (new cells emerge,
> covered areas change, etc.) and the opencellid database is not regularly
> updated. There could also be femtocells used, etc.
>
>
> Regards,
>
> M.

-- 
http://disman.tl
OpenPGP key: http://disman.tl/pgp.asc
Fingerprint: 2480 095D 4B16 436F 35AB 7305 F670 74ED BD86 43A9
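The one-way authentication Matej describes, modelled as a small simulation. This is an added example, not code from the thread or from Osmocom: the phone selects the strongest cell that claims its home PLMN, answers IDENTITY REQUEST and AUTHENTICATION REQUEST, and has no message with which to challenge the network in return. A rogue BTS needs neither Ki nor an HLR; it just broadcasts the home MCC/MNC with a strong signal and asks for the IMSI. The A3 function below is an HMAC stand-in (assumption), not the operator's real algorithm, and the IMSI, Ki and cell parameters are constructed values.

```python
"""One-way GSM authentication, constructed example (not the thread's code).

The mobile station (MS) proves knowledge of Ki via RAND/SRES, but nothing in
the protocol lets the MS verify the network. System information broadcasts
are unsigned, so any cell ID claiming the home PLMN is accepted on signal
strength alone.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Cell:
    mcc: str       # mobile country code, e.g. "262"
    mnc: str       # mobile network code, e.g. "01"
    lac: int       # location area code
    cell_id: int   # any 16-bit value; nothing ties it to a real operator
    rxlev: int     # received level as seen by the phone; higher is stronger


def a3_stand_in(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3 (assumption): 32-bit SRES from 128-bit Ki and RAND."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]


class Phone:
    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self.ki = ki
        self.home_plmn = (imsi[:3], imsi[3:5])   # MCC/MNC prefix of the IMSI

    def select_cell(self, cells):
        """Camp on the strongest cell claiming the home PLMN; the claim is
        unverifiable because broadcast system information is not signed."""
        home = [c for c in cells if (c.mcc, c.mnc) == self.home_plmn]
        return max(home, key=lambda c: c.rxlev)

    def handle(self, msg: dict) -> dict:
        """Answer network requests. There is no request the MS can make back."""
        if msg["type"] == "IDENTITY REQUEST":
            return {"type": "IDENTITY RESPONSE", "imsi": self.imsi}
        if msg["type"] == "AUTHENTICATION REQUEST":
            sres = a3_stand_in(self.ki, msg["rand"])
            return {"type": "AUTHENTICATION RESPONSE", "sres": sres}
        raise ValueError("unexpected message %r" % msg["type"])


class HomeNetwork:
    """Legitimate network: knows Ki per IMSI and verifies SRES."""
    def __init__(self, cell: Cell, subscribers: dict):
        self.cell = cell
        self.subscribers = subscribers

    def attach(self, phone: Phone) -> bool:
        imsi = phone.handle({"type": "IDENTITY REQUEST"})["imsi"]
        rand = os.urandom(16)
        sres = phone.handle({"type": "AUTHENTICATION REQUEST", "rand": rand})["sres"]
        expected = a3_stand_in(self.subscribers[imsi], rand)
        return hmac.compare_digest(sres, expected)


class RogueBTS:
    """IMSI catcher: no Ki, no HLR. It only needs the phone to camp on it."""
    def __init__(self, cell: Cell):
        self.cell = cell
        self.caught = []

    def attach(self, phone: Phone) -> str:
        imsi = phone.handle({"type": "IDENTITY REQUEST"})["imsi"]   # sent in the clear
        self.caught.append(imsi)
        # It may skip authentication or send a RAND and accept any SRES;
        # from the phone's side both look like a normal attach.
        phone.handle({"type": "AUTHENTICATION REQUEST", "rand": os.urandom(16)})
        return imsi


def simulate() -> dict:
    ki = bytes(range(16))                                  # constructed 128-bit Ki
    phone = Phone(imsi="262011234567890", ki=ki)           # constructed IMSI
    real = HomeNetwork(Cell("262", "01", lac=1001, cell_id=4242, rxlev=40),
                       subscribers={phone.imsi: ki})
    # Rogue cell: same PLMN and LAC, arbitrary cell ID, stronger signal.
    rogue = RogueBTS(Cell("262", "01", lac=1001, cell_id=65535, rxlev=60))

    chosen = phone.select_cell([real.cell, rogue.cell])
    caught = rogue.attach(phone) if chosen is rogue.cell else None
    return {
        "selected_cell_id": chosen.cell_id,
        "rogue_caught_imsi": caught,
        "legit_auth_ok": real.attach(phone),   # the real network still verifies fine
    }


if __name__ == "__main__":
    print(simulate())
```

The point of the simulation is where the check lives: HomeNetwork.attach verifies SRES, but Phone.handle verifies nothing, so the same phone code attaches to the rogue cell with no observable difference. A stronger rogue signal wins select_cell regardless of its cell ID, which is the reason a cell-ID or signal-strength whitelist built from a stale database cannot distinguish a new legitimate cell from a catcher.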
