[applause] >> Alright, ooo wow, you guys can hear me really well, can't you? Alright, my name is Eric Escobar, I'm a Security Engineer for Barracuda Networks. And today I'm going to be talking to you guys about Discovering and Triangulating Rogue Cell Towers. So a bit about me, oh that's loud. I started out as a civil engineer, and when I say started out, I went through, got my Bachelor's, my Master's and now I have a PE, I'm a licensed Civil Engineer. My parents love that, but I told them I was going to go into computers, so that didn't go over so well. I've always loved computers, I've always nerded out on all things wireless, even before that I was a licensed ham radio operator. And I also love to automate things. So my chicken coop is automated, opens, closes, feeds them, does the whole thing. And my sprinklers are run by a cron job, so that's the level of nerd that we're talking. [applause] And so three years ago is when I started working at Barracuda Networks. I was previously, about exactly three years ago, pumping water in the middle of a field as a civil engineer doing some well maintenance, and then I got a lucky break from my great boss and he said, hey, you know what, I think you have a good mind for this, if you want to try this security space, then, you know, we'd love to have you. And so I took them up on it and then we headed over to DefCon and since then I've been in all things wireless.
So the first year somebody asked me, are you the Fox? And I said, no, no I'm not the Fox, what are you talking about? And they said, hey, I'm doing the wireless CTF. And I said, wireless CTF, I could totally get involved with that. The next year we came back thinking we're just going to go look for the Fox, and we ended up winning the wireless CTF. So that was really great. And so this year, hopefully, when I'm done with this talk, we will have won the second year in a row. So that will be pretty awesome too. Let's see. Alright, so a bit about what I do at Barracuda Networks. I'm a security engineer like I said, so I do incident response with my team, pen testing, we do red team Fridays where we bring in pizza and red team our network, which is pretty awesome. I've even been lucky enough to do some social engineering campaigns, phishing campaigns, and if any of you are Bugcrowd researchers, when it was just Barracuda doing it, you probably talked to me at some point in time. I also do infrastructure scanning and I've done a little bit of IPAM work and multi-factor authentication for Barracuda.

Alright, so today what we're going to cover is what is a rogue cell tower, why you should care about rogue cell towers, how to detect a rogue cell tower, how to find one after you've detected it, and how you can build a detector at home. And then once you've detected one, what the heck do you do with it. Alright, so first up, what is a rogue cell tower?
Well, it's something that's purchased by companies, governments or other hackers and it has the ability to trick your phone into thinking that it's a real cell phone tower. So it's kind of like an evil twin attack, if you're familiar with wireless at all. These are known as IMSI catchers, interceptors, cell site simulators, StingRays, and there's probably a few other things, but really, they're pretty much called cell site simulators or IMSI catchers, because StingRay, which they're popularly known by, is a corporate term, or it's the name of the actual company that makes them. And rogue cell towers have the ability to collect information about you. Indirectly, just through metadata, and metadata can tell you a lot of things about you. Call length, numbers that you've dialed, and those kinds of things. In some conditions they can even downgrade your connection, and so they can listen to your messages, your calls, and they can even get some data. Alright, so how are they used today? I'm not going to go over this a whole lot. But pretty much, the ACLU has identified 66 agencies and 24 states that own StingRays. These have been used to monitor demonstrations in the United States, such as in Chicago and the political protests. Last year there was Freddy Martinez, he talked at the Crypto Village and he did a great talk on Freedom of Information Act requests and dealing with IMSI catchers and how to prove that they're actually being used.
And it's also possible to make an IMSI catcher at home. Chris, back in DefCon 18, he made an actual IMSI catcher and showed it off, and that was way more technical than I probably ever hope to do any time soon, but it's a really cool trick, or not trick, it's a really cool hack, and from there basically we're going to see if we can detect what he did. So if you want to know more about cell site simulators, or if this is the first time that you've heard that, go check EFF and the ACLU, they have these two great links and they're awesome for just getting a lot more information, and it goes far more in depth than I could do in even a full presentation about that. And so abroad they're also used. There's not a whole lot of great data on this, but we know that there have been, you know, sightings of these in Ireland, the UK, China, Germany, Norway, South Africa. Chinese spammers were also caught using this to send spam phishing messages. And they're used by governments and corporations alike. And I think corporate espionage is also where they're used. In terms of, there's a lot of other data that they probably want from their competitors, and if somebody doesn't have a way to detect a cell site simulator, you'd be giving up corporate secrets without even knowing it. So let's talk about what the IMSI in IMSI catcher is. So IMSI stands for International Mobile Subscriber Identity. It's used as a means of identifying a device on the cell network.
It's typically 15 digits long and it contains information about your device. So there's the MCC, which is the Mobile Country Code, the MNC, which is the Mobile Network Code, and there's the Mobile Subscription Identification Number, or MSIN. So all of the country codes, the MCC, are available on Wikipedia, so if you want to look one up, maybe you make one of the devices, you know, and say, hey, that doesn't look like the United States country code, and if you're in the United States, you know, what should mine be? And you see something come up, you can take a look at these, they're all on Wikipedia. Same thing with MNC. All of these are available, there's a big list of them. So if you're ever curious, you can just head over there and check it out. So basically to summarize all that, an IMSI is a unique identifier to your device. So that's you, that's like the MAC address of your laptop, that's what can identify your device. And so if you swap, you know, your SIM card into different phones, then that's something that can still identify that SIM card itself. And so here's what a sample IMSI would look like. So you can see it has the MCC, which is 310 for the USA, it has the MNC for AT&T and that's 026, and then the unique identifier, which is your MSIN. So why should you care about this? Well, if somebody were to drive up and have an IMSI catcher, you know, maybe you're sitting there and you're having coffee at a coffee shop.
You're one big fish in that, or you're one fish in that big net. So what could happen is, if they're driving up and say somebody's looking for someone in the area and they think that they're there, they grab all of the information, because your phone, it just goes for the strongest signal strength, and so if it happens to be that IMSI catcher, then that's you. And it doesn't matter if it's the government, it doesn't matter if it's a hacker, these things are easy to build for less than, you know, a couple grand. And to get all that personal information, it could be well worth it. And also there was a talk on LTE downgrade to GSM this year, and so that's another thing that the cell tower controls, you know, some of the options that are sent to the mobile device, and so if they want to downgrade you, you can totally do that. I saw a couple of times, when I was upstairs in the wireless village, that what had happened is it downgraded from LTE to 2G and you knew something bad was going on. So that's just one way: you're just a small fish in a big net and they catch anybody that's around you. Alright, so why should you care about this? Well, I think if you don't know by now, there's a couple reasons why you should. Your phone will connect automatically to cell site simulators. It doesn't matter, you know, it's not like connecting to an access point with your cell phone.
What will happen is your phone will just pick the thing that has the strongest signal, doesn't ask you, doesn't say, hey, this one looks kind of fishy. It just says, this one gives me the best signal, let's go from there. And these can steal your personal information. Hackers can track where you go, who you're talking to, and they can grab all sorts of data about you. Your digital life can be sniffed out of the air by anyone. And I mean, it's real, the hardware is always coming down in cost. And your company could be leaking trade secrets. I mean, just think about two-factor authentication. If it's sent over SMS and they can intercept that, you know, then they can have that second factor if they've already got your password. Not to mention, a lot of people think that text messages are, you know, extremely private, and if you don't believe so, just ask somebody, hey, can I flip through your text messages real quick? They won't let you. Alright, so why build a detector? So there are some Android phones that have apps that, you know, can do this, but I've found that you need to have a specific model and you need to have it rooted to work. And I wanted something cheaper, I didn't want to have a phone dedicated only to just watching cell towers. And I also wanted a device that was really cheap.
I mean, I just want something that's somewhere around 50 dollars so that it's easy to make, and it's not like, oh, well you can totally detect them for a couple grand. And I also wanted to be able to set it and forget it, and I wanted to be alerted to any anomalies. I didn't want it to have to be something where I got suspicious all of a sudden and I had to go turn it on and figure out how to rig it all up. And I wanted the ability to network them together. So if I wanted 3, if I wanted 5, if I wanted 100, I wanted the ability to just plug it into the network and have them all talk to each other.

So how do you actually detect a rogue cell tower? Well, every cell tower, or base transceiver station (BTS), beacons out information about itself. And this is available to your phone, and it has stuff like the radio frequency channel number that it's on. We talked about the MCC, the MNC, the cell ID, the location area code, so that's specific to where you actually are. The transmit power, and some neighboring cells. Neighboring cells I haven't had a lot of luck with, but all the rest should still be enough to do it. So like I said, these values should remain pretty constant. You know, you don't want your country code to change, because if you're not in the United States, then all of a sudden, I mean, you could have a problem. You know that if you're in the United States, you should have a 310; if it's not, then something else is going on.
The MNC, your network code, shouldn't change. The cell tower, the unique identifier, shouldn't change. The area code shouldn't change. And the transmit power, that should also not change. Now, there are reflections and things and ways that it can change, but overall, over a period of time, it should just average out. So ok, so if values deviate from what you've expected, it can mean that there's some maintenance taking place. It's not necessarily that, hey, all of a sudden transmit power went down or maybe a cell tower went down. It could just mean that something has deviated. And it could just mean that changes are being made to the network. But that's the whole reason why I wanted to be able to go find it, because if there's a new signal that's coming out, I want to go see, hey, is this a cell tower that's messing up? Is this, you know, maybe they're adding some extra carriers to it? There could be something actually happening. So the ability to go out and find it is really crucial to knowing if something's actually happening. And really the way that this works is, it's like you're taking a baseline. And so you're sitting there and you're watching the neighborhood, you're watching to see, you know, what cars go in and out, you're just being familiar with what's in your airspace, and if something drastically different hops in your airspace, you know that, hey, maybe I should be suspicious of this.
Maybe I need to go check it out. So these are just some sample values. 310 again, United States. 026 is AT&T. The unique ID for the cell tower, and the radio channel that it's on. If any of those change, or if the tower goes completely away or a new tower comes up in its place with a really strong signal strength, you know that it's something you should probably look at. Alright, so let's just do a quick example of this. If a new tower pops up with an unknown cell tower ID and high transmission power, you know, the mobile country code could mismatch, the frequency could mismatch. And you know, maybe the location area code could change too. These are all things to keep in mind, all things to look for. They don't all need to change, but a couple of changes here and there are enough to be suspicious of. And so obviously, why locate a tower? Well, you want to know if it's a cell tower or if it's a van with a tower inside of it.

And now let's talk about actually locating them. So I'm going to combine all this: the unique cell phone tower, receive power and location, and the easiest way that I've found is to combine all of that information on one detector that can be moved around. If you just have a couple of detectors spread out, you know, say, throughout a neighborhood or something, you're not going to get as great data as if you can just move around, because then you can take a bunch of different points. And we'll talk about that later on.
So this is an example heat map that I made, and this is just me driving around. I selected one tower, and this is me practicing on an actual tower. This isn't a rogue cell tower, this is just me driving around and seeing like, hey, let's see if I can find an actual tower, kind of as a blind test. And so when I plotted up the data here, you can see that red spot and you can see that signal strength is highest. And that comes down to probably about a 20 to 30 meter radius, and that's enough to tell, is there a tower poking up out of the ground that's a couple hundred feet? It's really easy to tell if there's nothing there or if there is something there. Or maybe on top of a building there's some antenna, that's a good way of telling. You know, does that look shady, or is that, you know, a van parked outside my street or some, you know, hacker kid sitting in the back of a car? So multiple detectors with known locations allow for trilateration of suspected, you know, towers. And the received power and distance, they're not inversely proportional. You'll need some regression formulas, and they're required to calculate in order to fine tune the results. It's less accurate, but it's still pretty good. And TDOA, or Time Distance of Arrival, this is another way that I had thought, hey, maybe I can find a cell tower this way.
But really, I don't have an accurate enough time, and if you're not familiar with what TDOA is, it's a way to, you know, you're waiting for a signal to come in and you're measuring the speed or the length of time that it takes a light signal to come from that tower to wherever you are. And measuring the time, it's kind of like GPS, it works with, you know, the speed of light is constant and so you can use that to kind of do some math. But you need a really accurate clock, and that's not something that I have, and so I thought, ok, well that's not going to work.

Alright, so now I'm going to talk about trilateration versus triangulation. So a lot of people get mad at me when I inversely use these, and I get it, but some people don't, and when I was doing this presentation before, there were a lot of questions about it. So I'm going to go over it real quick. If this is something you already understand, great, you get a refresher. And if you don't, hopefully you know the difference. Alright, so like any good engineer, I have my north arrow for my free body diagram. And so let's picture there is an explosion or a really loud sound. The way triangulation works is, if you're at home and your friend's at the store, maybe your wife's at work, you all hear the same big explosion, you're all going to look in the same, or you're all going to look in the direction of the explosion.
And so if you were to intersect all the lines of where you guys are looking, you're going to see pretty much a pretty good representation of where the explosion probably happened. If you all call each other and say, hey, you know, I'm at home, I'm looking towards the southeast, and if I'm at the store, I'm looking west, and I'm at work looking north, you can have a pretty good idea of kind of where it came from. And so triangulation, the angle there from the north arrow, you know, to whatever direction you're looking, that's the angle you're actually talking about. And a lot of people get that confused with what trilateration is. So with triangulation you have your known points of where you are, and you can use that to find, you know, the very center of that triangle. So this is something that I've wanted to do. I've wanted to add this feature. I didn't have enough time to do it before this, but if somebody wants to help me work on it, I'd love to take up any helpers. So conceptually this makes sense, but I haven't actually tried it out. And so what I want to do is basically put like an RF shielded dome on top of my antenna and have it spin around. And when it spins around, at some point, when it lines up where the cell tower is, it will have a high signal strength. So right now, if you see this, like this is a cross-section of it, if the cell tower is right in line with where the slice is in it, you'll have a high signal strength reading as it spins around.
And then you can tell right here, the signal is being blocked because it's RF shielded, and so you'll have a lower signal. And so if you spin this all around, you'll have multiple detectors, you have different angles, and when all those angles intersect, that's typically where it's gonna be. So this is all just conceptual, I haven't done this one. This isn't how I normally do it, but it's something I just threw out there. And so technically my detector uses trilateration. And so this is a good representation of what I mean by that. So trilateration is just the magnitude of what's being felt. So say you're 100 feet away from a cell tower, you'll have full bars, versus say you're 300 feet, you know, you maybe only have two bars, 1000 feet it drops off to a single bar. So you know that you're a certain distance away based on your signal, however, you don't know what direction that's coming in. And so, if you're 100 feet away, that cell tower could be in a circle anywhere that's 100 feet away from you. And likewise, you know, if you have a weak signal strength, you know that you could be about 1000 feet away from that tower, but it could be anywhere on that big circle. So how do you fix this? Well, you add more detectors. And so say you have two detectors that are there. And you know, they have the same power strength, then you're gonna have two cell towers, you know, possibly two cell towers, where those two circles intersect.
And so how do you determine which one of those it is? You add a third detector, and then where all three of those circles intersect, that's where your cell tower most likely is. Or in and around that area. But that's a way that you can get rid of just knowing the power level that it's at. And so again, you do a lot of math. There are plenty of Python scripts, plenty of batch scripts, plenty of other ways that you can easily calculate this, when you know where you are and the magnitudes that you're feeling. So that's one of those things, if you don't know how to do it, just Google it. There's plenty of information out there. So how do you actually locate that tower? Well, power, it's not linear. You'll need more data, you'll need more monitoring nodes, and you'll need to do back of the envelope math. So what I mean to say is that you're not gonna directly find, you know, the square, you know, one foot by one foot area where this tower's transmitting from, but it's good enough to get you in the general vicinity of it. And cell towers, they also have different sectors, so they're not just a perfect omnidirectional antenna that radiates in all directions. So that's why having multiple detectors helps you kind of work out the fuzzy math and helps you actually find out where it is. And so that's why I like the multi-point trilateration, so you get a lot of points, you collect a lot of data. And it gives you a lot more accurate results.
And so obviously, I don't have a rogue cell tower that I can just test it with, and I'm not going to make one and have the FCC get mad at me, so I tested this on just real towers and say, hey, maybe this is a cell tower or, you know, that's a rogue one. Let's pretend like it's rogue and now I'll go check it out. So that's kind of, I just drove around town and saw what was out there. So yeah, back to this slide again. You can tell there's probably a tower in this area, and sure enough, if I were to show you the Google Maps of where this is, there's absolutely a tower there.

Alright, so let's talk about the actual build itself. I used a Raspberry Pi 3, power adapter and an SD card running stock Raspbian, and all this stuff is really, you know, there's plenty of guides on how to set this up. Then I bought a SIM900 GSM module, it's all available on Amazon. You can go there, it's like 17 dollars. I'll post links to all this and stuff you'll see later on. There's a serial GPS module, again 16 dollars off Amazon. Pretty cheap. And then a software defined radio, and now there's more cautionary tales about this, but I'll tell you about that going on. And then it's also made of scrap wood and hot glue. I was gonna 3D print some really nice case for this, and then I figured, we're at a hacker conference and this is hacked together, so I'm not going to make it any better, 'cause it definitely works. So brace yourself. This is quite literally a hack. If it shows up. There we go.
[applause] Alright, so let's break this down now actually and see what's there. Ok, so on top you have the GPS module, 'cause that extra 7 inches, you know, really gives it the height that it needs to get a clear view of the sky. The SIM900 cell module also goes up on top, 'cause hey, you want the best reception possible. Mind you, this is in my passenger seat. So then there is, on both sides of this, to connect the Bluetooth and the GPS module together, there's a serial to USB adapter there. And so that basically just gives you serial data, and that's why I liked using the Raspberry Pi, 'cause it gives you four USBs, so it's pretty easy to connect it all up and set it going so you don't have to burn your CPU on added GPIO pins. So again, scrap wood and hot glue. That's pretty much what I always use. And then there's a software defined radio, it's a USB TV tuner, it's called an RTL-SDR, we'll talk more about that. So how much does it actually cost? Well, if you want to do this with a Raspberry Pi Zero and really keep costs down, Raspberry Pi Zero is about 10 dollars when you include shipping with it, 5 dollar wireless adapter off Amazon, you know, 5 dollar USB hub, 5 dollar SD card. You can shop around and find all of this a lot cheaper, or, you know, you might just have it sitting somewhere in your bedroom. And then the real piece that you probably don't have lying around is the 27 dollar SIM900 module, and you can just buy this off Amazon.
You know, it's FCC regulated, has all its FCC IDs, 00:22:05.925-->00:22:11.697 um, and then there's also the 16 dollar serial GPS module and if you want to get a little bit 00:22:11.697-->00:22:16.869 nicer one, I got the Adafruit model. It's about 40 dollars, but it gets the job done a lot 00:22:16.869-->00:22:23.075 nicer, it's a lot quicker to fix positions. So in total it's, oooo, in total it's 52 dollars. 00:22:23.075-->00:22:26.946 Um, and again you can make it cheaper than that depending on where you source some of your 00:22:26.946-->00:22:31.116 materials from. So let's talk about the SIM900 module. Um, so it will give you, uh, a whole 00:22:31.116-->00:22:33.118 list of commands and these are the typical modem AT commands that I didn't know anything about, um, 00:22:33.118-->00:22:36.589 and so I had to dig into. And the guide that they have online has a ton of different 00:22:36.589-->00:22:41.594 commands. You can just read through it and one of the ones that I found is this engineering 00:22:46.498-->00:22:51.203 mode. So when you toss the SIM900, when you give it the AT commands, which I'll go through 00:22:51.203-->00:22:54.540 in a little bit, um, it'll show you, hey, ok, it's good to go. And it'll give you 7 towers with 00:22:54.540-->00:22:59.378 the highest information. Um, and there's a ton of information and it's all via serial connections. 00:22:59.378-->00:23:03.015 So if you know how to use serial, it's all exactly the same. And what's even better is 00:23:03.015-->00:23:08.554 there's no SIM card required just to put it in engineering mode and I just also want to stress 00:23:08.554-->00:23:13.125 this, that does not sniff any traffic. This is FCC regulated, this is not doing anything bad. 00:23:13.125-->00:23:17.563 This is everything that your phone can see, that you can see on your phone.
Um, and I'll go 00:23:17.563-->00:23:21.100 over how you can actually see this on your phone, to some degree, not nearly as good as 00:23:21.100-->00:23:27.406 this, but, um, let's move on. So there's something called field test mode, which most phones 00:23:27.406-->00:23:33.112 have. Uh, if you have an iPhone, if you just pretend to dial a number and you put in star 3001, 00:23:33.112-->00:23:38.284 you know, pound 12345, pound star, uh, that will bring in field test mode and I'm not 00:23:38.284-->00:23:43.122 trolling you, that actually will do it. Um, and this is a good way to see a lot of information 00:23:43.122-->00:23:47.593 about, uh, what's around you. Now it's a little bit hard to navigate and if you want you can 00:23:47.593-->00:23:52.064 Google and there are plenty of guides that show you how to use this field test mode. Um, with 00:23:52.064-->00:23:56.802 Android it can vary from phone to phone. So just Google it, you can find it. And there's 00:23:56.802-->00:24:03.475 also plenty of other apps, since Android is much more open, that you can see. Um, so here's, 00:24:03.475-->00:24:09.048 here's a quick example of what the SIM900 readout is. So AT does its check if it's ok, um, and 00:24:09.048-->00:24:14.253 then that's setting it in engineering mode and then, uh, after that you check, hey engineering mode, 00:24:14.253-->00:24:17.623 you know, what do you have for me? And then it will relay a bunch of data and at first I 00:24:17.623-->00:24:21.293 looked at this and I was like, I have absolutely no idea what this means. So let's dig into 00:24:21.293-->00:24:26.632 it. Um, and so basically you have your channel number, your receive level, you have your, 00:24:26.632-->00:24:32.004 uh, you have your base station identifier code, your cell ID, your MCC and your MNC and your 00:24:32.004-->00:24:38.744 LAC. These are all things that we talked about. Um, and so for, so this is the GPS serial that I 00:24:38.744-->00:24:42.681 got.
This is a little bit nicer than the one you can get online, but, uh, the cheaper one will 00:24:42.681-->00:24:46.018 definitely do. This is the Adafruit model and it fixes, the reason that I picked it is 00:24:46.018-->00:24:50.522 because it fixes the position very quickly and has great indoor reception and it works 00:24:50.522-->00:24:54.626 exactly like you would expect it to work. Um, it just, you plug it in and it just starts dumping 00:24:54.626-->00:24:59.999 data. And when I say dumping data, this is exactly what I saw when I first plugged it in and 00:24:59.999-->00:25:04.870 this scrolls so fast that to take the screenshot it was hard not to get it to blur. Um, so 00:25:04.870-->00:25:07.973 you can get the idea, you know, I looked at this, I'm like, I don't even know what this means. 00:25:07.973-->00:25:13.312 Luckily, you know, there's plenty of information online on how to handle this data. And so 00:25:13.312-->00:25:17.683 you break it down, you really only care about this type of a line. Uh, and this line, you know, 00:25:17.683-->00:25:21.620 we translate it out and dump it into the SQL database that I have it set up to go into, you get 00:25:21.620-->00:25:26.091 your latitude, your longitude, the number of satellites that you have, the GPS quality, the 00:25:26.091-->00:25:32.131 altitude and the units of that altitude. Uh, the GPS quality goes zero, one, two. Zero is if 00:25:32.131-->00:25:35.868 you don't have a fix and it doesn't know where you are. One if it's not that accurate, but 00:25:35.868-->00:25:40.873 it will still do, and two if it's locked on and you have a good position. Um, so next up is the 00:25:43.342-->00:25:48.580 Raspberry Pi 3, pretty straightforward. Um, runs stock Raspbian as the operating system. And it 00:25:48.580-->00:25:53.018 has enough power to run the software defined radio. So I use this, uh, Raspberry Pi to do other 00:25:53.018-->00:25:57.222 software defined radio stuff and it's set up to use it.
Um, and so I just, you know, I just 00:25:57.222-->00:26:01.093 repurposed that, I didn't want to have to get something else. And it also has 4 USB ports, which 00:26:01.093-->00:26:05.264 is really nice. 'Cause you can plug in as many serial adapters as you want with a hub and it 00:26:05.264-->00:26:09.268 works, it works a lot better than trying to use any GPIO pins as a serial adapter. And it's 00:26:09.268-->00:26:13.372 also really easily powered by a USB battery pack. You can get one of these battery packs 00:26:13.372-->00:26:17.976 online for say 5-10 dollars. Um, and you can run it all day off of this 'cause it's so low 00:26:17.976-->00:26:24.716 power. So now next I wanna talk to you guys about the, the, I guess, semi-controversial part of 00:26:24.716-->00:26:29.788 this. So there's the TV tuner. It's, so this is designed so you get a USB and you can, uh, 00:26:29.788-->00:26:33.625 basically you plug this in and you can, you know, watch, uh, TV on your phone, any of the 00:26:33.625-->00:26:37.596 broadcast, or not TV on your phone, TV on your laptop. Any of the broadcast channels that are 00:26:37.596-->00:26:41.500 out there. Um, it has a wide range of frequencies and is typically used by a lot of 00:26:41.500-->00:26:45.704 hackers to do really cheap software defined radio. 'Cause it's 20 dollars. Um, however, 00:26:45.704-->00:26:49.475 depending on where you are, this could be definitely against the law to listen to the GSM 00:26:49.475-->00:26:54.546 traffic. So I don't want to encourage this at all if this is not legal where you are. Um, but 00:26:54.546-->00:26:58.517 there are plenty of GitHub repositories out there that will let you listen in to unencrypted 00:26:58.517-->00:27:04.790 traffic and not to break it. We're not breaking any GSM traffic. Um, and it's not 00:27:04.790-->00:27:08.060 necessary at all to locate the towers, it just gives you some deeper insights if that's 00:27:08.060-->00:27:12.064 something that you're interested in.
Uh, and trying out, and if you do, just let me know how it 00:27:12.064-->00:27:17.736 works, 'cause I'd be really interested in hearing it. Um, so basically everything dumps to a 00:27:17.736-->00:27:22.975 SQLite database. It's, it's pretty simple when you look at this because I just 00:27:22.975-->00:27:26.778 basically went through with the Python script and it just goes, you know, every 00:27:26.778-->00:27:30.782 couple seconds and it will snag all the data that's out there. And it dumps it and it lets you 00:27:30.782-->00:27:34.386 do a lot of queries on it, so you know you have your time, 00:27:34.386-->00:27:38.557 where you are, you have your latitude, longitude, you know, all the information that 00:27:38.557-->00:27:45.497 we just talked about all in one nice and neat place. And, uh, you know, after you take a drive, 00:27:45.497-->00:27:49.067 you don't wanna have to go through and look through, you know, hundreds of thousands of 00:27:49.067-->00:27:53.171 lines of cell data, I mean, it's gonna suck and there's no way to really divine 00:27:53.171-->00:27:57.843 anything meaningful out of that. Um, so that's why, uh, you wanna make it pretty. You wanna make 00:27:57.843-->00:28:01.480 it really easy to look at. You wanna make it so that you can show a picture to your wife, 00:28:01.480-->00:28:05.083 mom, cat and then, you know, say, hey, this is what I did and they're like, oh, that's not 00:28:05.083-->00:28:10.489 just numbers on a screen. Um, and so, when I was in civil engineering, I used a ton of GIS 00:28:10.489-->00:28:14.393 software, but it's real expensive. And so that's when I came across QGIS. It's 00:28:14.393-->00:28:18.864 completely free. Open source. Um, and basically what this does is kind of like Google Maps, you 00:28:18.864-->00:28:24.069 can place points and you can do math between those points.
Um, and it's, it's a really extensive 00:28:24.069-->00:28:29.107 program, so I could do a full talk on just how to use QGIS and all the stuff to learn. But some 00:28:29.107-->00:28:34.346 of the things you're gonna want in QGIS, you're gonna want IDW or Inverse Distance Weighting. 00:28:34.346-->00:28:38.951 You'll want the OpenLayers plugin. This will give you maps and GIS data. And you also want, 00:28:38.951-->00:28:43.789 or it also gives you, Python command line automation. And it's, it's super easy, once you 00:28:43.789-->00:28:48.460 visualize it, and it lets you just, you know, actually get your hands on the data and make 00:28:48.460-->00:28:53.465 sense of it. Now, what I really, really like about this is that, uh, once you've done everything 00:28:56.768-->00:29:00.572 the right way, once you're comfortable with how to do this in the GUI, it has a full 00:29:00.572-->00:29:04.810 command line set, so you can know exactly what you're doing and then script it all up, so 00:29:04.810-->00:29:09.414 you can just run a cron job and have it, you know, pump out nice looking images all the time. Um, 00:29:09.414-->00:29:13.018 and with that, with the Python script, then you can have it say, hey, you know, this doesn't 00:29:13.018-->00:29:17.589 look right. I wanna send an alert out. I'll talk more about alerts here in a little bit. But 00:29:17.589-->00:29:21.727 basically this is just a sample of like, hey, how am I going to import data and get the x, y and 00:29:21.727-->00:29:27.566 power information and stuff like that into it. And so this is just a sample of me just 00:29:27.566-->00:29:31.503 making some random points, kind of, uh, in the program itself. And you can see that you can 00:29:31.503-->00:29:36.208 overlay maps on it, you can have street data, you can even have satellite data. Um, this is a 00:29:36.208-->00:29:39.778 great program if you're just looking for anything GIS related.
And you just want to 00:29:39.778-->00:29:43.382 get started in GIS 'cause it's very similar to ArcGIS. So if you're looking to get into maybe 00:29:43.382-->00:29:47.252 some professional tools, check this out first. Good for a lot of other things, not just 00:29:47.252-->00:29:52.257 finding rogue cell towers. Alright, so the next part of this is, ok, so you detected 00:29:55.394-->00:29:59.998 that there's a disturbance in the force. You see that, ok, my maps are showing that there 00:29:59.998-->00:30:03.902 might be a new tower somewhere. You know, I'm getting these notifications, so, you know, what 00:30:03.902-->00:30:07.372 the heck do you do? How do you actually get this information to you? You know, so you're at the 00:30:07.372-->00:30:11.610 grocery store and you know that there's something outside or maybe there's, you know, a new 00:30:11.610-->00:30:14.946 cell tower popping up. How do you know, how do you get that information to yourself? There's 00:30:14.946-->00:30:18.884 a couple of ways, um, you can, depending on what your favorite scripting language is, 00:30:18.884-->00:30:22.187 you can go in there and have it just send you a straight e-mail. A lot of people check their 00:30:22.187-->00:30:25.924 e-mail, you know, very frequently, so maybe you want to have it set up with 00:30:25.924-->00:30:30.362 Twilio and have it send you a text message. Uh, Twilio is about 20 dollars a year if you 00:30:30.362-->00:30:34.433 just want to send a couple text messages. It's really great, they have great documentation. 00:30:34.433-->00:30:37.335 I recommend using them, and if you're a little bit more technical and you just want to 00:30:37.335-->00:30:42.674 send push notifications to your phone, I use an app called, uh, Pushover. And it allows you to 00:30:42.674-->00:30:46.011 send, just like it says, push notifications. It's really great, gives you a ton of 00:30:46.011-->00:30:51.016 different settings. So now, here's the problem that I have.
Uh, when your detector goes 00:30:53.552-->00:30:58.156 off, what the heck do you do? Um, well, you turn off your phone. I mean if you're not 00:30:58.156-->00:31:01.693 really sure and you're actually nervous about your privacy being infringed upon, turn off your 00:31:01.693-->00:31:05.530 phone. Um, that's, that's really the only thing you can do. Uh, and then you can start looking 00:31:05.530-->00:31:09.501 at the data. You can take what I, you know, the maps that I've shown you how to make and you 00:31:09.501-->00:31:13.038 can look at it and say, uh, where is this? Let's go take a look at it. And then maybe you 00:31:13.038-->00:31:18.043 go on a road trip. Well, with this, you can just go out there and you can, um, you know, you 00:31:18.043-->00:31:22.447 can go see, hey, is there anything out there. Um, am I nervous, you know, that 00:31:22.447-->00:31:25.684 something's, you know, gonna be where it's not, it shouldn't be. Or you could just say, hey, 00:31:25.684-->00:31:29.221 looks like they're doing some maintenance on a tower somewhere. Um, so this allows 00:31:29.221-->00:31:34.126 you the opportunity to go drive around and see what's actually out there. And with that, I 00:31:34.126-->00:31:39.131 think that's it. Um, if you guys want, just send me an email to this email address and I'll 00:31:41.233-->00:31:46.238 answer any questions. [applause] And I'll be posting the slides by Friday, to this website, 00:31:50.542-->00:31:54.112 Raging Security dot Ninjas, so feel free to go check it out and, yeah, I really encourage 00:31:54.112-->00:31:59.117 you guys to shoot me an e-mail. [applause]