All right, can you go, ooh, wow, you guys can hear me really well, can't you? All right, my
name is, uh, Eric Escobar. I'm a security engineer for Barracuda Networks, uh, and today I'm
going to be talking to you guys about discovering and triangulating rogue cell towers. Uh,
so a bit about me. Ooh, that's loud. Uh, I started out as a civil engineer, and when I say
started out, I went through, got my bachelors, my masters, and now I have a P.E., I'm a
licensed civil engineer. Um, my parents loved that, but I told them I was going to go into
computers, so that, that didn't go over so well. Um, so I've always loved computers, uh, I've
always nerded out on all things wireless, even before that I was a licensed ham radio operator.
Um, and I also love to automate things, so my chicken coop is automated, it opens, closes,
feeds them, does the whole thing. Uh, and my sprinklers are run by a cron job, so that's,
that's the level of nerd that we're talking. Uh, and so three years ago is when
I started working at Barracuda Networks. Um, I was previously, about exactly three years ago,
pumping water in the middle of a field, um, as a civil engineer doing some well maintenance, and
then I got a lucky break from my, uh, great boss, and he said, hey, you know what, I think
you have a good mind for this. Uh, if you want to try the security space, then, um, you know,
we'd love to have you. And so I took him up on it, and then we headed over to DEF CON, and since
then I've, I've been in all things wireless. Um, so the first year, somebody asked me, are you,
are you the fox? And I said, uh, no, I, I'm not the fox, what are you talking about? And they
said, hey, uh, I'm doing the wireless CTF. And I said, wireless CTF, I could totally get
involved with that. The next year, we came back thinking, we're just going to go look for the
fox, and we ended up winning the wireless CTF. Um, so that was really, really, really cool. Um, so,
that was really great, and then this year, hopefully, uh, when I get done with this talk, we
will have won second year in a row. So, that would be pretty awesome, too. Um, let's see. Alright,
so a bit about what I do at Barracuda Networks. I'm a security engineer, like I said. So, I do
incident response stuff with my team, uh, pen testing. We do, uh, Red Team Fridays, where we
bring in pizza, and Red Team, our network, which is pretty awesome. Uh, I've even been lucky
enough to do some social engineering campaigns, phishing campaigns, uh, and if any of you guys
are bug crowd readers, you know what I'm talking about. Uh, so, I've been working with, uh,
researchers, um, when it was just, uh, Barracuda doing it, you probably talked to me at some
point in time. Um, I also do infrastructure scanning, and I've done a little bit of IPAM work
and, uh, multi-factor authentication for, uh, Barracuda. Alright, so, today, what we're gonna
cover is, uh, what is a rogue cell tower, why you should care about rogue cell towers, how to
detect a rogue cell tower, how to find one after you've detected it, and how you can build a
detector at home. And then, once you've detected one, why don't you go ahead and do some
research on it. What the heck do you do with it? Alright, so, first up, what is a rogue cell
tower? Well, it's something that's purchased by companies, governments, or other hackers, um, and
it has the ability to trick your phone into thinking that it's a real cell phone tower. So,
it's kind of like an evil twin attack if you're familiar with wireless at all. Uh, these are
known as IMSI catchers, interceptors, cell site simulators, stingrays, and there's probably a few
other things, but really, uh, they're pretty much called cell site simulators or IMSI catchers,
because stingrays, they're popularly known by is, is a corporate term, or it's, uh, the, the
name of the actual company that makes them. Uh, and rogue cell towers have the ability to collect
information about you indirectly, just through metadata, and metadata can tell you a lot of
things about you. Uh, call length, uh, numbers that you've dialed, uh, and those kinds of
things. And in some conditions, they can even downgrade, uh, your connection, um, and so they
can listen to your messages, your calls, and they can even get some data. Alright, so, uh,
how are they used today? I'm not gonna go over this a whole lot, but, but pretty much the ACLU has
identified 66 agencies in 24 states that own stingrays. Um, these have been used to monitor
demonstrations in the United States, such as in, uh, Chicago in the political protest. Last
year, there was, uh, Freddy Martinez. He talked at the Crypto Village, and he did a great talk on,
uh, Freedom of Information Act requests, and dealing with IMSI catchers, and how to prove that
they're actually being used. Uh, and then, it's also possible to make an IMSI catcher at home, uh,
Chris, back in DEF CON, uh, 18, uh, he made an actual IMSI catcher and showed it off, and that
was way more technical than I could probably ever hope to do at any time soon, but it, it's a
really cool trick, er, not trick, it's a really cool hack, and, uh, from there, basically, we're
gonna see if we can detect what he did. So, if you wanna know more about cell-side simulators, or
if this is the first time that you've ever heard that, uh, go check out the EFF and the ACLU. They
have these two, um, great links, and they're also, um, really, really, really, really, really,
awesome for just getting a lot more information, and it goes far more in-depth than I could do in,
in even a full presentation about that. Um, and so, abroad, they're also used. There's not a whole
lot of great data on this, but we know that there have been, you know, sightings of these in
Ireland, the UK, China, Germany, Norway, South Africa. Um, Chinese spammers are also caught
using this to send spam phishing messages, and they're used by governments and corporations
alike, and, and I think corporate espionage is also where they're used. In terms of, uh,
there's a lot of other data that they would probably want from the, from the, from the
their competitors, and if somebody doesn't have a way to detect a cell site simulator, you
could be giving up corporate secrets, uh, without even knowing it. So, let's talk about what the
IMSI is, an IMSI catcher. So, IMSI stands for International Mobile Subscriber Identity. Uh,
it's used as a means of identifying a device on the cell network. It's typically 15 digits
long, um, and it contains information about your device. So, there's the MCC, which is the
mobile country code, the MNC, which is the network code, and there's the mobile
subscription identity, identification number, or MSIN. Um, so, all of the country codes, the MCC,
are available on Wikipedia. So, if you want to look one up, maybe you make one of these devices,
and you want to say, hey, that doesn't look like, uh, the United States country code, and if
you're in the United States, you know, what, what should mine be? Um, and you see something come
up, you can take a look at these. They're all on Wikipedia. Same thing with MNC. All of these are
available. There's a big list of them. So, if you're ever curious, you can just head on over
there and check it out.
Uh, so, basically, to summarize all that, an IMSI is a unique identifier to your device. So,
that, that's you. I mean, that's like your MAC address of your laptop. That, that's what can
identify your device. And so, if you swap, you know, uh, your SIM card into different phones,
then that's something that, that can still identify that SIM card itself. And so, here's what
a, uh, sample IMSI would look like. So, you can see it has the MCC, which is 310 for the USA. It
has the MNC for AT&T, uh, and that's 026, and then the unique identifier, which is your MSIN.
So, why should you care about this? Well, if somebody were to drive up, uh, and have an IMSI
catcher, you know, maybe you're sitting there and you're having coffee at a coffee shop, um,
you're one big fish in, in that, or you're one fish in that big net. Uh, so, what could happen
is if they're driving up and say they're, say somebody's looking for someone in the area and
they think that they're there, they grab all of the information. Because your phone, it just
goes for the song, strongest signal strength. And so, if they, if it happens to be
that, that IMSI catcher, then that's you. And it doesn't matter if it's a government. It
doesn't matter if it's a hacker. These things are easy to build for less than, you know, a
couple grand. Um, and to get all that personal information, it could be well worth it. And
also, there was a talk of LTE downgrade to GSM this year. Uh, and so, that's another thing
that you, uh, Cell Tower, um, controls, you know, some of the options that are sent to the
mobile device. And so, if they want to downgrade you, you can totally do that. I saw a couple
times when I was upstairs in the wireless village that, uh, what had happened is it downgraded
from, uh, LTE to 2G and you knew something bad was going on. Um, uh, so that, that's just one way,
is, is you're just a small fish in a big net and they can catch anybody that's around you.
Alright, so why should you care about this? Well, I think if, if you don't know by now, there's a
couple reasons why you should. Um, your phone will connect automatically to cell site
simulators. It, it doesn't matter, you know, it's not like, uh, connecting to an access point
with your cell phone. What will happen is, uh, your phone will just pick the thing that has the
strongest signal. It doesn't ask you. It doesn't say, hey, this one looks kind of fishy. It
just says, hey, this one gives me the best signal. Let's go from there. Um, and thieves can
steal your personal information. Hackers can track where you go, who you're talking to, and
then grab all sorts of data about you. Uh, your digital life can be sniffed out of the air by
anyone and, I mean, it's re- the hardware is always coming down in cost. Um, and your company,
it could be leaking trade secrets. I mean, just think about two-factor authentication if it's
sent over SMS and they can intercept that. Um, you know, then they could have that second factor
if they've already got your password. Uh, not to mention, a lot of people think that text
messages are, um, you know, they're, they're extremely private and if you don't believe so,
just ask somebody, hey, can I flip through your text messages real quick? They won't let you.
Alright, so why build a detector? So there's some Android phones that have apps that, you know,
that you can do this. But I found that you need to have a specific model and you also need to have
it root to work. Um, and I wanted something cheaper. I didn't want to have a phone dedicated
only to just watching, uh, cell towers. Um, and I also wanted a device that was really cheap. I
mean, I'm, I just want something that's, you know, around $50 so that it's easy to make and it's
not like, oh, well you could totally detect them for a couple grand. Um, and I also wanted to be
able to set it and forget it. And I wanted to be alerted to any anomalies. I didn't want to have
to be something where I was, got suspicious all of a sudden, I had to go turn it on and figure out
how to rig it all up. Um, and I wanted to be alerted to any anomalies. I didn't want to have to be
nervous. Um, I wanted to be, and I wanted the ability to network them together. So if I
wanted three, if I wanted five, if I wanted a hundred, I wanted the ability to just plug it
into the network and have them all talk to each other. So, how do you actually detect
rogue cell tower? Well, every cell tower or a base transceiver station, BTS, beacons out
information about itself. And this is available to your phone. Um, but, you know, it has stuff
like the, the radio frequency channel number that it's on. We talked about the MCC, the MNC, the
cell ID, the location area code, so that's specific to where you actually are. Um, the
transmit power and some neighboring cells. Neighboring cells I haven't had a lot of luck with,
but all the rest should still be enough to, to do it. Um, so like I said, these values should
remain pretty constant. You know, you don't want your country code to change, cause if you're
not in the United States, then all of a sudden, you, I mean, you could have a problem. You, you
know that if you're in the United States, you should have a 310. If it's not, then something,
something else is going on. Um, the MNC, the MNC, the MNC, the MNC, the MNC, the MNC, the MNC, the MNC,
your network code shouldn't change, the cell tower, the unique identifier shouldn't change, the
area code shouldn't change, and the transmit power, that shouldn't al- that should also not
change. Uh, now there's reflections and things and, and ways that that can change, but overall
at, at a period of time, it should just average out. Um, so okay, so how do you, so if, if values
deviate from what you've expected, it can mean that there's some maintenance taking place. It's
not necessarily that, hey, all of a sudden, transmit power went down, or maybe a cell tower
went down. Uh, it could just mean that something is deviated. And it can just be, mean that
changes are being made to the network. Um, but that's the whole reason why I wanted to be able to
go find it. Because if there's a new signal that's coming out, I want to go see, hey, is this a
cell tower that's messing up? Or is this, you know, maybe they're adding some extra, you know,
carriers to it. There could be something actually happening. So the ability to go out and find
it is, is really crucial to knowing if something's actually happening. And really the way that
this works is it's like a ba- it's like you're, you're taking a baseline. And so you're
sitting there and you're watching the neighborhood. You're watching to see, you know, what
cars go in and out. Um, and you're just being familiar with what's in your airspace. And if
something drastically different hops in your airspace, you know that, hey, maybe I should be
suspicious of this. And maybe I need to go check it out. So these are just some sample values.
310 again, United States. 026 is AT&T. The unique ID for the cell tower and the radio channel
that it's on. If any of those change or, you know, the tower goes completely away or a new
tower comes up in its place with a really strong signal strength, you know that's something you
should probably look at. Alright, so how, so, so let's, let's just do a quick example of this. Um,
if a new tower pops up with an unknown cell tower ID and high transmission power, you know, the
mobile country code can mismatch, the frequency can mismatch, um, and, you know, maybe the
location area code could change too. These are all things to keep in mind, all things to look
for. They don't all need to change, but a couple of changes here and there are enough to be
suspicious of. And so obviously, why locate a tower? Well, you want to know if it's a cell
tower or if it's a van with a tower inside of it. And now, now let's talk about actually
locating them. So I'm going to combine all of this unique cell tower data, receive power and
location. And, uh, the easiest way that I found is to combine all of that information on one
detector that can be moved around. If you just have a couple of detectors spread out, you know,
say throughout a neighborhood or something, um, you're not going to get as great a data as if you
can just move around because then you can take a bunch of different points. And we'll talk about
that later on. So this is an example heat map that I made and I, this is just me driving around
and I selected one tower and this is, this is me practicing on an actual tower. This isn't a
rogue cell tower. This is just me driving around and seeing like, hey, let's see if I can find,
uh, what an actual tower is. You know, kind of as a, as a blind test. And so when I plotted up the
data, here, this is, you know, you can see that red spot and that's where signal strength is
highest. And that comes down to probably about a 20, 30 meter radius. And that's enough to tell, is
there a tower poking up out of the ground that's a couple hundred feet. Um, it's really easy to
tell if there's nothing there or if there is something there. Or maybe on top of a building
there's some antennas. Um, it's a good way of telling, you know, does that look shady or is
that, you know, a van parked outside my street or some, you know, hacker or kid sitting in the
back of a car. Um, so multiple det, detectors with known local data. Um, I'm going to go over
the different locations, allow for trilateration of suspected, you know, towers. Um, and the
received power and distance, they're not inversely proportional. You'll need some regression
formulas and they're required to calculate in order to fine tune the results. It's less
accurate but it's still pretty good. And, uh, TDOA or Time Distance of Arrival. This is
another way that I'd thought like, hey, maybe I could find a cell tower this way. But really, I
don't have an accurate enough time. And if you're not familiar with what TDOA is, it's a way
to, um, you know, you're waiting for a signal to come in and you're measuring the speed or
the length of time that it takes uh a light signal to come from that tower to wherever you
are. And measuring the time it's kind of like GPS it works with you know the speed of light
stays constant and so you can use that to kind of do some math but you need a really accurate
clock and that's not something that I have and so I thought okay well that's not going to
work. Oh am I going back the other way? Alright so now I'm going to talk about
trilateration versus triangulation. So a lot of people get mad at me when I inversely use
these um and I get it but some people don't and when I was doing this presentation before
there was a lot of questions about it so I'm going to go over it real quick um if this is
something you already understand great you get a refresher and if you don't hopefully you know
the difference. Alright so like any good engineer I have my north arrow for my free body
diagram uh and so let's let's picture that there's an explosion or a really loud sound. The
way triangulation works is if you're at home and if your friends are at home and you're
friends at the store or maybe your wife's at work and you all hear the same big explosion
you're all going to look in the same or you're all going to look in the direction of the
explosion. And so if you were to intersect all the lines of where you guys are looking you're
going to see pretty much a pretty good representation of where the explosion probably
happened if you all call each other and say hey I'm you know I'm at home I'm looking you know
towards the southeast and if I'm at the store I'm looking west and I'm at work looking north
you can have a pretty good idea of kind of where it came from. Um and so I'm looking at the
north arrow and so triangulation the angle there from the north arrow you know to wherever
direction you're looking that's the angle that you're actually talking about and a lot of people
get that confused with what trilateration is. Um and so with with triangulation you have your
known points of where you are and you can use that to find you know the very center of that
triangle. So this is something that I've wanted to do I've wanted to add this feature uh I didn't
have enough time to do it before this but if somebody wants to help me work on it I'd love to
take up any helpers. Um so conceptually this makes sense but I haven't actually tried it out and
so what I want to do is basically put like an RF shielded dome on top of my antenna and have it
spin around. And when it spins around uh at some point when it hits where when it lines up where
the cell tower is it'll have a high signal strength. So right now if uh you see this uh like
this is a cross section of it if the cell tower is right in line with where the slice is in it
you'll have a high signal strength reading as this spins around. And then you can tell right here
the signal is being blocked cause it's RF shielded and so you'll have a lower signal. And so if you
spin this all around and you have multiple detectors you have different signals that are
different angles and when all those angles intersect that's typically where it's gonna be. So
this is all just conceptual I haven't done this one this isn't how I normally do it but it's it's
something I just throw out there. And so technically my detector uses trilateration. And so
this is kinda this is a good representation of what I mean by that. So trilateration is just
magnitude of what's being felt. So say you're 100 feet away from a cell tower you'll have full
bars. Say you're 300 feet you know you maybe only have 2 bars, 1000 feet it drops off to a
single bar. So you know that you're a certain distance away based on your signal however you
don't know um you know what direction that's coming in. And so uh if you're 100 feet away that
cell tower could be in a circle anywhere that's 100 feet away from you. And likewise you know if
you have a weak signal strength you know that hey you could be about 1000 feet away from that
tower uh but it could be anywhere on that big circle. So how do you fix this? Well you add more
detectors. And so say you have 2 detectors that are there uh you know they have the same power
strength then you're gonna have 2 cell tower you know possibly 2 cell towers uh where those 2
circles intersect. And so how do you determine if it's you know only or which one of those it is?
You add a third detector and then where all 3 of those circles intersect that's where your cell
tower most likely is or in and around that area. But that's a way that you can you know get rid of
just knowing uh the power level that it's at.
Uh and so again you do a lot of math. There are plenty of python scripts, plenty of bash scripts,
plenty of other ways that you can easily calculate this when you know where you are and the
magnitudes that you're feeling. Um so that's one of those things if you don't know how to do it
just google it there's plenty of information out there. Um so how do you actually locate that
tower? Well power it's not it's not linear. Um you'll need more data, you'll need more
monitoring nodes and you'll need to do back of the envelope math. So what I mean to say is that
you're not gonna directly find you know the square uh uh uh uh uh uh uh square uh square
you know one foot by one foot area where this tower is transmitting from but it's good enough to
get you in the general vicinity of it. Um and cell towers they also have different sectors so
they're not just a perfect omnidirectional antenna that radiates in all directions. So that's
why having multiple detectors helps you kind of work out the fuzzy math and help you actually
find out where it is. Um and so that's why I like the multipoint trilateration so you get a lot
of points, you collect a lot of data and it gives you a lot more accurate results. And so
obviously I don't have a rogue cell tower that I can just test it with and I'm not gonna make one
and have the FCC get mad at me.
So I uh tested this on just real towers and say hey maybe this is a cell tower you know that's
that's a rogue one. Let's pretend like it's rogue and I wanna go check it out. So that's that's
kinda just drove around town and saw what was out there. Um so yeah back to this slide again you
can tell there's probably a tower in this area and sure enough if I were to show you the google
maps of where this is there's absolutely a tower there. Alright so let's talk about the actual
build itself. I used a raspberry pi 3 power adapter and a SD card running the stock
Raspbian all this stuff is really um you know there's plenty of guides on how to set this up.
Then I bought a sim 900 GSM module it's all available on Amazon you can go there it's like
$17 I'll post links to all this and stuff you'll see later on. Um there's a serial GPS module
again $16 off Amazon pretty cheap and then a software defined radio and now there's more
cautionary tales about this but I'll tell you about that going on. And then it's also made of
scrap wood and hot glue. I was gonna like 3D print some really nice case for this and then I
figured oh we're at a hacker conference and this is hacked together so I'm not gonna make it any
better. Cause it definitely works. So brace yourself this is quite literally a hack. If it
shows up. There we go. Alright so let's let's talk let's break this down and
actually see what's there. Uh okay so on top you have the GPS module cause that extra you know
7 inches really gives it the height that it needs to get a clear view of the sky. Um I'm gonna
show you how it works. Um the SIM 900 cell module also goes up on top cause hey you want the
best reception possible. Um mind you this is in my passenger seat so uh then there's on both sides
of this to connect the the Bluetooth and the GPS module together there's a serial to USB
adapter there. And so that that basically just gives you serial data and that's why I like
using the uh Raspberry Pi cause it gives you 4 USBs and so it's pretty easy um to connect it all
up and and set it going so you don't have to burn your CPU on at a GPIO pins. Um so again scrap wood and hot glue.
That's pretty much what I always use. And then uh there's a software to find radio. It's it's a
USB TV tuner. It's an it's called an RTL-SDR. Uh we'll talk more about that. So the how much does
it actually cost? Well if you wanna do this with a Raspberry Pi Zero and really keep cost down.
Raspberry Pi Zero is about $10 so when you include shipping with it uh $5 wireless adapter off
Amazon. You know $5 USB hub, $5 SD card. You can shop around fi- find all of this a lot cheaper
or you know you might just have it sitting somewhere in your bedroom. Um and then the the real
piece that you probably don't have lying around is the $27 uh SIM 900 module and you can just buy
this off Amazon. It's you know FCC regulated. It has all it's FCC IDs. Um and then there's also
the $16 serial GPS module and if you wanna get a little bit nicer one I got the Adafruit model.
It's about $40 but it gets the job done a lot nicer. It's a lot quicker to fix positions. So in
total it's fi- oh in total it's $52. Um and again you can make it even cheaper than that
depending on where you source some of your materials from.
So let's talk about the SIM 900 module. Um so it it will give you uh a whole list of commands and
this is the typical modem AT commands that I didn't know anything about um and so I had to dig
into. And their their guide that they have online has a ton of different commands you can just
read through it and one of the ones that I found is this engineering mode. So when you toss the SIM
900 and when you give it the AT commands which I'll go through in a little bit um it'll show you
hey okay it's good to go and it'll give you 7 towers with the highest information.
Um and there's a ton of information and it's all via serial connection so if if you know how to use
serial it's all exactly the same. And what's even better is there's no SIM card required just to put
in engineering mode. And I just also want to stress this that does not sniff any traffic this is
FCC regulated this is not doing anything bad this is everything that your phone can see that you
can see on your phone um and I'll go over how you can actually see this on your phone to some
degree not not nearly as good as this but um let's move on. So there's uh something called field test mode which most phones have
uh if you have an iPhone if you just pretend to dial a number and you put in star three zero zero one you
know pound one two three four five pound star uh that'll bring in field test mode uh I'm not I'm not
trolling you that actually will do it. Um and this is a good way to see a lot of information about uh
what's around you. Now it's a little bit hard to navigate and if you want you can google and there are
plenty of guides that show you how to use this field test mode. Um with Android the it can vary from
phone to phone so just google it you can find it. Uh and there's also plenty of other
apps since Android is much more open that you can see. Um so here's here's a quick example of what
the SIM 900 readout is. So AT to just check if it's okay um and then the the setting it in
engineering mode and then uh after that you check hey engineering mode you know what do you have
for me. And then it will relay a bunch of data and at first I looked at this and I was like I have
absolutely no idea what this means so let's let's dig into it. Um and so basically you have your
channel number, your receive level, you have your uh uh uh uh uh uh uh uh uh uh uh uh uh uh
you have your base station identifier code, your cell ID, your MCC and your MNC and your LAC
these are all things that we talked about. Um and so for so this is the GPS serial that I got.
This is a little bit nicer than the one that you can get online but uh the the cheaper one will
definitely do. This is the Adafruit model and it fixes the reason I picked it is because it
fixes the position very quickly and it has great indoor reception and it works exactly like you
would expect it to work. Um it just you plug it in and it just starts dumping data. And when I say
dumping data I this is exactly what I saw when I first plugged it in. And this scrolls so fast
that to take the screen shot it was hard not to get it to blur. Um so you can get idea uh you know
I looked at this like I don't even know what this means. Luckily you know there's plenty of
information online on how to handle this uh data. And so you break it down you really only care
about this type of a line. Uh and this line you know when you translate it out and dump it in the
sequel database that I have it set up to go into you get your latitude, your longitude, the
number of satellites that you have, the GPS quality, the altitude, you know all of that stuff.
Altitude and the units of that altitude. Uh the GPS quality too it goes zero one two. Zero is if
you don't have a fix and it doesn't know where you are. One if it's not that accurate but it'll
still do and two if it's locked on and you have a good positioning. Uh so next up is Raspberry Pi
3. Pretty straight forward. Um runs stock Raspbian as the operating system. And it has the enough
power to run the software defined radio. So I use this uh Raspberry Pi to do other software
defined radio stuff and it's set up to use it. Um and so I'm going to show you how it works.
So I just you know I just repurposed it. I didn't want to have to get something else. And it
also has 4 USB ports which is really nice cause you can plug in as many serial adapters as you
want with a hub. And it works it works a lot better than trying to use any GPIO pins as a
serial adapter. And it's also really easily powered by a USB battery pack. You can get one of
these battery packs online for like say 5-10 dollars um and you can run it all day off of this
cause it's so low power. So now next I want to talk to you guys about the the I guess semi
controversial part of this. So there's the TV tuner. This is so this is designed so you get a
USB and you can uh basically you plug this in and you can you know watch uh TV on your phone any of
the broadcast or not TV on your phone TV on your laptop any of the broadcast channels that are
out there. Um it has a wide range of frequencies and it's typically used by a lot of hackers to do
really cheap software defined radio cause it's 20 dollars. Um however depending where you are
this could be definitely against the law to listen to GSM traffic. So I don't want to encourage
this at all if this is not legal where you are.
Um but there are plenty of GitHub repositories out there that'll let you listen into unencrypted
traffic uh and and not to break it. We're not breaking any GSM traffic. Um and it's not
necessary at all to locating the towers. It just gives you some deeper insights if that's
something that you're interested in uh and trying out. And if you do just let me know how it
works cause I'd be really interested in hearing it. Um so basically everything dumps to a SQLite
database. Uh it's it's pretty simple when you when you look at this because I just basically went
through in the Python script and it just goes through goes you know every couple seconds and
it'll snag all the data that's out there. And it dumps it and it lets you do a lot of queries on it
so you know you can you have your time of where you are, your time, where you are, you have your
latitude, longitude, you know all the information that we just talked about all in one nice and
neat place. And uh you know after you take a drive you don't want to have to go through and look
through you know hundreds of thousands of lines of cell of cell data. I mean it's gonna suck and
there's no way to really divine anything new. Um so it's it's it's it's it's it's it's it's it's it's
meaningful out of that. Um so that's why uh you want to make it pretty. You want to make it really
easy to look at. You want to make it so that you show a picture to your wife, mom, cat and then
you know say hey this is what I did and then they're like oh that's not just numbers on a
screen. Um and so uh when I was in civil engineering I used a ton of GIS software but it's
really expensive and so that's when I came across QGIS. Its completely free, open source um
and basically what this does is like kinda of Google Maps you can place points and you can do math
between those points. Um and it's it's a really really cool tool and um it's uh good for
extensive program so I could do a full talk on just how to use QGIS and all the stuff to learn.
But some of the things that you're going to want in QGIS, you're going to want IDW or
inverse distance weighting, you're going to want the open layers plugin, this will give you
maps and GIS data and you'll also want uh or it also gives you Python command line
automation. And it's it's super easy once you visualize it and it and it lets you just you
know actually get your hands on the data and make sense of it. Now what I really really
like about this is that uh once you've done everything the right way, once you're comfortable
with how to do this in the GUI, it has a full command line set. So you can know exactly what
you're doing and then script it all up so you can just run a cron job and have it you know pump
out nice looking images all the time. Um and with that with the Python script then you can have
it say hey you know this doesn't look right, I want to send an alert out. And we'll talk more
about alerts here in a little bit. But basically this is just a sample of like hey how am I
going to import data and get the xy and power information and stuff like that.
into it. And so this is just a sample of just me just making some random points kind of uh in the
program itself. And you can see that you can overlay maps to it, you can have street data, you
can even have satellite data. Um this is a great program if you're just looking for anything
GIS related and you just want to get started in GIS cause it's very similar to ArcGIS. So if
you're looking to get into maybe some professional tools, check this out first. It's good for a lot
of other things not just finding rogue cell towers. Alright so the next part of this is
okay so you've detected that there's a disturbance in the forest. You see that okay my my maps are
showing me that there might be a new tower somewhere. You know I'm getting these notifications
so what you know what the heck do you do? How do you actually get this information to you? You
know so you're at the grocery store and you know that there's something outside or maybe there's
you know a new cell tower popping up. How do you know how to get that information to yourself?
There's a couple of ways um so you can if depending on what your favorite scripting language
is you can go in there and have it just send you a straight email. A lot of people don't check
their email you know very frequently so you maybe you want to have it set up with Twilio and have
it send you a text message. Uh Twilio is about $20 a year if you just want to send a couple text
messages. It's really great they have a great documentation. I highly recommend using them and
if you're a little bit more technical and you just want to send push notifications to your phone
I use an app called uh pushover and it allows you to send just like it says push notifications
it's really great gives you a ton of different settings. So now here's the problem that I have.
Uh when your detector goes off what the heck do you do? Um well you turn off your phone. I
mean if you're not really sure and you're actually nervous about your privacy being infringed
upon just turn off your phone. Um that's that's really the only thing you can do. Uh and then you
can start looking at the data. You can take what I you know the maps that I've shown you how to
make and you can look at it and say uh where is this? Let's go take a look at it. And then maybe
you go on a road trip. And with this you can just go out there and you can um you know you can you
can go see hey is there anything out there? Uh am I nervous? You know you can just go out there and
you know that something's you know gonna be where it's not shouldn't be or you could just say
hey it looks like they're doing some maintenance on a tower somewhere. Um so this allows you the
opportunity to go drive around and see what's actually out there. And with that I think that's
it. At um if you guys want just send me an email to this email address and I'll answer any
questions. And I'll I'll be posting the slides by Friday uh to this website ragingsecurity.ninja
so feel free to go check it out. And yeah I really encourage you guys to shoot me an email.