A secure cell phone maker has uncovered more than a dozen cell phone towers around the U.S. whose owners no one seems to know and whose installation no one can account for.
The towers were uncovered by ESD America, which built the CryptoPhone 500, a heavily modified Galaxy S III with end-to-end encryption, a firewall protecting its baseband chip, and a custom Android distribution from which the ESD team removed many vulnerabilities it had found.
The closely self-monitoring phone does more than protect itself: according to Popular Science, the CryptoPhone 500 detected 17 different phony cell towers, known as "interceptors," around the United States during the month of July.
An interceptor appears to a typical phone as an ordinary tower, but once a phone connects to it, a variety of over-the-air attacks become possible, from eavesdropping on calls and texts to pushing spyware to the device.
ESD America CEO Les Goldsmith found it suspicious that many of these interceptors sit right on top of U.S. military bases. "So we begin to wonder – are some of them U.S. government interceptors? Or are some of them Chinese interceptors?" Goldsmith told Popular Science. "Whose interceptor is it? Who are they, that's listening to calls around military bases? Is it just the U.S. military, or are they foreign governments doing it? The point is: we don't really know whose they are."
Given the expense involved and where the towers are located, Goldsmith didn't think this was the work of hacker gangs, who have neither the money nor the access to some of the sites where the towers sit.
The technology is not trivial, either. Phones run a separate OS on the baseband processor, the chip that acts as the middleman between the phone's main OS and the cell towers. Baseband chip manufacturers such as Broadcom and Intel disclose nothing about the baseband OS, making it all but impossible for hackers to crack.
In July, as a test, Goldsmith and his team drove past a government facility carrying one of their phones, a Samsung Galaxy S4 and an iPhone. "As we drove by, the iPhone showed no difference whatsoever. The Samsung Galaxy S4, the call went from 4G to 3G and back to 4G. The CryptoPhone lit up like a Christmas tree," he said.
The baseband firewall on the CryptoPhone lit up with alerts showing that the phone's encryption had been turned off and that the cell tower had no name, a telltale sign of a rogue base station. Standard towers run by the major carriers broadcast a name, whereas interceptors often do not. The interceptor tower also forced the CryptoPhone from 4G down to 2G, a much older protocol whose traffic is far easier to decrypt in real time. The standard smartphones, meanwhile, gave no indication that they had been subjected to the same attack.
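As an added illustration of how the three signals described above (ciphering switched off, an unnamed cell, a forced drop to 2G) could be combined into an alert, here is a small Python detector; it is not ESD America's code, and the event schema, the ranking of network generations and the two-indicator threshold are assumptions, with the traces constructed to mirror the drive-by test.

```python
from dataclasses import dataclass
from typing import List, Optional

# Radio access technology ranked by generation (assumed encoding)
RAT_RANK = {"2G": 2, "3G": 3, "4G": 4}


@dataclass
class CellEvent:
    """One observation of the serving cell (constructed schema)."""
    rat: str                     # "2G", "3G" or "4G"
    cipher_on: bool              # baseband reports ciphering active
    network_name: Optional[str]  # operator name broadcast by the cell


def evaluate(events: List[CellEvent]) -> List[str]:
    """Return the distinct indicator names a trace triggers."""
    alerts = set()
    for prev, cur in zip(events, events[1:]):
        if prev.cipher_on and not cur.cipher_on:
            alerts.add("cipher_disabled")
        if not cur.network_name:
            alerts.add("unnamed_cell")
        # A two-generation drop (4G -> 2G) is flagged; the one-step
        # 4G -> 3G handover seen on the Galaxy S4 is ordinary and is not.
        if RAT_RANK[prev.rat] - RAT_RANK[cur.rat] >= 2:
            alerts.add("rat_downgrade")
    return sorted(alerts)


def is_suspect(events: List[CellEvent]) -> bool:
    """Require two independent indicators, so that a coverage-driven
    fallback to 2G on its own does not raise an alarm."""
    return len(evaluate(events)) >= 2


# Constructed traces mirroring the drive-by test described above.
GALAXY_S4_TRACE = [
    CellEvent("4G", True, "Carrier A"),
    CellEvent("3G", True, "Carrier A"),
    CellEvent("4G", True, "Carrier A"),
]
CRYPTOPHONE_TRACE = [
    CellEvent("4G", True, "Carrier A"),
    CellEvent("2G", False, None),
    CellEvent("2G", False, None),
]

if __name__ == "__main__":
    print(evaluate(GALAXY_S4_TRACE), is_suspect(GALAXY_S4_TRACE))
    print(evaluate(CRYPTOPHONE_TRACE), is_suspect(CRYPTOPHONE_TRACE))
```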
Goldsmith would not disclose sales figures or a retail price for the GSMK CryptoPhone 500, but didn't dispute an article in MIT Technology Review earlier this year that said he sells about 400 phones per week for $3,500 each.
Now, I am not interested in a phone that's three years out of date technologically and costs as much as a down payment on a car. But it would be nice if regular handset makers started adding that baseband firewall and alert, so we can know when we are around a tower that might do nasty things to our phone.