Suspicious tower sniffing

RSSI lat long cellid LAC mnc mcc
-97 35.793002 -115.319457 242674663 24595 310 260
-67 35.777788 -115.330649 6913 154 310 260
-90 35.762719 -115.341747 242674663 24595 310 260
-94 35.746597 -115.353559 242674663 24595 310 260
-92 35.728712 -115.360608 242674666 24595 310 260
-87 35.71133 -115.366699 242674666 24595 310 260

This is from the Blackberry app signal tracker. Now I suppose the hot reading could be a tower. The location is near the Gold Strike Casino.

Reply to
miso

Looking up a few of those terms, I learn: MCC = Mobile Country Code (3 digits, e.g., 310 = USA); MNC = Mobile Network Code (2 to 3 digits, e.g., 26 or 026 = T-Mobile); LAC = Location Area Code (0 to 65535 on GSM).

Reply to
David Howard

This database can look up where a tower is located that you find on your cellphone with freeware such as WiGLE


For example: MCC = 310 = USA mobile country code; MNC = 260 = T-Mobile mobile network code; LAC = 328 = location area code; CellID = 29021.

Finding this on your phone, using WiGLE freeware for example, you realize you're connected to a cell tower at Moffett Field at GSM CellTower 310-260-328-29021; location is (37.408436, -122.065147), Accuracy: 1300 m

Reply to
David Howard
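Putting the two posts above together (the scan table at the top of the thread and the MCC-MNC-LAC-CID identifier form used for tower lookups), here is an added Python example; it is not code from the thread, from the Blackberry Signal Tracker app, or from WiGLE. It parses the posted readings, builds each cell's lookup identifier, and flags readings that stand out from their neighbours. The column header in the first post reads "mnc mcc" while the values in those columns are 310 and 260, which the follow-up identifies as MCC = USA and MNC = T-Mobile, so the parser assumes the header has the two swapped. The two anomaly heuristics (a LAC seen only once while the rest of the trace agrees on another, and an RSSI far above the other readings) and the 15 dB threshold are the editor's assumptions, not anything the app computes.

```python
"""Parse a drive-by GSM scan and flag readings that deserve a second look.

Added example for this thread; not code from the Blackberry Signal Tracker
app, WiGLE, or any poster.  The six readings are the ones posted at the top
of the thread.  The two heuristics (lone LAC, RSSI outlier) are assumptions
about what makes a reading anomalous, not a published detection rule.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import median

# Readings copied from the first post.  Its header reads "mnc mcc", but the
# values in those columns (310, 260) are the USA / T-Mobile pairing explained
# later in the thread, so the parser assumes the header has the two swapped.
SCAN_LOG = """\
RSSI lat long cellid LAC mnc mcc
-97 35.793002 -115.319457 242674663 24595 310 260
-67 35.777788 -115.330649 6913 154 310 260
-90 35.762719 -115.341747 242674663 24595 310 260
-94 35.746597 -115.353559 242674663 24595 310 260
-92 35.728712 -115.360608 242674666 24595 310 260
-87 35.71133 -115.366699 242674666 24595 310 260
"""


@dataclass(frozen=True)
class Reading:
    rssi: int      # dBm
    lat: float
    lon: float
    cell_id: int
    lac: int
    mcc: int
    mnc: int

    @property
    def cgi(self) -> str:
        """Cell Global Identity in the MCC-MNC-LAC-CID form that the
        tower-lookup sites in the thread accept (e.g. 310-260-328-29021)."""
        return f"{self.mcc}-{self.mnc:03d}-{self.lac}-{self.cell_id}"


def parse_scan(text: str) -> list[Reading]:
    """Turn the space-separated log into Reading objects, skipping the header."""
    readings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or not fields[0].lstrip("-").isdigit():
            continue  # header or blank line
        rssi, lat, lon, cid, lac, mcc, mnc = fields
        readings.append(Reading(int(rssi), float(lat), float(lon),
                                int(cid), int(lac), int(mcc), int(mnc)))
    return readings


def flag_suspicious(readings: list[Reading], rssi_margin_db: int = 15) -> dict[str, list[str]]:
    """Map CGI -> reasons for every reading that stands out from its neighbours."""
    lac_counts = Counter(r.lac for r in readings)
    flags: dict[str, list[str]] = {}
    for r in readings:
        reasons = []
        # 1. Lone LAC: a real network hands a moving phone between location
        #    areas gradually, so one LAC sandwiched between readings that all
        #    agree on another is odd.
        if len(readings) >= 3 and lac_counts[r.lac] == 1:
            reasons.append(f"LAC {r.lac} appears only once; neighbours use "
                           f"{lac_counts.most_common(1)[0][0]}")
        # 2. Power outlier: a cell much louder than every other reading on the
        #    same stretch of road is worth checking against a tower database.
        others = median(o.rssi for o in readings if o is not r)
        if r.rssi - others >= rssi_margin_db:
            reasons.append(f"RSSI {r.rssi} dBm is {r.rssi - others:.0f} dB "
                           f"above the median of the other readings")
        if reasons:
            flags[r.cgi] = reasons
    return flags


if __name__ == "__main__":
    for cgi, reasons in flag_suspicious(parse_scan(SCAN_LOG)).items():
        print(cgi)
        for reason in reasons:
            print("  -", reason)
```

Run against the posted readings, only 310-260-154-6913 is flagged, for both reasons: its LAC 154 appears once while the other five readings share 24595, and its -67 dBm is 25 dB above the median of the rest. The lone-LAC rule will also trip on a genuine location-area boundary at the end of a short trace, and, as the original poster already allows, the hot reading may simply be a nearby tower, so the CGI string is meant to be resolved against a tower database before drawing any conclusion.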

Unfortunately this is on that web page: "This CellTower Locator sends query to Google location server, and returns the location. If the data are not included in their databases, no results will be returned."

It is that same crappy Google database.

I've yet to find a database that is actually accurate. Some towers show up in the FCC database, but most do not. The FCC establishes a region for the carrier, and within that region the carrier can do whatever they want, subject to approval by the local authority (county, city,etc.)

Probably every tower has a piece of paperwork registered with some government entity, but it might be the planning department or the city council minutes. That is, the data is not centralized.

I am told (but don't know first hand) that every CDMA tower can report its lat/lon. This is not found in GSM.

Reply to
miso

Nope. CDMA carriers Verizon and Sprint stopped sending BSLAT/BSLON many years ago. This is what arrives today: Worse, the CDMA vendors are sending garbage for locations, and some (Samsung) phones are trying to interpret the garbage as useful data:

Reply to
Jeff Liebermann

Good info. But I don't think GSM ever reported a location, right or wrong.

Do you know roughly when the FCC stopped requiring tower ID for cellular?

This week's "Security Now" touched on the dirt boxes. It mentioned that the towers themselves have some monitoring capability. I will wait for the transcript to be uploaded, then post it. But it had to do with a case where some guy was using a cellphone jammer to create a "zone of safety" around him while driving.

The current douche-baggery of the texting while driving crowd is driving like they stole the car to get to the traffic light so that they have more time to check SMS, Farcebook or whatever while the light is red. Most drivers try to not catch red lights, but these asses value their instagram viewing over broken bones.

I'm getting very close to being that old man that yells to get off his grass.

Reply to
miso

FCC ruling regarding the jammer.

Of course the older Stingrays have jammers in them.

Reply to
miso

Dunno. I only do CDMA.

I don't think the FCC ever required transmitting a specific tower ID or location. What they do require is the SID (system ID) which was administered by the FCC until about 2003, when it was taken over by private organizations: For international cellular, it's regulated by IFAST:

You're only considered "old" when you've lost your optimism and given up hope that things will change.

Reply to
Jeff Liebermann

miso wrote, on Thu, 20 Nov 2014 02:25:30 -0800:

Is that what they used to isolate the Baltimore prison to prevent the inmates from using cellphones from the inside to organize crime outside?


Reply to
Abe Swanson

miso wrote, on Thu, 20 Nov 2014 02:30:16 -0800:

What I don't understand is why he jammed the cellphones in Florida, where it's NOT illegal to talk on a cellphone while driving, and, more importantly, why he didn't just use the fake cell phone tower.

Wouldn't a fake cell phone tower have worked BETTER than a jammer because it wouldn't have given him away?

Reply to
Abe Swanson

Abe Swanson wrote, on Thu, 20 Nov 2014 19:15:03 +0000:

I'm trying to find the specs on the jammer he used because I don't understand why use a jammer when a fake cell phone tower might be better.

This TRJ-89 jammer is able to block cell service only within a 5 mile radius, according to Antenna Systems and Solutions Co., 931 Albion Avenue, Schaumburg, Illinois 60193, Phone: 847-584-1000, Fax: 847-584-9951


A 28 page power point presentation on the jammer specs is here.


Reply to
Abe Swanson

I think it is easier just to jam than to create a fake tower, though you are correct that both techniques would screw things up for the cellular users, presuming you don't relay the cellular traffic. Chris/Kristen Paget went so far as to set up Asterisk so that calls did go through.

I don't think there is a fake CDMA tower scheme in the wild. Thus you could interfere with GSM but not CDMA.

Reply to
miso

This is news to me, so thanks for the link.

They describe the system as being something like a femto cell, so the cellular companies have to set up and bless this scheme.

Look at this as a man in the middle attack. They read the IMSI and if you are on the white list (allowed numbers), you can use the cellular system.

I guess the prisoners need to build yagi antennas to get to the real network.

Reply to
miso

Jamming is easy. Spoofing requires far more hardware and expertise: Most of the cellular test equipment can do much the same thing. This one should do for emulating CDMA (not GSM) systems: Some YouTube videos of a similar test set in action:

Reply to
Jeff Liebermann

I didn't understand the article, but they said this: "Jamming the phones is illegal and impractical, Smith said. 'I'm inside the unit, and sometimes I need to make a call.' Technology to detect them is not always effective, and once they are identified it can require a confrontation with an inmate to confiscate it."

So, it's not a jammer for sure. And, it's not a triangulator either.

It looks like they are *all* the carriers at once, and, as you said, the Tecore Networks Intelligent Network Access Controller (iNAC) system only allows whitelisted IMSI-based calls to be passed through.

Some people are complaining though, that they drive by the prison in Baltimore, and they can't make phone calls:


Reply to
Robert Bryant

Service monitors were never blocked, even in the analog days.

Reply to
miso

Another good article. These people drove by the facility and the prison system was stronger than the real cellular. Because they weren't on the white list, they couldn't use the service.

Since the carriers are all on different bands, there is nothing stopping the facility from being on all systems, well presuming you have the money.

This setup isn't really all that different from set ups at say convention centers or in the subway. The only difference is the white list feature.

Reply to
miso

Sorta. The theory was that everyone that bought the software/firmware was legitimate. However, when it became obvious that many customers were various "agencies" that didn't want to be identified, tracking the buyers was quickly dropped. For monitoring cell phone calls, service monitors had call progress tracking and various forms of filtering, which made it easy.

Speaking of analog, remember this incident? A perfect recording of an intercepted Newt Gingrich cell phone conversation, discussing his ethics problems, was provided to congressional "ethics" investigators. Allegedly, it was done with a scanner, which was even then impossible without considerable added hardware. Most likely, it was done with a service monitor. Incidentally, the Martins were eventually fined $500 for their recordings.

Reply to
Jeff Liebermann

If Newt wasn't mobile, it could have been done with a scanner. But you would need a good ear to figure out the person was worthy of scanning.

The cost of the service monitors was a bit steep for the average hobbyist. ;-)

Reply to
miso

Nope. Even analog cell phones (AMPS) would hop frequencies every few seconds. Listening to AMPS on a scanner was impossible unless you could decode the control tones (no data, just tones) and switch the scanner to the next channel. Since each carrier was originally granted 333 channel pairs, programming a scanner for 333 channels was problematic.

In 1997, it's also possible that it was a TDMA or GSM phone, which are even less likely to be successfully intercepted by a common scanner.

Not for US government agencies. However, it probably was NOT done using a service monitor or scanner.

I've never heard the recording, but I read somewhere that both sides were crystal clear, with no dropouts, switching clicks, or fades. That's not easy to do.

The problem is full duplex. In order to record both sides of the conversation, one would need two scanners. One scanner to listen to the handset on the handset frequency, and the other to listen to the base station on a different frequency. That's because the handset transmit audio is NOT repeated by the base station[1]. So, if you want to hear the handset transmit audio, you have to listen on the handset frequency. Finding a location where one can hear both the handset and the base station is also rather problematic.

Kinda makes me wonder where the recording really came from.

[1] With AMPS, if it did repeat the audio, there would be about a 100 msec delay, where the echo would drive users nuts. This is different from the roughly 250 msec processing delay of digital handsets. What you actually hear in the earphone on a cell phone handset is side-tone, produced locally in the handset with zero delay.

Reply to
Jeff Liebermann

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.