Suspicious tower sniffing

RSSI   lat          long           cellid       LAC     mnc   mcc
-97    35.793002    -115.319457    242674663    24595   310   260
-67    35.777788    -115.330649    6913         154     310   260
-90    35.762719    -115.341747    242674663    24595   310   260
-94    35.746597    -115.353559    242674663    24595   310   260
-92    35.728712    -115.360608    242674666    24595   310   260
-87    35.71133     -115.366699    242674666    24595   310   260

This is from the Blackberry app signal tracker. Now I suppose the hot  
reading could be a tower. The location is near the Gold Strike Casino.  


Re: Suspicious tower sniffing
On Wed, 19 Nov 2014 00:11:13 -0800, miso wrote:

Looking up a few of those terms, I learn:
MCC = Mobile Country Code (3 digits, e.g., 310 = USA)
MNC = Mobile Network Code (2 to 3 digits, e.g., 26 or 026 = T-Mobile)
LAC = Location Area Code (0 to 65535 on GSM)
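The OP is screening the table by eye for a reading that does not fit its neighbours. What follows is an added example of doing that screening mechanically; it is my code, not code from the thread or from the Signal Tracker app. The six sample rows are the ones posted above; the last two columns are read as MCC then MNC (310 = USA, 260 = T-Mobile), which is how the replies interpret them. The 28-bit UMTS cell identity split (12-bit RNC-ID plus 16-bit C-ID) is standard; the screening rules and the 15 dB margin are assumptions chosen for illustration, not a published detector.

```python
"""Heuristic screening of a cell log for a tower that does not fit its neighbours.

Added example; not code from the thread or from the Signal Tracker app.
The six sample rows are the ones posted at the top of the thread.  The
last two columns are read as MCC then MNC (310 = USA, 260 = T-Mobile),
which is how the replies interpret them.  The rules and the 15 dB margin
are assumptions chosen for illustration, not a standard.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# Constructed from the values in the thread, tab separated as the app exports.
SAMPLE_LOG = """\
RSSI\tlat\tlong\tcellid\tLAC\tmcc\tmnc
-97\t35.793002\t-115.319457\t242674663\t24595\t310\t260
-67\t35.777788\t-115.330649\t6913\t154\t310\t260
-90\t35.762719\t-115.341747\t242674663\t24595\t310\t260
-94\t35.746597\t-115.353559\t242674663\t24595\t310\t260
-92\t35.728712\t-115.360608\t242674666\t24595\t310\t260
-87\t35.71133\t-115.366699\t242674666\t24595\t310\t260
"""


@dataclass(frozen=True)
class CellSample:
    rssi: int
    lat: float
    lon: float
    cellid: int
    lac: int
    mcc: int
    mnc: int

    @property
    def key(self) -> str:
        """MCC-MNC-LAC-CID, the form tower databases are queried with."""
        return f"{self.mcc}-{self.mnc}-{self.lac}-{self.cellid}"


def parse_log(text: str) -> List[CellSample]:
    """Parse the app's tab separated export (header line first)."""
    rows = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        rssi, lat, lon, cid, lac, mcc, mnc = line.split("\t")
        rows.append(CellSample(int(rssi), float(lat), float(lon),
                               int(cid), int(lac), int(mcc), int(mnc)))
    return rows


def split_umts_cid(cellid: int) -> Tuple[int, int]:
    """A 28-bit UMTS cell identity is RNC-ID (top 12 bits) + C-ID (low 16 bits).
    A value that fits in 16 bits is a plain GSM cell ID, so the RNC part is 0."""
    return cellid >> 16, cellid & 0xFFFF


def flag_suspicious(samples: List[CellSample], rssi_margin_db: int = 15):
    """Return [(key, [reasons])] for rows that stand out from the rest of the trace."""
    majority_lac = Counter(s.lac for s in samples).most_common(1)[0][0]
    seen = Counter(s.cellid for s in samples)
    umts_present = any(split_umts_cid(s.cellid)[0] != 0 for s in samples)
    flagged = []
    for s in samples:
        reasons = []
        rnc, _ = split_umts_cid(s.cellid)
        if s.lac != majority_lac:
            reasons.append(f"LAC {s.lac} differs from the majority LAC {majority_lac}")
        if rnc == 0 and umts_present:
            reasons.append("16-bit (GSM style) cell ID while neighbours report 28-bit UMTS IDs")
        if seen[s.cellid] == 1 and len(samples) > 2:
            reasons.append("cell seen only once in the trace")
        others = [o.rssi for o in samples if o.cellid != s.cellid]
        if others and s.rssi >= max(others) + rssi_margin_db:
            reasons.append(f"RSSI {s.rssi} dBm is {s.rssi - max(others)} dB above every other cell")
        if reasons:
            flagged.append((s.key, reasons))
    return flagged


if __name__ == "__main__":
    for key, why in flag_suspicious(parse_log(SAMPLE_LOG)):
        print(key)
        for r in why:
            print("  -", r)
```

On the posted rows only 310-260-154-6913 is flagged, on all four rules: its LAC is the odd one out, its cell ID fits in 16 bits while the others decode to RNC 3702 with C-IDs 60391 and 60394, it appears once, and it is 20 dB hotter than anything else. A legitimate 2G cell in a neighbouring location area would trip the same rules, so treat this as a reason to look harder (repeat the drive, check a tower database, note whether the phone was pushed down to 2G), not as proof of an IMSI catcher.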


Re: Suspicious tower sniffing
On Wed, 19 Nov 2014 00:11:13 -0800, miso wrote:

This database can look up where a tower is located that you find
on your cellphone with freeware such as WiGLE  
http://www.cell2gps.com/

For example:
MCC = 310 = USA mobile country code
MNC = 260 = T-Mobile mobile network code
LAC = 328 = location area code
CellID = 29021

Finding this on your phone, using WiGLE freeware for example, you realize
you're connected to a cell tower at Moffett Field at  
GSM CellTower 310-260-328-29021 location is (37.408436,-122.065147) Accuracy: 1300 m

Re: Suspicious tower sniffing

Unfortunately this is on that web page:
"This CellTower Locator sends query to Google location server, and returns  
the location. If the data are not included in their databases, no results  
will be returned."

It is that same crappy Google database.  

I've yet to find a database that is actually accurate. Some towers show up  
in the FCC database, but most do not. The FCC establishes a region for the  
carrier, and within that region the carrier can do whatever they want,  
subject to approval by the local authority (county, city,etc.)

Probably every tower has a piece of paperwork registered with some  
government entity, but it might be the planning department or the city  
council minutes. That is, the data is not centralized.  

I am told (but don't know first hand) that every CDMA tower can report its  
lat/lon. This is not found in GSM.


Re: Suspicious tower sniffing

Nope.  CDMA carriers Verizon and Sprint stopped sending BSLAT/BSLON
many years ago.  This is what arrives today:
<http://802.11junk.com/jeffl/crud/CDMA-data.jpg>
<http://802.11junk.com/jeffl/crud/Droid-X2-02.jpg>
Worse, the CDMA vendors are sending garbage for locations, and some
(Samsung) phones are trying to interpret the garbage as useful data:
<http://stackoverflow.com/questions/5409696/why-getbasestationlatitude-keeps-returning-the-integer-max-value-unknown>
<https://code.google.com/p/android/issues/detail?id=53518>
<https://code.google.com/p/android/issues/detail?id=29819>


--  
Jeff Liebermann     jeffl@cruzio.com
150 Felker St #D    http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann     AE6KS    831-336-2558
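Two kinds of tower position come up in this thread: a database answer, such as the cell2gps lookup a few posts up (310-260-328-29021 resolving to (37.408436,-122.065147) with a 1300 m accuracy figure), and the raw CDMA BSLAT/BSLON values that Jeff says arrive as garbage and that some phones still try to use. Here is an added example of checking either before trusting it; it is my code, not code from the thread, from cell2gps, or from Android. The quarter-arc-second units and the Integer.MAX_VALUE "unknown" sentinel are the documented behaviour of Android's CdmaCellLocation getters; the CDMA sample values and the phone fixes are constructed; the request body uses the field names the Google Geolocation API documents, and nothing in the block touches the network.

```python
"""Sanity-check a reported base-station position before trusting it.

Added example; not code from the thread, from cell2gps, or from Android.
It handles the two kinds of location data the thread talks about:
  * a database answer, such as the lookup quoted in the thread for
    310-260-328-29021: (37.408436, -122.065147), accuracy 1300 m;
  * raw CDMA BSLAT/BSLON as Android's CdmaCellLocation returns them:
    units of 0.25 arc-seconds, with Integer.MAX_VALUE meaning "unknown"
    (documented behaviour; the sample values below are constructed).
The request body mirrors the documented Google Geolocation API fields;
nothing here talks to the network.
"""
import math
from typing import Dict, Optional, Tuple

INT_MAX = 2_147_483_647           # Java Integer.MAX_VALUE, the CDMA "unknown" sentinel
QUARTER_SEC_PER_DEG = 3600 * 4    # CDMA lat/lon are in units of 0.25 arc-seconds
GSM_MAX_CELL_RADIUS_M = 35_000    # timing-advance limit of a normal GSM cell


def geolocation_request(mcc: int, mnc: int, lac: int, cid: int) -> Dict:
    """Body for POST .../geolocation/v1/geolocate?key=<your key>.  The field
    names are the API's own; querying a single tower is this example's choice."""
    return {"considerIp": False,
            "cellTowers": [{"cellId": cid, "locationAreaCode": lac,
                            "mobileCountryCode": mcc, "mobileNetworkCode": mnc}]}


def cdma_to_degrees(lat_qs: int, lon_qs: int) -> Optional[Tuple[float, float]]:
    """Convert quarter-second units to degrees.  Returns None for the
    Integer.MAX_VALUE sentinel or anything outside the documented range
    (+/-1296000 for latitude, +/-2592000 for longitude), instead of
    turning garbage into a point on the map."""
    if lat_qs == INT_MAX or lon_qs == INT_MAX:
        return None
    if not -1_296_000 <= lat_qs <= 1_296_000 or not -2_592_000 <= lon_qs <= 2_592_000:
        return None
    return lat_qs / QUARTER_SEC_PER_DEG, lon_qs / QUARTER_SEC_PER_DEG


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6_371_000.0 * math.asin(math.sqrt(a))


def tower_location_plausible(tower: Tuple[float, float], accuracy_m: float,
                             phone_fix: Tuple[float, float]) -> Tuple[bool, float]:
    """A phone served by the cell should lie within the database's accuracy
    radius plus one maximum cell radius of the reported tower position.
    Returns (plausible, distance_m)."""
    d = haversine_m(tower[0], tower[1], phone_fix[0], phone_fix[1])
    return d <= accuracy_m + GSM_MAX_CELL_RADIUS_M, d


if __name__ == "__main__":
    moffett = (37.408436, -122.065147)
    print(geolocation_request(310, 260, 328, 29021))
    print(cdma_to_degrees(INT_MAX, INT_MAX))            # None: sentinel rejected, not plotted
    print(tower_location_plausible(moffett, 1300, (37.40, -122.07)))          # constructed nearby fix
    print(tower_location_plausible(moffett, 1300, (35.777788, -115.330649)))  # the OP's Nevada fix
```

The distance test is deliberately loose (accuracy radius plus 35 km) so that it only rejects answers that cannot be right, such as a phone fix hundreds of kilometres from the tower the database claims served it; a wrong answer inside that radius still passes, which is all a crowd-sourced database can promise.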

Re: Suspicious tower sniffing
Jeff Liebermann wrote:

Good info. But I don't think GSM ever reported a location, right or wrong.  

Do you know roughly when the FCC stopped requiring tower ID for cellular?

This week's "Security Now" touched on the dirt boxes. It mentioned that the  
towers themselves have some monitoring capability. I will wait for the  
transcript to be uploaded, then post it. But it had to do with a case where  
some guy was using a cellphone jammer to create a "zone of safety" around  
him while driving.  

The current douche-baggery of the texting while driving crowd is driving  
like they stole the car to get to the traffic light so that they have more  
time to check SMS, Farcebook or whatever while the light is red. Most  
drivers try to not catch red lights, but these asses value their instagram  
viewing over broken bones.

I'm getting very close to being that old man that yells to get off his  
grass.
  

Re: Suspicious tower sniffing
FCC ruling regarding the jammer.
http://transition.fcc.gov/eb/Orders/2014/FCC-14-55A1.html
Of course the older Stingrays have jammers in them.  

Re: Suspicious tower sniffing
miso wrote, on Thu, 20 Nov 2014 02:30:16 -0800:

What I don't understand is why he jammed the cellphones in Florida,  
where it's NOT illegal to talk on a cellphone while driving, and,  
more importantly, why he didn't just use the fake cell phone tower.

Wouldn't a fake cell phone tower have worked BETTER than a jammer
because it wouldn't have given him away?

Re: Suspicious tower sniffing
Abe Swanson wrote, on Thu, 20 Nov 2014 19:15:03 +0000:

I'm trying to find the specs on the jammer he used because I don't  
understand why use a jammer when a fake cell phone tower might be better.

This TRJ-89 jammer is able to block cell service only within a 5 mile  
radius, according to Antenna Systems and Solutions Co., 931 Albion Avenue,
Schaumburg, Illinois 60193, Phone: 847-584-1000, Fax: 847-584-9951
http://www.antennasystems.com/category/jammers.html

A 28 page power point presentation on the jammer specs is here.
http://www.antennasystems.com/Sales%20Presentation.ppt

Re: Suspicious tower sniffing
Abe Swanson wrote:

I think it is easier just to jam than to create a fake tower, though you are  
correct that both techniques would screw things up for the cellular users,  
presuming you don't relay the cellular traffic. Chris/Kristen Paget went so  
far as to set up Asterisk so that calls did go through.

I don't think there is a fake CDMA tower scheme in the wild. Thus you could  
interfere with GSM but not CDMA.
  


Re: Suspicious tower sniffing

Jamming is easy.  Spoofing requires far more hardware and expertise:
<www.ebay.com/sch/i.html?_nkw=cdma+base+station+emulator>
Most of the cellular test equipment can do much the same thing.  This
one should do for emulating CDMA (not GSM) systems:
<http://literature.cdn.keysight.com/litweb/pdf/5989-0513EN.pdf>
Some YouTube videos of a similar test set in action:
<https://www.youtube.com/playlist?list=PLAC6FCC5EA06843FA>




Re: Suspicious tower sniffing
Jeff Liebermann wrote:


Service monitors were never blocked, even in the analog days.


Re: Suspicious tower sniffing


Sorta.  The theory was that everyone that bought the software/firmware
was legitimate.  However, when it became obvious that many customers
were various "agencies" that didn't want to be identified, tracking
the buyers was quickly dropped.  For monitoring cell phone calls,
service monitors had call progress tracking and various forms of
filtering, which made it easy.

Speaking of analog, remember this incident?
<http://www.cnn.com/ALLPOLITICS/1997/01/13/tape/index.shtml>
A perfect recording of an intercepted Newt Gingrich cell phone
conversation, discussing his ethics problems, was provided to
congressional "ethics" investigators.  Allegedly, it was done with a
scanner, which was even then impossible without considerable added
hardware.  Most likely, it was done with a service monitor.
Incidentally, the Martins were eventually fined $500 for their
recordings.

<http://jacksonville.com/tu-online/stories/042697/_tape_pr.html>
<http://www.pbs.org/newshour/bb/politics-jan-june97-cellular_01-14/>


Re: Suspicious tower sniffing
Jeff Liebermann wrote:

  

If Newt wasn't mobile, it could have been done with a scanner. But you would  
need a good ear to figure out the person was worthy of scanning.

The cost of the service monitors was a bit steep for the average hobbyist.  
;-)

Re: Suspicious tower sniffing


Nope.  Even analog cell phones (AMPS) would hop frequencies every few
seconds.  Listening to AMPS on a scanner was impossible unless you
could decode the control tones (no data, just tones) and switch the
scanner to the next channel.  Since each carrier was originally
granted 333 channel pairs, programming a scanner for 333 channels was
problematic.

In 1997, it's also possible that it was a TDMA or GSM phone, which are
even less likely to be successfully intercepted by a common scanner.

Not for US government agencies.  However, it probably was NOT done
using a service monitor or scanner.  

I've never heard the recording, but I read somewhere that both sides
were crystal clear, with no dropouts, switching clicks, or fades.
That's not easy to do.

The problem is full duplex.  In order to record both sides of the
conversation, one would need two scanners.  One scanner to listen to
the handset on the handset frequency, and the other to listen to the
base station on a different frequency.  That's because the handset
transmit audio is NOT repeated by the base station[1].  So, if you
want to hear the handset transmit audio, you have to listen on the
handset frequency.  Finding a location where one can hear both the
handset and the base station is also rather problematic.

Kinda makes me wonder where the recording really came from.


[1] With AMPS, if it did repeat the audio, there would be about a 100
msec delay, where the echo would drive users nuts.  This is different
from the roughly 250 msec processing delay of digital handsets.  What
you actually hear in the earphone on a cell phone handset is
side-tone, produced locally in the handset with zero delay.


Re: Suspicious tower sniffing

I can neither confirm nor deny that I monitored analog cellular, but some  
calls didn't hop all that much. ;-) Nor can I confirm or deny I heard one of  
those phone sex service calls, but the conversation lasted long enough for  
the task to be completed. Um, allegedly. If it ever happened.  

Is there a statute of limitation on this stuff?


Re: Suspicious tower sniffing

The timing varied.  As I vaguely recall, 30 seconds per channel was
about the maximum.  Since you've effectively pleaded the 5th
amendment, please consider yourself guilty of something.  Note that
the constitution entitles you to a speedy trial.  In this case, the
trial was conducted so fast, that you may not have noticed.

Yes:
"Statutes of Limitation in Federal Criminal Cases: An Overview"
<http://fas.org/sgp/crs/misc/RL31253.pdf>
Prosecution is allowed for only as long as the wrong political party
is in power.  Since monitoring political figures might be construed as
something that might be done by a terrorist, there is no expiration
date as acts of terrorism are not protected by statutory limitations.




Re: Suspicious tower sniffing

Around 1995 or so, an attorney friend pointed out that it wasn't illegal to
listen in on cellular calls, baby monitors, cordless phones, etc. The
illegal part was doing something with what you happened to hear.

N/A if it wasn't illegal in the first place.


Re: Suspicious tower sniffing
wrote:

Cellular is blocked in most scanners by the ECPA enacted in 1986, well
before the 1997 incident:
<http://en.wikipedia.org/wiki/Electronic_Communications_Privacy_Act>
<http://wiki.radioreference.com/index.php/Cell_blocked>
You're correct that under the 3rd party FCC monitoring rules, you can
listen, but not tell anyone.

The illegal part was giving the recording to the politicians which
constitutes disclosure.  The Martins pleaded guilty and were fined
$500 each.
<http://jacksonville.com/tu-online/stories/042697/_tape_pr.html>
The NY Times should also have been fined for publishing a transcript
of the conversation, but wasn't.



Re: Suspicious tower sniffing
wrote:

Cellular was indeed blocked in my Radio Shack PRO-2006, but removing the
block involved snipping the lead on a single diode, if I remember correctly.
It was beyond easy. I still have that scanner around here somewhere, but I
haven't used it in years. These days, cellular has gone digital, a lot of
police and fire have either gone digital and/or use frequency hopping, and
CB scanning is useless with the little dipole antenna, etc. No one uses 900
MHz phones anymore, so that's gone, as well.

The last time I scanned CB, it turned out that I was within range of some
woman with a base station who spent hours every day flirting with truckers.
My (ex)wife used to listen in while I was at work. I guess it was her
equivalent of soap operas. Speaking of duplex, we could hear the woman
clearly, but we frequently couldn't hear the truck drivers. That would have
required a better antenna.

