CELL TOWER SIMULATORS

 


What motivated this article is the irrational phobias floating around, sparked by the media and a byproduct of the NSA / Edward Snowden extravaganza. All of a sudden we have people running around slashing their wrists, developing constipation, high blood pressure, erectile dysfunction and self-imposed sleep deprivation over the technologies being used to fight 21st-century threats and solve crimes.

I absolutely do not give a rat's ass that my mobile device is exploited in the process of locating a terror cell or finding a missing child. Furthermore, the secrecy surrounding this technology puts people in a junior G-man mentality, feeding fantasies a la Edward Snowden. If you’ve come to the conclusion that I dislike Snowden, you are both perceptive and correct. Snowden’s crania-vaginal inversion has done considerable harm in spite of the fact that he was simply a minor functionary. That was my non-billable moment of self-expression.

So let’s demystify the cell tower simulator. Cell tower simulators are devices designed to interact with a mobile device, within a limited range, for purposes of collecting information that can then be used to identify and track that device. They have two modes of operation: active and passive. In active mode, they function as a cell tower, forcing the phone to connect to the simulator and exchange information like the IMSI (International Mobile Subscriber Identity) and the device’s ESN (Equipment Serial Number). The IMSI provides country, network and phone number, while the ESN is your phone’s unique serial number; they may also collect the MAC address of the WiFi device on the phone. Simulators come in all shapes and sizes: some are rack mounted and hard-wired, others are handheld. The more sophisticated simulators have the ability to increase the phone’s output power or load executable files into the phone’s memory.

How is this information used? To best answer that question we need to understand how cell phones interact with their networks.

Cell phones communicate using one of two protocols, GSM or CDMA, so a cell tower simulator needs to support one or the other. In GSM, which is used extensively in Europe and by two carriers in the U.S., a cell phone is assigned one of 124 frequencies, each 200 kHz wide. Think of it as a multilane highway where each unique vehicle is assigned a lane to use for the duration of its travel. The 200 kHz is the width of the traffic lane. Because these traffic lanes are used for communications, there must be an inbound and an outbound corridor or you wouldn’t be able to hear your significant other interrupting to tell you to pick up a gallon of milk. That’s what occurs every time you use your mobile device to place a call or access data. So collecting the ESN and IMSI is what allows us to identify which device is using which traffic lane, as well as which content (voice or data) belongs to which phone. Once court orders are obtained, the intercept usually occurs at the switch and not at the RF side of the network.

Much of the need for secrecy surrounding this technology is simply to deny a potential target knowledge of the capability, but some component of that is to avoid unfounded privacy concerns in the general population.

In addition to detection, the technology also allows for direction finding of a signal. Estimating the location of a device requires a minimum of two direction vectors, but preferably three or more.
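Why three or more bearings are preferred over the minimum of two can be shown with a least-squares fix. The following is an added example, not part of the original article; the receiver positions, transmitter position and bearing errors are constructed, and the function names are illustrative.

```python
import math

def bearing_deg(src, dst):
    """Compass bearing (degrees clockwise from north) from src to dst, both (east_m, north_m)."""
    return math.degrees(math.atan2(dst[0] - src[0], dst[1] - src[1])) % 360.0

def locate_from_bearings(observations):
    """Least-squares intersection of bearing lines.

    observations: (east_m, north_m, bearing_deg) per direction-finding position.
    Returns (east_m, north_m, rms_miss_m). Bearings are treated as infinite
    lines, so the caller must check that the fix lies ahead of each antenna.
    """
    if len(observations) < 2:
        raise ValueError("one bearing gives a line, not a position")
    a11 = a12 = a22 = b1 = b2 = 0.0
    lines = []
    for east, north, bearing in observations:
        t = math.radians(bearing)
        nx, ny = math.cos(t), -math.sin(t)   # unit normal to the bearing line
        c = nx * east + ny * north           # line equation: nx*x + ny*y = c
        a11, a12, a22 = a11 + nx * nx, a12 + nx * ny, a22 + ny * ny
        b1, b2 = b1 + nx * c, b2 + ny * c
        lines.append((nx, ny, c))
    det = a11 * a22 - a12 * a12              # ~0 when all bearings are parallel
    if det < 1e-9:
        raise ValueError("bearings are parallel; no unique intersection")
    x = (a22 * b1 - a12 * b2) / det
    y = (a11 * b2 - a12 * b1) / det
    rms = math.sqrt(sum((nx * x + ny * y - c) ** 2 for nx, ny, c in lines) / len(lines))
    return x, y, rms

# Constructed sample data: three receiver positions and a transmitter, in metres.
RECEIVERS = [(0.0, 0.0), (1000.0, 0.0), (500.0, 1000.0)]
TRUE_POSITION = (400.0, 300.0)
BEARING_ERRORS_DEG = [2.0, -2.0, 1.0]        # constructed measurement errors

def demo():
    exact = [(e, n, bearing_deg((e, n), TRUE_POSITION)) for e, n in RECEIVERS]
    noisy = [(e, n, b + err) for (e, n, b), err in zip(exact, BEARING_ERRORS_DEG)]
    return {
        "two_exact": locate_from_bearings(exact[:2]),
        "two_noisy": locate_from_bearings(noisy[:2]),
        "three_noisy": locate_from_bearings(noisy),
    }

if __name__ == "__main__":
    for name, (x, y, rms) in demo().items():
        print(f"{name:12s} east={x:7.1f} north={y:7.1f} rms_miss={rms:5.1f} m")
```

Two non-parallel bearings always meet at a single point, so their miss distance is zero even when the bearings are wrong; a third bearing is what exposes the measurement error as a non-zero miss.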

The picture below illustrates a typical fixed installation.


There are numerous manufacturers of cell tower simulators; Sting Ray is but one type, manufactured by Harris Corporation in Melbourne, FL. If you look at the front panel you’ll see that it supports 4 transmit antennas, 3 receive antennas and two direction finding antennas, along with their corresponding control signals. The direction finding antennas are rotated to locate and provide a direction to a signal of interest. The Sting Ray is also usable in a mobile application, so it has a built-in GPS receiver with its corresponding antenna jack so that the system knows its exact location at all times.

These devices are not eavesdropping devices; they detect and track signals of interest and determine the direction of a known IMSI and ESN. Could they be used to turn a cell phone into an active bug? The answer is yes, but actual eavesdropping requires other technologies.

So, don’t stop talking dirty with your wife or girlfriend and know that in the event of a threat or crime, we have the ability to employ modern technology to increase our odds in the fight.

Your only real issue becomes: do you trust the authorities to conduct themselves within established guidelines, and are the guidelines free from ambiguities that would allow too much latitude?
