Phony cell towers are the next big security risk

In China, signal hijacks have become an epidemic. Is the rest of the world next?

Last month, a Mr. Li in Shenyang, China, received a text from his bank's customer service number, notifying him that his credit card had accumulated reward points and telling him how to cash them in. When he followed the link and logged in, the site went dead. An hour later, he noticed more than $650 missing from his account. Only then did he realize he'd been scammed. The text had come from his bank's number, but it didn't come from his bank.

Instead, it came from a fake cell tower, a racket that's reaching epidemic levels in China. Scammers use a device called a base station to set up a fake signal coming from a local house or shop. As long as it's the strongest signal available, phones will connect automatically. The phony tower can't reach the larger network, so if you try to place a call or visit a website, you'll come up empty — but unless you're actively using your phone, you'd never know the difference. From there, scammers can send texts from any number they want. In cases like Mr. Li's, that turns out to be a very lucrative trick.

Qihoo 360, China's largest mobile security firm, has caught more than 1.2 billion messages from fake cell towers between April and June of this year, more than 13 million per day. Qihoo's figures only include messages caught by the company's app, so it's likely the total number is even higher. "It's very lucrative to have a tower device right now. People will pay big money for it," says Ren Huan, Qihoo 360’s head of mobile security. "We predict that this year and next year will be the worst time for us."

Roughly half the messages were simple advertising, sent from fake cell stations so as to dodge mass-texting fees, but Qihoo tagged another third of the messages as promoting illegal services, and 15 percent as outright fraud. The messages can appear as fake invoices, credit card statements, or phone bills from the carriers themselves. In each case, the message comes from the bank or phone company's official customer service number, giving targets no reason to doubt that the message is real.

At the heart of the scam is a basic vulnerability in the GSM, or 2G, phone network, whose design dates to the mid-'80s, before the rise of 3G and 4G networks. Towers check that each connected phone is legitimate, but there is no mechanism for the phone to authenticate the tower itself. When the system was designed 30 years ago, cell tower hardware was too expensive for such an attack to be practical. Now, a fake base station can be built for as little as $700, making it much easier to turn a profit.

As of this April, it's a felony to mass-manufacture the devices within Chinese borders, but in the thriving world of Chinese electronics manufacturing, those restrictions can be hard to enforce. Qihoo's data shows the densest cluster of attacks coming not from the populous south, but from a northern manufacturing city called Zhengzhou, where unauthorized hardware can be more easily manufactured and sold under the table. Chinese police have been cracking down on any factories caught with the equipment, with regular arrests and 24 production sites shut down so far this year, but judging by Qihoo's numbers the crackdown has barely put a dent in the attacks.

While China has seen the most widespread attacks, the vulnerability is being exploited on an increasingly global scale. In the US, law enforcement uses the same weaknesses to follow suspects, setting up fake towers with officially sanctioned Stingray devices, although many have questioned the legality of the tactic. Reports have also shown an alarming number of fake cell towers operating in Washington, DC, although it's difficult to pin down who is behind the irregularities. Outside of the US, a similar attack was used by journalists in India to wiretap politicians, while Czech police say they've seen it used for industrial espionage. In a landmark paper in The Harvard Journal of Law and Technology, the ACLU's Christopher Soghoian describes how the technology has spread, and why it has become so difficult to contain. "The fact that there are so many places in China that you can buy this stuff is alarming, but they don't have a monopoly on this technology. There are places you can buy this stuff in India, in Russia, and Israel too," Soghoian told The Verge. "It's time to secure our phone calls."

Some in the US government are trying to do just that. In July, Congressman Alan Grayson sent the Federal Communications Commission a formal inquiry about the problem, and the agency has since formed a task force to investigate the issue. Still, securing the network may be harder than it sounds. Modern 3G and 4G networks are immune to the attack, thanks to two-way authentication, but it will be years before the US can abandon the vulnerable GSM or 2G networks entirely, and doing so means upgrading thousands of towers across the country. So far, AT&T is leading the way, planning to abandon GSM by 2017, but that gives attackers three years to keep exploiting the vulnerability in the US, and even longer in the rest of the world.
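The difference between GSM's one-way check and the two-way authentication the article credits to 3G and 4G can be shown with a small protocol model. This is an added illustration, not code from the article, from Qihoo, or from any carrier: HMAC-SHA256 stands in for the real SIM algorithms (GSM A3/A8, the 3G/4G AKA functions), sequence-number handling is omitted, and every key and field name below is an assumption of the model.

```python
"""Toy model: a rogue base station is accepted under a GSM-style
one-way challenge/response, but rejected when the phone demands
that the network prove knowledge of the shared key first.

Added example. HMAC-SHA256 replaces the real SIM algorithms; the
names Ki, RAND, SRES, AUTN and RES follow the standards, but the
message layout here is a simplification, not the wire format.
"""
import hashlib
import hmac
import os
from typing import Optional


def _mac(key: bytes, *parts: bytes) -> bytes:
    """Keyed MAC standing in for the SIM's one-way functions."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(part)
    return h.digest()


class Phone:
    """Subscriber side: holds the shared secret Ki stored on the SIM."""

    def __init__(self, ki: bytes):
        self.ki = ki

    def gsm_response(self, rand: bytes) -> bytes:
        # GSM: the phone answers whatever challenge the tower sends and
        # never asks the tower to prove anything about itself.
        return _mac(self.ki, b"sres", rand)

    def aka_response(self, rand: bytes, autn: bytes) -> Optional[bytes]:
        # 3G/4G-style mutual authentication: before answering, the phone
        # checks the network's MAC over RAND. A tower that does not hold
        # Ki cannot produce it, so the phone refuses to attach.
        expected = _mac(self.ki, b"autn", rand)
        if not hmac.compare_digest(expected, autn):
            return None
        return _mac(self.ki, b"res", rand)


class Tower:
    """Network side. ki=None models a fake tower with no subscriber keys."""

    def __init__(self, ki: Optional[bytes]):
        self.ki = ki

    def gsm_attach(self, phone: Phone) -> bool:
        """Return True if the phone ends up camped on this tower."""
        rand = os.urandom(16)
        sres = phone.gsm_response(rand)
        if self.ki is None:
            # A rogue tower has no reason to verify SRES; it simply
            # accepts, and the phone has no way to notice.
            return True
        return hmac.compare_digest(sres, _mac(self.ki, b"sres", rand))

    def aka_attach(self, phone: Phone) -> bool:
        """Return True if the phone accepts this tower under mutual auth."""
        rand = os.urandom(16)
        if self.ki is None:
            autn = os.urandom(32)  # rogue tower cannot compute the MAC
        else:
            autn = _mac(self.ki, b"autn", rand)
        res = phone.aka_response(rand, autn)
        if res is None:
            return False  # phone rejected the tower
        if self.ki is None:
            return True
        return hmac.compare_digest(res, _mac(self.ki, b"res", rand))


def demo() -> dict:
    """Run one phone against a legitimate tower and a rogue tower."""
    ki = os.urandom(16)  # constructed subscriber key
    phone = Phone(ki)
    legit, rogue = Tower(ki), Tower(None)
    return {
        "legit_gsm": legit.gsm_attach(phone),
        "legit_aka": legit.aka_attach(phone),
        "rogue_gsm": rogue.gsm_attach(phone),
        "rogue_aka": rogue.aka_attach(phone),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'attached' if ok else 'rejected'}")
```

The only structural change between the two flows is that in `aka_response` the phone verifies the network before answering; that single step is what the article means by two-way authentication, and it is why the same rogue tower is accepted in the GSM flow and rejected in the 3G/4G flow.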

In the meantime, China is relying on scrappier fixes like the Qihoo app, which blocks any messages it identifies as suspicious but can't stop them from being delivered to the phone. Beyond that, researchers like Huan are relying on Chinese police getting smarter about tracking down the people buying and selling the towers. "We actually have a lot of data from the end user," Huan says, "but we are not law enforcement. And then there are the agencies responsible for catching these guys, but they don't have any data."
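A client-side filter of the kind the article attributes to the Qihoo app cannot stop a spoofed text from arriving, but it can flag one before the user follows the link. The heuristic below is an added example, not Qihoo's code: it treats a message as suspicious when a sender id that belongs to a known institution links to a domain that institution does not use, or when a known lure phrase appears alongside a link. The institution names, sender ids, trusted domains and sample texts are all constructed.

```python
"""Heuristic smishing filter for texts arriving from a spoofed sender id.

Added example, not the Qihoo app's logic. The sender ids, trusted
domains and sample messages are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed: sender ids the subscriber's institutions really use and the
# web domains each of them legitimately links to. On a real device this
# would come from the institution or from a maintained feed.
KNOWN_SENDERS: Dict[str, Set[str]] = {
    "955000": {"examplebank.com"},      # hypothetical bank
    "10000X": {"examplecarrier.cn"},    # hypothetical carrier
}

# Phrases that recur in the fraud categories the article describes
# (reward-point cash-ins, fake invoices, statements and phone bills).
LURE_PHRASES = (
    "reward points",
    "cash in",
    "verify your account",
    "overdue",
    "your bill",
)

URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


@dataclass
class Verdict:
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def extract_domains(body: str) -> List[str]:
    """Pull the hostnames out of any URLs in the message body."""
    hosts = []
    for match in URL_RE.finditer(body):
        url = match.group(0)
        if "://" not in url:
            url = "http://" + url
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def _belongs_to(host: str, trusted: Set[str]) -> bool:
    # Exact match or a subdomain of a trusted domain; a look-alike such as
    # examplebank.com.evil.example does not end with ".examplebank.com".
    return host in trusted or any(host.endswith("." + t) for t in trusted)


def classify(sender: str, body: str) -> Verdict:
    """Score one incoming text. Delivery already happened; this only flags."""
    reasons: List[str] = []
    domains = extract_domains(body)

    trusted = KNOWN_SENDERS.get(sender)
    if trusted is not None:
        # The sender id claims to be a known institution, so any link
        # must stay on that institution's own domains.
        for host in domains:
            if not _belongs_to(host, trusted):
                reasons.append(
                    f"sender {sender} links to {host}, not one of {sorted(trusted)}"
                )

    lowered = body.lower()
    hits = [p for p in LURE_PHRASES if p in lowered]
    if hits and domains:
        reasons.append("lure phrase with link: " + ", ".join(hits))

    return Verdict(bool(reasons), reasons)


# Constructed sample traffic modelled on the message types in the article.
SAMPLE_MESSAGES = [
    ("955000", "Your credit card has accumulated 12,800 reward points. "
               "Cash in before month end: http://bank-points-exchange.example/login"),
    ("955000", "Your monthly statement is ready at https://www.examplebank.com/statements"),
    ("10000X", "Your bill is overdue. Pay now at examplecarrier.cn.billing-center.example/pay"),
    ("13800000000", "Furnished apartments downtown, move in this week, call now."),
]


def scan(messages=SAMPLE_MESSAGES) -> List[bool]:
    """Return one suspicious/not-suspicious flag per message, in order."""
    return [classify(sender, body).suspicious for sender, body in messages]


if __name__ == "__main__":
    for (sender, body), flag in zip(SAMPLE_MESSAGES, scan()):
        print(f"[{'SUSPICIOUS' if flag else 'ok'}] {sender}: {body[:60]}")
```

The filter deliberately ignores the sender id as evidence of legitimacy: in the attack described above the sender id is exactly the field the fake tower controls, so trust has to be anchored on where the link actually points, not on who the message claims to be from.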