DOI: 10.1145/3678890.3678898
Research article, Open access

Catch You Cause I Can: Busting Rogue Base Stations using CellGuard and the Apple Cell Location Database

Published: 30 September 2024

Abstract

Mobile phones connect to the Internet and receive phone calls using a cellular baseband chip. Basebands pose a substantial attack surface, as they not only process but also decrypt personal data. Cellular attackers usually force a phone to connect with a rogue base station, e.g., to record identity information and locations, intercept or manipulate traffic, or execute arbitrary code by exploiting vulnerabilities in the baseband stack. Rogue base stations are stealthy, as smartphones attempt to connect to nearby base stations and do not display any indicators of compromise to the user. While their detection with Software-defined Radios (SDRs) is possible, usability and scalability are limited.
We research and expose the baseband interface on recent iPhones with Intel and Qualcomm chips to detect attacks. We integrate these findings into a user-friendly app called CellGuard. Detection even works on non-jailbroken iPhones with the latest security updates and Lockdown Mode. We enhance detection by utilizing Apple’s internal database with highly accurate cell tower information and by in-depth reverse engineering of Apple’s baseband interface protocols to find further indicators of compromise. During multiple weeks of evaluation, we collect data on various devices using CellGuard and evaluate the results, along with measurements from our own setup. Our baseband analysis framework BaseTrace will be helpful beyond detection, as it can interact with the baseband and decode any management information exchanged, including satellite communication in the iPhone 15.
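The abstract describes one of CellGuard's core checks in a single sentence: a cell the phone reports is compared against a database of known towers with accurate positions. The following is an added illustration of that kind of check, written for this page and not code from CellGuard or from Apple. The cell identifiers, tower positions, coverage radii and observations are all constructed sample values; the structure of Apple's internal cell location database is not public on this page, so the database is modelled here simply as a dictionary keyed by the cell identity. The check flags a cell that is absent from the database, or one whose observed position is far outside the tower's recorded coverage radius; both are the kind of indicator a detector app would surface to the user, not a proof of an attack.

```python
"""Toy rogue base station plausibility check against a cell location database.

Added example, not CellGuard's own code. All cell data below is constructed.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class CellId:
    """Globally unique identity of a cell: PLMN (MCC/MNC), area code (LAC/TAC), cell id."""
    mcc: int
    mnc: int
    area: int
    cell: int


@dataclass(frozen=True)
class TowerRecord:
    """Recorded tower position and approximate coverage radius (metres)."""
    lat: float
    lon: float
    radius_m: float


@dataclass(frozen=True)
class Observation:
    """A cell the phone reported, together with the phone's own GPS fix at the time."""
    label: str
    cell: CellId
    lat: float
    lon: float


# Constructed sample database (assumed shape; Apple's real database format is not shown here).
KNOWN_CELLS = {
    CellId(mcc=262, mnc=1, area=4012, cell=12345678): TowerRecord(49.8728, 8.6512, 2000.0),
    CellId(mcc=262, mnc=1, area=4012, cell=12345679): TowerRecord(49.8690, 8.6400, 1500.0),
}

# Constructed sample observations: one plausible, one too far from the tower, one unknown cell.
SAMPLE_OBSERVATIONS = [
    Observation("near_known_tower", CellId(262, 1, 4012, 12345678), 49.8750, 8.6540),
    Observation("far_from_known_tower", CellId(262, 1, 4012, 12345678), 49.9728, 8.6512),
    Observation("unknown_cell", CellId(262, 1, 4012, 99999999), 49.8728, 8.6512),
]


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def check_observation(obs: Observation, db: dict, slack_m: float = 1000.0) -> list:
    """Return a list of human-readable indicators; an empty list means the cell looks plausible.

    slack_m is an assumed tolerance for GPS error and imprecise coverage radii.
    """
    reasons = []
    record = db.get(obs.cell)
    if record is None:
        reasons.append("cell not present in location database")
        return reasons
    distance = haversine_m(obs.lat, obs.lon, record.lat, record.lon)
    limit = record.radius_m + slack_m
    if distance > limit:
        reasons.append(
            f"phone is {distance:.0f} m from recorded tower position, "
            f"beyond coverage radius plus slack ({limit:.0f} m)"
        )
    return reasons


def verdicts(observations=SAMPLE_OBSERVATIONS, db=KNOWN_CELLS) -> dict:
    """Map each observation label to its list of indicators."""
    return {o.label: check_observation(o, db) for o in observations}


if __name__ == "__main__":
    for label, reasons in verdicts().items():
        status = "suspicious" if reasons else "plausible"
        print(f"{label}: {status} {reasons}")
```

A real detector would compute such indicators continuously from the baseband's cell reports and combine them with the further protocol-level indicators the paper mentions; here the database lookup and the distance check are kept separate so that each indicator is reported with its own explanation.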


Cited By

(2024) Wherever I May Roam: Stealthy Interception and Injection Attacks Through Roaming Agreements. Computer Security – ESORICS 2024, 208–228. https://doi.org/10.1007/978-3-031-70903-6_11. Online publication date: 16 September 2024.

Published In

RAID '24: Proceedings of the 27th International Symposium on Research in Attacks, Intrusions and Defenses, September 2024, 719 pages.
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher: Association for Computing Machinery, New York, NY, United States

Published: 30 September 2024

Qualifiers: Research-article, Research, Refereed limited

Funding Sources

  • Hessian State Ministry of Higher Education, Research, Science and the Arts
  • Federal Ministry of Education and Research of Germany (BMBF)

Conference: RAID '24

Acceptance Rate: 43 of 173 submissions (25%)
