Analyzing the operation and surveillance methods of cellular networks, and identifying malicious base stations.
This is a research project that analyzes how cellular networks operate and how they can be abused for surveillance. The application can detect cellular attacks: it observes baseband packets, looks for suspicious activity in them, and thereby identifies malicious base stations. Let's catch them all!
Screenshots: the application's summary, map, and data packet views.
What is a rogue base station? A malicious base station, also known as a fake base station, is a rogue network base station that tricks your phone into connecting to it. Attackers can use malicious base stations for various purposes, such as tracking user locations, intercepting network traffic, or even launching remote code execution attacks against the baseband chip firmware. With readily available radio technology, attackers can set up malicious base stations with little effort. In this network type, phones connect to such base stations without further verification, similar to open networks. Since the issue is inherent to the specification, the best defense is to turn off that connection type on your phone. Recent releases support this as a setting in Lockdown Mode.
Since then, the network authenticates the phone. In theory, this should prevent attackers from setting up rogue base stations with extended capabilities, such as intercepting network traffic. However, state-sponsored attackers can coerce mobile network operators into cooperating, which still allows them to set up rogue base stations that authenticate through roaming infrastructure. Such attacks have been reported.
How does malicious base station detection work? A perfectly disguised malicious base station is hard to tell apart from a real one. However, attackers face certain challenges when setting one up. This project aims to identify those challenges and build detection metrics on top of them. In the initial version, the application uses the following metrics to detect malicious base stations:
- Presence in the positioning service database: a base station missing from the database may have been set up only recently.
- Distance between the base station's recorded location and the user's actual location: detects malicious base stations with incorrect parameter settings.
- Consistency of the cell's channel and physical cell values: also detects malicious base stations with incorrect parameter settings.
- Bandwidth: detects malicious base stations built on low-cost or obsolete hardware.
- Network reject packets: reveal network authentication failures.
- Signal strength: indicates whether a base station is trying to force connections by transmitting a signal significantly stronger than those of neighboring base stations.
In field tests in Europe and the United States, we found that every one of these indicators can also be triggered for legitimate reasons, so some anomalies are to be expected. For example, when a mobile network operator sets up a new cell, it may take some days for it to appear in the database. Certain cells may reduce bandwidth per user, especially during periods of high traffic. When the phone connects to a network without a valid SIM card, it receives a network reject packet; this includes SIM cards that are not allowed to roam and situations where the SIM's own network provider has no coverage but other networks are available. Signal strength naturally varies as well. Combining multiple indicators and assigning them different weights makes detection more reliable, but the application may still warn you about legitimate base stations. Given how rare rogue base station attacks are, most warnings seen by ordinary users are false positives.
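The weighted combination of indicators described above, as an added illustration rather than the application's own code: each of the six metrics fires independently, and only their weighted sum decides whether to warn, so that a single legitimate anomaly (a freshly deployed cell, a roaming rejection) stays below the threshold. Field names, weights and thresholds are this example's own assumptions, and the three observations are constructed.

```python
from dataclasses import dataclass

@dataclass
class CellObservation:
    cell_id: str
    in_location_db: bool        # known to the positioning-service database
    distance_km: float          # database location vs. user's actual location
    channel_mismatch: bool      # channel / physical-cell comparison failed
    bandwidth_mhz: float        # bandwidth advertised by the cell
    network_reject: bool        # a network-reject packet was seen on this cell
    signal_dbm: float           # this cell's signal strength
    neighbor_signal_dbm: float  # median signal strength of the other visible cells

# Illustrative weights and thresholds (assumptions, not the app's calibrated values).
WEIGHTS = {"not_in_db": 2.0, "far_away": 2.0, "channel_mismatch": 2.0,
           "low_bandwidth": 1.0, "network_reject": 1.5, "strong_signal": 1.0}
WARN_THRESHOLD = 3.5          # no single indicator reaches this on its own
MAX_DISTANCE_KM, MIN_BANDWIDTH_MHZ, SIGNAL_MARGIN_DB = 20.0, 5.0, 20.0

def triggered_indicators(obs):
    """Return the names of the six indicators that fire for one observed cell."""
    hits = []
    if not obs.in_location_db:
        hits.append("not_in_db")
    elif obs.distance_km > MAX_DISTANCE_KM:   # distance is only defined for known cells
        hits.append("far_away")
    if obs.channel_mismatch:
        hits.append("channel_mismatch")
    if obs.bandwidth_mhz < MIN_BANDWIDTH_MHZ:
        hits.append("low_bandwidth")
    if obs.network_reject:
        hits.append("network_reject")
    if obs.signal_dbm - obs.neighbor_signal_dbm > SIGNAL_MARGIN_DB:
        hits.append("strong_signal")
    return hits

def score(obs):
    """Weighted sum of fired indicators; warn only when several combine."""
    hits = triggered_indicators(obs)
    total = sum(WEIGHTS[h] for h in hits)
    return total, hits, total >= WARN_THRESHOLD

# Constructed observations: a freshly deployed legitimate cell, a roaming
# rejection on a legitimate cell, and a cell that trips several indicators.
SAMPLE_CELLS = [
    CellObservation("new-cell", False, 0.0, False, 20.0, False, -80.0, -85.0),
    CellObservation("roam-reject", True, 1.2, False, 20.0, True, -90.0, -88.0),
    CellObservation("suspect", False, 0.0, True, 1.4, False, -55.0, -90.0),
]
```

Running `score` over `SAMPLE_CELLS` warns only for the third cell; the first two each trip one indicator and stay below the threshold.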
How does it work on a technical level? The application captures the packets exchanged between the cellular baseband chip and the rest of the device. It then analyzes these packets for the anomalies listed above and combines them with your location history. For more details on how it works, please refer to our presentation.
How to respond to rogue base station warnings? Because regular network anomalies make false positives likely, a reported malicious base station is no reason for immediate alarm. Through ongoing research we aim to improve the detection algorithms so that future warnings are more accurate. Depending on your threat model, a warning can mean different things. Even if you did connect to a genuine rogue base station, that does not necessarily mean you are being monitored or hacked, nor does it imply mass surveillance: because of the way rogue base stations operate, users other than the intended targets are expected to see and connect to them. From the user's perspective, immediate options are limited. A warning means you connected to a suspicious base station. If you expect a malicious base station within wireless range, you can enable airplane mode or turn off your phone. For further investigation, especially when the connection to a malicious base station coincides with other unexpected behavior, save a copy of the report to separate storage.
I want to try it! Great! We are currently in an early testing phase and are evaluating our detection metrics with a broader user base. You can install it on your main device, even with Lockdown Mode enabled, or on a jailbroken device that serves as a sensor.
The application runs on devices that are on, or can update to, the supported version. It analyzes the baseband protocol messages of Qualcomm and Intel chips. In short: if your device runs the supported version or later, it is supported!
When should non-jailbreak mode be used? The application can detect malicious base stations that track users and intercept network traffic. A malicious base station may also be the first step of a further attack on the user's phone. Such follow-on attacks are costly, so only high-risk users (such as politicians, journalists, or human rights activists) are likely to be targeted, and these targeted attacks are likely aimed at the user's primary device. To make such attacks as difficult as possible, enable Lockdown Mode on the primary device, disable certain features, and always update to the latest version. The application supports running on the latest version with these security settings enabled, so we recommend using it in non-jailbreak mode on the primary device. In non-jailbreak mode you must collect baseband packets manually on a regular basis. Malicious base station attacks require physical proximity, so, where possible, it is best to turn off your device in places where you suspect an attacker might be. That is not always feasible, and attackers can also be in unexpected locations. We therefore recommend importing packets regularly, especially after you have been in a sensitive location within the past hour, such as an airport, a national border, or a protest site.
When should jailbreak mode be used? In jailbreak mode, baseband packets are collected automatically in the background. No user interaction is required, so you cannot forget to run system diagnostics. On devices with Qualcomm modems, additional data can be obtained, which makes a jailbroken device with a Qualcomm modem an excellent sensor for detecting malicious base stations. Using an auxiliary device as a sensor has limitations, though. First, your primary phone may observe and connect to different cells for various reasons, such as a different operator's SIM card, different signal reception characteristics, or a different cell selection algorithm in the modem. Second, if the jailbroken device is not your primary device and you are an at-risk user, you may not observe targeted attacks at all. When carrying a jailbroken auxiliary device with a Qualcomm modem as a sensor for malicious base stations, keep in mind that this device can easily become a target for attackers. We only recommend this setup for research purposes.
Will there be an Android version? We are primarily focused on the current platform and have no concrete plans for an Android application.