How OpenBTS works

Detecting and wiretapping cell phones

Roland Freest

Everyone carries their phone with them, and for more and more people it is their primary phone. That suits the law enforcement authorities, who use cell phones to track their owners and listen in on their conversations.

The current location of any mobile phone can be determined via the cellular network.
© istockphoto / Alkalyne, Philipp Bartlett

Locating a cell phone is relatively easy: every cell phone always registers with the base station that emits the strongest radio signal, which is usually the closest one. If you can determine which station that is, you can also say roughly where a person, or at least their cell phone, is at the moment. Depending on the terrain and population density, however, that means a radius of anywhere from 100 meters to a few kilometers.

For the phone to be located, however, it must first transmit something. Such a transmission can be triggered with a silent SMS, also known as a stealth ping. It should not be confused with a flash SMS, a message that pops up on the phone's display immediately on receipt, without the user having to open it first.

Unnoticed query

The recipient of a silent SMS does not notice the arrival of this message: the phone neither makes a sound nor logs a new SMS. Nevertheless, the device sends a response to the mobile network operator, equally unnoticed, which contains among other things the internal subscriber ID, the IMSI (International Mobile Subscriber Identity). This code, read from the SIM card, uniquely identifies the phone's owner. Together with the location of the radio cell, the network operator forwards this data to the authorities.
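What distinguishes a silent SMS from a flash SMS or an ordinary message is visible in the message header, not in any text. In 3GPP TS 23.040 a silent SMS is "Short Message Type 0", marked by the protocol identifier TP-PID = 0x40: the phone must acknowledge it to the network but may discard it without storing or displaying anything. A flash SMS is an ordinary message whose data coding scheme TP-DCS sets message class 0. The following Python script is an added example, not code from the article or from any tool it names; it parses SMS-DELIVER PDUs in the form a modem returns in PDU mode (AT+CMGL / AT+CMGR) and classifies each as silent, flash or normal. The three sample PDUs, the sender number, the SMSC number and the timestamp are constructed. Whether a phone's baseband hands a Type 0 message up to software at all is implementation-dependent; the script shows what to look for when it does.

```python
"""Classify SMS-DELIVER PDUs (3GPP TS 23.040) as silent, flash or normal."""

PID_TYPE0 = 0x40   # TP-PID "Short Message Type 0": acknowledge, then discard silently


def _semi_octets(raw, ndigits):
    """Decode BCD digits, low nibble first; 0xF is padding."""
    digits = []
    for b in raw:
        digits.extend((b & 0x0F, b >> 4))
    return "".join(str(d) for d in digits[:ndigits] if d != 0xF)


def _unpack_7bit(raw, septets):
    """Unpack the GSM 7-bit default alphabet. Septets are mapped straight to
    ASCII, which is correct for A-Z, a-z, 0-9 and space (simplification)."""
    acc, nbits, out = 0, 0, []
    for b in raw:
        acc |= b << nbits
        nbits += 8
        while nbits >= 7 and len(out) < septets:
            out.append(chr(acc & 0x7F))
            acc >>= 7
            nbits -= 7
    return "".join(out)


def parse_deliver(pdu_hex):
    """Parse an SMS-DELIVER PDU as a modem returns it in PDU mode,
    i.e. with the length-prefixed SMSC address in front of the TPDU."""
    data = bytes.fromhex(pdu_hex)
    pos = 1 + data[0]                                  # skip SMSC address
    first = data[pos]; pos += 1
    if first & 0x03 != 0x00:
        raise ValueError("TP-MTI is not SMS-DELIVER")
    ndigits, toa = data[pos], data[pos + 1]; pos += 2  # TP-OA: digit count, type of address
    nbytes = (ndigits + 1) // 2
    sender = _semi_octets(data[pos:pos + nbytes], ndigits)
    if (toa & 0x70) == 0x10:                           # type of number: international
        sender = "+" + sender
    pos += nbytes
    pid, dcs = data[pos], data[pos + 1]; pos += 2      # TP-PID, TP-DCS
    ts = _semi_octets(data[pos:pos + 7], 14); pos += 7 # TP-SCTS, nibble-swapped BCD
    udl = data[pos]; pos += 1                          # TP-UDL
    ud = data[pos:]                                    # TP-UD
    seven_bit = ((dcs & 0xC0) == 0x00 and (dcs & 0x0C) == 0x00) or \
                ((dcs & 0xF0) == 0xF0 and not (dcs & 0x04))
    text = _unpack_7bit(ud, udl) if seven_bit else ud.hex()
    return {
        "sender": sender,
        "timestamp": f"20{ts[0:2]}-{ts[2:4]}-{ts[4:6]} {ts[6:8]}:{ts[8:10]}:{ts[10:12]}",
        "pid": pid, "dcs": dcs, "udl": udl, "text": text,
    }


def classify(msg):
    """'silent' for Type 0, 'flash' for message class 0, otherwise 'normal'."""
    if msg["pid"] == PID_TYPE0:
        return "silent"
    dcs = msg["dcs"]
    # Class bits are only meaningful if the DCS says so: bit 4 set in the
    # general coding group (00xx xxxx), or the 1111 xxxx group.
    class_given = ((dcs & 0xC0) == 0x00 and dcs & 0x10) or (dcs & 0xF0) == 0xF0
    if class_given and (dcs & 0x03) == 0:
        return "flash"
    return "normal"


def audit(pdus):
    """(timestamp, sender, kind) per PDU: repeated silent pings from one
    sender stand out in such a list."""
    return [(m["timestamp"], m["sender"], classify(m))
            for m in (parse_deliver(p) for p in pdus)]


# Constructed sample PDUs (not captured from a real network).
_HEAD = "0791947100000000" + "04" + "0A811032547698"   # SMSC 4917..., sender 0123456789
_SCTS = "41305101000040"                                 # 2014-03-15 10:00:00 +01:00
SILENT_PDU = _HEAD + "40" + "00" + _SCTS + "00"          # PID 0x40, no user data
FLASH_PDU = _HEAD + "00" + "10" + _SCTS + "02" + "C834"  # DCS class 0, text "Hi"
NORMAL_PDU = _HEAD + "00" + "00" + _SCTS + "02" + "C834" # plain text "Hi"

if __name__ == "__main__":
    for row in audit([SILENT_PDU, FLASH_PDU, NORMAL_PDU]):
        print(row)
```

The classifier deliberately tests TP-PID before looking at the coding scheme: a Type 0 message carries no user data and an all-zero DCS, so on the DCS alone it would be indistinguishable from an empty ordinary message.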

A silent SMS is answered automatically even if the phone is switched off. This can only be prevented by removing either the SIM card or the battery from the phone. The procedure is legally permissible because a silent SMS is not a message with communicative content: the SMS contains no text. These messages therefore do not fall under Article 10 of the Basic Law (Grundgesetz), which guarantees the privacy of correspondence, posts and telecommunications. Surveillance via silent SMS must nevertheless be ordered by a judge, unless there is imminent danger.

Cell phone tracking is daily practice

Silent SMS are used by the Office for the Protection of the Constitution, the police and customs, who regularly send these messages to suspects' phones in order to build movement profiles. In response to an inquiry by a member of the Bundestag from the Left Party (Die Linke), the federal government published some figures: the BKA sent 96,314 silent SMS and the Federal Office for the Protection of the Constitution 107,852. The customs investigation authorities sent as many as 236,617 silent messages. On top of this come the figures from the individual federal states: in North Rhine-Westphalia, for example, the police sent 255,874 silent SMS. Since these messages are primarily used to track people, several messages usually go to a limited number of cell phones. In North Rhine-Westphalia there were 2,644 phones in 778 investigations, so each cell phone was contacted around 100 times.

You can also send your own silent SMS using a smartphone like the HTC One X.
HushSMS offers various types of SMS, including silent SMS ("Send PING").
HushSMS also distinguishes several silent SMS methods.

Send your own silent SMS

At present there appears to be no app, at least for smartphones, that can stop a phone from answering silent SMS. With HushSMS, however, software for Android devices has long been available that lets you send silent SMS yourself. Admittedly, you do not learn which radio cell the contacted phone is currently in; that data is available only to the network operators. The response does, however, reveal whether the other device is switched on or not, without its owner knowing about it.

The author of HushSMS warns that the software will not work on every Android smartphone. Owners of HTC models in particular, however, have a good chance that the program will run on their phones, because HTC's Sense user interface contains a special function the program requires. He therefore recommends downloading the free Lite version and trying it out first. It supports various other types of SMS, but not silent SMS. If everything works there, the full version, which costs 1.50 euros in the Google Play Store, will probably work too. Since HushSMS is very technical, you should study the explanations on the website before using it for the first time.

Monitor cell phones with the IMSI catcher

As mentioned at the beginning, a cell phone always connects to the base station from which it receives the strongest signal. The law enforcement authorities, and the intelligence services too, take advantage of this to eavesdrop on conversations. To do so they use an IMSI catcher, which simulates a base station. Brought close enough to the phone, it emits the strongest signal and the phone logs on to it. This works because a cell phone authenticates itself to the base station, but the station does not authenticate itself to the phone. An IMSI catcher can therefore pose as "Vodafone", for example, without this ever being verified.

A small trick is needed to listen to cell phone calls with an IMSI catcher, because GSM networks, like UMTS mobile radio, are normally encrypted. The IMSI catcher therefore simulates a 2G network that is unencrypted by default. This standard is still supported by all cell phones, so the phone automatically switches to 2G mode and the conversation can be monitored. The user notices nothing of this. According to the standard, the phone should warn of an unencrypted connection to the base station by means of a visual indicator. In countries like India, however, the law requires all calls to be unencrypted, and since the annoying warning would then pop up on every change of radio cell, all mobile network operators now switch it off via a setting on the SIM card.
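The SIM setting referred to here is the OFM bit (Operational Feature Monitor, the ciphering indicator) in the administrative data file EF_AD (file id 0x6FAD) described in 3GPP TS 31.102 and TS 51.011. Whether your own SIM suppresses the warning can be checked by reading that file. The Python script below is an added example, not code from the article or from any product it mentions; it assumes a modem that exposes an AT command port, so that EF_AD can be read with `AT+CRSM=176,28589,0,0,4` (176 = READ BINARY, 28589 = 0x6FAD), and that the OFM bit is bit 1 of byte 3 of EF_AD, as in the cited specifications. The `+CRSM` replies at the bottom are constructed, not taken from a real SIM.

```python
"""Read the ciphering-indicator flag (OFM) from a SIM's EF_AD via AT+CRSM."""
import re

EF_AD = 0x6FAD          # file id of EF_AD; decimal 28589 in AT+CRSM
READ_BINARY = 176       # AT+CRSM command code for READ BINARY
AT_READ_EF_AD = f"AT+CRSM={READ_BINARY},{EF_AD},0,0,4"

# Byte 1 of EF_AD: UE operation mode (TS 31.102 / TS 51.011).
OPERATION_MODES = {
    0x00: "normal",
    0x80: "type approval",
    0x01: "normal + specific facilities",
    0x81: "type approval + specific facilities",
    0x02: "maintenance (off line)",
    0x04: "cell test",
}


def parse_crsm(reply):
    """Extract the hex body from a '+CRSM: <sw1>,<sw2>[,"<data>"]' reply and
    check the status word; 0x90 0x00 is the only success code accepted here."""
    m = re.match(r'^\+CRSM:\s*(\d+)\s*,\s*(\d+)(?:\s*,\s*"?([0-9A-Fa-f]*)"?)?\s*$',
                 reply.strip())
    if not m:
        raise ValueError("not a +CRSM reply: %r" % reply)
    sw1, sw2, body = int(m.group(1)), int(m.group(2)), m.group(3) or ""
    if (sw1, sw2) != (0x90, 0x00):
        raise ValueError(f"SIM returned status word {sw1:02X}{sw2:02X}")
    return body


def decode_ef_ad(hex_body):
    """Decode EF_AD: byte 1 operation mode, byte 3 bit 1 OFM (ciphering
    indicator: 0 = disabled, 1 = enabled), byte 4 MNC length if present."""
    raw = bytes.fromhex(hex_body)
    if len(raw) < 3:
        raise ValueError("EF_AD is at least 3 bytes long")
    info = {
        "operation_mode": OPERATION_MODES.get(raw[0], f"unknown (0x{raw[0]:02X})"),
        "ciphering_indicator": bool(raw[2] & 0x01),
    }
    if len(raw) >= 4:
        info["mnc_length"] = raw[3] & 0x0F
    return info


def ciphering_warning_enabled(crsm_reply):
    """True if the SIM lets the phone show the 'unencrypted' warning."""
    return decode_ef_ad(parse_crsm(crsm_reply))["ciphering_indicator"]


# Constructed modem replies to AT_READ_EF_AD (not read from a real SIM).
REPLY_INDICATOR_OFF = '+CRSM: 144,0,"00000002"'   # normal mode, OFM = 0, 2-digit MNC
REPLY_INDICATOR_ON = '+CRSM: 144,0,"00000102"'    # normal mode, OFM = 1, 2-digit MNC
REPLY_NOT_FOUND = '+CRSM: 106,130'                # status word 6A82: file not found

if __name__ == "__main__":
    print("send:", AT_READ_EF_AD)
    for reply in (REPLY_INDICATOR_OFF, REPLY_INDICATOR_ON):
        print(reply, "->", decode_ef_ad(parse_crsm(reply)))
```

A SIM that reports OFM = 0 will never show the warning, however the phone firmware is configured; that is the state the article describes as the operators' default.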

With a device like the USRP from Ettus Research you can build your own IMSI catcher.

IMSI catchers are manufactured by Rohde & Schwarz in Munich, for example, and the devices cost six- to seven-figure sums. At the Defcon hacker conference in 2010, however, Chris Paget demonstrated a home-built device, consisting of programmable radio hardware from Ettus Research and the open source software OpenBTS, whose parts had cost only 1500 dollars. With a connected notebook he was able to record all cell phone calls in the vicinity.