The ‘rogue GSM tower’ episode and Cambridge Analytica - why ethics matters to technology

April 24, 2018
David Burgess

Director, Legba Inc.

Rogue BTS

The “rogue GSM tower” episode last week at the RSA Security Conference proves once again that the most important standards we have to build into our software are not technical, but ethical. I’m writing about this because of the recent Cambridge Analytica mess and because I’m ‘David’, the author of the SMS received by many of the participants in the conference when their handsets hooked onto the so-called “rogue GSM tower”.

The ‘rogue GSM tower’ message that was broadcast at the RSA Conference by our software

I was not at the conference, but I’m fairly sure I know what happened. The “rogue GSM tower” was a BTS (base station) running our software, YateBTS. Probably a laptop with a bladeRF radio board. Since places like the RSA Conference in San Francisco are very crowded, handsets tend to fall back to 2G/GSM.

But how is it that a phone with a certain SIM card can authenticate on an unknown network? This is possible because of GSM’s poor security: the network may authenticate the SIM, but the handset has no way to authenticate the network, so it accepts whatever base station it camps on. And in a very crowded radio landscape like the one at the RSA Conference, some phones will end up in GSM mode.

This is precisely why we’ve included a signed welcome SMS in our YateBTS software: as a warning that the handset has connected to a different network. In terms of Radio Access Networks, it’s as close as possible to the ‘informed consent’ notion, which originated in healthcare but is nowadays essential for software and online services.
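To make the GSM weakness concrete, here is an added toy model of the attach exchange. It is not YateBTS code and not from the original post: the GSM leg shows the network challenging the SIM (RAND to SRES) while the handset has no way of challenging the network, so a base station that knows nothing about the subscriber can skip authentication, order A5/0 (no ciphering) and still be accepted; the UMTS AKA leg is included for contrast, because there the network has to present an AUTN whose MAC is computed with the shared key, which a rogue cell cannot forge. HMAC-SHA256 stands in for A3 and for the Milenage f1/f2 functions, the IMSI and Ki are constructed test values on the 001/01 test PLMN, and message names follow 3GPP while byte layouts do not.

```python
"""
Toy model of a GSM Location Update versus a UMTS AKA attach.
Stand-ins: HMAC-SHA256 for A3 (SRES) and for Milenage f1 (MAC) / f2 (RES).
Constructed test data: IMSI on test PLMN 001/01, random Ki.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def kdf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Keyed hash standing in for A3 (SRES), f1 (UMTS MAC) and f2 (UMTS RES)."""
    h = hmac.new(key, label, hashlib.sha256)
    for part in parts:
        h.update(part)
    return h.digest()


@dataclass
class Sim:
    imsi: str
    ki: bytes            # shared with the home operator only; a rogue BTS never has it
    sqn: int = 0         # highest sequence number accepted, UMTS path only

    def gsm_auth_response(self, rand: bytes) -> bytes:
        """GSM SIM: answers any RAND; there is nothing it could use to verify the sender."""
        return kdf(self.ki, b"A3", rand)[:4]

    def umts_auth_response(self, rand: bytes, autn: bytes) -> bytes:
        """USIM: verify AUTN (SQN || MAC) before answering, otherwise refuse."""
        sqn_bytes, mac = autn[:6], autn[6:]
        if not hmac.compare_digest(mac, kdf(self.ki, b"f1", rand, sqn_bytes)[:8]):
            raise ValueError("MAC failure")       # AUTHENTICATION FAILURE, cause: MAC failure
        sqn = int.from_bytes(sqn_bytes, "big")
        if sqn <= self.sqn:
            raise ValueError("Synch failure")     # replayed authentication vector
        self.sqn = sqn
        return kdf(self.ki, b"f2", rand)[:8]


@dataclass
class Network:
    name: str
    subscribers: dict = field(default_factory=dict)  # imsi -> Ki; empty for a rogue cell
    run_gsm_auth: bool = True                         # GSM leaves this choice to the network
    cipher: str = "A5/3"                              # A5/0 = no encryption; the MS obeys
    sqn_counter: dict = field(default_factory=dict)

    def gsm_location_update(self, sim: Sim) -> dict:
        # MS -> BTS: LOCATION UPDATING REQUEST; the IMSI goes in clear on first contact
        result = {"network": self.name, "imsi_seen": sim.imsi, "camped": False,
                  "ms_authenticated": False, "cipher": None}
        if self.run_gsm_auth:
            rand = os.urandom(16)                         # BTS -> MS: AUTHENTICATION REQUEST
            sres = sim.gsm_auth_response(rand)            # MS -> BTS: AUTHENTICATION RESPONSE
            ki = self.subscribers.get(sim.imsi)
            if ki is not None and sres != kdf(ki, b"A3", rand)[:4]:
                return result                             # a real network rejects a bad SRES
            result["ms_authenticated"] = ki is not None   # a rogue cannot check, and need not
        result["cipher"] = self.cipher                    # BTS -> MS: CIPHERING MODE COMMAND
        result["camped"] = True                           # BTS -> MS: LOCATION UPDATING ACCEPT
        return result

    def umts_attach(self, sim: Sim) -> dict:
        result = {"network": self.name, "camped": False, "reason": None}
        ki = self.subscribers.get(sim.imsi)
        key = ki if ki is not None else os.urandom(16)    # a rogue has no K and can only guess
        sqn = self.sqn_counter.get(sim.imsi, 0) + 1
        self.sqn_counter[sim.imsi] = sqn
        rand, sqn_bytes = os.urandom(16), sqn.to_bytes(6, "big")
        autn = sqn_bytes + kdf(key, b"f1", rand, sqn_bytes)[:8]
        try:
            res = sim.umts_auth_response(rand, autn)      # the USIM checks the network first
        except ValueError as exc:
            result["reason"] = str(exc)
            return result
        if res != kdf(key, b"f2", rand)[:8]:
            result["reason"] = "RES mismatch"
            return result
        result["camped"] = True
        return result


def demo() -> dict:
    sim = Sim(imsi="001010000000001", ki=os.urandom(16))            # constructed test subscriber
    home = Network("home PLMN", subscribers={sim.imsi: sim.ki})
    rogue = Network("rogue BTS", run_gsm_auth=False, cipher="A5/0")  # laptop plus SDR, no Ki
    return {
        "gsm_home": home.gsm_location_update(sim),
        "gsm_rogue": rogue.gsm_location_update(sim),
        "umts_home": home.umts_attach(sim),
        "umts_rogue": rogue.umts_attach(sim),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The model also shows why a downgrade matters in practice: the rogue cell fails the UMTS leg with a MAC failure, so an attacker who wants a phone to camp needs it in GSM mode first, which is exactly what a crowded or jammed 3G/4G environment delivers for free.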

IMSI catchers and other (not-so-)silly hacks

In a place full of security professionals, it is no wonder the episode ended up on Twitter. Specialists are well aware of the so-called IMSI catchers (or “fake towers” or “StingRays”) used both by law enforcement and by criminals to hijack phones. Once a handset is attached to such a BTS, one can locate its owner, perform man-in-the-middle attacks, or even try to compromise the handset itself.

I can only speculate about the motives for running YateBTS at the RSA Conference. If it was not a joke, then it was a silly attempt to start an IMSI catcher, because they ended up broadcasting our message. Other than that, phones can be ‘owned’ in GSM regardless of the software and hardware involved. There are multiple ways to do that.

I don’t talk publicly about the specific technical details of IMSI-catching. However, I will be giving a workshop on general security issues of cellular networks at the DeepSec conference in November, in Vienna. And if you are interested in methodical Radio Access Network research, you can try the LabKit, our laboratory BTS/eNodeB.

In another respect, this story reminded me of the recent Cambridge Analytica scandal and its ethical consequences.

The IMSI catchers-Cambridge Analytica similarity

An app called thisisyourdigitallife collected the data of up to 87 million Facebook users for Cambridge Analytica, without any apparent consent. The data were used to influence votes such as the election of Donald Trump and Brexit. Facebook’s great failure is not necessarily allowing an app to harvest the data, but the fact that it took no measures against it in spite of various private warnings it had received over the years, including from the Federal Trade Commission in 2011.

For some, a huge technology company built on addictive features ending up in such trouble is a fable with an obvious moral. I see things differently: the Cambridge Analytica scandal concerns all people in technology. It’s a serious signal in terms of ethics and responsibility.

It all comes down to the old ‘bug or feature’ issue

At YateBTS, we got the idea of the “welcome” SMS several years ago, at Burning Man. Taking advantage of GSM’s weak security, we were able to build something useful: an ad-hoc mobile network in an area with no signal. We configured our software and raised a genuine tower with adequate power. The SMS was needed because we had to make users aware of their phone number on that network. Then we realized it had a better, long-term use: preventing base stations powered by YateBTS from being used as IMSI catchers out of the box.

Similarly, the ease of collecting personal data was a great feature for Facebook app developers, and it was used in countless useful ways. But then it turned out to be a horrific bug for subscribers. In the same way, we have kept a GSM bug turned YateBTS feature from becoming a malevolent bug again, by keeping the SMS in the mature YateBTS distributions.

We only needed one second of consideration to realize what might happen, and we’re happy we did. In the end, we all feel more rewarded if we manage to build software for people.

Nine years ago, at Burning Man 2009