I was recently at the Internet at Liberty conference in DC, where internet activists (i.e., activists who use the internet) congregated and discussed mechanisms for dealing with surveillance and monitoring by telecommunications companies. In particular, I was demoing my own "Evil Basestation" project (built on OpenBTS), which teaches activists what the network knows about them and how it gathers that information. We set up a series of phones on a custom cellular network, then monitor and record their calls and SMS. We also actively filter SMS based on keywords and detect encrypted SMS. However, that system is not the point of this post (but if it interests you, please email me!).
While I was at the Liberty conference, an interesting question came up. The vast majority of cellular attacks target 2G cellular systems, a protocol supported by almost every phone on Earth. In fact, a common attack involves using a 3G jammer to force phones back to the 2G standard. This works because 2G doesn't require authentication of the tower: anyone with a BTS can just pretend to be AT&T or T-Mobile. This attack is done primarily by smaller operators (such as criminals), since large government agencies with warrants can just go to AT&T directly.
At the same time, most (if not all) 3G phones have a "3G only" option deep in their configuration. Would enabling this option keep a phone from camping on a 2G tower, even if there were no 3G towers around? Or is it instead a "3G preferred" setting that is still open to attack? Both seem plausible, though my personal guess is that the phones would connect anyway in order to provide emergency service. Luckily, this is fairly easy for us to test!
We set up an OpenBTS install in the basement of Soda Hall here at UC Berkeley. There's no cellular coverage in the basement, so we're able to tightly control the cellular coverage available. With OpenBTS running, it provides the only coverage in the area, and it provides only 2G support.
We used three phones for testing. One (the control) is a 2G-only candy-bar Nokia I bought in Bangalore. The second is the Nokia N900, a 3.5G Maemo phone. Lastly, we have a Samsung Galaxy S, a 3G Android phone. Each was started and successfully camped on the BTS. The connection was verified by sending an SMS ("working") to the phone.
The first test involved switching the phone to 3G-only mode. This was done on both the N900 and the Galaxy S. The phones immediately showed "no coverage". We attempted to contact them via SMS; they did not receive the messages, and we saw no network activity from them. The control phone remained camped and received messages. So far so good! It looks like 3G-only mode does protect you against 2G attacks.
Following that, we restarted the phones to see if they'd try to camp on a 2G tower on boot while in 3G-only mode. Again, we saw no activity on the network; the phones did not camp and showed "no coverage". We saw no registration attempts either, and so had no chance to record their SIM or phone serial numbers. The control phone camped successfully.
In conclusion: hurrah! 3G-only mode seems to protect you from 2G-based rogue BTS attacks. This is great news.
It's worth noting that these results may not generalize. Two phones (from very large providers) properly following the protocol does not mean that all phones do. Even identical models of phone may run different baseband software and thus behave differently. Still, it's certainly a positive result. If you're worried about cellular attacks from bad guys, put your phone in 3G-only mode. In most large cities in the US, 3G coverage is good and you'll never notice the loss.
Lastly, this does not protect you from AT&T or the NSA, though, since they can record communications inside the network without hijacking your phone. So if you're hiding from them, I'd try something else.
Kurtis Heimerl (firstname.lastname@example.org)