root@mhfh:~# ./service --id=05 --verbose

    Cellular Network Reconnaissance & Baseband Security

    Identify and defend against over-the-air (OTA) threats. From IMSI catcher detection to deep baseband security audits and protocol analysis.

    #Cellular #LTE #5G #IMSI #SDR #SS7

    The Air Gap: Securing the Cellular Interface

    While mobile OS security has improved, the cellular interface remains a significant blind spot. Every mobile device communicates over the air using complex protocols (GSM, LTE, 5G) that are often poorly implemented or inherently vulnerable. Our network reconnaissance services provide a deep audit of how your devices interact with the cellular world.

    We specialize in identifying 'invisible' threats like IMSI catchers (often called Stingrays), which impersonate legitimate cell towers to intercept traffic, track locations, or downgrade encryption. For high-risk individuals and organizations, understanding the security of the radio environment is critical.

    Our team of radio frequency (RF) experts uses Software Defined Radio (SDR) and custom baseband analysis tools to monitor for anomalies in the cellular handshake that indicate interception or surveillance.

    IMSI Catcher & Stingray Detection

    Modern IMSI catchers have evolved to be nearly undetectable to standard mobile phones. They exploit the fact that phones will naturally connect to the strongest available signal and that 2G/3G protocols lack mutual authentication.

    We deploy specialized sensors that monitor the local radio spectrum for signature 'false base station' behaviors, such as:

    1. Silent Downgrade: Forcing a 4G/5G phone down to an unencrypted 2G connection.

    2. Abnormal Cell Selection: Towers that lack the standard neighbor lists or have suspicious LAC/CID configurations.

    3. Paging Anomalies: Unusual patterns in how the network identifies and 'calls' devices.

    We provide real-time alerting and historical mapping of cellular interception threats in specific geographic areas.

    tools/network-recon_util.sh
    # Monitoring for suspicious LTE paging requests via SDR
    $ ./mhf-lte-monitor --band=B1,B3 --imsi-filter=310... --detect-catchers
    
    # Analyzing baseband logs for 'Ciphering Disabled' events
    $ ./mhf-bb-analyzer --log=diag_log.bin --grep='NAS_EPS_SECURITY_MODE_COMMAND'
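
Added example, not part of the original page or the vendor's tooling: a minimal Python scorer for the three false-base-station behaviors listed above, run over a constructed capture. The field names, the baseline LAC/CID set, and the thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed survey baseline of (LAC, CID) pairs seen in this area; constructed values.
BASELINE = {(1201, 40311), (1201, 40312), (1202, 51007)}
IMSI_PAGING_LIMIT = 0.2  # assumed threshold: share of pagings using IMSI, not TMSI

@dataclass
class Obs:
    ts: int            # seconds since start of capture
    rat: str           # "NR", "LTE", "UMTS" or "GSM"
    lac: int
    cid: int
    neighbors: int     # neighbor cells advertised by the serving cell
    cipher: str        # "A5/0" means no encryption on GSM
    pagings: int       # paging messages seen in the interval
    imsi_pagings: int  # of those, addressed by IMSI rather than TMSI

def score(prev, cur):
    """Return the list of false-base-station indicators raised by `cur`."""
    hits = []
    # 1. Silent downgrade: 4G/5G serving cell replaced by unencrypted 2G.
    if prev and prev.rat in ("LTE", "NR") and cur.rat == "GSM" and cur.cipher == "A5/0":
        hits.append("silent-downgrade")
    # 2. Abnormal cell selection: no neighbor list, or LAC/CID outside the baseline.
    if cur.neighbors == 0:
        hits.append("empty-neighbor-list")
    if (cur.lac, cur.cid) not in BASELINE:
        hits.append("unknown-lac-cid")
    # 3. Paging anomaly: unusually high share of IMSI-addressed paging.
    if cur.pagings and cur.imsi_pagings / cur.pagings > IMSI_PAGING_LIMIT:
        hits.append("imsi-paging")
    return hits

def analyze(observations, alert_at=2):
    """Return (timestamp, indicators) for observations with >= alert_at indicators."""
    alerts, prev = [], None
    for cur in sorted(observations, key=lambda o: o.ts):
        hits = score(prev, cur)
        if len(hits) >= alert_at:
            alerts.append((cur.ts, hits))
        prev = cur
    return alerts

# Constructed sample capture: two normal LTE cells, a suspicious 2G cell, then LTE again.
SAMPLE = [
    Obs(0,  "LTE", 1201, 40311, 6, "EEA2", 40, 1),
    Obs(30, "LTE", 1201, 40312, 5, "EEA2", 38, 0),
    Obs(60, "GSM", 9999, 1,     0, "A5/0", 12, 9),
    Obs(90, "LTE", 1202, 51007, 4, "EEA2", 41, 2),
]
```

Requiring at least two indicators before alerting keeps a single unfamiliar but legitimate cell from raising an alarm on its own.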

    Baseband Processor Auditing

    The baseband processor (the chip that handles radio communication) is a separate computer inside your phone with its own proprietary OS. It often has direct access to the phone's RAM and peripherals via DMA (Direct Memory Access).

    We perform deep audits of baseband implementations (Qualcomm, Samsung Shannon, MediaTek) to find remote code execution (RCE) vulnerabilities. A successful baseband exploit can allow an attacker to compromise the entire phone over the air, without the user ever clicking a link.

    Our services include the reverse engineering of baseband firmware and the fuzzing of protocol stacks (RRC, NAS, MAC) to identify vulnerabilities before they are exploited in the wild.

    • Real-time IMSI catcher (Stingray) detection and alerting
    • LTE and 5G protocol stack vulnerability analysis
    • SS7 and Diameter interconnection security audits
    • Baseband firmware reverse engineering and hardening
    • Over-the-Air (OTA) payload interception and analysis
    • RF spectrum monitoring for unauthorized cellular emitters

    SS7 & Diameter Protocol Analysis

    Beyond the local radio link, the global cellular backbone (SS7 for 2G/3G and Diameter for 4G/5G) is riddled with decades-old vulnerabilities. These allow attackers to track your location anywhere in the world or intercept SMS 2FA codes just by knowing your phone number.

    We perform audits of your organization's cellular identity security, testing if your numbers are vulnerable to location tracking or SMS interception via international carrier roaming interconnects.

    The Future of Mobile Network Security

    As we transition to 5G, new security features like encrypted IMSIs (SUCI) are being introduced, but new vulnerabilities are also emerging. Our team remains at the forefront of cellular security research, ensuring your communications remain private in an increasingly monitored spectrum.

    root@mhfh:~# man cellular-network-reconnaissance-&-baseband-security --faq

    Frequently Asked Questions

    Most 'IMSI Catcher Detector' apps are ineffective because they lack the low-level access to the baseband processor required to see the suspicious signaling. Professional hardware sensors are the only reliable way to detect them.
    Yes. Attackers can send 'Provide Subscriber Info' (PSI) or 'Any Time Interrogation' (ATI) requests to the SS7 network to get your current cell tower location from your carrier, often without the carrier even knowing it happened.
    5G improves security by encrypting the IMSI (SUPI) into a SUCI, but many 5G networks still use 'Non-Standalone' (NSA) mode, which relies on the older 4G LTE core, meaning many legacy vulnerabilities still exist.
    No. While we can intercept the data packets, the end-to-end encryption used by those apps remains secure. However, a baseband exploit could potentially allow an attacker to compromise the phone's OS and then access the decrypted data.

    root@mhfh:~#ssh client@mhfh.io
    secure_channel.enc

    $ Open a secure channel. PGP preferred. Pre-engagement NDA available on request. Ready to proceed?

    email: info@mobilehackerforhire.com
    pgp.fingerprint: 4096R/A1B2 C3D4 E5F6 7890 1234
    tor: mhfh3xpl0it.onion