Building a homemade BTS (Base Transceiver Station) is easy. I remember making one back in 2011 with a USRP SDR. Nowadays, you can even create a 5G network, not just LTE. There’s plenty of good open-source software available. Paired with an SDR, you are good to go. The rest is just some scripting to automate some tasks, probably how they flooded the SMS.
You pay for the coverage and the infrastructure they built.
> you're saying most people can just point some metal out of their window and the neighborhood would be happy
Technically? Yes, you can do it in a few hours, or as a weekend project if you’ve never done it before. Just grab a full-duplex SDR; you don’t need to go for expensive ones like the USRP. Get a BladeRF or LimeSDR, download the software, and set up the station.
The problem lies with the regulations. Depending on where you live, you might face hefty charges for violating spectrum rules, and they are actively looking for such violations by the way. One of the proofs of concept we did with the regulators here in Canada involves using a drone to detect these violations. It’s just a matter of time before they find you.
Is there a reason cellular tower base stations don’t have this spectrum surveillance capability? With such broad coverage, it would be straightforward to triangulate and report coarse location of unlicensed broadcasting.
I suppose they totally have that capacity, because cellular networks depend on fair play of thousands of devices sharing access to a part of the spectrum in a given area. Constant stats gathering has to be vital for detection of hardware faults and coverage problems in very complex city networks. Stations can even ask mobile devices to work as remote probes, and report immediate signal levels for each station they can receive. Operators have all the incentives to snitch on anything suspicious or broken to both the regulatory body, and the security services (who probably reply “oh, it's ours” most of the time).
Prior leaks or reports… can’t recall which… said the service providers could trace people with pinpoint accuracy. Way better than GPS. The cops were using it. I think it was in a law enforcement portal with some telecoms, too.
The other trick was how more things are designed to stay on even when they look off. An older one with older phones would make it answer silently so you didn’t know if they were listening.
There are so many risks with telecoms that high-assurance security (a) said keep cell phones away from anything security-critical and (b) used Red-Black separation where whatever connects to the untrusted line never had any plaintext, just encrypted. Separation kernels, like INTEGRITY-178B and seL4, were invented to hopefully do that with software.
Even without a SIM card with the location off and the phone in airplane mode, the service providers have pinpoint accuracy. This is because all phones can communicate with 911 even without a SIM. It is always active logging your location.
For law enforcement they have multiple levels of collecting location data. Of course, your location is sent to Google or Apple etc as you move around. Even your searches for destinations in stuff like Google Maps, even incognito in Google Maps, reports your search, live, to law enforcement if they request it. Often with sketchy legal justifications to the third party.
If a target is moving around a city, they can be followed live on the array of cameras everywhere, accessible remotely. Many with facial recognition. Others in populated areas collect all kinds of information. Wifi broadcasts, bluetooth devices, any RFID, all collected, stored and combined. This is how they are able to use a form of geofencing request to find out who was in an area at a specific time, potentially interacting with the target.
Networks of interactions at a global scale get revealed this way.
It just goes on and on too. Go to a rural area and maybe everyone has front door cameras. LE can access them remotely.
In fact, your entire ISP connection can be man in the middle decrypted and parts overwritten in transit, if given access at the ISP level.
While working in iCloud typing notes or watching YouTube videos, they can control your live sessions, watch you compose a document... Choose which videos you are recommended. Choose the advertisements you see.
The possibilities for them really are endless and all of this happens in many cases. It is a surveillance state.
This can have its perks, even if it has scary avenues for abuse. My phone butt-dialled my country's version of 911 once, and police showed up at my door. I had recently moved, so there was no reason for them to know my location, as I had not updated my address anywhere, but they did know. It was a dense set of units, and they knew which door to knock on. I assumed it was this triangulation tech that allowed for it to work, so I rest a little easier knowing if I call and cannot really communicate, I can expect some sort of response fairly promptly.
Separation kernels don't help, because all the radio and Qualcomm spyware is in the baseband chip already, which is completely sealed off. Only available from the CPU through a serial line.
They help to eliminate lots of vulnerable code from the TCB. If that’s what attackers are hitting, then it will definitely help. If hitting the other stuff, it won’t help. How valuable it is depends on how often each is targeted.
Kernel up used to be the most targeted layers. I’ve been out of the field a few years. I don’t know how many black hats use 0-days on basebands in practice.
You would have to buy some spectrum, just like the existing wireless carriers. And spectrum is a limited resource, so you'd have to buy some that someone else wants to sell.
The phone part is no different. It's easy to run your own FreeSWITCH or Asterisk server at home and connect a cellphone using Wireguard. It costs ~$0.50 US per month to get nearly unlimited everything. Calls and SMS work just fine. The problem is always mobility. You need either Wifi or some of those odd reseller-brand ultra cheap pre-paid plans (like "$1 for the first 200mb" plans). Then you need to make sure only the voice/SMS is allowed to use the data and you get a $2 nationwide working cellphone. You can also share someone else's plan by having them leave their phone's wifi hotspot on.
As for reliability, well, that's your problem now, good luck!
> point some metal out of their window and the neighborhood would be happy?
> Most phone providers are part of a scheme that allows customers to report suspicious text messages for free by forwarding it to 7726. If you forward a text to 7726, your provider can investigate the origin of the text and arrange to block or ban the sender, if it’s found to be malicious
It would be useful to have a list of Countries/operators adopting the 7726 ("SPAM") number. It seems also some European Countries do.
Often there's a long click menu in your SMS app to do it.
But all that really does is copy the body into a new SMS. There's no metadata to indicate it's forwarded, as you suspect.
This means texting 7726 is a two-step process. First you send the body. You immediately get a response asking for the phone number of the spam sender, so then you send that.
Source number authorization depends on how the messages get to the carrier and how the carrier has things set up. At the end of the day, there's a lot of trust though; and a lot of connections would be difficult/expensive to confirm that the connection is authorized to send messages from the sources they're using.
Think of BCP38 for IP spoofing, but for number spoofing. If you get an appropriate country mobile number from a carrier in that country, are you going to pay for a portability lookup to confirm that carrier is the authorized carrier for that number? Does that carrier check source numbers for all of the connections they have?
Some of the aggregators are good at checking sources, and some aren't, but aggregators are often authorized to send messages from many different countries, so they're likely to have their connections unchecked, because keeping the list updated is hard. It's like IP transit, but a lot worse.
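The BCP38 analogy above can be made concrete. The following is an added example, not code from the thread or from any carrier: an ingress filter that accepts an SMS from an interconnect trunk only if that trunk's operator owns the sender number, by longest-prefix match against a number-plan table, with a number-portability (MNP) table layered on top. Every trunk name, prefix, operator and ported number is constructed (the UK 07700 900xxx block is a reserved fictional range). The ported-number case shows why the check is expensive: without an MNP lookup, a legitimately ported number looks spoofed and a spoofed one can look legitimate.

```python
"""Ingress filtering of SMS source numbers, by analogy with BCP38.

Added example with constructed data. A trunk may only originate messages
from MSISDNs its operator is authorised for; ownership is resolved by
longest-prefix match, overridden by the number-portability table.
"""
from typing import Optional, Tuple

# Constructed number plan: E.164 prefix (digits only) -> operator owning the range.
NUMBER_PLAN = {
    "4477009": "op-a",   # fictional UK 07700 900xxx range
    "4477008": "op-b",
    "33600":   "op-fr",
}

# Constructed MNP table: numbers that have left their range owner.
PORTED = {
    "447700900555": "op-b",   # ported from op-a to op-b
}

# Which operators each interconnect trunk is authorised to originate for.
# The aggregator trunk models the "unchecked transit" case from the thread.
TRUNK_AUTH = {
    "trunk-op-a": {"op-a"},
    "trunk-op-b": {"op-b"},
    "trunk-aggregator": {"op-a", "op-b", "op-fr"},
}


def owner_of(msisdn: str, use_mnp: bool = True) -> Optional[str]:
    """Resolve the operator that currently owns an E.164 number.

    MNP wins when enabled; otherwise fall back to the longest matching prefix.
    """
    if use_mnp and msisdn in PORTED:
        return PORTED[msisdn]
    for n in range(len(msisdn), 0, -1):
        owner = NUMBER_PLAN.get(msisdn[:n])
        if owner:
            return owner
    return None


def ingress_check(trunk: str, sender: str, use_mnp: bool = True) -> Tuple[bool, str]:
    """Accept a message only if the originating trunk is authorised for the
    operator that owns the sender number. Returns (accepted, reason)."""
    owner = owner_of(sender, use_mnp)
    if owner is None:
        return False, f"{sender}: unallocated range"
    if owner in TRUNK_AUTH.get(trunk, set()):
        return True, f"{sender}: owned by {owner}, trunk {trunk} authorised"
    return False, f"{sender}: owned by {owner}, but trunk {trunk} is not authorised for it"


if __name__ == "__main__":
    cases = [
        ("trunk-op-a", "447700900123", True),        # legitimate
        ("trunk-op-b", "447700900123", True),        # op-a number spoofed via op-b trunk
        ("trunk-op-b", "447700900555", True),        # ported to op-b: needs the MNP lookup
        ("trunk-op-b", "447700900555", False),       # same number, no MNP: wrongly rejected
        ("trunk-aggregator", "447700900123", True),  # aggregator: authorised for everyone
    ]
    for trunk, sender, mnp in cases:
        accepted, reason = ingress_check(trunk, sender, mnp)
        print("ACCEPT" if accepted else "REJECT", reason)
```

The last case is the point of the thread's comment: once a trunk is authorised for many countries, the filter passes everything and the spoofing check has effectively moved to a party that may not perform it.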
Put it in your dialer for detailed info. It used to be able to show real signal levels instead of bars once activated but now this is where we are. Need a little test kit to get the full info. May need to re-enter or reboot to exit the mode. Depends on the phone.
I’ve been in a lot of bad signal areas proposing repeaters or diagnosing issues and used it.
That's a pretty clever way to be very stupid! Anyone who reports the message (forward it to 7726, spells SPAM) to a network tips the network off that messages are landing on subscribers devices that didn't come through their system.
And I guarantee there are devices listening into, characterising and locating radio emitters in major cities at the very least.
I like the fact that some of the earliest mappings had 0 mapped to "OPER" ("Operator"), because it makes me imagine that this number 33700 is like some interpretation of 337 and then shouting twice for the "operator" (as in, the literal physical person that used to sit and connect calls using wires and a patch board).
Taking this further then, and given that:
- 3 is assigned to any of the three letters DEF, and
- 7 is assigned to any of the three letters PRS,
we could invent the following meaning:
DES = "Déclaration d'Envoi de Spam". (Lit. "Declaration of sending of spam", as in a report about spam sending).
The double 0 is, as mentioned, in our invented meaning like shouting "Operator! Operator!"
And with this invented meaning it's like we are shouting for help from the operator to deal with this spam :D
Of course here I'm starting with 337 and backronyming "DES" to a plausible but probably weird sentence. If it was real, the French would probably have worded the original sentence quite differently and the resulting number would be different as well.
(Also, looking at the article I'm not sure if any European countries also had 0 used for "OPER" or not. Guess I'll have to travel to some museums in France and have a look at some old phones with my own eyes at some point.)
I don't know if it was involved here, but "spectrum monitoring" (that's the keyword for more information about equipment you can get and who the expected customers are) is definitely a thing that is done in many places, and not only by the military, but also by police and regulators. It's not clear where the mast was installed (the CoL police aren't specifically limited to that very small area and one arrest was South London and one was Manchester) but if it was in central London, as a glaring terrorist target with an airport (London City) and heliport, I'd be very, very surprised if there's nothing watching the spectrum. Whether the operators of the spendy gear would share the information up for such "petty" crime, I don't know.
And there's always the Ham community who really, really hate spectrum abusers.
Come to think of it, the mobile operators themselves have a large national network of radio receivers with lots of fancy time-of-flight, phased array multi-path, multi-band capabilities.
Maybe these days Ofcom can just ask them if they are interested in something specific.
I don’t think spectrum monitoring capability is all that secret. Certainly anyone with the knowledge to set up their own BTS should recognize the possibility they could be triangulated.
Yeah if you run a private antenna either the police or some men from your country's equivalent to FCC will come to your door and politely ask you to stop, if they are having a good day, most likely confiscate some of the equipment as well. And that's just for emitting anything on reserved spectrum or with too much power, not even for crime.
The Polish democratic opposition used to do this in the 80's, during the communist era. As far as I remember, their technique relied on balloons, they would attach a homemade antenna and tape player to a balloon, set it on a timer and release the balloon into the air. Before the transmission started, they'd be long gone and the balloon would have drifted far from the original site, making the perpetrators much harder to track down. As a bonus, they'd get an antenna high up in the air (which is good for reception), which was also hard to disable, even if you managed to pinpoint its location.
Listening isn't illegal so you can do that without moving. People move just to listen to different things with limited range, one form of it is called wardriving if you're doing it to wifi for example.
You can't send a phishing SMS from a receive-only device. Any mobile tower must have an active transmitter (at the very least, so the handset knows what network it thinks it's connected to!).
Transmitting on a licensed mobile service band without the license is a very good way to earn a knock on your door.
Eavesdropping on tower-to-handset comms is illegal too (in the UK), but it's not very practical to find just a receiver, unless they already know almost exactly where it is and are able to do a TEMPEST-like attack on the local oscillator or something. So as long as you keep quiet and don't do anything to indicate you're listening, such as, posting on Twitter about it or you do crime based on it, you'll get away with it. However, a receiver can't bump a victim handset down to a primitive-enough protocol, so all you'll get is encrypted content and maybe a smidge of metadata (I'm not sure exactly what is and isn't encrypted for each "G").
That's not true - it is indeed illegal to listen in to radio transmissions which are not intended for you. Doing so is a criminal offence punishable by an unlimited summary fine (the precise amount is determined based on the offender's personal income and other circumstances).
I'm fairly sure in the UK it's illegal, though I don't know for certain. But even if not, you could be arrested for conspiracy to commit fraud (or similar).
I do wonder whether this is the right move. Sure, law breaking must be punished, but it seems like precisely the skillset & mindset you'd want on your side if you were potentially heading towards confrontation in a world of cyber, drones and asymmetric warfare...
I’m sure the folks from Cheltenham can find them if they want a chat.
But given these guys appear to have been running this as part of a bigger spam/fraud game rather than for curiosity/ general mischief they might be too far in the poacher category for the gamekeepers.
Depends on the sentence he gets. They did just write about his name and skillset in a national newspaper. If he only serves a year or two that can end up as a positive for his career.
To me, this is the right move. The skillset needed to build such RF endpoints is not that rare. Any decent EE college graduate should be able to rig one up with an off the shelf software-defined radio and some literature review. If all they did were to build it for laughs and boasts I would hope they would just be yelled at and threatened with a sizeable fine next time they try such spectrum violations.
But they apparently phished a lot of information with the intent to defraud folks, which in my book completely changes the proper response. My 2c.
Why does this work? How simple is it to follow the sms protocol, I thought there were spam filters in place on the phones to prevent receiving any traffic from towers which are not registered to a well known network provider (or what have you).
SMS is sent in some leftover space in the mobile data channel, there's very little verification to that up until relatively recent standards.
If you can pretend to be a 2G/3G tower and jam the real tower, you can force phones to connect to you and you can send whatever calls and texts you want.
This is mostly a 2G issue. Modern Android devices, and perhaps iOS devices, have a toggle to disable 2G for this reason.
With fully compliant 5G, even police IMSI catchers become pretty difficult to use.
> This is mostly a 2G issue. Modern Android devices, and perhaps iOS devices, have a toggle to disable 2G for this reason.
My Android phone, Motorola Edge 20, has a setting for preferred network type. Options are 5G/4G/3G/2G, 4G/3G/2G, 3G/2G, or 2G only. Doesn't seem to be a way to disable 2G or 3G, even though most networks here (UK) no longer support them.
For phones that support it, there's a separate toggle for disabling 2G. I don't think the preference setting you're referring to has the same effect. If I recall correctly, the separate 2G toggle goes down to the modem especially rather than just being configuration.
I do have my phone set to 4G+5G only through that same screen, though, as my modem lacks the 2G toggle as well. If there are missing options in the dropdown, try dialing *#*#4636#*#* and see if you can configure it through there.
I don't know exactly what determines what configuration is exposed to the UI, it's possible your modem simply lacks support for disabling entire generations of cellular technology.
I believe the SIM supports all kinds of rules for what networks and xG should be visible to the user.
I know for a fact a local network has 3G here, but it’s not exposed on my phone to choose, presumably because it knows there’s 4G and 5G and carriers don’t want some dolt camping on 3G and eating more MHz/bit. I used to camp on 3G because Canada sent out too many dumb “emergency alerts” for custody disputes 1000km away, but those only operated over LTE, not 3G.
People don’t believe me when I say you can see, and sometimes connect to, US networks from a tall building in Toronto from over the lake because Canadian SIMs have rules/conditions to hide them, but if you put in an overseas SIM, you’ll see them on a scan.
Have also had a world of a time with a French SIM refuse to connect to a Canadian tower because it really preferred the US towers (lower roaming costs maybe?).
My Pixel 6a has a toggle in settings labeled "Allow 2G". It does have a note saying it may help you connect in situations where reception is poor, and that it may potentially be used for emergency calls even if you turn it off.
I was under the impression that most European countries were keeping 2G around for legacy applications and voice calls on roaming (until VoLTE roaming and emergency calls finally become equally reliable), shutting down 3G if anything?
I’ve always found that a weird characterization. It’s sent in the signaling channel, but why is that “leftover”? The channel is still established for the SMS, and it’s not like that channel bandwidth would go unused otherwise.
It’s like saying “postcards are delivered in the leftover part of the mail truck unused by letters and parcels” :)
> I’ve always found that a weird characterization. It’s sent in the signaling channel, but why is that “leftover”? The channel is still established for the SMS, and it’s not like that channel bandwidth would go unused otherwise.
In modern standards, it is indeed not a “leftover” (although RCS exists, which is another can of worms), but originally it was transmitted in a best-effort manner using what is essentially a "hack" on SS7 (unlike phone calls, which have guaranteed reception - or at least don't go through at all).
I don't think this was ever true, unless I'm misunderstanding what you mean by "best-effort" or "hack".
In GSM, SMS are delivered either over the SDCCH (when no voice call is happening simultaneously) or the SACCH (when a voice call is already in progress). In the latter case, you might argue that they're piggy-backing onto existing resources, but in the former, there are definitely dedicated resources being allocated specifically for SMS delivery.
SMS delivery has also always been reliable, both on the lower level (both SDCCH and SACCH are reliable) and the upper one (the phone reports successful delivery back to the sending SMSC), so while there are no timing guarantees (is that what you mean by best-effort?), delivery always eventually succeeds once resources are available.
The protocol even goes to significant lengths to ensure timely (re)delivery in case various error scenarios, such as a full inbox on a phone or a phone being out of reception.
While 140 bytes aren't much, reliability is actually great, until you add spam filtering, roaming, and inter-network delivery to the mix, when things can quickly go off the rails. (One unexpected consequence of how it's implemented is that for mutual reachability, it doesn't only matter what operators the sender and recipient have a contract with, but also in which network the recipient is currently roaming.)
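Two points in this thread come together in the PDU itself: the 140-octet TP-UD limit mentioned just above (which the 7-bit default alphabet stretches to 160 characters), and the earlier observation that "forwarding" a text to 7726 copies only the body, so the sender, SMSC and timestamp in the header are lost. The following is an added example, not code from the thread: a minimal SMS-DELIVER encoder/decoder per 3GPP TS 23.040 and the GSM 03.38 default alphabet (no user-data header, no 8-bit/UCS-2 payloads). The SMSC, sender, timestamp and message text are constructed; the UK 07700 900xxx numbers are a reserved fictional range.

```python
"""SMS-DELIVER PDU encode/decode (3GPP TS 23.040, GSM 7-bit default alphabet).

Added example with constructed data. Shows the header fields (SMSC, TP-OA,
TP-SCTS) that a handset sees but a body-only forward to 7726 drops, and the
140-octet / 160-character TP-UD limit.
"""
from typing import Tuple

# GSM 03.38 default alphabet, index = septet value (ESC-table characters not handled).
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")
assert len(GSM7) == 128

MAX_UD_OCTETS = 140
MAX_7BIT_CHARS = MAX_UD_OCTETS * 8 // 7   # 160


def pack_septets(text: str) -> Tuple[int, bytes]:
    """Pack text into 7-bit septets, least significant bit first. Returns (septet count, octets)."""
    if len(text) > MAX_7BIT_CHARS:
        raise ValueError("text does not fit a single SMS")
    acc, nbits, out = 0, 0, bytearray()
    for ch in text:
        idx = GSM7.find(ch)
        if idx < 0:
            raise ValueError(f"{ch!r} needs the ESC table, not handled here")
        acc |= idx << nbits
        nbits += 7
        while nbits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nbits -= 8
    if nbits:
        out.append(acc & 0xFF)
    return len(text), bytes(out)


def unpack_septets(data: bytes, count: int) -> str:
    bits = int.from_bytes(data, "little")
    return "".join(GSM7[(bits >> (7 * i)) & 0x7F] for i in range(count))


def encode_semi_octets(digits: str) -> bytes:
    """BCD digits, nibble-swapped per octet, 0xF filler when the count is odd."""
    d = digits.lstrip("+")
    if len(d) % 2:
        d += "F"
    return bytes(int(d[i + 1] + d[i], 16) for i in range(0, len(d), 2))


def decode_semi_octets(raw: bytes, ndigits: int) -> str:
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in raw)[:ndigits]


def build_deliver(smsc: str, sender: str, scts_digits: str, text: str) -> bytes:
    """Assemble SMSC prefix + SMS-DELIVER TPDU; both numbers international (TOA 0x91)."""
    smsc_raw = encode_semi_octets(smsc)
    pdu = bytes([len(smsc_raw) + 1, 0x91]) + smsc_raw        # SMSC length counts the TOA octet
    pdu += bytes([0x04])                                      # TP-MTI=00 DELIVER, TP-MMS=1
    pdu += bytes([len(sender.lstrip("+")), 0x91]) + encode_semi_octets(sender)  # TP-OA
    pdu += bytes([0x00, 0x00])                                # TP-PID, TP-DCS (7-bit default)
    pdu += encode_semi_octets(scts_digits)                    # TP-SCTS: YYMMDDhhmmss + tz
    udl, ud = pack_septets(text)
    return pdu + bytes([udl]) + ud


def decode_scts(raw: bytes) -> str:
    v = [(b & 0x0F) * 10 + (b >> 4) for b in raw[:6]]
    tz = raw[6]
    quarters = (tz & 0x07) * 10 + (tz >> 4)   # bit 3 of the first tz digit is the sign
    sign = "-" if tz & 0x08 else "+"
    return (f"20{v[0]:02d}-{v[1]:02d}-{v[2]:02d}T{v[3]:02d}:{v[4]:02d}:{v[5]:02d}"
            f"{sign}{quarters // 4:02d}:{(quarters % 4) * 15:02d}")


def parse_deliver(pdu: bytes) -> dict:
    """Split an SMS-DELIVER PDU into the header fields a handset sees, plus the text."""
    def intl(toa: int) -> str:
        return "+" if (toa & 0x70) == 0x10 else ""
    i = 0
    smsc_len = pdu[i]; i += 1
    smsc_toa, smsc_raw = pdu[i], pdu[i + 1:i + smsc_len]; i += smsc_len
    first = pdu[i]; i += 1
    if first & 0x03 != 0x00:
        raise ValueError("not an SMS-DELIVER")
    if first & 0x40:
        raise ValueError("user-data header present, not handled")
    oa_digits, oa_toa = pdu[i], pdu[i + 1]; i += 2
    oa_len = (oa_digits + 1) // 2
    oa_raw = pdu[i:i + oa_len]; i += oa_len
    pid, dcs = pdu[i], pdu[i + 1]; i += 2
    scts = pdu[i:i + 7]; i += 7
    udl = pdu[i]; i += 1
    if dcs & 0x0C:
        raise ValueError("only the 7-bit default alphabet is handled")
    return {
        "smsc": intl(smsc_toa) + decode_semi_octets(smsc_raw, (smsc_len - 1) * 2).rstrip("F"),
        "sender": intl(oa_toa) + decode_semi_octets(oa_raw, oa_digits),
        "timestamp": decode_scts(scts),
        "pid": pid, "dcs": dcs,
        "text": unpack_septets(pdu[i:], udl),
    }


# Constructed sample: fictional SMSC and sender, 2024-06-01 12:34:56 UTC.
SAMPLE_PDU = build_deliver("+447700900000", "+447700900123", "24060112345600",
                           "Pay fee: http://example.test/pay")

if __name__ == "__main__":
    msg = parse_deliver(SAMPLE_PDU)
    print(SAMPLE_PDU.hex())
    print(msg)
    print("what a body-only forward to 7726 carries:", repr(msg["text"]))
```

Running it shows that the sender and SMSC addresses sit in the PDU header, which is why the 7726 service has to ask for the sender number in a second message: the forwarded SMS is a fresh SMS-SUBMIT from you, with your number as the originator.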
> SMS delivery has also always been reliable, both on the lower level (both SDCCH and SACCH are reliable) and the upper one (the phone reports successful delivery back to the sending SMSC), so while there are no timing guarantees (is that what you mean by best-effort?), delivery always eventually succeeds once resources are available.
That's the opposite of my experience in the early 2000s. I mean, the whole reason you'd always enable delivery reports is because delayed delivery or failed delivery were almost a daily occurrence. Anyone who sent SMS blind would quickly learn to either enable delivery reports, or just start calling people more.
Not all Android devices have this toggle. I personally own three Android devices (and have one Android device from work) and none of them have this option. Right now I can see both a Samsung S21 and Samsung A73 provide only the following: 5G/4G/3G/2G; 4G/3G/2G; 3G/2G; 3G only; 2G only. Some people have said it depends on the network operator--however I have access to 4 different phones attached to all three network operators in my country and the options are the same across all three (including the two operators who have no 2G network whatsoever making it even more silly Android insists on keeping 2G enabled if you only want 4G/5G).
The problem is mostly the insecure defaults. Every modern phone is configured to be backward compatible and connect to an older generation of network if a newer generation is not present (like in the case of being deliberately jammed by an adversary). In 2G, mutual authentication is nonexistent; it happens only one way - only the network authenticates the handset. If you are close enough to the victim (only screaming louder, i.e. more power than the legitimate network, but from a significant distance doesn't work, because of the RTT of the signal - TDMA-based systems are very time-sensitive in nature), nothing prevents you from operating your own mobile infrastructure and disabling any encryption (i.e. in 2G, during the handshake, you just say A5/0 - no encryption - to the handset). You cannot enable encryption anyway, because you do not have the corresponding key that is on the SIM card; only the legitimate carrier has that.
Whether or not the victim will be notified about the absence of encryption, depends on the state of a single bit on the SIM card [1]. In 99% of the cases, there is no warning that the handset is currently using A5/0.
From now on, you are at the grace of the rogue network operator - they can send you anything from any number, sit in the middle of every call and capture every frame of data.
I don't think the current level of technological education of the general public is enough for most of them to know why it is important to force your phone to work only with modern network standards and that is what police and other government agencies interested in operating IMSI catchers exploit.
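The A5/0 handshake step described above is one octet of one message. The following is an added example, not code from the thread: a decoder for the GSM RR CIPHERING MODE COMMAND (3GPP TS 44.018, Cipher Mode Setting IE: bit 1 = SC, bits 4-2 = algorithm identifier) and the handset's ciphering-indicator policy. The three messages are constructed. The "single bit on the SIM" is modelled as a boolean input rather than parsed from EF_AD, so the exact bit position is left to the reader to check against TS 51.011 / TS 31.102; that is an assumption of this example, not something the thread specifies.

```python
"""Decode the GSM RR CIPHERING MODE COMMAND and apply the ciphering-indicator rule.

Added example with constructed messages. A 2G network never authenticates
itself to the handset, so a rogue BTS can send this command with SC=0 (no
ciphering) and the handset must comply; it cannot pick a real A5 algorithm
because Kc is derived from Ki, held only by the SIM and the home operator.
"""
RR_PROTOCOL_DISCRIMINATOR = 0x06     # bits 4-1 of octet 1; bits 8-5 are the skip indicator
CIPHERING_MODE_COMMAND = 0x35        # RR message type

# Algorithm identifier (bits 4-2 of the Cipher Mode Setting IE), valid when SC=1.
ALGORITHMS = {0: "A5/1", 1: "A5/2", 2: "A5/3", 3: "A5/4",
              4: "A5/5", 5: "A5/6", 6: "A5/7"}          # 7 is reserved
WEAK = {"A5/0", "A5/2"}   # no ciphering; A5/2 is the deliberately weakened export variant


def parse_ciphering_mode_command(msg: bytes) -> dict:
    """msg = [skip/PD octet, message type, Cipher Mode Setting (bits 1-4) | Cipher Response (bits 5-8)]."""
    if (len(msg) != 3 or msg[0] & 0x0F != RR_PROTOCOL_DISCRIMINATOR
            or msg[1] != CIPHERING_MODE_COMMAND):
        raise ValueError("not a CIPHERING MODE COMMAND")
    setting = msg[2] & 0x0F
    sc = setting & 0x01                  # 0 = no ciphering, 1 = start ciphering
    algo_id = (setting >> 1) & 0x07
    if sc and algo_id not in ALGORITHMS:
        raise ValueError("reserved algorithm identifier")
    return {
        "ciphering": bool(sc),
        "algorithm": ALGORITHMS[algo_id] if sc else "A5/0",
        "imeisv_requested": bool((msg[2] >> 4) & 0x01),   # Cipher Response: CR bit
    }


def handset_decision(msg: bytes, sim_ofm_enabled: bool) -> dict:
    """What the handset does on receipt: it obeys (refusing means leaving the
    network) and shows the ciphering indicator only if ciphering is off AND the
    SIM's operational feature monitor flag has not suppressed the indicator."""
    cmd = parse_ciphering_mode_command(msg)
    return {
        **cmd,
        "weak": cmd["algorithm"] in WEAK,
        "indicator_shown": (not cmd["ciphering"]) and sim_ofm_enabled,
    }


# Constructed messages: skip indicator 0 + PD=RR (0x06), type 0x35, then the IE octet.
LEGIT_A5_1 = bytes([0x06, 0x35, 0x01])   # SC=1, algorithm 000 -> A5/1
LEGIT_A5_3 = bytes([0x06, 0x35, 0x05])   # SC=1, algorithm 010 -> A5/3
ROGUE_A5_0 = bytes([0x06, 0x35, 0x00])   # SC=0 -> A5/0, the IMSI-catcher case

if __name__ == "__main__":
    for name, m in (("legit A5/1", LEGIT_A5_1), ("legit A5/3", LEGIT_A5_3), ("rogue A5/0", ROGUE_A5_0)):
        for ofm in (True, False):
            print(f"{name:11s} OFM={ofm!s:5s}", handset_decision(m, ofm))
```

With the SIM flag cleared (the common case the comment describes), the rogue A5/0 command is classified as weak but `indicator_shown` stays False: the handset silently continues in the clear.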
> ...that is what police and other government agencies interested in operating IMSI catchers exploit.
Is encryption really significant to whether or not the police are able to monitor cellular phones? As bandwidth is already centrally allocated, there is a limited number of legal cellular network operators, and a competent authority could already compel (indeed, could have already compelled) mobile operators to provide master keys and diversification information under the Snoopers' Charter 2016[1].
This implies compliance with the law and a formal procedure, and an authority might not always follow the law for various reasons. At least the use of encryption means one is less likely to be a subject of surveillance in an unlawful manner.
Consider intelligence operation abroad, for example.
Slightly off topic, but this is demonstrated in a show called Mr. Robot. I find it insanely cool that the hacking in Mr. Robot closely resembles real life.
What interests me is the intelligence and innovation of this. You would think these bad actors would fare well doing societal good using their skills and not resort to crime.
That's always been the case. Dumb crooks don't last long.
As to why they choose this way, over a "legitimate" (like dark pattern writing, or PID mining) vocation, there are many reasons.
I suspect that a big one, is the "blackball" effect, that having a conviction on your record will create. Once we are convicted, then we become unhireable, in many industries, so it's not like we have a choice. Also, the pay for nefarious work can be quite good.
Can confirm. Have read many articles about known gang members and drug lords. It usually starts with doing some dumb things at a younger age and then struggling to find and keep a legal job.
Think about the "innovation" here. Learning to set up your own cell tower is quite a feat, but how are you going to monetize it? Are you going to start your own cell provider and try to compete with the existing major players? Or are you going to use the tech for some fast capital right now?
If the goal was to learn just enough about cell tech to exploit it for profit, then a legal approach is off-the-table because of the extraordinary effort needed to ever get anything off the ground.
The A5/1 rainbow tables can be found here: https://opensource.srlabs.de/projects/a51-decrypt/files
It can be made to work using a $10 RTL-SDR for RX.
Had they used a legal provider for the TX, they would not have been caught.
This smells like yet another case of children at work and police officers trying to sell themselves as super heroes. This is getting old.
I think you meant to end that with "phone calls" rather than "to deliver SMS?" SS7 was used for that, but had a significant amount of idle time since most phone calls are much longer than the time needed to setup the connection.
I do indeed mean SMS, but I was focusing more on the air interface. There, SMS definitely consume resources in the same way that calls do (although of course at a very different rate: SDCCH uses 0.8 kbit/s, as opposed to 13 kbps for full rate voice/CSD traffic channels).
Because it dates to a time when such attacks were infeasible. GPS is very similar in that regard. Even HTTPS was uncommon back when I was in university. NASA spacecraft still communicate over unencrypted channels.
not just mindsets, but the computing power available. These days, my smartphone is millions of times more powerful and the computation to do TLS encryption on every website I visit is trivial for a computer that fits in the palm of my hand. Way back when, the 1 or 2 kilobytes or so a modern RSA private key (PEM format) would take up on disk was meaningful when you only had 4 megabytes of RAM and CPUs ran in the megahertz range.
Also to a dumb phone it doesn't matter whether an SMS contains a phishing link because it has no way of accessing it. Until the advent of smart phones SMS phishing was a non-issue.
Works fine on Firefox from a custom Android ROM through a VPN here. Last time I checked a post where people complained about Cloudflare, even Ladybird for Android made it through. You need cookies and Javascript, but that's all you need to pass the technical checks it seems.
Cloudflare likes to block things like Tor and CGNAT because of the abuse and unidentifiability those networks provide, and maybe there's a filter on some enemy states set up by the British government, but they really don't seem to care all that much about what you're running on your phone. Blocks seem to be largely network-based in my experience.
This is absurdly dishonest. I don’t use Chrome. I use a VPN sometimes, when I’m travelling, in a DigitalOcean IP range (which has a dubious reputation). I don’t live in the US or Europe, which is often Californian for ‘a list of trusted countries’. I’ve never, once, ever, had an issue with CloudFlare.
The regular vocal super-minority of people that have this issue need only expose the fact that they’re running Lynx on their Gentoo-powered toaster, upside down, on the international space station.
If you hit a problem like this I'd like to hear about it. If you're willing I can take a HAR file and pass it on to the Turnstile team and they can see why.
Sorry, I missed your reply. Thanks for the offer. I'll try to figure out whether this phone browser (a rather old Firefox fork) can take HAR traces and send it to you by email if I succeed.
Edit: No VPN, no Tor, no ad-blocking, Javascript & cookies enabled. The only suspect is old hardware and slowly maintained software (although updated only recently by the vendor).
I have emailed mods to ask for a link update so your comment can be demoted, and more room given for discussion. Thanks for pointing it out, did not see/check when submitting.
For those unaware the "City of London" is in fact a small part of London, what you might call downtown, and they have their own police force. fwiw they're regarded as a very competent police force
It’s not a conspiracy; the City of London police, alongside normal local duties, have a national responsibility for many kinds of economic and cyber crime.
This almost certainly comes from long experience investigating fraud and other financial crimes amongst the businesses and people based there, to a degree and level of complexity not found in other regions of the UK.
For instance they host Action Fraud for the entire country.
If you want to talk about enforcement priorities, contact your PCC, or better yet, right now, your local candidates.
This article and others say the Corporation pretty much does as it pleases. There's a "conspiracy theory" that says that the City instigated Brexit to avoid EU jurisdiction.
The Corporation is some kind of acquisitive out-of-democratic-control alien dropped into the middle of London finance. OTOH the City is just another rich men's club I guess. Nice that it's democracy for company-entities.
The City of London is very small, safe (quick look online returns that the crime rate is "73% lower than London and 67% lower than national average"), and very rich, and obviously right in the middle of a top world city. So I am guessing that their police force is well resourced, able to attract "top talent", and not bogged down by anti-social and petty crime.
Yes it is, a friend had their laptop stolen, the police tracked down the offenders within 2 hours and returned the items. What they also don’t tell you is that it’s a dystopian panopticon and runs on a slightly different legal system than the rest of the U.K.
The City Police have a very small patch and little violent crime, but are geared up to deal with IRA/ISIS-type threats.
Part of this means they have surveillance coverage of virtually the entire areas. It also mean that they can get anywhere very, very quickly.
Well it’s a reputation, so it’s hard to quantify. But anecdotally I’ve heard from numerous people who had dealings with that they were very competent (compared to most British forces presumably).
I’ve also heard that their average level of policeman is more educated, i.e. many holding degrees, masters etc. I presume this must be due to the nature of the work they’re most known for, i.e. combatting complex fraud, organised crime etc.
Erm, yep? You compared #officers/#residents for City & Met police; I'm saying that's irrelevant. City has much lower #residents/#crime, or / money changing hands, or / footfall on an average business day, etc.
Could you please stop posting unsubstantive comments and flamebait? You've unfortunately been doing it repeatedly. It's not what this site is for, and destroys what it is for.
Yes; mine does that too. Have you ever tried to use one of those TTS systems? They can just about read standard international English; anything more interesting, like someone's name, and they fall back to spelling-out the letters.
HMRC also seems to require an SMS-capable device for 2FA. Using the HMRC website is a soul-destroying adventure through severe speed-bumps, short session timeouts, and 72-hour delays. It's the epitome of awful, large-scale British public computer-system acquisition.
You don’t need any key for GSM, since the network/base station only started authenticating itself to the phone/SIM with 3G.
That’s why it would be good to shut down GSM at some point: It would raise the difficulty of such attacks significantly.
What I don’t understand is how they managed to actually intercept any SMS with an IMSI catcher. They’d need to get the network to send these through their infrastructure, so I wonder how that worked?
Update: Ah, they were just sending out texts themselves, not intercepting anything.