Jul 262013

LMG’s researchers have created the world’s first proof-of-concept cellular intrusion detection system (CIDS), which will enable enterprise security professionals to detect hacked smartphones cheaply and effectively, even in BYOD environments. Click here to download the full whitepaper with details.


  • Hacked smartphones pose extreme risks to national security. Infected
    smartphones can record surrounding audio, intercept text messages,
    capture location and usage data, and send all that stolen data back to
    an attacker.
  • For less than $300, LMG created a CIDS by modifying a Verizon Samsung femtocell and redirecting traffic to a server running the open-source intrusion detection software (Snort).
  • LMG then infected a smartphone with the Android.Stels malware and developed custom-written Snort rules to detect it.
  • LMG’s CIDS successfully detected and alerted upon the infection and the malware’s subsequent command-and-control (C&C) communications with the attacker’s server.
  • No software needs to be installed on the smartphone itself.
  • LMG also found a weakness in the Android.Stels malware’s C&C channel and remotely took control of the bot over the network.
  • LMG’s project demonstrates that low-cost cellular intrusion detection systems (CIDSs) are not only possible, they are an inexpensive and effective way to combat mobile malware.

Click here for the whitepaper with full details on how to build your own DIY Cellular IDS.

UPDATE: Source code released! Check out the CellularIDS repository on SourceForge.

More info:
** Full details were released Thursday, August 1 2013 at the Black Hat Conference: https://www.blackhat.com/us-13/briefings.html#Davidoff
** Email research@lmgsecurity.com for questions and interviews.
** Video demonstration to follow– check back soon!

Share and Enjoy

  11 Responses to “Do-It-Yourself Cellular IDS is Here”

  1. Best session @ the conference.

  2. Are the binaries going to be released for this?


    Have you guys done any work to see if patched units can be ‘downgraded’ possibly on a bench?

    Great work guys!

    • Yep, we’ll be releasing the source code today. I’ll post a message here when that’s up.

      We haven’t needed to “downgrade” a unit. I can tell you that other researchers have gained root shell access on Samsung femtocells running the latest updates. Google around and you should find more info…


      • “To overcome this challenge, LMG purchased several additional Samsung femtocells via eBay. Upon receipt, each femtocell was booted. Femtocells which were running an updated version of the software were returned, and only the older versions which allowed autoboot interrupts were retained.”

        still not sure how lmg managed to defeat the CAVE auth, and use their units on a live network (as any unit failing to upgrade is ban from Verizon network). Their DEFCON presentation did NOT use a live demo, but a video. cool stuff, good team, but lots of unknowns.

  3. […] The LMG Security blog has a post up with links to the white paper and source code from the Sherri Davidoff/Randi Price/David Harrison/Scott Frethem ta…. […]

  4. Hey,

    When are you posting the answers to the Network Forensics challenge?

  5. […] DEF CON last weekend, a team of researchers demonstrated an inexpensive cellular intrusion detection system (CIDS) built with a commercial femtocell, commodity hardware, and the open source Snort IDS. The […]

  6. Great post! Been reading a lot about different security systems recently. Thanks for the info!

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>