Do-It-Yourself Cellular IDS is Here

LMG’s researchers have created the world’s first proof-of-concept cellular intrusion detection system (CIDS), which will enable enterprise security professionals to detect hacked smartphones cheaply and effectively, even in BYOD environments. Click here to download the full whitepaper with details.

  • Hacked smartphones pose extreme risks to national security. Infected smartphones can record surrounding audio, intercept text messages, capture location and usage data, and send all that stolen data back to an attacker.
  • For less than $300, LMG created a CIDS by modifying a Verizon Samsung femtocell and redirecting traffic to a server running the open-source intrusion detection software (Snort).
  • LMG then infected a smartphone with the Android.Stels malware and developed custom-written Snort rules to detect it.
  • LMG’s CIDS successfully detected and alerted upon the infection and the malware’s subsequent command-and-control (C&C) communications with the attacker’s server.
  • No software needs to be installed on the smartphone itself.
  • LMG also found a weakness in the Android.Stels malware’s C&C channel and remotely took control of the bot over the network.
  • LMG’s project demonstrates that low-cost cellular intrusion detection systems (CIDSs) are not only possible, they are an inexpensive and effective way to combat mobile malware.

Click here for the whitepaper with full details on how to build your own DIY Cellular IDS.

UPDATE: Source code released! Check out the CellularIDS repository on SourceForge.

More info:
** Full details were released Thursday, August 1 2013 at the Black Hat Conference.
** Email for questions and interviews.
** Video demonstration to follow; check back soon!

11 thoughts on “Do-It-Yourself Cellular IDS is Here”

  1. Are the binaries going to be released for this?
    Have you guys done any work to see if patched units can be ‘downgraded’ possibly on a bench?

    Great work guys!

      1. “To overcome this challenge, LMG purchased several additional Samsung femtocells via eBay. Upon receipt, each femtocell was booted. Femtocells which were running an updated version of the software were returned, and only the older versions which allowed autoboot interrupts were retained.”

        Still not sure how LMG managed to defeat the CAVE auth and use their units on a live network (as any unit failing to upgrade is banned from the Verizon network). Their DEFCON presentation did NOT use a live demo, but a video. Cool stuff, good team, but lots of unknowns.

  2. Pingback: DEFCON 21 update: August 5, 2013. « Whipped Cream Difficulties
  3. Pingback: Inexpensive Cellular IDS Allows for Inspection of Cell Traffic « Cyber Security Aid
  4. Great post! Been reading a lot about different security systems recently. Thanks for the info!
