AirCell Scanning Overview

Modified on Mon, Mar 23, 2020 at 11:46 AM

Traditional cellular networks are made up of numerous distributed "cell sites" with multiple antennas radiating different frequencies and network identifications using bands typically allocated by local government regulators. These cell sites join together to provide a cellular network that is spread across a geographical location.

802 Secure's AirCell Scanner collects information about all nearby advertised cellular frequencies and networks for cataloging and analysis. It does this by regularly listening to the broadcasts from nearby cellular towers across the frequency bands. This information is collected and delivered to the 802 Secure Cloud for further analytics and historical data collection.

The results are visible in a dashboard sensor map or in list format.

Depending upon the network technology used this data may include:

Column	Description
Threat Level	An 802 Secure calculated Threat Level from 0 (none) to 100 (severe)
Reasons	Reasons why the Threat Level was calculated
Tower ID	A unique identification number of the radio. Combined with other fields it create a Cell Global Identity.
Band ID	The LTE cellular band number - https://en.wikipedia.org/wiki/LTE_frequency_bands
Carrier	Name of the network provider
Technology	Cellular network technology for the identified tower (GSM, LTE or 5G)
MCC	Mobile Country Code - Identifies a country. Combined with MNC this uniquely identifies a network operator as a Public Land Mobile Network (PLMN).
MNC	Mobile Network Code - Identifies a network. Combined with MCC this uniquely identifies a network operator as a Public Land Mobile Network (PLMN).
LAC	Location Area Code identifies a group of base stations together in an area
EARFCN	E-UTRA Absolute Radio Frequency Channel Number - Primarily LTE based but also reported for GSM towers
RSSI	Received Signal Strength Indicator - A measurement of the Radio Frequency (RF) power present in a received radio signal at the AirShield
RSRP	Reference Signal Receive Power - The average power of Resource Elements (RE) that carry cell specific Reference Signals (RS) over the entire bandwidth
RSRQ	(Reference Signal Received Quality - A calculated quality based on the received reference signal

Classification

Cellular towers observed by an AirShield are classified and a Threat Level is created based on this knowledge. 802 Secure uses a number of sources and algorithms to determine the threat level of a cellular tower.

Possible Cellular Tower Reasons

Reason	Description
Unclassified Cellular Tower	Cellular tower is not known to 802 Secure's multiple data sources. This may be due to a gap in the available data sets due to a new tower being installed or an attacker standing up a radio receiver.
Known tower is <X> miles from AirShield location	A cellular tower is known in 802 Secure's multiple data sources but is geographically distant from the known AirShield location. This reason is only added when the distances is great than 5 miles. If all towers have this reason then check the geolocation of the AirShield sensor to ensure it's correct.
Unknown MCC/MNC Country	The cellular tower is advertising an unknown MCC or MNC
MCC/MNC registered in <X> but AirShield is in <Y>	The cellular tower is advertising an MCC/MNC that is reportedly located in country <X> but the AirShield is located in country <Y>

Threat Level Calculations

Based upon the number of reasons a calculated Threat Level is generated between 0 and 100. Any tower with a Threat Level of 50 or higher should be viewed with skeptical eyes. A threat of 70 or higher is most likely a malicious actor advertising an invalid tower.

As operations continue the threat level calculation may change. At any time the user may reset the level to 0 at which time the platform will recalculate on the next observation process.