X-ONE Stealth Phone

The first 4G XCell Stealth Phone, with an unprecedented special feature: XTerminator

Alerts

Red warning messages are displayed on the home screen when X-ONE detects an unknown cell tower (unknown BTS) that does not have standard GSM encryption enabled (A5/1).

X-ONE Gallery

This type of alert is triggered when the phone connects to a lab device that is used for network testing and can also be used for GSM attacks (MITM). Usually, these devices do not have encryption enabled. Moreover, these devices use unknown values (Cell ID and LAC) because GSM interceptors use known values (Cell ID and LAC) collected from neighboring Cell ID and LAC values. In this way, the phone is forced to connect while using a higher RSSI (higher output power). The above warnings are triggered for SIM 1 (Vodafone), as you can see in the picture above. SIM 2 (Telstra) is still connected to the real network and can be used for secure communication as the green icon is displayed. No calls can be sent or received as there is no connection to the real GSM network. The same applies to SMS. However, a tapping warning is triggered when trying to make a call.

Red warning messages are displayed on the home screen when X-ONE detects a GSM interceptor (other than an unknown BTS) that does not have standard GSM encryption (A5/1) enabled to listen to calls.

Outgoing and incoming calls will work and if SIM 1 is used, an intercept alarm will be triggered. The same is true for SMS. If GSM Interceptor only mimics a cell tower from network 1 (e.g. Vodafone) and not from network 2 (e.g. Telstra), the user can make and receive secure calls using SIM 2. However, nowadays GSM Interceptor can imitate and clone multiple cell towers (up to 5 different networks). In this case, the GSM Interceptor alert looks like this:

Based on our proprietary algorithm, X-ONE is able to detect in real time, network switch based interception also known as SS7 interception.

SS7 Interception and location tracking is not based on disabled network encryption (A5/0), but on network switch exploits. For this reason, the A5/1 indicator remains green (secure) and only the SS7 attack alert is triggered as shown above. Outgoing and incoming calls work and the call intercept alarm is triggered when SIM 1 or SIM 2 is used. The same applies to SMS.

X-ONE is having a C2 Monitoring app which scan phone radiomodem firmware for abnormal network requests as C1/C2 reselection criteria, detecting this way any attempt to force the phone to leave home network (real mobile network) and connect to a GSM Interceptor which perform such attack prior call and SMS interception. For ease of use, C2 attack attempts are also displayed on X-ONE home screen:

The phone will monitor C2 parameter (cell re-selection criterion), which is used by IMSI Catchers / GSM Interceptors in order to force cell phone connection. This is called forced handover. Will also look for neighbor cell towers identity. Once C2 alarm is triggered, you should run C2 Monitoring app to find out more regarding ongoing C2 attack.

Once the phone is receiving a location tracking ping (LTP), an alert will be displayed on home screen.

Please note:

⚠ Red alert will remain on home screen until user reboot the phone.

⚠ Receiving one or more LTP does not mean your X-ONE has been tracked down and your GSM location, exposed! That only means someone (usually law enforcement or intelligence agencies) is interested to find out your (phone) geo location at a certain time. X-ONE will not only warn you regarding LTP received.

⚠ X-ONE is blocking by default the response to LTP: no location data will be sent back to the sender. No need for any extra settings. When facing a large amount of LTP received (over 20/hour) you might take action by deleting SMSC number.

⚠ GPS location tracking is something else than GSM location tracking, and is based on GPS module (found on phone motherboard) that need to be remotely accessed by some govt (or even commercial) grade spyware apps in order to read GPS data and send them (over WIFI or Data connection) back to spyware end user. GPS location tracking does not work without spyware installed on the phone. By default, X-ONE is blocking any software installation, even by the user itself.

⚠ GSM location tracking is based on an LTP sent over the GSM network to a target phone (identified by its IMEI and the SIMs’ IMSIs), triggering an “auto-response” message, which is sent back via SMS (invisible in the list of sent SMS) and contains GSM location data (which is actually the ID of the cell tower the phone is connected to at the time the LTP reached the phone, LAC, MCC, MNC and a list of up to 6 surrounding cell towers that the phone can “see”. This data is needed to perform the GSM triangulation procedure, which in the end results in a geolocation of the phone with an accuracy of +/- 3 meters in urban areas).

⚠ Due to the sensitive nature, all information is available after purchase.

X-ONE Stealth Phone will continuously monitor and scan in background both mobile networks, checking for network anomalies as LAC changing, RSSI increase, C2 reselection. This function might drain your battery faster than normal.

Offensive special functions

XTerminator is designed to attack IMSI Catchers and GSM Interceptors OTA (Over The Air) via available uplink channels by LUR flooding, sending continuous connection requests (LUR) via RACCH – Radio Access Control Channel in a short period of time, similar to DoS network attack.

This attack can not be detected by an IMSI Catcher and GSM Interceptor. XTerminator is highly disrupting for real network and deadly for IMSI Catchers and GSM Interceptors. Use it with precautions and only when really needed.

⚠ Due to the sensitive nature, all information is available after purchase.

The phone comply to the newest legislation changes that occur in more and more countries nowadays, regarding IMEI change prohibition.

Original IMEI can be restored at any time, by pressing “Restore original” button.

⚠ By software means will be changed both IMEIs at once.

This function is transforming your phone in a real sophisticated counterintelligence weapon. IMSI Change function does not require any Internet connection, third party servers or monthly subscription. This special function runs locally on the phone (Sandbox partition), being a unique function which no other phones offer at this time.

IMSI Change function allow user to change IMSI value (SIM registration number stored on the SIM card), by keeping the same phone number (MSISDN).

⚠ This function can generate SIM network rejection (network dependent). Use it carefully.

This is an IMEI Change additional app, which help user to manually insert valid IMEI, on IMEI Change application. Use it in conjunction with IMEI Change app.

This is an additional application which will help you to get correct MCC and MNC values to be used on IMSI Change function.

⚠ This app need data connection to access mcc-mnc.com.

Defensive special functions

Whenever a phone call (outgoing or incoming) is intercepted by any means (GSM Interceptor or SS7), a Call Interception Alert will be triggered right before placing the call or before answering the call. Call Interception Alert is triggered for both IMEIs.

  • Fig. 1: Call Interception Alert, before placing the call
  • Fig. 2: Call Interception Alert during active call

  • Fig. 1: Incoming Call Interception Alert
  • Fig. 2: Call Interception Alert during active call

Will X-ONE alert me if other calling party cell phone is intercepted?

Yes, when other call party involved in conversation is intercepted by any means (GSM Interceptor or SS7), X-ONE will alert you by displaying above alerts, since the phone is checking overall network security and not just locally, at X-ONE level or connected BTS level.

⚠ There is a case when no Call Interception Alert nor SMS Interception Alert will be triggered. If on the other calling party cell phone is installed a spyware, commercial or govt grade. This is because network security is not affected in any way.

Whenever a SMS (outgoing or incoming) is intercepted by any means (GSM Interceptor or SS7), a SMS Interception Alert will be triggered right before sending the message. Incoming intercepted SMSs cannot be flagged as intercepted before arriving on the phone, as intercepted incoming calls are signaled before answering that call. SMS Interception Alert is triggered for both IMEIs.

What is a secure SMS?

That is something else than an encrypted SMS. A secure SMS is the one that has been sent via regular mobile network (which use A5/1 stream cypher by default). SMS itself is not encrypted, but only the network connection (from cell phone up to cell tower), which prevent interception. The same for secure calls.

⚠ Incoming SMS Interception Alert will not be triggered if on sender cell phone is installed a spyware, commercial or govt grade.

Once launched, the function will start checking both Active and Passive Interception, step by step. Regarding interception performed with Active/Semi Active GSM Interceptors, the X-ONE will check:

  • BTS (cell tower) parameters, allocated by real network.
  • RSSI. High GSM RSSI means other signals (jammers, IMSI Catchers) and unwanted interference.
  • Cell ID. Comparing real Cell ID against surrounding network within same LAC.
  • LAC (Location Area Code). Will check for abnormal LAC changes.
  • ARFCN: will check the pair of physical radio carriers used as uplink and downlink frequencies.
  • Ki (ciphering key stored on the SIM card) retrieving attempts.
  • Baseband attack attempts.

Regarding interception performed by Passive GSM Interceptors, the X-ONE will check based on real ARFCN:

• Uplink. The frequency used by the phone to communicate with BTS (cell tower).

• Downlink. The frequency used by the BTS to communicate with cell phone.

The phone will ping HLR/VLR core network, computing network redundancy and abnormal ping delays. In the end, will generate a Network Security Rating. 100 % means that the network is 100% secure.

⚠ [ok] or 0 means no threat.

⚠ [!] means threat detected.

By forcing cell reselection (C2) parameter, Active and Semi Active GSM Interceptors will force any cell phones to disconnect from home network and connect to the rogue BTS impersonated by the equipment. This is called also BCCH manipulation, being used by all modern GSM Interceptors. When launching this function, the X-ONE will:

  1. Extract C1 value, from serving cell. Will compute C2 value by using a special algorithm, the same used by any GSM network.
  2. Will look for at least other 6 neighboring cell towers, ordered by RSSI value. Will compare C1 to C2.
  3. Will trigger alert if no neighboring cells are found (a clear indication that a GSM Interceptor is active within area). Will look for CPICH, RSCP and BCCH.
  4. Will display forced handover attempts (if any).
  5. Will display Channel lock fails (if any).

cryptoTRACER® is a function that can detect lawful interception performed by SS7 Boxes (known as Network Switch Based Interception or interception based on network operator help). cryptoTRACERⓇ use XCell Technologies proprietary algorithm that will trigger interception alert when your calls are being tapped by SS7 means. In order to instantly detect if your X-ONE Stealth Phone is monitored by SS7 means, you don’t have to make any call or send/receive a message. Just run cryptoTRACER® and wait for results.

After checking phone firmware integrity, cryptoTRACERⓇ will start pinging core network at MSC/VLR and AUC/HLR level. Then will calculate network redundancy and compare to standard redundancy. If a ping delay will be detected, SS7 monitoring alert will be triggered by displaying:

  • Network redundancy [!]
  • Ping delay [!]
  • Phone status [!]

Both IMSI engine and IMEI engine and other software components has been moved in a separate partition called Sandbox, in order to make them working faster and smoother. System restarting has been suppressed in case of any abnormal network characteristics (i.e. generated by IMSI Catchers and GSM Interceptors).

Once enabled, Anti Interception application will block all incoming and outgoing phone calls and messages while X-ONE is under active surveillance (call & SMS interception). X-ONE will appear to be connected to mobile network, but silent (no calls and messages).

Mobile phone location tracking is based on the cell towers on which the phone is connected to. A cell phone can “see” 6 neighboring cell towers at a time (or less, depending on the area), and law enforcement is using this info in order to calculate accurately the cell phone location (+/- 5 meters) by using so called GSM triangulation procedures. Despite mainstream thoughts regarding mobile location tracking, a cell phone geo location tracking have nothing to do with GPS phone module, which is only a radio receiver (does not emit/send any data out of the phone but only receiving sat data). GPS phone data can be acquired over the air only if on that particular phone is installed a spyware that allow GPS tracking. Law enforcement and intelligence agencies does not use this tracking method because of multiple technical disadvantages. Instead, are using most common GSM location tracking, based on cell towers location and triangulation procedures.

X-ONE can effectively hide (spoof) the real phone location, by using this special function. The phone will spoof location whenever is static or on the move, by randomly connecting on cell towers. This way, the phone will appear to be 1 to 10 Km away from its real location (depending on the network cell towers density).

⚠ For location spoofing, XCell Stealth Phones does not need to use Internet connection and/or third party servers, being a built-in feature.

You can use X-ONE Stealth Phone to securely conenct other devices (PC, Tablet, other cell phone) to Internet, via Bluetooth connection. ⚠ USB tethering is disabled and cannot be enabled due to USB volatile security filters.

This special function is protecting X-ONE from forensic memory acquisition and data extraction. X-ONE is delivered with hardware volatile filters and software filters. No connection via micro USB port to any other device will be possible. Thus, no data transfer is possible, no file system can be read or copied.

If USB data extraction is forced in any way, trying to bypass USB security filters or using JTAG procedures, self-destruction mechanism will be triggered. All data will be erased and phone and whole motherboard will be destroyed. No chances for unlock, phone motherboard need replacement.

⚠ Do not connect X-ONE to any forensic device or service box!