
Elgin AFB exploring setting up a GSM test range


posted on Jun, 7 2013 @ 02:38 AM

2G-3G Mobile Network Range Requirements

I. INTRODUCTION The 2G-3G Mobile Network Range (Mobile Network Range) will be a testing environment for third party applications. The subjects under test are the third party applications not the network. The testing environment must be configurable to emulate a carrier network. Instrumentation will be placed at various access and core network interfaces to collect data on application performance so all core and access network interfaces must be accessible.

The Mobile Network Range access network components shall be delivered in a ruggedized rack mount case.

14. The Mobile Network Range access network components plus ruggedized case lifting requirement shall not exceed those of a 2 man lift.

15. The core network may be mounted in either a ruggedized rack mount case or may be designed for a fixed installation capable of remote trunking.

16. .

Full text

Well I can see two uses for this cell phone test range. One, the base is developing applications and wants to see if they are hackable. I suppose this could be done on an existing network, but maybe they are going to do hacking that involves transmitting on the network with something other than a phone. That is, they don't want to interfere with a commercial network and make headlines in the newspaper.

On the other hand, perhaps they are training to monitor cell phones, i.e. stingray, or practice silent ping direction finding.

If this ever becomes operational, there are phone applications to see the Mobile Country Code (MCC) and Mobile Network Code (MNC). It will show up on any GSM phone that supports manual scans as some weird network.

For those not familiar with silent pinging, you can send a text message to a phone without it showing up as a message as far as the recipient is concerned. The phone will acknowledge this message, i.e. you have forced the phone to transmit at will, and then you can "direction find" (DF) the phone by a number of means. At one time you could overload the phone with a number of rapid silent pings, but most networks filter this kind of attack. The silent ping is used by law enforcement, mostly outside the US.

In the US, the hacking tool of choice by law enforcement is the Stingray.
Stingray on wiki

The silent ping phone location scheme is quite legal. The Stingray is a bit suspect since it involves creating what looks like a cell tower to the subject's phone, but in reality the phone is talking to your tower. You then lower the encryption level and hack the phone.

posted on Jun, 7 2013 @ 05:21 AM
The EC-130 is routinely used to broadcast over television and radio during psyops in other countries. One thing they found in some countries is that while not everyone has a radio or television for them to broadcast over, just about everyone in the country had a cell phone.

Some networks are fairly open, others not so much. This is a good way for the EC-130 crews to learn how to quickly get into various networks and be able to broadcast text messages or even mass phone calls. Or even just eavesdrop listening for insurgent activity.

posted on Jun, 7 2013 @ 06:25 AM
reply to post by Zaphod58

Wow, I'm curious, sounds very interesting. Could you share some more information about that, or give me a keyword to boost my own search, please? U2U is also fine.

posted on Jun, 7 2013 @ 08:18 AM
reply to post by verschickter

Check out this link, should give you some more info on it.


posted on Jun, 7 2013 @ 09:27 AM
reply to post by Stealthbomber

You could add the RC-135 and MC-12 to the list.

But sniffing cell phones can be done from just about any aircraft they want to equip. Just put the gear in a PC-12 or Cessna Caravan. Or a UAV for that matter. The Stingray is suitcase sized.

Since the proposed "test" cellular network is portable in the strict sense of the word (as in you can move the racks), I have to assume it will be moved around the country to act as a target in training exercises. JEFX for example.

I really don't understand how this new cellular network can coexist with networks already operating. That is, they are using the same frequencies as existing networks. But it does seem to be possible. I have long suspected such a cellphone test range existed and sniff for networks when I am near military bases. I did find a network pop up out of the blue in Tonopah, but it turned out to be a company that specializes in rural cellphone networks. That is, they own the network and sell service to AT$T, T-Mobile, etc. You can do an internet search on MCC MNC and find all sorts of companies you never heard of providing cellular service. The US alone has three MCC codes.

posted on Jun, 7 2013 @ 02:44 PM
We got the pubs from some of those jets. Ima do a little research on those pubs for the jets mentioned and see what I come up with. Unless zaphod is way ahead of me. Lol

posted on Jun, 7 2013 @ 04:34 PM
reply to post by gariac

Actually I was just reading an article on the aviationist about the MC-12W. I'll give you the link; it also has a video from onboard the aircraft as well. You may have already seen it, but here's the link anyway.


posted on Jun, 7 2013 @ 07:50 PM
I did this thread on the MC-12W:

MC-12W at Beale

Like I always say, in the US, you are more likely to be snooped on by a C-12, PC-12, or Cessna than a drone.

posted on Jun, 15 2013 @ 08:05 PM
Still nothing on this cellular test range. I found this resume on LinkedIn. Interesting they have a phone expert and former NSA employee at JT3.

Telephony Systems Supv, Field Engineer IV JT3, LLC Privately Held; 1001-5000 employees; Defense & Space industry
September 1997 – Present (15 years 10 months) Las Vegas, Nevada Area
Telephony Switching and Cellular Systems
- CDMA 2000

Electronic Communications and Cryptographic Systems United States Air Force
Government Agency; 10,001+ employees; Defense & Space industry
August 1976 – November 1997 (21 years 4 months) Elgin AFB, Kunsan AB, Buckley ANGB, Osan AB, Onizuka AFS, Yokota AB, NSA

posted on Jul, 4 2013 @ 12:09 AM
The Elgin GSM range solicitation has received a dose of mission creep. They want it capable of all email and sms, plus 4G upgrade. The link below has all the relevant details.

new solicitation

Oh, if Elgin is reading this post (and of course they are), you might want to rethink this statement:

The antenna input impedance shall not exceed 50 Ohms

Looking at this solicitation again, I noticed a key point: they only want one tower (antenna) in the system. This means they probably don't have any interest in playing games that a cellular provider could do, such as triangulating on a radio based on multi-tower use. So whatever they are planning seems to me to be targeted towards what could an outsider do to/with a cellular system rather than cooperate with the wireless provider. That would include decrypting voice and data, triangulation using receivers "off the grid", and planting viruses on phones.

The Mobile Network Range shall provide an instrumentation suite to analyze mobile subscriber MS/UEs.

MS wiki

Now this line is subject to interpretation, but the way I read it, Elgin wants a "service monitor". Since that phrase will drag all sorts of crap up in a google search, an example would be:
Anritsu monitor

posted on Jul, 4 2013 @ 10:02 PM
Argh, I keep typing Elgin instead of Eglin. Elgin is that spot east of Nellis. [Or I could have some latent dyslexia.] Anyway, this post is to hopefully get Eglin in the thread for search engines.

I'm still amazed no mainstream aviation press has picked up on this cellular test range. I swear Aviation Leak and such just print press releases.

posted on Sep, 12 2013 @ 01:09 AM
The contract was awarded to

I found this article about G3:

The U.S. Border Patrol intends to purchase about $160,000 worth of “signal processing equipment” from G3 Technologies, Inc., of Columbia, MD, to enhance the agency’s “tactical situational awareness, surveillance assessment and spectrum management.” The Border Patrol’s published announcement did not make clear precisely what this newly-acquired gear will be expected to accomplish, but a review of the company’s Website suggests that it may involve specialized network-based products. “G3T offers extensive network monitoring capability for wireless providers,” explains the Website. “This includes fraud detection and advanced network analysis.”


OK, come on USAF, just come out and say it. This range is to hack cell phones. Your vendor is an obvious spook company.

posted on Sep, 12 2013 @ 02:07 AM
Interesting find mate.

Do you think that they are going to be actively using it as a platform to hack live phones or more as an offline test facility for GSM jamming/hacking capabilities?

posted on Sep, 12 2013 @ 02:17 AM

Interesting find mate.

Do you think that they are going to be actively using it as a platform to hack live phones or more as an offline test facility for GSM jamming/hacking capabilities?

I think both your scenarios are likely. What needs to be determined next is what band they will use. I don't see how they can just set up a GSM site and not cause interference.

I suppose next up is searching the FCC database to see what G3 has done in the past. The FCC database is not indexed by google. That means you are at the mercy of the FCC search engine.

I'm certain they are sniffing phones at the US border. That could be a passive (RF that is) operation, or they might be spoofing a cell tower and just not licensing the transmitter. The cops certainly don't license their stingrays.

posted on Sep, 12 2013 @ 02:29 AM


Interesting find mate.

Do you think that they are going to be actively using it as a platform to hack live phones or more as an offline test facility for GSM jamming/hacking capabilities?

I think both your scenarios are likely. What needs to be determined next is what band they will use. I don't see how they can just set up a GSM site and not cause interference.

My knowledge is pretty minimal on this but couldn't they just set it up on one of the unused bands say, the 900 or 1800MHz bands as they aren't used within the US?

posted on Sep, 12 2013 @ 03:38 AM
reply to post by AussieNutter

In the US, they sell spectrum. Finding unused civilian spectrum seems pretty unlikely. But maybe some company of dubious scruples (cough cough AT&T cough cough) could give Eglin a sliver of their spectrum. But then for jamming, they would have to move the equipment, which is possible since it is just a rack. When you own a fleet of cargo planes, the definition of portable isn't like what you or I think of something being portable.

I only found one item for G3 in the FCC database. They were trying to install a GPS repeater, and the FCC said no. But that is just for a license in their name. Probably studying the G3 gear at the border would yield useful information.
