top of page

Mobile Hacking: How the Mexican Drug Cartels Built their Own Cellular Infrastructure to Avoid Surveillance

Writer's picture: otwotw

Updated: 13 hours ago

Welcome back, my aspiring cyberwarriors!


Mobile hacking can take many forms. Most novices focus on the handset, but in reality, there are multiple paths.


Mobile hacking can entail any of the following and more;


(1) a hack against a singular phone such Pegasus and many other IoS and Android malware,


(2) an attack against the mobile infrastructure such as SS7 (Chinese hackers have recently compromised the entire US telecom system using SS7),


(3) employ social engineering to get the target to click on a malicious link or download a malicious graphic or document,


(3) you can build your own entire mobile telecom system. In this way, you can perform a MiTM attack (similar to the law enforcement Stingray) against the target or use it to avoid surveillance and detection.







Recent developments in Software Defined Radio (SDR) have made it relatively inexpensive and simple to develop your own mobile telecom system (see our upcoming SDR Hacking for Mobile Networks). These SDR-based systems enable the attacker to connect to the larger mobile network for internet access (thereby becoming truly anonymous) but not access the SMS or voice calls (these are exclusively telecom services) on the broader network. It also enables the enterprising organization to build their own private mobile telecom network at relatively low-cost and avoid surveillance.


A few years ago, the Mexican drug cartels did something similar. After a new government threatened to shut down their operations or face criminal prosecution, they were faced with government officials listening into their conversations and messages. In addition, metadata from the mobile telecom system could be used for tracking their precise location. To avoid detection and criminal prosecution, they built their own cellular infrastructure to avoid message interception and location tracking.


Even with an organization flush with cash from selling various drugs into the US (the cartels have been known to bribe high government officials with hundreds of millions of US dollars), the plan to build a separate cellular telecom system was audacious and expensive. Recent technological developments have reduced the cost by a factor of 1000x. This will likely lead to other legal and illegal organizations building their own private cellular telecom networks to guarantee privacy.


Let's take a look at how the Mexican drug cartels did this last decade.


How Mexican Drug Cartels Built Their Own Cellular Infrastructure


In the complex topography of Mexico's borderlands, criminal organizations have developed telecommunications infrastructure that rivals military-grade communications systems in sophistication. This article examines the technical evolution, implementation, and operational characteristics of these networks, drawing from documented discoveries and forensic analysis of seized equipment.


Origins and Motivation


The emergence of cartel telecommunications can be traced to a pivotal moment in Mexican history. In 2007, President Felipe Calderón's administration launched an unprecedented offensive against drug trafficking organizations. A cornerstone of this strategy was the enhanced surveillance of commercial communications networks, aimed at disrupting cartel operations.


The strategy's effectiveness became starkly evident in December 2009, when Mexican authorities tracked and arrested Arturo Beltrán Leyva, one of the country's most powerful drug lords, using his commercial cell phone. Leveraging Harris Corporation's Gossamer system for real-time cellular location tracking, authorities exploited vulnerabilities in the A5/1 encryption standard used by GSM networks. This enabled them to intercept communications and pinpoint location data with remarkable precision, accurate to within 50 meters.


The compromise of commercial communications networks exposed critical vulnerabilities that cartels could no longer ignore. In response, Los Zetas, a cartel founded by former military special forces operators, spearheaded the development of an independent communications infrastructure.


Technical Architecture


At the physical layer, these networks primarily operate in the 700 MHz and 850 MHz frequency bands, chosen for their superior propagation characteristics in mountainous terrain. A system discovered in Sinaloa in 2019 demonstrated the use of TETRA (Terrestrial Trunked Radio) protocols, typically used in emergency services communications, modified to work with commercial cellular hardware.



TETRA

The base stations, often built around modified Motorola MotoTRBO DR3000 repeaters and Harris RF-7800W broadband terminals, implement a hybrid protocol stack. At the lower layers, they utilize modified GSM protocols for basic cellular functionality, while the upper layers employ custom protocols for security. Notably, a network dismantled in Tamaulipas in 2021 revealed the use of OpenBTS (Open Base Transceiver Station) software running on software-defined radio platforms, specifically the Ettus USRP N210 models.


Signal processing in these networks employs sophisticated spread spectrum techniques. A system uncovered near Ciudad Juárez implemented Frequency-Hopping Spread Spectrum (FHSS) using a proprietary algorithm that generated hopping patterns based on geographical coordinates and time of day.


The frequency hopping occurred across 200 channels in the 700-800 MHz range, with dwell times as short as 10 milliseconds, making interception extremely difficult.


Encryption and Security Protocols


The encryption architecture in modern cartel networks implements multiple layers of security. At the link layer, networks typically employ modified A5/3 encryption, the protocol originally developed for 3G networks, but with custom modifications to the key generation algorithm. This is supplemented by application-layer encryption using a combination of AES-256 in GCM mode and custom elliptic curve cryptography.


A particularly sophisticated system discovered in 2022 in Michoacán implemented a novel approach to key distribution using a modified version of the Diffie-Hellman key exchange protocol. The system generated temporary encryption keys based on multiple factors including geographic location, time of day, and atmospheric conditions measured by integrated weather sensors. This environmental keying system, dubbed "GeoLock" by investigating authorities, made decryption practically impossible without access to the exact environmental conditions at the time of transmission. This was brilliant.


Hardware Implementation and Modifications


The physical infrastructure of these networks reveals ingenious modifications to commercial equipment. Base stations typically consist of modified BTS (Base Transceiver Station) units, often built around Huawei DBS3900 or Nokia Flexi Multiradio hardware. These units undergo extensive modification, including the replacement of standard firmware with custom software and the addition of hardware encryption modules.


A particularly notable example was found in a 2021 raid in Sonora, where engineers had modified Nokia Ultrasite base stations to operate with custom-built RF amplifiers. These amplifiers, based on the Freescale MRF6V10010N LDMOS technology, could deliver up to 1000W of output power, far exceeding commercial specifications. The amplifiers were coupled with custom-designed antenna arrays that implemented Multiple-Input Multiple-Output (MIMO) technology for improved coverage and resistance to jamming.


Network Topology and Routing


The network topology implements a hybrid mesh architecture that combines elements of traditional cellular networks with ad-hoc networking capabilities. The backbone typically consists of point-to-point microwave links operating in the 11 GHz and 18 GHz bands, using modified DragonWave Horizon Compact+ radios. These links implement adaptive modulation and coding (AMC) with proprietary modifications to standard protocols.


Routing in these networks employs a modified version of the OSPF (Open Shortest Path First) protocol, adapted to handle the unique requirements of the cartel's operations. The routing algorithm incorporates factors such as terrain features, signal strength, and threat levels in different areas. A system discovered in 2023 near Guadalajara implemented a sophisticated traffic engineering system based on the MPLS (Multiprotocol Label Switching) protocol, modified to include encryption at the label level.


Counter-Surveillance and Electronic Warfare


The electronic warfare capabilities of these networks have evolved to include sophisticated signal detection and analysis systems. Recent discoveries have revealed the use of modified Rhode & Schwarz PR100 portable receivers for signal intelligence gathering, coupled with custom software for automated threat assessment. These systems can detect and classify various types of surveillance equipment, including law enforcement surveillance drones and cell-site simulators (commonly known as "Stingrays").


The counter-surveillance systems employ a range of electronic warfare techniques, including:


Digital Radio Frequency Memory (DRFM) jamming systems, capable of capturing, modifying, and re-transmitting hostile radar signals Precision Direction Finding (PDF) equipment based on modified KN-DS-10 modules Cognitive radio systems that can automatically detect and avoid interference or jamming attempts


The Human Element


The technical expertise required to build and maintain these networks reveals another dark aspect of cartel operations. The case of José González (name changed for security), uncovered in 2018, provides a window into how cartels acquire their technical workforce. González, a former Telcel engineer, was kidnapped and forced to serve as a technical advisor for the Gulf Cartel. His eventual escape and testimony revealed the inner workings of these networks, including the extensive training programs developed for new technical recruits and the sophisticated maintenance protocols that kept the systems operational.


The most extensive documented case emerged in 2020 when Mexican authorities uncovered a massive network operated by the Jalisco New Generation Cartel (CJNG). The operation centered around a fully functioning telecommunications company that served as a front for the cartel's communications infrastructure. This network spanned four states and employed over 50 technical specialists, many of whom had been recruited from legitimate telecommunications companies through a combination of coercion and financial incentives.


Summary


This story of the Mexican cartel communication networks represents more than just a technological achievement – it demonstrates the extraordinary lengths to which criminal organizations will go to maintain operational security (OPSEC). As these networks continue to evolve, they pose significant challenges for law enforcement and telecommunications policy.


With the advent of Software Defined Radio (SDR) and open-source cellular software such as OpenBTS and srsRAN, we will likely see a proliferation of private cellular networks by organizations seeking to guarantee their privacy.


For more on Software Defined Radio check out our SDR for Hackers and Advanced SDR for Hackers. In 2025, we will be teaching our first SDR for Mobile Systems where many of these techniques will be taught.



bottom of page