# Detect and prevent IMSI-Catcher attacks!

## tangent4ronpaul

This is part of a thread from the cypherpunks mailing list on GSM (cell tower) spoofing.
https://cpunks.org//pipermail/cypherpunks/

http://secupwn.github.io/Android-IMSI-Catcher-Detector/

Unfortunately it seems that IMSI catchers have been exponentially popular lately, with an explosion of various "bastards" with governments and criminals all the same, using it. Anyone can now buy an IMSI catcher... In addition they can all crack the A5.1-3 encryption on the fly! This is why the original author named "E:V:A" started this project. Let's protect against threats like these!



This project:
- Detects IMSI based device location tracking
- Provides counter measures for device tracking
- Can provide swarm-wise-decision-based cellular service interruption
- Can provide secure wifi/wimax alternative data routes through MESH-like networking.
- Detect and prevent remote hidden application installation
- Detect and prevent remote hidden SMS-based SIM attacks
- Prevent or spoof GPS data
- Does NOT secure any data transmissions
- Does NOT prevent already installed rogue application from full access

Other projects:
- Provide full device encryption
- Provide secure application sand-boxing
- Provide secure data transmission
- Provide firewalls

Android-based project to detect and (hopefully one day) prevent fake base stations (IMSI-Catchers) in GSM/UMTS Networks. Project Website: http://secupwn.github.io/Android-IMSI-Catcher-Detector/

Official XDA development thread: http://forum.xda-developers.com/show....php?t=1422969

(more at link)

=========
Unfortunately I have no idea how to implement detection of the A5/x
ciphering used or detection of silent SMSes on Android. However, it is
very simple on the Osmocom platform.

Anyway, the IMSI Catcher detection project needs developers.

P. S. A little more info about GSM hacking is here:
http://matej.owca.info/predavanja/GSM_security_2012.pdf
We also have some nice videos showing identity theft in a GSM network... :-))

I have also found out how to completely fake traffic data (data
retention anyone :-)) ) and even how to insert an arbitrary voice recording
into an eavesdropping database (in case the police are eavesdropping on some
mobile phone). Nice to know how "strong" computer-generated
evidence could be...

I've searched for an Android API for detecting the crypto algorithm for ages and turned up empty. However, you can get the tower ID, so a distributed, communally (cantenna?) verified whitelist of 'good' towers is doable, with automatic disconnection if an unwhitelisted tower connects..?

Can/do IMSI systems spoof tower ID: is there anything in GSM to make towers self-verifying? I'm guessing no, in which case the above would be very poor.

Also of note is the API for signal strength, so a mapping of known towers to expected strength at location XYZ could be used to detect systems used to home in on phones, which usually max out on signal and tell your phone to do likewise. Indeed, a strong signal tower which still asks your phone to dial up the juice should be regarded as an attack.
======
carrierIQ is good for something 

you're going to have to go ARM native (or ?) to observe use of A0 over
GSM, since android.telephony.gsm screwed us.

this came up on the cryptome list last week: camouflage, jamming,
obfuscation are all useful techniques to apply against unwelcome
observers. c.f. high power infra red LED camera dazzlers and LADAR
jammers, etc.

while equally effective on the cell bands, you'll want to be sure to
check your 20 before emitting with gusto!  ;P

sort of; there are some interesting attacks using a force-pushed
silent PRL update (see DC19/DC20 cell attacks threads) which would be
observable by tower ID oddities, not to mention decremented or zero
PRL version.  however, you'd have to be paying attention (who checks
their PRL regularly?).

if you simply check if a tower is in
http://www.opencellid.org/cell/list for example, you're open to
attacks spoofing a legitimate but remote (out of range) tower.

using direction finding techniques to cross reference the transmitter
location against the expected GPS coordinates in a tower database
relative to your position would also detect these tower impersonators,
but requires more hardware than a mobile baseband...

the expensive, limited distribution kit will be hard to distinguish
without a high performance software defined radio.  if you're able to
detect an identically spoofed tower using OsmocomBB with high
confidence i'd love to know how you did it!

truth.  also, an inversion of observed data link capacity (suddenly
seeing receive bandwidth drop in half or more while transmit rate
doubles) is no bueno.
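Taking the tower-ID whitelist and signal-strength idea from the earlier post together with the caveats raised in this one (a legitimate but out-of-range tower ID, and receive/transmit capacity inversion), here is an added Python sketch of those checks; it is not code from the thread or from the AIMSICD project, and the cell table, observations and field names (tx_power_step, rx_kbps and so on) are constructed assumptions:

```python
"""Heuristic rogue-cell checks (added example, not code from the thread or the
AIMSICD project). Cell table, observations and field names are all constructed."""
import math

# Constructed whitelist: (MCC, MNC, LAC, CID) -> (lat, lon, plausible range in km).
KNOWN_CELLS = {
    (262, 1, 1001, 5001): (52.520, 13.405, 5.0),
    (262, 1, 1001, 5002): (52.530, 13.420, 5.0),
    (262, 1, 1002, 5003): (48.137, 11.575, 5.0),  # genuine cell, different city
}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def assess_cell(obs, known=KNOWN_CELLS, strong_dbm=-60):
    """Return warning strings for one observation; an empty list means nothing
    matched. Assumed keys: mcc, mnc, lac, cid, lat, lon, rssi_dbm, tx_power_step
    (0 = ordered to maximum transmit power), rx_kbps, tx_kbps and optionally
    prev_rx_kbps / prev_tx_kbps from the previous sample. Heuristics only."""
    warnings = []
    rec = known.get((obs["mcc"], obs["mnc"], obs["lac"], obs["cid"]))
    if rec is None:
        warnings.append("cell not in whitelist")
    else:
        lat, lon, max_range_km = rec
        dist = haversine_km(obs["lat"], obs["lon"], lat, lon)
        if dist > max_range_km:
            # Legitimate ID whose real tower cannot be heard from here: the
            # "spoofed but remote tower" case a whitelist alone would miss.
            warnings.append(f"whitelisted cell is {dist:.0f} km away, out of range")
    # Already received strongly, yet the phone is told to transmit at maximum.
    if obs["rssi_dbm"] >= strong_dbm and obs["tx_power_step"] == 0:
        warnings.append("strong signal yet phone ordered to max transmit power")
    # Receive rate halved or worse while transmit rate doubled: link inversion.
    prev_rx, prev_tx = obs.get("prev_rx_kbps"), obs.get("prev_tx_kbps")
    if prev_rx and prev_tx and obs["rx_kbps"] <= prev_rx / 2 and obs["tx_kbps"] >= 2 * prev_tx:
        warnings.append("downlink/uplink capacity inverted")
    return warnings
```

As the following post points out, a static whitelist goes stale as cells appear and move, so the range and strength thresholds here would need to be re-learned continuously rather than fixed.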
==========
> Can/do IMSI systems spoof tower id: is there anything in GSM to make
> towers self-verifying? I'm guessing no, in which the above would be very
> poor.
No, the problem is that the mobile phone authenticates to the mobile network,
but the opposite is not true. Since the mobile network does not authenticate
itself to the mobile phone, IMSI Catcher attacks are possible.

There was also a demonstration of a "home-made" IMSI Catcher based on the
Osmocom platform last year at the CCC conference.

The video of the presentation "Further hacks on the Calypso platform" by
Sylvain Munaut is here:
http://media.ccc.de/browse/congress/...ypso_h264.html

So, it is very easy to set up a fake cell with any cell ID.

> Also of note is API for signal strength, so a mapping of known towers to
> expected strength at location XYZ could be used to detect systems used
> to home in on phones, which usually max out on signal and tell your

This would not work, because cells are not static (new cells emerge,
covered areas change, etc.) and the opencellid database is not regularly
updated. There could also be femtocells in use, etc...
=======
This might be of interest to you guys: https://opensource.srlabs.de/projects/catcher/wiki
(wants password)
=========
This morning's NSA article from WaPo contains some slides mentioning
USRP equipment[1]. It's hard to say without more context whether it's
referring to the GSM equipment from Ettus...anyone care to speculate?
The USRP series doesn't exactly seem like carrier-grade equipment, but
perhaps the NSA has a good reason to use it. Maybe baseband
exploitation, as coderman has previously mentioned? Simply getting cell
tower database dumps from the telcos would suffice for location info, so
I would guess this has a different purpose.


[1]
http://apps.washingtonpost.com/g/pag...ent/p3/a135606
========
the partnership with NGA to deploy them gives a hint: this is putting
USRPs up close and personal to target for exploitation.
(the USRPs are definitely more portable than my favorite SDR, the Noctar[0]!)

given the obtained bits mentioned (WLLids, DSL accounts, Cookies,
GooglePREFIDs) gathered and then handed off to TAO for further QUANTUM
INSERT $#@!ing of target systems it is likely they are doing GSM/cell
MitM to observe identifiers, along with WiFi attacks, and other egress
rather than deploying baseband exploits or deep active attacks
directly against the devices or other networks they're communicating
with.

thus CNE in this case is cell MitM/WiFi pwn with a USRP rogue tower to
get identifiers for TAO.  and TAO is where they get dirty with "remote
exploitation" of the device itself and other targets on networks it
uses.

we've seen how they have a smorgasbord of weaponized exploits to cover
the gamut of target hardware and technical acumen in the QUANTUM
INSERT / TURMOIL / TRAFFICTHIEF / MUTANT BROTH / etc, etc. style
efforts.  it appears they're using this same infrastructure where
possible for mobile; restricting CNE on the ground only to target.
=========
Regarding the CCP FY 2013 goals per
https://peertech.org/dist/nsa-cpp-go...3-unredact.png,

"Make gains in enabling decryption and Computer Network Exploitation
(CNE) access to fourth generation/Long Term Evolution (4G/LTE)
networks via enabling. [CCP_00009]"


i wonder if they upgraded to N210 (pairs?) for good 4G/LTE performance?
https://www.ettus.com/product/details/UN210-KIT




-t
