The Messenger Shoots Back: Network Operator Based IMSI Catcher Detection

  • Adrian Dabrowski
  • Georg Petzl
  • Edgar R. Weippl
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9854)


An IMSI Catcher, also known as Stingray or rogue cell, is a device that can be used to not only locate cellular phones, but also to intercept communication content like phone calls, SMS or data transmission unbeknown to the user. They are readily available as commercial products as well as do-it-yourself projects running open-source software, and are obtained and used by law enforcement agencies and criminals alike. Multiple countermeasures have been proposed recently to detect such devices from the user’s point of view, but they are limited to the nearby vicinity of the user.

In this paper we are the first to present and discuss multiple detection capabilities from the network operator’s point of view, and evaluate them on a real-world cellular network in cooperation with a European mobile network operator with over four million subscribers. Moreover, we draw a comprehensive picture of current threats against mobile phone devices and networks, including 2G, 3G and 4G IMSI Catchers, and present detection and mitigation strategies under the unique large-scale circumstances of a real European carrier. One of the major challenges from the operator’s point of view is that cellular networks were specifically designed to reduce global signaling traffic and to manage as many transactions regionally as possible. Hence, contrary to popular belief, network operators by default do not have a global view of their network. Our proposed solution can be readily added to existing network monitoring infrastructures and includes, among other things, plausibility checks of location update trails, monitoring of device-specific round trip times and an offline detection scheme to detect cipher downgrade attacks, as commonly used by commercial IMSI Catchers.


Keywords: User Equipment; Mutual Authentication; Access Technology; Location Update; Home Location Register
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



We want to thank the whole crew of the core network security team and radio access network team at T-Mobile. They have been a great help. We are very grateful for the reviewers’ comments and help to improve the quality of the paper and point to new interesting future work opportunities. This research was partially funded by the COMET K1 program through the Austrian Research Promotion Agency (FFG).



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Adrian Dabrowski (1)
  • Georg Petzl (2)
  • Edgar R. Weippl (1)
  1. SBA Research, Vienna, Austria
  2. T-Mobile Austria, Vienna, Austria
