Abstract
An IMSI Catcher, also known as Stingray or rogue cell, is a device that can be used not only to locate cellular phones, but also to intercept communication content like phone calls, SMS or data transmissions unbeknownst to the user. They are readily available as commercial products as well as do-it-yourself projects running open-source software, and are obtained and used by law enforcement agencies and criminals alike. Multiple countermeasures have been proposed recently to detect such devices from the user's point of view, but they are limited to the nearby vicinity of the user.
In this paper we are the first to present and discuss multiple detection capabilities from the network operator's point of view, and evaluate them on a real-world cellular network in cooperation with a European mobile network operator with over four million subscribers. Moreover, we draw a comprehensive picture of current threats against mobile phone devices and networks, including 2G, 3G and 4G IMSI Catchers, and present detection and mitigation strategies under the unique large-scale circumstances of a real European carrier. One of the major challenges from the operator's point of view is that cellular networks were specifically designed to reduce global signaling traffic and to manage as many transactions regionally as possible. Hence, contrary to popular belief, network operators by default do not have a global view of their network. Our proposed solution can be readily added to existing network monitoring infrastructures and includes, among other things, plausibility checks of location update trails, monitoring of device-specific round trip times and an offline detection scheme to detect cipher downgrade attacks, as commonly used by commercial IMSI Catchers.
Notes
- 1. Except for the very first initial registration.
- 2. Nokia Lumia 920.1, E71, 6310, 6150, 3210, 3710A-1, LG Nexus 4, Nexus 5, Apple iPhone 4, iPhone 6, Nexus One, Motorola Moto G2, Moto G XT1032, Samsung Galaxy Nexus, Galaxy S3, Galaxy Xcover2, Galaxy S5, Sony Xperia Z2-SCR10, BQ Aquaris E4.5 Ubuntu Phone, Kyocera Torque KS-701, Sony Ericsson ST17I.
- 3. All Nokia models introduced before 2000.
- 4. Technically, this is a Location Update Request with the origin LAC set to the current LAC and an optional GPRS header with the Attach bit set.
- 5. Cipher strength, weakest to strongest: A5/0 < A5/2 < A5/1 < A5/3.
- 6. The attacker has to brute-force the 48-bit sequence number, though.
- 7. The TAC (Type Allocation Code) is the first 8 digits of an IMEI and encodes the manufacturer and phone model. Popular models might end up with multiple assigned TACs. This is somewhat similar to the OUI prefix of Ethernet MAC addresses, which encodes the manufacturer.
- 8.
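The abstract names two of the operator-side checks (plausibility of location update trails, offline detection of cipher downgrades) and notes 5 and 7 supply the two facts they rest on: the A5 strength ordering and the TAC prefix of the IMEI. The following is an added example written for this page, not code from the paper or from the operator, showing how those two checks look when run over exported transaction records. Everything about the record format (field names, that the operator can export per-transaction cipher and location update records at all), the LAC numbers, the adjacency map and the IMSI/IMEI values are assumptions constructed for the example. The origin-LAC check relies on the fact that a Location Updating Request carries the LAI the phone was last registered in (what note 4 calls the origin LAC); a rogue cell typically uses a LAC the operator never assigned, so it surfaces there once the phone returns to the real network.

```python
"""Offline IMSI catcher indicators from operator-side records.

Added example for this page, not code from the paper. Assumed (not on the
page): the operator can export per-transaction records with the fields
used below; all sample data, LAC numbers and identities are constructed.
"""
from collections import defaultdict

# Cipher ordering from note 5: A5/0 < A5/2 < A5/1 < A5/3 (weakest first).
CIPHER_RANK = {"A5/0": 0, "A5/2": 1, "A5/1": 2, "A5/3": 3}


def cipher_rank(name):
    if name not in CIPHER_RANK:
        raise ValueError(f"unknown GSM cipher {name!r}")
    return CIPHER_RANK[name]


def tac_of(imei):
    """Type Allocation Code: the first 8 digits of the IMEI (note 7)."""
    digits = "".join(ch for ch in imei if ch.isdigit())
    if len(digits) not in (14, 15, 16):  # IMEI, IMEI+check digit, IMEISV
        raise ValueError(f"malformed IMEI {imei!r}")
    return digits[:8]


def tac_cipher_baseline(records):
    """Strongest cipher each device model (TAC) has negotiated on our network."""
    best = {}
    for r in records:
        tac = tac_of(r["imei"])
        best[tac] = max(best.get(tac, -1), cipher_rank(r["cipher"]))
    return best


def find_cipher_downgrades(records, baseline):
    """Records whose cipher is weaker than the TAC's known capability.

    A model that normally negotiates A5/3 and then shows a session with
    A5/0 was either misconfigured or steered through a rogue cell."""
    hits = []
    for r in records:
        tac = tac_of(r["imei"])
        if tac in baseline and cipher_rank(r["cipher"]) < baseline[tac]:
            hits.append((r["imsi"], tac, r["cipher"]))
    return hits


def find_suspicious_lu_trails(lu_records, known_lacs, adjacency, max_gap_s):
    """Plausibility checks on each IMSI's location update trail.

    (a) the origin LAC the MS reports in its LU request should be one this
        operator actually assigned; a rogue cell uses a LAC of its own;
    (b) two LUs within max_gap_s seconds from non-neighbouring LACs are not
        a normal walk; a long gap is left alone (phone off, travel)."""
    by_imsi = defaultdict(list)
    for r in sorted(lu_records, key=lambda r: r["t"]):
        by_imsi[r["imsi"]].append(r)
    alerts = []
    for imsi, trail in by_imsi.items():
        prev = None
        for r in trail:
            if r["origin_lac"] not in known_lacs:
                alerts.append((imsi, "unknown-origin-lac", r["origin_lac"], r["t"]))
            if (prev is not None and r["lac"] != prev["lac"]
                    and r["t"] - prev["t"] <= max_gap_s
                    and r["lac"] not in adjacency.get(prev["lac"], set())):
                alerts.append((imsi, "non-adjacent-lac-jump",
                               (prev["lac"], r["lac"]), r["t"]))
            prev = r
    return alerts


# Constructed sample data (hypothetical IMSIs, IMEIs and LACs).
CIPHER_RECORDS = [
    {"imsi": "262010000000001", "imei": "351234560000001", "cipher": "A5/3"},
    {"imsi": "262010000000004", "imei": "351234560000009", "cipher": "A5/3"},
    {"imsi": "262010000000001", "imei": "351234560000001", "cipher": "A5/0"},  # downgrade
    {"imsi": "262010000000005", "imei": "359999990000002", "cipher": "A5/1"},
]
KNOWN_LACS = {100, 101, 102, 200}
ADJACENCY = {100: {101}, 101: {100, 102}, 102: {101}, 200: set()}
LU_RECORDS = [
    {"imsi": "262010000000001", "t": 0,     "lac": 100, "origin_lac": 100},
    {"imsi": "262010000000001", "t": 600,   "lac": 101, "origin_lac": 100},
    {"imsi": "262010000000001", "t": 900,   "lac": 101, "origin_lac": 31337},  # back from rogue LAC
    {"imsi": "262010000000002", "t": 0,     "lac": 100, "origin_lac": 100},
    {"imsi": "262010000000002", "t": 60,    "lac": 200, "origin_lac": 100},    # 100 -> 200 in 60 s
    {"imsi": "262010000000003", "t": 0,     "lac": 100, "origin_lac": 100},
    {"imsi": "262010000000003", "t": 86400, "lac": 200, "origin_lac": 100},    # long gap, ignored
]

if __name__ == "__main__":
    base = tac_cipher_baseline(CIPHER_RECORDS)
    for hit in find_cipher_downgrades(CIPHER_RECORDS, base):
        print("cipher downgrade:", hit)
    for a in find_suspicious_lu_trails(LU_RECORDS, KNOWN_LACS, ADJACENCY, max_gap_s=3600):
        print("LU trail:", a)
```

Both checks are deliberately conservative about the operator's limited view that the abstract points out: a phone that was switched off or travelled produces a distant LU with a long gap, so the adjacency check only fires inside a short window, and the downgrade check compares against what the same TAC has demonstrably negotiated on this network rather than against a fixed expectation.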
Acknowledgments
We want to thank the whole crew of the core network security team and radio access network team at T-Mobile. They have been a great help. We are very grateful for the reviewers’ comments and help to improve the quality of the paper and point to new interesting future work opportunities. This research was partially funded by the COMET K1 program through the Austrian Research Promotion Agency (FFG).
Copyright information
© 2016 Springer International Publishing Switzerland
Cite this paper
Dabrowski, A., Petzl, G., Weippl, E.R. (2016). The Messenger Shoots Back: Network Operator Based IMSI Catcher Detection. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2016. Lecture Notes in Computer Science, vol 9854. Springer, Cham. https://doi.org/10.1007/978-3-319-45719-2_13
DOI: https://doi.org/10.1007/978-3-319-45719-2_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-45718-5
Online ISBN: 978-3-319-45719-2