Digital Self-Defense in Mobile Networks

Adrian Dabrowskiadabrowski@sba-research.org

2014-03-18

Related paper to be published at ACSAC 2014, December 8-12“IMSI-Catch me if you can: IMSI-Catcher-Catchers”Adrian Dabrowski, Nicola Pianta, Thomas Klepp, Martin Mulazzani, Edgar Weippl

A Mobile Network

A Mobile Network with a Mobile Station

Location Areas

A Wild IMSI Catcher Appeares...

Use GSM Protocol – not very effective!

A Real Network

Source: Let me answer that for you, Golde et al., TROOPERS & USENIX

Cell tower density

Source: Sendekataster.at

“IMSI Catchers”

Identification only

● Retrive IMSI / IMEI / TMSI

● Reject Location Update

● Tracking

Traffic Man-in-the-Middle

● Hold in Cell

● Actively intercept traffic

● Relay to real network

● Active or passive decryption

Hold but intercept passively

● Imprison in cell, so phone is not lost to a neighbor cell

UMTS downgrade

● Blocking UMTS transmission

● Spoofing System messages

“IMSI Catchers”

Source: Verfassungsschutz (via DuD 26, 2006)ISBN 6220-2845-4832-5932-9228

IC: Car Installation

Source: Gamma Group

IC: Car Installation

Source: Gamma Group

Car Installation

Source: Gamma Group

IC: Car Installation

Source: Gamma Group

IC: Car Installation

Source: Gamma Group

Body IMSI Catcher

Source: Gamma Group

Only for Law Enforcement?

● Known Producers● Rohde & Schwarz● Gamma Group● Ability● IAI Elta● Septier● Meganet● NeoSoft● Proximus● Cyttek● …

● DIY● Kirstin Paget

– DEFCON 19– US$1,500

● D. Werhle– Master's Thesis– Freiburg

● B. Postl– Master's Thesis– Vienna

How to catch an IMSI Catcher?

Artifact: Frequency

● Unused or guard channel

– Only found in Full Scan

● Announced neighbor freq., but unused

– Careful not to create interference

● Detactability● Frequency plans

– e.g. radio regulatory

– Self created

Artifact: Cell ID

● New CID/LAC needed● To provoke

“Location Update Request”

● Random?● Use real one not

used in that geographical region

● Detectability● Cell IDs are very

stable● Cell Database

(local)– Also for

frequencies● Correlation with

GPS coordinates

Artifact: Location Update / Register

● Just providing a better signal Is not enough● Timers, Hysteresis● Unpredictable radio

environment

● RF Jamming?● Forcing full scan

● Detectability:● Watching noise

levels

Artifact: UMTS handling

● Downgrading to GSM● e.g. Mayer and

Wetzel, 2005 [1]– GSM layer in most

deployed UMTS networks

● (selectively) Jamming

● Others...

● Detectability: ● Noise and Signal

levels● Database of

regions where UMTS is available, and GSM usage is unlikely– Cell Database

[1] Mayer and Wetzel, “A man-in-the-middle attack on UMTS”, ACM Workshopon Wireless security, 2005

Encryption

● Older IMSI Catchers: Downgrade encryption to 'none' (A5/0)

● A5/1 and A5/2 can be decrypted with rainbow tables ● In realtime

● A5/3 rolled out at the moment● IC will have to do active

MITM again

● Detectability:● Cipher Indicator

– Feature request in Android, 2009, assigned 2013

● Roaming!

Artifact: Cell Imprisonment

● Networks provides up to 32 neighbor frequencies● MS stores typ. 6+1● Used for hand overs,

LAR, …

● IC will likely provide an empty (eq.) NL● To not loose phone to a

neighbor cell

● Detectability:● Neighbor cell list

Traffic forwarding

a) relay via other MS● Loose caller ID● No incoming calls

b) via SS7 or similar● Caller ID correct● Loose incoming

calls

c) recover secret SIM key

● Impersonate to network with victims identity

● Detectability:● Call tests (?)

Usage Pattern

● Identification Mode● Short living cells

● MITM Mode● Longer living cells

● Both:● Unusual locations

for cells

Cell capabilities and parameter fingerprinting

● Cell capabilities & parameters

● Organization of logical channels on physical channels

● Timeout values

● Can be different on each cell, but typically they are the same over the whole network

● Differ between networks

● Detectability:

● Cell and network database

Network Monitor Mode

9731-3006-8132-3476-9712

Detection Matrix

Two approaches

Mobile IMSI Catcher Catcher

● Standard Android API

● No need to root phone

● No need for a specific chipset (e.g. GoldX)

● Easy Interface

Stationary IMSI Catcher Catcher

● Network of measuring stations

● Good locations, larger coverage

● Cheap – RaspberryPi

based

Two approaches - Features

Mobile IMSI Catcher Catcher

● GPS + Neighbor cell listing– Geographical

correlation– Cell-IDs

● Cell Capabilities● RF and NCL

manipulations● Limited to NCL but

mobile

Stationary IMSI Catcher Catcher

● Cell-ID mapping● Frequency usage● Cell lifetime● Cell capabilities,

network parameters

● Jamming

Mobile IMSI Catcher Catcher

Two approaches - Features

Mobile IMSI Catcher Catcher

● GPS + Neighbor cell listing– Geographical

correlation– Cell-IDs

● Cell Capabilities● RF and NCL

manipulations● Limited to NCL but

mobile

Stationary IMSI Catcher Catcher

● Cell-ID mapping● Frequency usage● Cell lifetime● Cell capabilities,

network parameters

● Jamming

Stationary IMSI Catcher Catcher

3614-1721-8632-7399-7977

Rooftop installation

More Data

Digital Self-Defense in Mobile Networks

Questions?

Adrian Dabrowskiadabrowski@sba-research.org

Related paper to be published at ACSAC 2014, December 8-12“IMSI-Catch me if you can: IMSI-Catcher-Catchers”Adrian Dabrowski, Nicola Pianta, Thomas Klepp, Martin Mulazzani, Edgar Weippl