Project

General

Profile

CatcherCatcher

The CatcherCatcher tool detects mobile network irregularities hinting at fake base station activity.

Requirements

  • Osmocom phone
  • Osmocom cable
  • Linux computer

Download:

  • We recoomend using our Live System
  • Source Code is available in the OSMOCOM repository. See Tutorial for manual installation instructions.
    git clone git://git.osmocom.org/osmocom-bb.git
    git checkout luca/catcher

Instructions

  1. Download GSM Map Live System
  2. Install Image to Stick
  3. run: From the main menu, choose "Run a test -> FakeBTS"

Mailing list

A public mailing list discussion is here

Background & Development information

OsmocomBB software

Currently, the IMSI Catcher detector is available only for the OsmocomBB platform.
If you'd like to test it, you can find all the needed information in our Tutorial
Please upload improvements as patches to this site or post to the mailing list .

Implementation on other platforms

While Osmocom provides access to most detailed GSM data, other platforms could, too, provide useful information for detecting IMSI catcher attacks.

Folks with insights into phone programming APIs, please help fill out this list:

Available on
Evidence Blackberry Android iOS Symbian
Cipher indication [1] *#32489# // OEM_SM_TYPE_SUB_CIPHERING_PROTECTION_ENTER
LAC [1a] getLac()
Cell ID [1a] getCid()
Retransmission counters
TMSI
Send power [1] LISTEN_SIGNAL_STRENGTHS ?
Silent call [1]
Silent SMS [1] [2]
Remote install [1c] // INSTALL_ASSET
Network Roaming [1b] getRoaming()

[1] TODO: Reference / API call needed
[1a]: android.telephony.gsm.GsmCellLocation
[1b]: android.telephony.ServiceState
[1c]: GTalkService

[2] TODO: Reference / API call needed

Preliminary information for developing an Android based Catcher can be found on the Android page.

IMSI catcher detection

For IMSI catchers to achieve their goals they will need to show behavior different from normal base stations. We distinguish between yellow, red, and black flags. Yellow flag are an indication that you might have been caught; red flags are a very strong indication; and black flags tell you: "You are being tracked down; throw away your phone and run."

# Flag Evidence Implementable in Osmocom
Setup:
S1 R No encryption after using encryption with the same operator before done
S2 Y Cipher mode complete message is sent more than twice wip
S3 R … more than four times wip
S4 Y IMEI not requested in Cipher Mode Complete message done
S5 Y Cell is not advertising any neighbor cells todo
S6 Y Cell reselection offset > 80db todo
Location updating (for information gathering, MITM):
L1 Y The LAC of a base station changes done
L2 R The LAC changes more than once done
L3 Y The LAC differs from all neighboring cells wip
L4 Y The network queries the phones IMEI during location update done
L5 Y The registration timer is set to a value < 10 minutes wip
L6 Y The "IMSI attach procedure" flag is set wip
(when locating a victim):
L7 Y Receive a silent text message done
L8 R You are paged, but do not enter any transaction done
L9 R Being assigned a traffic channel but not entering call control state/receiving a text message for 2 seconds wip
L10 B ... 10 seconds wip
L11 Y You do not receive a call setup message while already being on a traffic channel for 2 seconds done
L12 R ... 10 seconds done
L13 Y Your phone sends at the highest possible power wip

mobile.cfg (984 Bytes) Linus, 12/23/2013 05:57 PM