CatcherCatcher » History » Version 4

Linus, 12/23/2013 05:33 PM

h1. CatcherCatcher

The CatcherCatcher tool detects mobile network irregularities hinting at fake base station activity.

h3. Requirements

* Osmocom phone
* Osmocom cable
* Linux computer

h3. Download:

* "Live System":https://opensource.srlabs.de/projects/mobile-network-assessment-tools/wiki/GSMmap-live
* Source code is available in the Osmocom repository
<pre>git clone git://git.osmocom.org/osmocom-bb.git
cd osmocom-bb
git checkout luca/catcher</pre>

h3. Instructions

# Download "GSM Map Live System":https://opensource.srlabs.de/projects/mobile-network-assessment-tools/wiki/GSMmap-live
# "Install Image to Stick":https://opensource.srlabs.de/projects/mobile-network-assessment-tools/wiki/GSMmap-live#Instructions
# Run: from the main menu, choose "Run a test -> FakeBTS"

h3. Mailing list

A public mailing list discussion is "here":https://lists.srlabs.de/cgi-bin/mailman/listinfo/catchercatcher

h2. Background & Development information

h3. OsmocomBB software

Currently, the IMSI Catcher detector is available only for the OsmocomBB platform.
If you'd like to test it, you can find all the needed information in our [[Tutorial]].
Please upload improvements as patches to this site or post to the "mailing list":http://lists.srlabs.de/cgi-bin/mailman/listinfo/catchercatcher until a Git repository is set up.

h3. Implementation on other platforms

While Osmocom provides access to the most detailed GSM data, other platforms could also provide useful information for detecting IMSI catcher attacks.

Folks with insights into phone programming APIs, please help fill out this list:

|                           |\4.*Available on*                      |
| *Evidence*                | Blackberry  | [[Android]] | iOS | Symbian |
| Cipher indication         | |[1] *#32489# // OEM_SM_TYPE_SUB_CIPHERING_PROTECTION_ENTER | | |
| LAC                       | |[1a] getLac() | | |
| Cell ID                   | |[1a] getCid() | | |
| Retransmission counters   | | | | |
| TMSI                      | | | | |
| Send power                | |[1] LISTEN_SIGNAL_STRENGTHS ? | | |
| Silent call               | |[1]| | |
| Silent SMS                | |[1]|[2]| |
| Remote install            | |[1c] // INSTALL_ASSET| | |
| Network Roaming           | |[1b] getRoaming()| | |
|                 | | | | |

[1] TODO: Reference / API call needed
[1a]: android.telephony.gsm.GsmCellLocation
[1b]: android.telephony.ServiceState
[1c]: GTalkService

[2] TODO: Reference / API call needed

Preliminary information for developing an Android-based Catcher can be found on the [[Android]] page.

h1. IMSI catcher detection

To achieve their goals, IMSI catchers need to behave differently from normal base stations. We distinguish between yellow, red, and black flags. Yellow flags are an indication that you might have been caught; red flags are a very strong indication; and black flags tell you: "You are being tracked down; throw away your phone and run."

| #   | *Flag* | *Evidence* | *Implementable in Osmocom* |
| Setup: |
| S1  | R | No encryption after using encryption with the same operator before | done |
| S2  | Y | Cipher mode complete message is sent more than twice               | wip  |
| S3  | R | … more than four times                                             | wip  |
| S4  | Y | IMEI not requested in Cipher Mode Complete message                 | done |
| S5  | Y | Cell is not advertising any neighbor cells                         | todo |
| S6  | Y | Cell reselection offset > 80 dB                                    | todo |
| Location updating (for information gathering, MITM): |
| L1  | Y | The LAC of a base station changes                                  | done |
| L2  | R | The LAC changes more than once                                     | done |
| L3  | Y | The LAC differs from all neighboring cells                         | wip  |
| L4  | Y | The network queries the phone's IMEI during location update        | done |
| L5  | Y | The registration timer is set to a value < 10 minutes              | wip  |
| L6  | Y | The "IMSI attach procedure" flag is set                            | wip  |
| (when locating a victim): |
| L7  | Y | Receive a silent text message                                      | done |
| L8  | R | You are paged, but do not enter any transaction                    | done |
| L9  | R | Being assigned a traffic channel but not entering call control state/receiving a text message for 2 seconds | wip |
| L10 | B | ... 10 seconds                                                     | wip  |
| L11 | Y | You do not receive a call setup message while already being on a traffic channel for 2 seconds | done |
| L12 | R | ... 10 seconds                                                     | done |
| L13 | Y | Your phone sends at the highest possible power                     | wip  |
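
The flag table above can be evaluated as a threshold rule set where the most severe flag wins. The following is an added example, not the CatcherCatcher source: it covers rules S1-S3, L1, L2, L9 and L10 only, and the @metric@ counters, the @rules@ table and @evaluate()@ are hypothetical names chosen for illustration.

```c
#include <stdio.h>

enum flag { NONE, YELLOW, RED, BLACK };

/* Hypothetical per-cell counters (assumption; not OsmocomBB's own structures). */
enum metric {
    CIPHER_DROPPED, /* 1 if unencrypted now but encrypted before, same operator */
    CMC_SENT,       /* Cipher Mode Complete messages sent */
    LAC_CHANGES,    /* times this base station's LAC changed */
    TCH_IDLE_MS,    /* ms on a traffic channel without call control or SMS */
    N_METRICS
};

/* A rule fires when its metric reaches `min`; ids follow the flag table. */
static const struct rule { const char *id; enum flag sev; enum metric m; unsigned min; }
rules[] = {
    {"S1", RED, CIPHER_DROPPED, 1},
    {"S2", YELLOW, CMC_SENT, 3},    {"S3", RED, CMC_SENT, 5},
    {"L1", YELLOW, LAC_CHANGES, 1}, {"L2", RED, LAC_CHANGES, 2},
    {"L9", RED, TCH_IDLE_MS, 2000}, {"L10", BLACK, TCH_IDLE_MS, 10000},
};
#define N_RULES (sizeof rules / sizeof rules[0])

/* Returns the most severe flag raised; bit i of *mask is set if rules[i] fired. */
enum flag evaluate(const unsigned obs[N_METRICS], unsigned *mask)
{
    enum flag worst = NONE;
    *mask = 0;
    for (size_t i = 0; i < N_RULES; i++) {
        if (obs[rules[i].m] < rules[i].min)
            continue;
        *mask |= 1u << i;
        if (rules[i].sev > worst)
            worst = rules[i].sev;
    }
    return worst;
}

int main(void)
{
    /* Constructed observation: cipher dropped, LAC changed once, 3 s idle on TCH. */
    unsigned obs[N_METRICS] = { [CIPHER_DROPPED] = 1, [LAC_CHANGES] = 1, [TCH_IDLE_MS] = 3000 };
    unsigned mask;
    printf("severity %d, rules:", evaluate(obs, &mask));
    for (size_t i = 0; i < N_RULES; i++)
        if (mask & (1u << i)) printf(" %s", rules[i].id);
    putchar('\n');
    return 0;
}
```

Keeping the fired-rule mask alongside the severity lets a log show which evidence led to a red or black flag, so a single yellow indicator can be told apart from several coinciding ones.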