CatcherCatcher » History » Version 4
Linus, 12/23/2013 05:33 PM
| 1 | 1 | Linus | h1. CatcherCatcher |
|---|---|---|---|
| 2 | |||
| 3 | The CatcherCatcher tool detects mobile network irregularities hinting at fake base station activity. |
||
| 4 | |||
| 5 | h3. Requirements |
||
| 6 | |||
| 7 | * Osmocom phone |
||
| 8 | * Osmocom cable |
||
| 9 | * Linux computer |
||
| 10 | |||
| 11 | h3. Download: |
||
| 12 | |||
| 13 | 4 | Linus | * "Live System":https://opensource.srlabs.de/projects/mobile-network-assessment-tools/wiki/GSMmap-live |
| 14 | 3 | Linus | * Source Code is available in the OSMOCOM repository |
| 15 | <pre>git clone git://git.osmocom.org/osmocom-bb.git |
||
| 16 | 2 | Linus | git checkout luca/catcher</pre> |
| 17 | 1 | Linus | |
| 18 | 4 | Linus | |
| 19 | 1 | Linus | h3. Instructions |
| 20 | |||
| 21 | 4 | Linus | # Download "GSM Map Live System":https://opensource.srlabs.de/projects/mobile-network-assessment-tools/wiki/GSMmap-live |
| 22 | # "Install Image to Stick":https://opensource.srlabs.de/projects/mobile-network-assessment-tools/wiki/GSMmap-live#Instructions |
||
| 23 | # run: From the main menu, choose "Run a test -> FakeBTS" |
||
| 24 | 1 | Linus | |
| 25 | h3. Mailing list |
||
| 26 | |||
| 27 | A public mailing list discussion is "here":https://lists.srlabs.de/cgi-bin/mailman/listinfo/catchercatcher |
||
| 28 | |||
| 29 | 4 | Linus | h2. Background & Development information |
| 30 | 1 | Linus | |
| 31 | 4 | Linus | h3. OsmocomBB software |
| 32 | 1 | Linus | |
| 33 | Currently, the IMSI Catcher detector is available only for the OsmocomBB platform. |
||
| 34 | If you'd like to test it, you can find all the needed information in our [[Tutorial]] |
||
| 35 | Please upload improvements as patches to this site or post to the "mailing list":http://lists.srlabs.de/cgi-bin/mailman/listinfo/catchercatcher until a Git is set up. |
||
| 36 | |||
| 37 | 4 | Linus | h3. Implementation on other platforms |
| 38 | 1 | Linus | |
| 39 | While Osmocom provides access to most detailed GSM data, other platforms could, too, provide useful information for detecting IMSI catcher attacks. |
||
| 40 | |||
| 41 | Folks with insights into phone programming APIs, please help fill out this list: |
||
| 42 | |||
| 43 | | |\4.*Available on* | |
||
| 44 | | *Evidence* | Blackberry | [[Android]] | iOS | Symbian | |
||
| 45 | | Cipher indication | |[1] *#32489# // OEM_SM_TYPE_SUB_CIPHERING_PROTECTION_ENTER | | | |
||
| 46 | | LAC | |[1a] getLac() | | | |
||
| 47 | | Cell ID | |[1a] getCid() | | | |
||
| 48 | | Retransmission counters | | | | | |
||
| 49 | | TMSI | | | | | |
||
| 50 | | Send power | |[1] LISTEN_SIGNAL_STRENGTHS ? | | | |
||
| 51 | | Silent call | |[1]| | | |
||
| 52 | | Silent SMS | |[1]|[2]| | |
||
| 53 | | Remote install | |[1c] // INSTALL_ASSET| | | |
||
| 54 | | Network Roaming | |[1b] getRoaming()| | | |
||
| 55 | | | | | | | |
||
| 56 | |||
| 57 | [1] TODO: Reference / API call needed |
||
| 58 | [1a]: android.telephony.gsm.GsmCellLocation |
||
| 59 | [1b]: android.telephony.ServiceState |
||
| 60 | [1c]: GTalkService |
||
| 61 | |||
| 62 | [2] TODO: Reference / API call needed |
||
| 63 | |||
| 64 | Preliminary information for developing an Android based Catcher can be found on the [[Android]] page. |
||
| 65 | |||
| 66 | h1. IMSI catcher detection |
||
| 67 | |||
| 68 | |||
| 69 | For IMSI catchers to achieve their goals they will need to show behavior different from normal base stations. We distinguish between yellow, red, and black flags. Yellow flag are an indication that you might have been caught; red flags are a very strong indication; and black flags tell you: "You are being tracked down; throw away your phone and run." |
||
| 70 | |||
| 71 | | # | *Flag* | *Evidence* | *Implementable in Osmocom* | |
||
| 72 | | Setup: | |
||
| 73 | | S1 | R | No encryption after using encryption with the same operator before | done | |
||
| 74 | | S2 | Y | Cipher mode complete message is sent more than twice | wip | |
||
| 75 | | S3 | R | … more than four times | wip | |
||
| 76 | | S4 | Y | IMEI not requested in Cipher Mode Complete message | done | |
||
| 77 | | S5 | Y | Cell is not advertising any neighbor cells | todo | |
||
| 78 | | S6 | Y | Cell reselection offset > 80db | todo | |
||
| 79 | | Location updating (for information gathering, MITM): | |
||
| 80 | | L1 | Y | The LAC of a base station changes | done | |
||
| 81 | | L2 | R | The LAC changes more than once | done | |
||
| 82 | | L3 | Y | The LAC differs from all neighboring cells | wip | |
||
| 83 | | L4 | Y | The network queries the phones IMEI during location update | done | |
||
| 84 | | L5 | Y | The registration timer is set to a value < 10 minutes | wip | |
||
| 85 | | L6 | Y | The "IMSI attach procedure" flag is set | wip | |
||
| 86 | | (when locating a victim): | |
||
| 87 | | L7 | Y | Receive a silent text message | done | |
||
| 88 | | L8 | R | You are paged, but do not enter any transaction | done | |
||
| 89 | | L9 | R | Being assigned a traffic channel but not entering call control state/receiving a text message for 2 seconds | wip | |
||
| 90 | | L10 | B | ... 10 seconds | wip | |
||
| 91 | | L11 | Y | You do not receive a call setup message while already being on a traffic channel for 2 seconds | done | |
||
| 92 | | L12 | R | ... 10 seconds | done | |
||
| 93 | | L13 | Y | Your phone sends at the highest possible power | wip | |