Linus, 12/23/2013 05:55 PM
CatcherCatcher
The CatcherCatcher tool detects mobile network irregularities hinting at fake base station activity.
Requirements
- Osmocom phone
- Osmocom cable
- Linux computer
Download:
- We recommend using our Live System
- Source code is available in the OSMOCOM repository. See the Tutorial for manual installation instructions.

    git clone git://git.osmocom.org/osmocom-bb.git
    cd osmocom-bb
    git checkout luca/catcher
Instructions
- Download GSM Map Live System
- Install Image to Stick
- Run: from the main menu, choose "Run a test -> FakeBTS"
Mailing list
A public mailing list discussion is here
Background & Development information
OsmocomBB software
Currently, the IMSI Catcher detector is available only for the OsmocomBB platform.
If you'd like to test it, you can find all the needed information in our Tutorial.
Until a Git repository is set up, please upload improvements as patches to this site or post them to the mailing list.
Implementation on other platforms
While Osmocom provides access to the most detailed GSM data, other platforms could also provide useful information for detecting IMSI catcher attacks.
Folks with insights into phone programming APIs, please help fill out this list:
Available on | ||||
Evidence | Blackberry | Android | iOS | Symbian |
Cipher indication | [1] *#32489# // OEM_SM_TYPE_SUB_CIPHERING_PROTECTION_ENTER | |||
LAC | [1a] getLac() | |||
Cell ID | [1a] getCid() | |||
Retransmission counters | ||||
TMSI | ||||
Send power | [1] LISTEN_SIGNAL_STRENGTHS ? | |||
Silent call | [1] | |||
Silent SMS | [1] | [2] | ||
Remote install | [1c] // INSTALL_ASSET | |||
Network Roaming | [1b] getRoaming() | |||
[1] TODO: Reference / API call needed
[1a]: android.telephony.gsm.GsmCellLocation
[1b]: android.telephony.ServiceState
[1c]: GTalkService
[2] TODO: Reference / API call needed
Preliminary information for developing an Android based Catcher can be found on the Android page.
IMSI catcher detection
To achieve their goals, IMSI catchers need to behave differently from normal base stations. We distinguish between yellow, red, and black flags. Yellow flags are an indication that you might have been caught; red flags are a very strong indication; and black flags tell you: "You are being tracked down; throw away your phone and run."
| # | Flag | Evidence | Implementable in Osmocom |
|---|---|---|---|
| Setup: | | | |
| S1 | R | No encryption after using encryption with the same operator before | done |
| S2 | Y | Cipher mode complete message is sent more than twice | wip |
| S3 | R | ... more than four times | wip |
| S4 | Y | IMEI not requested in Cipher Mode Complete message | done |
| S5 | Y | Cell is not advertising any neighbor cells | todo |
| S6 | Y | Cell reselection offset > 80 dB | todo |
| Location updating (for information gathering, MITM): | | | |
| L1 | Y | The LAC of a base station changes | done |
| L2 | R | The LAC changes more than once | done |
| L3 | Y | The LAC differs from all neighboring cells | wip |
| L4 | Y | The network queries the phone's IMEI during location update | done |
| L5 | Y | The registration timer is set to a value < 10 minutes | wip |
| L6 | Y | The "IMSI attach procedure" flag is set | wip |
| (when locating a victim): | | | |
| L7 | Y | Receive a silent text message | done |
| L8 | R | You are paged, but do not enter any transaction | done |
| L9 | R | Being assigned a traffic channel but not entering call control state/receiving a text message for 2 seconds | wip |
| L10 | B | ... 10 seconds | wip |
| L11 | Y | You do not receive a call setup message while already being on a traffic channel for 2 seconds | done |
| L12 | R | ... 10 seconds | done |
| L13 | Y | Your phone sends at the highest possible power | wip |
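
The following added example, which is not CatcherCatcher or OsmocomBB code, shows how rules S2/S3, L1/L2 and L11/L12 from the table can be evaluated over an event trace for a single cell, keeping the most severe flag. The event format, all names and the sample traces are assumptions constructed for the illustration.

```c
#include <stdio.h>

enum flag { FLAG_NONE, FLAG_YELLOW, FLAG_RED, FLAG_BLACK }; /* black: not raised here */
enum ev_type { EV_LAC, EV_CIPHER_COMPLETE, EV_TCH_ASSIGN, EV_CALL_SETUP };
struct event { long t_ms; enum ev_type type; int value; }; /* hypothetical format */

static enum flag worst(enum flag a, enum flag b) { return a > b ? a : b; }

/* Scan one cell's event trace; return the worst flag from S2/S3, L1/L2, L11/L12. */
enum flag scan(const struct event *ev, int n)
{
    enum flag f = FLAG_NONE;
    int lac = -1, lac_changes = 0, cipher_completes = 0;
    long tch_since = -1; /* time a traffic channel was assigned; -1 = none pending */
    for (int i = 0; i < n; i++) {
        /* L11/L12: time on the TCH without call setup, checked at the next event */
        if (tch_since >= 0 && ev[i].t_ms - tch_since >= 2000)
            f = worst(f, ev[i].t_ms - tch_since >= 10000 ? FLAG_RED : FLAG_YELLOW);
        switch (ev[i].type) {
        case EV_LAC: /* L1/L2: the LAC of this base station changes */
            if (lac >= 0 && ev[i].value != lac) lac_changes++;
            lac = ev[i].value;
            if (lac_changes) f = worst(f, lac_changes > 1 ? FLAG_RED : FLAG_YELLOW);
            break;
        case EV_CIPHER_COMPLETE: /* S2/S3: Cipher Mode Complete sent repeatedly */
            if (++cipher_completes > 2)
                f = worst(f, cipher_completes > 4 ? FLAG_RED : FLAG_YELLOW);
            break;
        case EV_TCH_ASSIGN: tch_since = ev[i].t_ms; break;
        case EV_CALL_SETUP: tch_since = -1; break;
        }
    }
    return f;
}

/* Constructed traces (t_ms, type, value); not captured from a real network. */
const struct event TRACE_NORMAL[] = { {0, EV_LAC, 4021}, {100, EV_CIPHER_COMPLETE, 0},
                                      {300, EV_TCH_ASSIGN, 0}, {900, EV_CALL_SETUP, 0} };
const struct event TRACE_LATE[] = { {0, EV_LAC, 4021}, {300, EV_TCH_ASSIGN, 0},
                                    {2800, EV_CALL_SETUP, 0} };
const struct event TRACE_FLAP[] = { {0, EV_LAC, 4021}, {5000, EV_LAC, 4999},
                                    {9000, EV_LAC, 4021} };

int main(void)
{
    printf("normal=%d late_setup=%d lac_flap=%d\n", scan(TRACE_NORMAL, 4),
           scan(TRACE_LATE, 3), scan(TRACE_FLAP, 3));
    return 0;
}
```

Because the L11/L12 timer is only checked when a later event arrives, a trace that ends right after a traffic channel assignment raises no flag; a live detector would also need a periodic tick.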
Updated by Linus almost 11 years ago · 7 revisions