Project

General

Profile

IMSI Catcher Score » History » Version 10

Philipp, 08/26/2015 05:46 PM

1 1 Alex
h1. IMSI Catcher Score
2
3 3 Philipp
The IMSI catcher heuristic calculates an overall score out of a number of sub-scores. If this overall score exceeds a specified maximum value, an alarm is raised in the app. In the detailed event view the sub-scores are displayed together with the overall score to allow the user to derive more details from an incident. The following sections outline all sub-scores used in SnoopSnitch.
4 1 Alex
5
{{>toc}}
6
7 10 Philipp
8
9 6 Philipp
h2. A1 - Different LAC/CID for the same ARFCN (Removed)
10 1 Alex
11
The LAC/CID recently seen on a frequency suddenly changed.
12
13
h4. Rationale
14
15
An IMSI catcher may use the frequency of an existing base station that has a weak signal in the area the catcher operates. To force the mobile into a location update, a LAC different from all neighboring stations is chosen by the IMSI catcher.
16
17
The change of the LAC on a given frequency can be detected. Note, that for resource efficiency, GSM reuses frequency in different geographic areas very frequently. Hence, changes of the LAC/CID for a given frequency are specific to the geographic location of the cell.
18
19
As associating an frequency/LAC/CID combination with a precise location reliably can be challenging, a simpler approach is taken. The frequency and LAC/CID is recorded together with a time stamp. If the same frequency is used with a different LAC/CID within a certain time frame, this is considered an attack.
20
21
h4. False Positives
22
23
Multiple base stations operating on the same frequency may be receivable in the same locations, e.g. in elevated places. Furthermore, an operator may reconfigure the cell to use a different LAC/CID.
24
25 10 Philipp
26
27 4 Philipp
h2. A2 - Inconsistent LAC
28 1 Alex
29
The LAC of the current base station differs from the LAC of many neighboring cells.
30
31
h4. Rationale
32
33
A mobile will only perform a normal location update when changing to a different area, i.e. a base station with a different LAC. An IMSI catcher needs to force a location update to be able to interact with the phone and derive the desired information. Therefore, it must span a cell with a LAC different to all neighboring cells, but with a much better signal strength than the other cells. For an IMSI catcher announcing realistic neighboring cells, this difference between the LAC of the serving cell and all neighboring cell can be detected.
34
35
h4. False Positives
36
37
Femto cells may or may not announce a LAC different from all their neighboring cells. Their may be other special situations, like in-house cells where this is the case.
38
39 10 Philipp
40
41 5 Philipp
h2. A4 - Same LAC/CID on different ARFCNs
42 1 Alex
43
A cell is received on different ARFCNs within a short time.
44
45
h4. Rationale
46
47
To avoid leaving traces of a new, non-existent cell, an IMSI catcher may choose to reuse the cell ID and LAC of an existing cell in an area, but using a different frequency. The IMSI catcher must have a location area different from the current serving cell, such that the MS performs a location update once it close enough. The use of the cell ID on different frequencies may be detected by the analysis if system information of the original cell was received earlier.
48
49
h4. False Positives
50
51
A cell may be reconfigured to use a different frequency, but this should happen very rarely.
52
53 10 Philipp
54
55 5 Philipp
h2. A5 - Lonesome location area
56 1 Alex
57
A cell is the only cell observed in its location area
58
59
h4. Rationale
60
61
A mobile will only perform a normal location update when changing to a different area, i.e. a base station with a different LAC. An IMSI catcher needs to force a location update to be able to interact with the phone and derive the desired information. Therefore, it must span a cell with a LAC different to all neighboring cells, but with a much better signal strength than the other cells. An IMSI catcher creating a new LAC for its fake cell will be the only cell operating in this location area. The lack of system information for other cells of this location area can be detected.
62
63
h4. False Positives
64
65
When traveling at high speeds or in areas with poor coverage the mobile may record system information for only a single cell of location area. 
66
_"Unexpected neighbors also do happen often with subway cells. In some cases the BTS is in a central place, and the RF heads are far away, connected with optical fiber. In these cases cell IDs and LACs are carried over many kilometers into places where they usually do not belong, and often not all neighbors are set correctly, due to restrictions in neighbor list size. I can imagine that such circumstances could trigger a false positive."_ ("source":https://lists.srlabs.de/pipermail/gsmmap/2015-March/001272.html)
67
68 10 Philipp
69
70 5 Philipp
h2. K1 - No neighboring cells
71 1 Alex
72
The serving cell is not advertising any neighbor cells.
73
74
h4. Rationale
75
76
Active IMSI catchers which record voice and data will try to prevent an MS from transitioning back to a regular cell. For that reason an IMSI catcher might announce no neighboring cells such that the MS will use the cell spawned by the IMSI catcher until its signal level is too low.  Note, that less suspicious options exist for an IMSI catcher to solve that problem. It could announce a normal amount of neighboring cells, but choose frequency not used by any base station in that area.
77
78
h4. False Positives
79
80
Only few regular situations, like small islands with only a single call, are thinkable where no neighboring cells may be announced.
81
82 10 Philipp
83
84 5 Philipp
h2. K2 - High cell reselect offset
85 1 Alex
86
The cell reselect offset is high.
87
88
h4. Rationale
89
90
The goal of announcing a large CELL RESELECT OFFSET is similar to K1. The CELL RESELECT OFFSET is used to calculate the reselection criterion C2. Together with the path loss criterion parameter C1 it is ”used to ensure that the MS is camped on the cell with which it has the highest probability of successful communication on uplink and downlink.” [GSM 05.08, 6.4] In cases where an IMSI catcher e.g. announces real, available neighboring cells, it might choose to announce a CELL RESELECTION OFFSET that would require the signal quality of any neighboring cell to be impossibly good to consider it as an alternative to the cell spawned by the IMSI catcher. This makes the MS camp on that cell until the desired information has been collected.
91
92
h4. False Positives
93
94
Networks may announce a high CELL RESELECTION OFFSET in areas with poor coverage.
95
96 10 Philipp
97
98 5 Philipp
h2. C1 - Encryption Downgrade
99 1 Alex
100
After using an encryption algorithm with a cell previously, encryption got downgraded to a weaker algorithm.
101
102
h4. Rationale
103
104
Encryption may be disabled completely (A5/0) or limited to a deliberately weakened algorithm (A5/2) due to legal restrictions in some countries. Furthermore, an operator may not yet have the technical capabilities to use the more secure A5/3 algorithm in all of his cells in favor of the broken A5/1 one.
105
106
If a weaker encryption algorithm is observed for the same cell at a later time, this may be an indication for an attacker forcing the MS into an encryption mode that she can attack (more easily). The most likely situation for an active IMSI catcher is a downgrade to A5/0, i.e. null encryption. A downgrade from A5/3 to A5/1 is expected to be rare, as for an active attacker it is much easier to disable encryption all together instead of cracking A5/1.
107
108
This metric is relevant and applicable only when an existing LAC/CID is reused for an IMSI catcher. This is not very common, though, as IMSI catchers usually create a new cell with different LAC to force the MS into a location update. However, if an encryption downgrade happens, this is a very strong sign for an attack.
109
110
h4. False Positives
111
112
An operator may mis-configure some of its base stations to use a weaker encryption algorithm. In rare cases A5/0 transaction are observed, most likely caused by hardware faults.
113
114 10 Philipp
115
116 8 Philipp
h2. C2 - Delayed CIPHER MODE COMPLETE ack.
117 1 Alex
118
In the CIPHER MODE COMMAND message from the network no IMEISV was requested and subsequent CIPHER MODE COMPLETE messages are acknowledged with significant delay.
119
120
h4. Rationale
121
122
The absence of an IMEISV makes the CIPHER MODE COMPLETE message – the response to the CIPHER MODE COMMAND message – fully predictable. This enables an IMSI catcher to mount a known-plaintext attack against the crypto algorithm. Consequently, IMSI catchers may
123
direct the mobile to omit the IMSISV in its response.
124
125
When an active IMSI catcher mounts an attack against the A5/1 algorithm it takes a significant amount of time to break the encryption (up to a couple of seconds). During this period, the CIPHER MODE COMPLETE message is retransmitted by the mobile until an acknowledgment is received, assuming a previous message has not reached the base station. Both can be detected, the increase delay and a higher retransmission count.
126
127
h4. False Positives
128
129
Lost CIPHER MODE COMPLETE packets due to bad network reception.
130
131
Not requesting the IMEISV is normal behavior in some networks, as the IMEI may be retrieved through a subsequent IDENTITY REQUEST at any later time.
132 7 Philipp
133
134 10 Philipp
135 7 Philipp
h2. C3 - CIPHER MODE CMD msg. without IMEISV (removed)
136
137
IMEISV is not requested during the encryption handshake.
138
139
h4. Rationale
140
141
The IMEISV is different for each phone. When it is not requested within the encryption handshake, the encryption handshake becomes fully predictable. This simplifies cracking of the encryption keys.
142
143
h4. Notes
144
145
The metric has been moved into C2, because the fact that no IMEISV is requested is not conclusive if no other parameters are taken into account.
146
147
148 5 Philipp
149 1 Alex
h2. C4 - ID requests during location update
150
151
The network queries identity information (like IMSI and IMEI) after a LOCATION UPDATE REQUEST and then rejects that request.
152
153
h4. Rationale
154
155
This is a fingerprint of an IMSI catcher in identification mode, which ends the transaction as soon as the identity of the MS has been recorded. In a sound network setup, one can assume that an identity request only happens when encryption is in place, i.e. after a CIPHER MODE COMPLETE.
156
157
A mobile has to perform a cell reselection when a LOCATION UPDATE REQUEST has been rejected with a ”location area not allowed”. This may be used by the IMSI catcher to force the MS so select a different cell after the desired information was collected.
158
159
h4. False Positives
160
161
Unknown.
162
163 10 Philipp
164
165 1 Alex
h2. C5 - Cipher setting out of average
166
167 10 Philipp
A cell does not offer encryption in a network that normally encrypts
168
169
h4. Rationale
170
171
An IMSI-Catcher usually is unaware of the subscriber keys and because of this, not able to offer encryption of any sort. A cell with encryption turned off, in a network that is known to encrypt, is suspicious.
172
173
h4. False Positives
174
175
Unknown.
176
177
178 2 Karsten
179 5 Philipp
h2. T1 - Low registration timer
180 1 Alex
181
The initial value of the registration timer T3212 is low.
182
183
h4. Rationale
184
185
The registration timer T3212 controls the interval a mobile performs a periodic LOCATION UPDATE, i.e. one that is performed regularly when the location area of the MS does not change. The T3212 of a mobile is initialized from the time-out value in the Control Channel Description which is broadcast as part of SI3 on the serving cells BCCH. It can be set at a granularity of decihours (6 minutes) and supports a maximum value of 25.5 hours (255 decihours). The value of 0 disables periodic location updates completely.
186
187
An IMSI catcher might broadcast an initialization value for the registration timer that causes the phone to updates its location with the catcher very often, e.g. every 6 minutes. This allows for rather precise presence tracking.
188
189
h4. False Positives
190
191
Common value for T3212 are 1-4 hours. Operators may lower T3212 to e.g. 30 minutes to reallocate subscribers from one MSC/VLR to another for maintenance or upgrade.
192
193 5 Philipp
h2. T3 - Paging without transaction
194 1 Alex
195
The MS is paged without entering a transaction.
196
197
h4. Rationale
198
199
Paging by IMSI and subsequently releasing the transaction without SMS or call data being transmitted may be a pattern of a tracking IMSI catcher trying to detect whether a particular user is in the area of the catcher.
200
201
h4. False Positives
202
203
A similar pattern occurs when a MS is called, but the caller releases the call quickly enough such that the MS is paged, but no ALARM is signaled.
204
205 5 Philipp
h2. T4 - Orphaned traffic channel
206 1 Alex
207
A traffic channel is assigned, but no call control state is entered or text message received for a long time.
208
209
h4. Rationale
210
211
When a traffic channel is assigned, the MS is constantly sending (idle messages) until the channel is released. This constant transmission can be exploited by an IMSI catcher to perform a more accurate localization of the MS.
212
213
h4. False Positives
214
215
Unknown.
216
217 5 Philipp
h2. R1 - Inconsistent neighbor list
218 1 Alex
219
The neighbor list of most neighboring cells does not contain serving cell.
220
221
h4. Rationale
222
223
In a regular network one can assume that the majority of neighboring cells of the current serving cell also announce the current cell as one of their neighboring stations.
224
225
A strategy of an IMSI catcher to prevent an MS that was already connected to register again, is to send a neighbor list over the BCCH that contains only neighboring cells which do not have the frequency of the IMSI catcher in their own neighbor list [EP20000107879, 0027]. When the MS selects one of those neighboring cells, it will not consider the IMSI catcher at least for the next cell reselection.
226
227
h4. False Positives
228
229
Unknown.
230
231 5 Philipp
h2. R2 - High number of paging groups
232 1 Alex
233
The cell is configured in a way that maximizes the number of paging groups.
234
235
h4. Rationale
236
237
When an IMSI catcher uses the technique described in [EP20000107879, 0027] to force the mobile back into a regular network, invalid data is sent on the PCH of the respective paging group of that MS until the MS performs a cell reselection. This has the side effect that any other MS on the same paging group also selects a different cell. Hence, the cell spawned by an IMSI catcher using this technique will try to maximize the number of paging groups in that cell to increase the granularity at which mobiles can be disconnected.
238
239
h4. False Positives
240
241
Unknown.
242 9 Philipp
243
h2. F1 - Few paging requests (removed)
244
245
Rate of paging requests suddenly drops.
246
247
h4. Rationale
248
249
A cell phone network that is in normal operation is usually used by many subscribers at the same time. This causes a constant load of paging requests (broadcast traffic). An IMSI-Catcher is a small network for itself. It will only serve its interception target, but not anybody else. This means that the rate of paging requests inside the catcher cell will be lower by orders of magnitude.
250
251
h4. False Positives
252
253
The metric was discarded because the required information could not be gathered reliably.