Android IMSI Catcher detection

Dan Staples danstaples at disman.tl
Wed Dec 11 06:34:34 PST 2013


This morning's NSA article from WaPo contains some slides mentioning
USRP equipment[1]. It's hard to say without more context whether it's
referring to the GSM equipment from Ettus...anyone care to speculate?
The USRP series doesn't exactly seem like carrier-grade equipment, but
perhaps the NSA has a good reason to use it. Maybe baseband
exploitation, as coderman has previously mentioned? Simply getting cell
tower database dumps from the telcos would suffice for location info, so
I would guess this has a different purpose.


[1]
http://apps.washingtonpost.com/g/page/national/nsa-signal-surveillance-success-stories/647/#document/p3/a135606

On 12/10/2013 05:56 AM, Matej Kovacic wrote:
> Hi,
> 
>> Can/do IMSI systems spoof tower id: is there anything in GSM to make
>> towers self-verifying? I'm guessing no, in which case the above would
>> be very poor.
> No, the problem is that the mobile phone authenticates to the mobile
> network, but the opposite is not true. Since the mobile network does not
> authenticate itself to the mobile phone, IMSI Catcher attacks are possible.
> 
> There has also been a demonstration of a "home-made" IMSI Catcher based
> on the Osmocom platform last year at the CCC conference.
> 
> The video of the presentation "Further hacks on the Calypso platform" by
> Sylvain Munaut is here:
> http://media.ccc.de/browse/congress/2012/29c3-5226-en-further_hacks_calypso_h264.html
> 
> So, it is very easy to set up a fake cell with any cell ID.
> 
>> Also of note is API for signal strength, so a mapping of known towers to
>> expected strength at location XYZ could be used to detect systems used
>> to home in on phones, which usually max out on signal and tell your
> 
> This would not work, because cells are not static (new cells emerge,
> covered area changes, etc.) and the opencellid database is not regularly
> updated. There could also be femtocells used, etc...
> 
> 
> Regards,
> 
> M.
> 

-- 
http://disman.tl
OpenPGP key: http://disman.tl/pgp.asc
Fingerprint: 2480 095D 4B16 436F 35AB 7305 F670 74ED BD86 43A9
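
The signal-strength idea quoted in the thread, with the reply's caveats taken into account, as an added sketch that is not part of the original messages: it scores a cell observation against the phone's own history instead of a public database, and treats an unknown cell as weak evidence on its own. The cell identifiers, readings, thresholds and weights are all constructed assumptions.

```python
from statistics import mean, pstdev

# Phone's own history: ((mcc, mnc, lac, cid), location tile) -> RSSI samples (dBm).
# All identifiers and readings are constructed, not real towers.
BASELINE = {
    ((1, 1, 1201, 5501), "tile-A"): [-88, -91, -86, -90, -87],
    ((1, 1, 1201, 5502), "tile-A"): [-97, -95, -99, -96, -98],
}
STRONG_DBM = -60   # assumed threshold for an unusually loud cell
SIGMA_LIMIT = 3.0  # assumed allowed deviation above the local baseline
WEIGHTS = {
    "cell not in local baseline": 1,
    "unknown cell with very strong signal": 2,
    "known cell ID under a different LAC": 1,
    "signal far above baseline for this location": 2,
}


def score(obs, baseline=BASELINE):
    """Return (score, reasons) for one observation dict."""
    cell = (obs["mcc"], obs["mnc"], obs["lac"], obs["cid"])
    samples = baseline.get((cell, obs["tile"]))
    reasons = []
    if samples is None:
        # Weak on its own: new cells, coverage changes and femtocells all
        # produce unfamiliar IDs, so this only matters combined with more.
        reasons.append("cell not in local baseline")
        if obs["rssi"] >= STRONG_DBM:
            reasons.append("unknown cell with very strong signal")
        moved = any(c[:2] == cell[:2] and c[3] == cell[3] and c[2] != cell[2]
                    for c, _tile in baseline)
        if moved:
            reasons.append("known cell ID under a different LAC")
    else:
        # A cell ID can be copied, so a familiar ID is still checked on strength.
        mu, sd = mean(samples), max(pstdev(samples), 1.0)
        if (obs["rssi"] - mu) / sd > SIGMA_LIMIT:
            reasons.append("signal far above baseline for this location")
    return sum(WEIGHTS[r] for r in reasons), reasons


def obs(lac, cid, rssi, tile="tile-A"):
    """Build a constructed observation on the sample network 1/1."""
    return {"mcc": 1, "mnc": 1, "lac": lac, "cid": cid, "rssi": rssi, "tile": tile}


if __name__ == "__main__":
    for o in (obs(1201, 5501, -87), obs(1201, 5501, -55),
              obs(1201, 7777, -95), obs(9999, 5501, -50)):
        print(o["lac"], o["cid"], o["rssi"], score(o))
```

A score is a prompt for a closer look, not a verdict: a legitimate new cell or femtocell next to the phone produces the same readings.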


