We are proud to announce that our paper “IMSI-Catch Me If You Can: IMSI-Catcher-Catchers” has been accepted to the 2014 Annual Computer Security Applications Conference (ACSAC).
In this paper, we identify and describe multiple methods for detecting artifacts in the mobile network produced by IMSI Catchers. IMSI Catchers are used in mobile networks to identify, track, attack, spam, reconfigure, and eavesdrop on phones. The first IMSI Catchers date back as early as 1993 and were big, heavy, and expensive. Only a few manufacturers existed, and the economic barrier limited the devices’ use mostly to governmental agencies.
In recent years, prices for these devices have dropped and the number of vendors has increased. Even self-made devices have been demonstrated for about US$ 1,500. Today, however, there is no guarantee that these devices are solely in the hands of authorized domestic authorities.
In brief, these devices exploit the phone’s preference for the strongest cell tower signal in its vicinity, a behavior meant to maximize signal quality and minimize the phone’s own power consumption. Additionally, the original telco model assumes dumb end-user devices, with all intelligence residing in the network. In short: the cell tower is always right – the phone has to comply. We present two independent implementations of an IMSI Catcher Catcher (ICC) to detect this threat against everyone’s privacy.
STATIONARY
The first implementation employs a network of cheap, small stationary measurement units (sICC) installed in a geographical area. They constantly scan all frequency bands for cell announcements and fingerprint the cell network parameters. These rooftop-mounted devices can cover large areas and can form a kind of protective shield for a specific area (e.g. a building complex or a city district). In a field test, we deployed four of these devices in various locations in Vienna, Austria.
MOBILE
The second implementation is an app for standard consumer-grade mobile phones (mICC) that does not require rooting or jailbreaking them. Its core principle is geographical network topology correlation, which makes use of the ubiquitous built-in GPS receiver in today’s phones, combined with a network cell capabilities fingerprinting technique. The latter works for the vicinity of the phone by first learning the cell landscape and then matching new observations against the learned data. While a rooted phone and targeting a specific baseband chipset would increase the accuracy, we aim to support as many devices as possible by using only the standard Android API.
We implemented and evaluated both solutions for digital self-defense and deployed several of the stationary units for a 10-month field test.
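The learn-then-match idea described above, as an added sketch that is not the app's code or its rule set: GPS fixes are bucketed into grid tiles, each tile records the cells heard there with a capability fingerprint, and later scans are compared against that baseline. The tile size, visit threshold, finding names, sample values, and the `(radio technology, neighbour list announced)` fingerprint are all assumptions made for illustration.

```python
import math
from collections import defaultdict

TILE_DEG = 0.005   # assumed grid size (roughly 500 m of latitude)
MIN_VISITS = 3     # assumed: scans needed before a tile counts as learned

def tile_of(lat, lon):
    """Bucket a GPS fix into a grid tile so nearby fixes share one landscape."""
    return (math.floor(lat / TILE_DEG), math.floor(lon / TILE_DEG))

class CellLandscape:
    def __init__(self):
        self.visits = defaultdict(int)   # tile -> number of learned scans
        self.cells = defaultdict(dict)   # tile -> {cell identity: capabilities}
        self.seen_in = defaultdict(set)  # cell identity -> tiles it was seen in

    def learn(self, lat, lon, cell, caps):
        t = tile_of(lat, lon)
        self.visits[t] += 1
        self.cells[t][cell] = caps
        self.seen_in[cell].add(t)

    def check(self, lat, lon, cell, caps):
        """Return findings for one scan; an empty list means it matches."""
        t = tile_of(lat, lon)
        if self.visits.get(t, 0) < MIN_VISITS:
            return ["unlearned-area"]          # no baseline here, no verdict
        known = self.cells[t].get(cell)
        if known is not None:
            return [] if known == caps else ["capabilities-changed"]
        tiles = self.seen_in.get(cell)
        if not tiles:
            return ["new-cell-in-learned-area"]
        # A cell learned only in distant tiles should not be audible here;
        # adjacent tiles are tolerated because coverage spans tile borders.
        near = any(max(abs(t[0] - u[0]), abs(t[1] - u[1])) <= 1 for u in tiles)
        return [] if near else ["known-cell-wrong-location"]

# Constructed sample data: two fixes and two cell identities (MCC, MNC, LAC, CID).
HOME, AWAY = (48.2082, 16.3738), (48.3000, 16.5000)
CELL_A, CELL_B = (232, 1, 1001, 5001), (232, 1, 1002, 5002)

def build_sample():
    ls = CellLandscape()
    for _ in range(MIN_VISITS):
        ls.learn(*HOME, CELL_A, ("GSM", True))   # hypothetical fingerprint tuple
        ls.learn(*AWAY, CELL_B, ("GSM", True))
    return ls
```

A finding here is only a reason to look closer, since operators also add cells and change parameters during normal maintenance.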
FUTURE PLANS
The Android app is planned to go into public beta sometime in fall to allow us to fine-tune the rule set. It will eventually be open sourced. We aim to make this application usable for average smartphone users. If you are an experienced user and would like to help, please contact us at icc@sba-research.org.
For the stationary IMSI Catcher Catcher, we would like to find enough locations to build a gapless coverage area for another field test. Ideally, we would like to cover the inner districts of Vienna, which requires about 20-30 stations. If you can offer a rooftop place or penthouse veranda with a free field of view, please contact us at icc@sba-research.org.