
The Messenger Shoots Back: Network Operator Based IMSI Catcher Detection

  • Conference paper
Research in Attacks, Intrusions, and Defenses (RAID 2016)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9854))

Abstract

An IMSI Catcher, also known as Stingray or rogue cell, is a device that can be used not only to locate cellular phones, but also to intercept communication content such as phone calls, SMS or data transmissions unbeknown to the user. They are readily available as commercial products as well as do-it-yourself projects running open-source software, and are obtained and used by law enforcement agencies and criminals alike. Multiple countermeasures have been proposed recently to detect such devices from the user’s point of view, but they are limited to the immediate vicinity of the user.

In this paper we are the first to present and discuss multiple detection capabilities from the network operator’s point of view, and evaluate them on a real-world cellular network in cooperation with a European mobile network operator with over four million subscribers. Moreover, we draw a comprehensive picture of current threats against mobile phone devices and networks, including 2G, 3G and 4G IMSI Catchers, and present detection and mitigation strategies under the unique large-scale circumstances of a real European carrier. One of the major challenges from the operator’s point of view is that cellular networks were specifically designed to reduce global signaling traffic and to handle as many transactions regionally as possible. Hence, contrary to popular belief, network operators by default do not have a global view of their network. Our proposed solution can be readily added to existing network monitoring infrastructures and includes, among other things, plausibility checks of location update trails, monitoring of device-specific round trip times, and an offline detection scheme for cipher downgrade attacks, as commonly used by commercial IMSI Catchers.
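As an added illustration (not code, data or the exact algorithms from the paper), the following Python sketch realizes two of the operator-side checks the abstract names in one plausible form: a plausibility check on a subscriber's location-update trail, and an offline cipher-downgrade check that compares the cipher negotiated in a transaction against the strongest cipher that device model (TAC, the first eight IMEI digits) is seen to negotiate network-wide. The record layout, the set of operator LACs, the IMSI/IMEI values and the log lines are all constructed for this example.

```python
"""Operator-side IMSI catcher checks over a constructed location-update log.

Added example, not the paper's code or data. It realizes two of the checks the
abstract names, in one plausible form: (1) plausibility of a subscriber's
location-update trail and (2) offline detection of cipher downgrades relative
to what a device model (TAC) is known to negotiate. The record layout, the
LAC values and the log lines below are assumptions made for this example.
"""
from dataclasses import dataclass

# Strength order from the paper's footnote: A5/0 < A5/2 < A5/1 < A5/3.
CIPHER_RANK = {"A5/0": 0, "A5/2": 1, "A5/1": 2, "A5/3": 3}

# Assumed: the set of Location Area Codes this operator actually runs.
OWN_LACS = {0x0101, 0x0102, 0x0103}


@dataclass
class LocationUpdate:
    ts: int          # seconds since some epoch
    imsi: str
    imei: str
    origin_lac: int  # LAC the phone claims it is coming from
    new_lac: int     # LAC of the cell that handled the update
    cipher: str      # algorithm negotiated for this transaction


def tac(imei: str) -> str:
    """TAC = first 8 digits of the IMEI; identifies manufacturer and model."""
    return imei[:8]


def parse_log(text: str) -> list:
    """Assumed CSV layout: ts,imsi,imei,origin_lac(hex),new_lac(hex),cipher."""
    records = []
    for line in text.strip().splitlines():
        ts, imsi, imei, origin, new, cipher = line.split(",")
        records.append(LocationUpdate(int(ts), imsi, imei,
                                      int(origin, 16), int(new, 16), cipher))
    return records


def check_trails(updates: list) -> list:
    """A rogue cell advertises its own LAC. When the phone falls back to the
    real network its Location Update names that LAC as its origin, so an origin
    LAC the operator does not run, or one that disagrees with where the
    subscriber was last seen, is implausible. Returns (imsi, ts, reason)."""
    alerts = []
    last_seen = {}  # imsi -> LAC of the last update we handled
    for u in sorted(updates, key=lambda r: r.ts):
        if u.origin_lac not in OWN_LACS:
            alerts.append((u.imsi, u.ts, f"origin LAC {u.origin_lac:04x} is not ours"))
        elif u.imsi in last_seen and last_seen[u.imsi] != u.origin_lac:
            alerts.append((u.imsi, u.ts,
                           f"origin LAC {u.origin_lac:04x} but last seen in {last_seen[u.imsi]:04x}"))
        last_seen[u.imsi] = u.new_lac
    return alerts


def cipher_baseline(updates: list) -> dict:
    """Offline step: strongest cipher each TAC has ever negotiated network-wide."""
    best = {}
    for u in updates:
        t = tac(u.imei)
        best[t] = max(best.get(t, 0), CIPHER_RANK[u.cipher])
    return best


def check_downgrades(updates: list, baseline: dict) -> list:
    """A man-in-the-middle catcher relays the phone to the real network but
    presents reduced cipher capabilities, so the same model suddenly negotiates
    something weaker than its peers do. Returns (imsi, ts, reason)."""
    alerts = []
    for u in updates:
        best = baseline.get(tac(u.imei), 0)
        if CIPHER_RANK[u.cipher] < best:
            strongest = [c for c, r in CIPHER_RANK.items() if r == best][0]
            alerts.append((u.imsi, u.ts, f"{u.cipher} negotiated, model usually gets {strongest}"))
    return alerts


# Constructed sample: subscriber ...001 returns from a LAC 0x0BAD nobody runs;
# subscriber ...002's phone model normally gets A5/3 but suddenly ends up on A5/0.
SAMPLE_LOG = """
1000,232010000000001,35312505000001,0101,0101,A5/3
1060,232010000000001,35312505000001,0101,0102,A5/3
1900,232010000000001,35312505000001,0BAD,0102,A5/3
1000,232010000000002,35312505000002,0102,0102,A5/3
2000,232010000000002,35312505000002,0102,0103,A5/0
1000,232010000000003,35400000000003,0103,0103,A5/1
"""


def run(log_text: str = SAMPLE_LOG):
    updates = parse_log(log_text)
    return check_trails(updates), check_downgrades(updates, cipher_baseline(updates))


if __name__ == "__main__":
    for kind, alerts in zip(("trail", "cipher"), run()):
        for imsi, ts, reason in alerts:
            print(f"{kind}: imsi={imsi} t={ts}: {reason}")
```

On the sample the trail check flags subscriber ...001 (it claims to come from LAC 0x0BAD, which the operator does not run) and the downgrade check flags subscriber ...002 (its model otherwise negotiates A5/3, but this transaction ended up unencrypted on A5/0). Subscriber ...003 is a different model whose best observed cipher is A5/1, so its A5/1 transaction is not a downgrade; the baseline has to be computed per TAC, not globally, or older models would alarm constantly. The round-trip-time check from the abstract is not modelled here.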


Notes

  1. Except for the very first initial registration.

  2. Nokia Lumia 920.1, E71, 6310, 6150, 3210, 3710A-1, LG Nexus 4, Nexus 5, Apple iPhone 4, iPhone 6, Nexus One, Motorola Moto G2, Moto G XT1032, Samsung Galaxy Nexus, Galaxy S3, Galaxy Xcover2, Galaxy S5, Sony Xperia Z2-SCR10, BG Aquaris E4.5 Ubuntu Phone, Kyocera Torque KS-701, Sony Ericsson ST17I.

  3. All Nokia models introduced before 2000.

  4. Technically, this is a Location Update Request with Origin LAC set to the current LAC and an optional GPRS header with the Attach bit set.

  5. A5/0 < A5/2 < A5/1 < A5/3, in increasing order of strength.

  6. The attacker has to brute-force the 48-bit sequence number, though.

  7. The TAC is the first 8 digits of an IMEI and encodes the manufacturer and phone model. Popular models might end up with multiple assigned TACs. This is somewhat similar to the OUI prefix of an Ethernet MAC address, which encodes the manufacturer.

  8. See Sects. 7.3 and 7.4 for further discussion and possible mitigations.


Acknowledgments

We want to thank the whole crew of the core network security team and radio access network team at T-Mobile. They have been a great help. We are very grateful for the reviewers’ comments and help to improve the quality of the paper and point to new interesting future work opportunities. This research was partially funded by the COMET K1 program through the Austrian Research Promotion Agency (FFG).

Author information


Correspondence to Adrian Dabrowski.


Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Dabrowski, A., Petzl, G., Weippl, E.R. (2016). The Messenger Shoots Back: Network Operator Based IMSI Catcher Detection. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2016. Lecture Notes in Computer Science, vol 9854. Springer, Cham. https://doi.org/10.1007/978-3-319-45719-2_13


  • DOI: https://doi.org/10.1007/978-3-319-45719-2_13


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-45718-5

  • Online ISBN: 978-3-319-45719-2
