[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Android IMSI Catcher detection



On Mon, Dec 9, 2013 at 2:31 PM, Cathal Garvey (Phone)
<[email protected]> wrote:
> IDD, I've searched for an Android API for detecting crypto algo for ages and
> turned up empty.

i feel your pain...

(~_~;)



> However, you can get the tower ID, so a distributed,
> communally (cantenna?) verified whitelist of 'good' towers is doable, with
> automatic disconnection if an unwhitelisted tower connects..?

sort of; there are some interesting attacks using a force-pushed
silent PRL update (see DC19/DC20 cell attacks threads) which would be
observable by tower ID oddities, not to mention decremented or zero
PRL version.  however, you'd have to be paying attention (who checks
their PRL regularly? :).

if you simply check if a tower is in
http://www.opencellid.org/cell/list for example, you're open to
attacks spoofing a legitimate but remote (out of range) tower.

using direction finding techniques to cross reference the transmitter
location against the expected GPS coordinates in a tower database
relative to your position would also detect these tower impersonators,
but requires more hardware than a mobile baseband...



> Can/do IMSI systems spoof tower id: is there anything in GSM to make towers
> self-verifying? I'm guessing no, in which the above would be very poor.

the expensive, limited distribution kit will be hard to distinguish
without a high performance software defined radio.  if you're able to
detect an identically spoofed tower using OsmocomBB with high
confidence i'd love to know how you did it!



> Also of note is API for signal strength, so a mapping of known towers to
> expected strength at location XYZ could be used to detect systems used to
> home in on phones, which usually max out on signal and tell your phone to do
> likewise. Indeed, a strong signal tower which still asks your phone to dial
> up the juice should be regarded as an attack.

truth.  also, an inversion of observed data link capacity (suddenly
seeing receive bandwidth drop in half or more while transmit rate
doubles) is no bueno.


best regards,