Professional Documents
Culture Documents
Agenda
Location-tracking
IMSI catcher
Location-tracking
IMSI catcher
Transaction based:
Intercepting
IMSI catcher
CM Service Request
I would like to make a transaction
CM Service accept
OK
Call Setup
I would like to call +49 177
Call Proceeding
Heres your line.
Call Connect
Your call was answered.
Disconnect
Thanks, Im done.
Intercepting
IMSI catcher
Transaction based:
10
Agenda
11
100 000
3G
10 000
2G
2G
1 000
3G
100
10
GSMmap-apk
released
2014-03
SnoopSnitch
-06
-09
-12
4G
2015-03
-06
90
70
50
2014
2015
12
No proper neighbors
Out-of-place location area
High cell reselect offset, low registration timer
Large number of paging groups
Suspicious
cell behavior
Lack of
proper
encryption
SnoopSnitch
assigns a score
to each
heuristic1 and
sums scores to
form catcher
events
13
100%
75%
50%
Near-certain
catcher sightings.
Several heuristics
triggered (3%)
0%
2,7
3,5
7
14
Config
Behavior
Encryption
454
12
13
77
60
21
19
2
356
9
15
No proper neighbors
Suspicious cell
Lonesome location area
configuration
Out-of-place location area
1. Networks often change abruptly; e.g. when entering the subway
False
positive 2. SnoopSnitch cannot directly read the radio channel (ARFCN) from
the baseband. In the few cases its heuristic guesses wrong, an
causes
IMSI catcher event is reported
16
Suspicious cell
behaviour
False
positive
causes
17
Lack of proper
encryption
False
positive
causes
/3
/1
/3
/3
/1
/3
2. Can IMSI catchers really not use A5/3 and other strong crypto?
We are about to find out!
18
Live export of
2G, 3G, 4G traces
19
Agenda
20
21
Brazil
Tim
China
China Mobile
Guangdong Mobile
Shanghai Mobile
Korea
SK Telecom
Korea Telecom
Colombia
Colombia Mvil
USA
NewCore Wireless
Union Cell
Globecomm
271k
302k
826
580
GTP
endpoints
267
267
153
76
65
12
58
54
4
47
47
10
8
1
1
22
SGSNs disclose
current
encryption key
on the Internet!
23
Demoed at
CCC amp
Request auth/encryption
keys over GRX or SS7
GRX: SGSNContextReq
SS7: SendAuthInfo or
SendIdentification
Usually possible over
GRX or SS7 connection
Also possible over the
Internet? (next chapter)
24
Take aways.
Questions?
25