Posted by a guest, Jan 6th, 2015
IMSI Catchers: Practical Knowledge for Activists

"Not on the phone" -- Stringer Bell

Introduction
        Activists on the streets face threats of State repression ranging from surveillance and arrest to physical violence, to start. Technology tools by themselves will not reduce this State power, but tools used as part of a _security culture_ can make an impact. There are already a few excellent guides [0], so this short guide will explore IMSI catchers [1], their capabilities, and some practical counter-surveillance on the streets. Sections that are technical will be marked with an asterisk and are optional reading.
***GSM telephony
        Your phone (the mobile station, MS) connects to a cell phone tower [2]. By design, and to preserve battery life, it picks the strongest broadcasting tower in your area. When the connection occurs, you connect to a base transceiver station (BTS); several BTSs together form a location area, identified by a location area code (LAC). The BTS your phone connects to determines much of what your connection is capable of: whether it is encrypted, how it is encrypted, whether it is 2G or 3G, and so on. So when your phone (MS) makes the _first_ connection to a BTS, a large amount of information about your phone is handed off.
Phones
        _Phones_are_tracking_devices_ (never forget this fact!). Your phone routinely pings its location to a BTS, and records of your physical location are stored in a database somewhere. (Activists should consider leaving phones at home if they don't want their location tracked.) To uniquely identify your phone, however, you need a few key bits of information:
        IMSI    -- International Mobile Subscriber Identity
        IMEI    -- the cellphone hardware's unique identifier
        MSISDN  -- the phone number
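To make the first two identifiers concrete, here is an added example (not code from the original paste) that decodes them: an IMSI is the 3-digit mobile country code (MCC), a 2- or 3-digit mobile network code (MNC) and the subscriber number (MSIN), so even the bare IMSI reveals your home country and carrier; an IMEI is 14 digits plus a Luhn check digit, with the first 8 digits (the TAC) identifying the handset model. The MNC length really depends on the MCC via a per-country table; taking it as a parameter is a simplification made here, and the sample IMSI is constructed while the sample IMEI is a documentation example value tied to no real device.

```python
"""Added example (not from the original paste): decode the identifiers the
text lists. IMSI = MCC (3 digits) + MNC (2 or 3 digits) + MSIN; the MNC
length depends on the MCC in reality, so passing it in is an assumption made
for this example. IMEI = 14 digits + a Luhn check digit; the TAC (first 8
digits) identifies the handset model."""

import re


def parse_imsi(imsi: str, mnc_length: int = 2) -> dict:
    """Split an IMSI into MCC / MNC / MSIN (mnc_length is an assumption here)."""
    if not re.fullmatch(r"\d{6,15}", imsi):
        raise ValueError("IMSI must be 6 to 15 digits")
    if mnc_length not in (2, 3):
        raise ValueError("MNC is 2 or 3 digits")
    return {
        "mcc": imsi[:3],                      # country
        "mnc": imsi[3:3 + mnc_length],        # home network / carrier
        "msin": imsi[3 + mnc_length:],        # subscriber within that network
    }


def luhn_check_digit(payload: str) -> int:
    """Luhn check digit for a digit string: starting from the rightmost
    payload digit, double every other digit, subtract 9 from results > 9,
    and pick the digit that makes the total a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def parse_imei(imei: str) -> dict:
    """Split a 15-digit IMEI into TAC, serial and check digit and validate it."""
    if not re.fullmatch(r"\d{15}", imei):
        raise ValueError("IMEI must be exactly 15 digits")
    return {
        "tac": imei[:8],                      # type allocation code: handset model
        "serial": imei[8:14],
        "check": int(imei[14]),
        "valid": luhn_check_digit(imei[:14]) == int(imei[14]),
    }


def imei_is_valid(imei: str) -> bool:
    """True when the IMEI is 15 digits with a correct Luhn check digit."""
    return re.fullmatch(r"\d{15}", imei) is not None and parse_imei(imei)["valid"]


if __name__ == "__main__":
    # Constructed sample IMSI (MCC 310 = USA range, 3-digit MNC assumed).
    print(parse_imsi("310150123456789", mnc_length=3))
    # Documentation example IMEI, not a real device.
    print(parse_imei("490154203237518"))
```

Note that a catcher needs nothing more than the IMSI to pick a specific subscriber out of a crowd, which is why the temporary TMSI exists for ordinary traffic and why the very first identification exchange is the weak point the text goes on to describe.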
IMSI Catchers and their capabilities
        When your phone connects to a new base station (BTS), the IMSI that uniquely identifies your phone is sent to the BTS. Because the IMSI identifies a phone so precisely, a temporary id (TMSI) is generated for most actual use. But that first connection is what IMSI Catchers exploit: they work by broadcasting as a cell tower and tricking your phone into handing its IMSI over to them. [3] Stingrays (a trademarked type of IMSI Catcher) can operate in two modes, passive and active. In active mode, a phone is constantly pinged and tracked. In passive mode the device just surveys the area and could dump records of every phone in the area into a database. (The author suspects that IMSI Catchers in passive mode are used at demonstrations. That way the police can tell *who* might have been in the area, for intelligence gathering.)
        On 2G, IMSI Catchers can capture your dialed numbers, the _content_ of your calls and SMS, and metadata, and in some models content can be modified in real time (PDF p. 7 of [4]). For 3G and LTE there is an additional authentication mechanism [5], so content interception isn't possible, but IMSI catching still works. It is also possible to "jam" 3G broadcasting to force your phone onto 2G. (There are other attacks on GSM encryption for 3G/LTE [6].)
        Finally, understand that these attacks work against GSM's own encryption. Activists should also be encrypting their SMS and phone calls separately: a properly implemented end-to-end encryption system can *not* be intercepted this way. For SMS you can install TextSecure (Android); for phone calls, RedPhone (Android) or Signal (iPhone). This prevents your SMS messages from being intercepted and makes your call content impossible to get, but it will not stop IMSI catching.
tl;dr IMSI catchers uniquely identify *your* phone

Symptoms of IMSI Catchers
        - Very high battery drain (the phone transmits at full power) {see note 1 below}
        - Denial of service (the phone can't connect at all without rebooting)
        - Downgrade attacks (3G goes down, with only 2G available)
        - Rapidly changing LAC / BTS / Tx & Rx
Note to activists:
                1. Very high battery drain is expected if you're at a demonstration and tweeting, taking pictures, etc. It can also be explained by hundreds of people congregating in close proximity and hitting the same BTS.
                2. Not every truck parked near a demonstration is an IMSI Catcher, and not every time your applications won't open means you're being tracked. Be cautious, but not paranoid ;-)
Counter-Surveillance
        - Look for Amberjack antennas [7][8]
        - Turn your phone off
        - SnoopSnitch (Android)
        - AIMSICD (Android)
Android
        There are two good projects for detecting IMSI catchers on Android: SnoopSnitch [9] and AIMSICD [10]. SnoopSnitch is particularly promising because many of the low-level GSM controls are hidden away in the proprietary baseband; some clever engineering by experts in the field allowed them to pull that information into an easy-to-use application. The code is open source and gives a very good look at how IMSI Catchers work in the wild. The application also detects SS7 attacks, which are outside the focus of this article. SnoopSnitch is available in the Android Store [11] for devices with Qualcomm basebands.
        AIMSICD is another promising application in active development. A couple of nice features include a local database of events that occur in your area, kept for later analysis, an easy-to-use UI and color-coded threat levels. In my own experience, I turn the application on as I walk around town and have passively mapped most of the topography of GSM towers in the city. This baseline is important for when fake towers emerge and disappear quickly. You can download the APK here [12].
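The symptom list above (rapidly changing LAC/BTS, 2G downgrades) and the baseline idea in the AIMSICD paragraph amount to one detection procedure: record the cells you normally see, then flag observations at the demonstration that disagree with that record. Here is an added example, not code from the paste or from SnoopSnitch or AIMSICD, that applies that logic to a log of cell observations. The log line format, the operator codes, LACs, cell ids, signal values and timestamps are all constructed for the example; a real app reads these values from the baseband rather than from text lines.

```python
"""Added example, not code from the paste or from SnoopSnitch/AIMSICD:
a toy detector that applies the symptom list from the text (unknown cells,
a known cell announcing a different LAC, LAC churn, 2G downgrades) to a log
of cell observations, compared against a baseline of towers mapped on
earlier walks. The log line format and every value below are constructed."""

from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed baseline: cells seen on a quiet walk the day before.
BASELINE_LOG = [
    "2015-01-05T10:00:00 mcc=310 mnc=410 lac=1234 cid=5678 rat=3G dbm=-80",
    "2015-01-05T10:05:00 mcc=310 mnc=410 lac=1234 cid=5679 rat=3G dbm=-85",
    "2015-01-05T10:10:00 mcc=310 mnc=410 lac=1234 cid=5680 rat=4G dbm=-90",
]

# Constructed log from the demonstration: a strong, unknown 2G cell with a
# new LAC appears and the phone bounces between it and the known cells.
DEMO_LOG = [
    "2015-01-06T14:00:00 mcc=310 mnc=410 lac=1234 cid=5678 rat=3G dbm=-80",
    "2015-01-06T14:00:30 mcc=310 mnc=410 lac=1234 cid=5679 rat=3G dbm=-84",
    "2015-01-06T14:01:00 mcc=310 mnc=410 lac=9999 cid=7777 rat=2G dbm=-51",
    "2015-01-06T14:01:30 mcc=310 mnc=410 lac=1234 cid=5678 rat=3G dbm=-80",
    "2015-01-06T14:02:00 mcc=310 mnc=410 lac=9999 cid=5678 rat=2G dbm=-50",
]

RAT_RANK = {"2G": 2, "3G": 3, "4G": 4}


@dataclass
class Observation:
    ts: datetime
    mcc: str
    mnc: str
    lac: int
    cid: int
    rat: str  # "2G", "3G" or "4G"
    dbm: int  # received signal strength


def parse_line(line: str) -> Observation:
    """Parse one constructed 'timestamp key=value ...' log line."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Observation(datetime.fromisoformat(ts_text), kv["mcc"], kv["mnc"],
                       int(kv["lac"]), int(kv["cid"]), kv["rat"], int(kv["dbm"]))


def build_baseline(lines: List[str]) -> Dict[Tuple[str, str, int], int]:
    """Map (mcc, mnc, cid) -> lac for every cell seen during baseline walks."""
    baseline = {}
    for line in lines:
        o = parse_line(line)
        baseline[(o.mcc, o.mnc, o.cid)] = o.lac
    return baseline


def analyze(lines, baseline, lac_window_s=300, max_lac_changes=3):
    """Return (timestamp, alert_type, detail) tuples for each symptom found."""
    alerts = []
    lac_change_times = []
    prev = None
    for line in lines:
        o = parse_line(line)
        key = (o.mcc, o.mnc, o.cid)
        if key not in baseline:
            alerts.append((o.ts, "unknown-cell",
                           f"cid {o.cid} with lac {o.lac} never seen in baseline"))
        elif baseline[key] != o.lac:
            # A known cell id announcing a different LAC is an inconsistency
            alerts.append((o.ts, "lac-mismatch",
                           f"cid {o.cid} known with lac {baseline[key]}, now {o.lac}"))
        if prev is not None:
            if o.rat == "2G" and RAT_RANK[prev.rat] > RAT_RANK["2G"]:
                alerts.append((o.ts, "downgrade", f"{prev.rat} -> 2G"))
            if o.lac != prev.lac:
                lac_change_times.append(o.ts)
                recent = [t for t in lac_change_times
                          if (o.ts - t).total_seconds() <= lac_window_s]
                if len(recent) >= max_lac_changes:
                    alerts.append((o.ts, "lac-churn",
                                   f"{len(recent)} LAC changes within {lac_window_s}s"))
        prev = o
    return alerts


if __name__ == "__main__":
    for ts, kind, detail in analyze(DEMO_LOG, build_baseline(BASELINE_LOG)):
        print(ts.isoformat(), kind, detail)
```

Run on the constructed demonstration log, the detector raises an unknown-cell alert and a 3G-to-2G downgrade when the new LAC first appears, then a LAC mismatch, a second downgrade and a LAC-churn alert once the phone has changed LAC three times within five minutes; run on the baseline log itself it raises nothing. As the "Note to activists" says, each of these signals also has innocent explanations (a new tower, a crowded cell, a weak 3G signal), so an alert is a reason to be cautious and to leave the phone off, not proof of an IMSI Catcher.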
Trade-Offs
        The downside of these applications is that they require very low-level access to your cellphone, and SnoopSnitch also requires a rooted Android phone. If you're not comfortable with that, you can purchase a Moto E for $100 USD and use it as a testing device (with the added benefit that your everyday phone number isn't attached to demonstrations).
        Is this all worth it? I'd argue that IMSI Catchers pose a real threat to anonymous political speech. I look at the FBI's coordinated crackdown on protests in the last few years [13][14] and see a very real need to update our threat models. We know that IMSI Catchers have been deployed on US soil [15] against protesters in the past (this was in 2003), and of course local police are only getting more money from DHS under the absurd notion of "counter terrorism".
A Las Barricadas.

Sources:
[0]
[1]
[2]
[3]
[4]
[5]
[6]
[7]
[8]
[9]
[10]
[11]
[12]
[13]
[14]
[15]