Analysis of the Oslo IMSI-Catcher Radio Surveillance Data
Torjus Bryne Retterstøl
IMSI-Catcher Seminar Simula Research Lab, Aug. 26, 2015
Torjus Bryne Retterstøl
• Education: NTNU M.Sc. / Siv.Ing. Communication Technology, Information Security Specialization
• Job: IT security Consultant at Accenture
Master thesis work in spring 2015 with supervisor: Prof. Stig F. Mjølsnes, Dep. of Telematics
«Base Station Security Experiments Using USRP» (June 2015)
– Built an IMSI-catcher and did some experiments
– Analyzed Aftenposten's investigations
Outline
1. Brief Background
o Cell selection/ reselection
o IMSI-catcher behavior
2. Some Data Analysis Results
o LAC Change
o Provider Anomaly
o Large reselection values
Cell Selection / Reselection
• ”Camp on a cell”: Connected to selected radio cell
• MS mobility requires selection & reselection of cells:
• Selection Criteria:
– Path loss criterion: C1 (determined by signal strength)
– Camp on the cell with the largest C1 value
• Reselection Criteria:
– Cell reselection criterion: C2, calculated from C1 and values broadcast by the cell
– Continuously monitor up to 6 cells with the best signal strength and compute C1 and C2
– Reselect to the cell with the largest C2 value (given some criteria)
C2
$C2 = C1 + \text{Cell Reselect Offset (CRO)} - \text{TO} \cdot H(\text{PT} - T)$
Cell Reselect Offset (CRO) = {0,63}
– 2 dBm steps. For example, CRO=3 → 6 dBm
– CRO cannot be odd
Temporary Offset (TO) = {0,7}
– 0…6 represent 0 – 60 dBm, 7 represents infinity
– TO cannot be odd, unless infinity
• C difference (C2-C1) cannot be an odd value
IMSI-Catcher Behavior
• Goal: Retrieve IMSIs
• Boost C2 value – force camping on cell
• Broadcast different LAC than other, nearby cells
• Resulting in Location update including TMSI/IMSI
• MS must send a location update when
– It is switched on and selects a cell
– At periodic intervals while camping on a cell
– It reselects to a new location area/cell
Cell/Channel LAC Change
• Only LAC changes, all other values static
• LAC changes only for one measurement (seconds)
• RxL does not fluctuate
• Likely same sender
• Observed other days with similar RxL and configuration
• LAC changes to another operator's LAC
Provider Anomaly
• Two Telenor cells appear in the neighbour list of a Network Norway cell
• Not typical IMSI-catcher behavior
• Network Norway and Telenor roaming agreement
Cell 32478 Myntgata
• «Strongest evidence» of IMSI-catcher activity
• LAC not used by any other cell in Oslo
• Abnormally high C2 values
• C difference odd number
– Should not be possible
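The three indicators on this slide can be checked mechanically against logged cell measurements. The following is an added example, not code from the thesis or from the survey tooling: the record fields, the cell and LAC numbers and the C2 threshold are constructed assumptions, and H is taken to be the unit step function.

```python
import math

def c2(c1, cro, to, pt_minus_t):
    """C2 = C1 + CRO - TO * H(PT - T), using the slide's field encodings."""
    if not (0 <= cro <= 63 and 0 <= to <= 7):
        raise ValueError("CRO must be 0..63 and TO 0..7")
    offset = 2 * cro                              # CRO counts steps of 2
    penalty = math.inf if to == 7 else 10 * to    # 0..6 -> 0..60, 7 -> infinity
    # Assumption: H is the unit step, H(x) = 1 for x >= 0 and 0 otherwise.
    return c1 + offset - penalty if pt_minus_t >= 0 else c1 + offset

def flag_cells(measurements, c2_limit):
    """Return {cell: [reasons]} for cells matching the slide's indicators.

    c2_limit is an analyst-chosen threshold (assumption; the slides give none).
    """
    cells_per_lac = {}
    for m in measurements:
        cells_per_lac.setdefault(m["lac"], set()).add(m["cell"])
    findings = {}
    for m in measurements:
        reasons = []
        if (m["c2"] - m["c1"]) % 2 == 1:          # cannot come from the formula
            reasons.append("odd C2-C1")
        if len(cells_per_lac[m["lac"]]) == 1:     # LAC used by no other cell
            reasons.append("unique LAC")
        if m["c2"] > c2_limit:
            reasons.append("high C2")
        if reasons:
            findings.setdefault(m["cell"], reasons)
    return findings

# Constructed sample measurements (not from the Oslo data set).
SAMPLE = [
    {"cell": 1001, "lac": 2101, "c1": 30, "c2": 36},
    {"cell": 1002, "lac": 2101, "c1": 25, "c2": 25},
    {"cell": 1003, "lac": 2101, "c1": 28, "c2": 48},
    {"cell": 1004, "lac": 9999, "c1": 40, "c2": 141},
]

if __name__ == "__main__":
    for cell, reasons in flag_cells(SAMPLE, c2_limit=100).items():
        print(cell, ", ".join(reasons))
```

Because every finite term the formula adds to C1 is a multiple of 2, the odd-difference check needs no threshold and works on a single measurement.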
Explanations of Other Anomalies
• Misinterpretations of the data
• Misconfigurations by Norwegian operators
Conclusion
• Delma found anomalies, but did not analyze them
• No clear evidence of IMSI-catchers
• Two suspicious measurements
Thank you
• Full thesis available at
– http://1drv.ms/1Bx5vMq