Catching IMSI Catchers
Geoffrey Vaughan (@mrvaughan)
Security Engineer
What you will learn today
1. What IMSI Catchers do and how they work
2. Detection strategies
3. An exciting tale of adventures in Vegas
4. How to avoid being caught up in an IMSI Catcher
Whoami
• Geoffrey Vaughan @MrVaughan
• Security Engineer @SecurityInnovation
• Appsec pentesting/advisory at all areas of the SDLC
• Former High School/Prison/University Teacher
• Occasionally I’m let out of my basement
• Travelled from Toronto to be here with you today
IMSI Catchers / Stingrays
IMSI Catcher:
• Any rogue cellular device designed to capture cell phone identifiers or traffic
• Often used by police/governments
Stingray:
• Most popular brand of IMSI Catcher sold to police/governments, made by Harris Corp
IMSI: International Mobile Subscriber Identity
• Your unique subscriber ID, stored on the SIM (the handset itself has a separate hardware ID, the IMEI)
Privacy constraints:
• Strict NDAs often prevent users from disclosing the device capabilities or naming the device publicly (even in the case of warrants)
IMSI Catcher Specs
• Can intercept 2G, 3G and 4G communication simultaneously, on both CDMA and GSM networks
• Can launch downgrade attacks that push phones onto weaker channels (2G), where the phone never authenticates the network and the old A5/1 cipher is breakable
• Operates in either passive or active mode
• Passive mode – simply captures all available traffic in the area
• Active mode – acts as a full-duplex proxy (a man in the middle), forcing all traffic through the device and then onward to a normal cellular tower
How they are used
• Confirming presence of a device in a target’s home prior to a search thereof
• Identifying an individual responsible for sending harassing text messages
• Locating a stolen mobile device as a precursor to searching homes in the vicinity
• Locating specific individuals by driving around a city until a known IMSI is found
• Mounted on airplanes by the United States Marshals Service to sweep entire cities for a specific mobile device
• To monitor all devices within range of a prison to determine whether prisoners are using cell phones
• Reportedly at political protests to identify devices of individuals attending
• To monitor activity in the offices of an independent Irish police oversight body
Source: https://citizenlab.org/wp-content/uploads/2016/09/20160818-Report-Gone_Opaque.pdf
Where they are used
• 1,400+ confirmed uses in Baltimore; mapping shows disproportionate use in predominantly black neighborhoods
  http://www.citylab.com/crime/2016/10/racial-disparities-in-police-stingray-surveillance-mapped/502715/?utm_source=feed
• Thousands of times in Florida since 2007, for crimes as small as 911 hang-ups
  http://arstechnica.com/tech-policy/2016/08/Baltimore-police-accused-of-illegal-mobile-spectrum-use-with-stingrays/
Manual Leak
The Intercept acquired a device manual and published it:
https://theintercept.com/2016/09/12/long-secret-stingray-manuals-detail-how-police-can-spy-on-phones/
Where to buy
• Only sold to governments, police, and military
• Alibaba: good luck (mostly 2G only); import laws; buyer assumes risk
• But for ~1400 USD you can build your own:
  http://arstechnica.com/security/2015/10/low-cost-imsi-catcher-for-4glte-networks-track-phones-precise-locations/
• Or hide one in a printer and make it call to say I love you:
  https://julianoliver.com/output/stealth-cell-tower
How to find and detect an IMSI Catcher
Current detection methods are entirely anomaly based: nothing in the signal says “catcher”, you only notice a tower that was not there before, or a known tower ID heard somewhere it should not be.
1. War walk your neighborhood and make note of all cell tower IDs you find and their locations
2. Repeat this until you are sure you have all known devices cataloged
3. Constantly monitor your area to see if any new devices are added
4. Go find the new device
Tools to help you out
• OpenCellID.org – database of mostly user-reported cellular towers, their locations, and their identifiers
• AIMSICD – Android IMSI Catcher Detector app. Tool used to collect cell data. It also reports/syncs with OpenCellID (sometimes).
  https://github.com/CellularPrivacy/Android-IMSI-Catcher-Detector
• Rooted Android device – required for AIMSICD, which means you need a dedicated device for detection
• Eric Escobar – Detecting Rogue Cell Towers; built a $50 device to better triangulate devices (presented this year)
  https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/DEFCON-24-Eric-Escobar-Rogue-Cell-Towers-UPDATED.pdf
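The four-step anomaly workflow above, as an added example (this is not code from the talk, from AIMSICD or from OpenCellID). It builds the baseline catalog from a constructed CSV in the column order OpenCellID's public dumps use (radio,mcc,net,area,cell,unit,lon,lat,… with lon before lat; treat that layout as an assumption and check the header of the dump you actually download), then walks a constructed list of observations and flags three kinds of anomaly: a cell identity never catalogued, a known identity heard far from every catalogued position (a catcher reusing a real tower's IDs), and an excess of LTE/3G to GSM downgrades along the walk. The observation layout, the 250 m GPS tolerance and the downgrade threshold are all assumptions chosen for the example; the catalog keeps several positions per cell so that redundant devices at one site do not look like a tower that moved.

```python
"""Anomaly-based rogue cell tower detection over a catalogued baseline.

Added example for this talk, not code from the talk, from AIMSICD or from
OpenCellID.  Baseline records are parsed from a constructed CSV in the column
order OpenCellID's public dumps use (radio,mcc,net,area,cell,unit,lon,lat,...;
note lon before lat) - treat that layout as an assumption and check the header
of the dump you actually download.  Observation records are a simplified,
constructed form of what a detector app logs while you walk.
"""
import csv
import io
import math

# Constructed baseline: three towers "catalogued" before the event.
# Two share a site (redundant devices / several floors), a real-world
# source of false positives if positions are keyed one-per-cell.
OPENCELLID_CSV = """\
radio,mcc,net,area,cell,unit,lon,lat,range,samples,changeable,created,updated,averageSignal
LTE,310,410,1001,12345,0,-115.1745,36.1162,1000,12,1,1470000000,1471000000,0
LTE,310,410,1001,12346,0,-115.1750,36.1170,1000,8,1,1470000000,1471000000,0
LTE,310,260,2002,55555,0,-115.1730,36.1150,1000,30,1,1470000000,1471000000,0
"""

# Constructed observations in walk order: (mcc, mnc, lac, cid, lat, lon, rat).
OBSERVED = [
    (310, 410, 1001, 12345, 36.1163, -115.1746, "LTE"),  # known cell, same spot
    (310, 410, 1001, 12346, 36.1171, -115.1749, "LTE"),  # known cell, same spot
    (310, 410, 1001, 99999, 36.1165, -115.1748, "GSM"),  # never catalogued
    (310, 260, 2002, 55555, 36.1400, -115.2000, "LTE"),  # known ID, ~3.7 km away
    (310, 410, 1001, 12345, 36.1164, -115.1747, "GSM"),  # known cell, but on 2G
]

RANK = {"GSM": 2, "UMTS": 3, "LTE": 4}   # generation; lower is weaker


def parse_opencellid_csv(text):
    """Yield (mcc, mnc, lac, cid, lat, lon) from an OpenCellID-style dump."""
    for row in csv.DictReader(io.StringIO(text)):
        yield (int(row["mcc"]), int(row["net"]), int(row["area"]),
               int(row["cell"]), float(row["lat"]), float(row["lon"]))


def build_catalog(baseline):
    """Map global cell identity -> list of catalogued positions.

    Keeping a list rather than one position per cell is what avoids flagging
    redundant devices at one site as a tower that moved."""
    catalog = {}
    for mcc, mnc, lac, cid, lat, lon in baseline:
        catalog.setdefault((mcc, mnc, lac, cid), []).append((lat, lon))
    return catalog


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def analyse(observed, catalog, gps_tolerance_m=250.0, max_downgrades=1):
    """Return findings as (kind, cell_key, detail) tuples.

    kind is one of:
      new_cell    - identity never seen in the baseline
      moved_cell  - known identity heard farther than gps_tolerance_m from
                    every catalogued position; detail = metres
      downgrades  - more RAT downgrades (e.g. LTE -> GSM) than max_downgrades
                    across the walk; detail = count
    gps_tolerance_m absorbs GPS error and multi-floor sites; raise it if a
    dense venue produces too many moved_cell hits."""
    findings = []
    downgrades = 0
    prev_rat = None
    for mcc, mnc, lac, cid, lat, lon, rat in observed:
        key = (mcc, mnc, lac, cid)
        if key not in catalog:
            findings.append(("new_cell", key, 0.0))
        else:
            nearest = min(haversine_m(lat, lon, plat, plon) for plat, plon in catalog[key])
            if nearest > gps_tolerance_m:
                findings.append(("moved_cell", key, round(nearest)))
        if prev_rat is not None and RANK[rat] < RANK[prev_rat]:
            downgrades += 1
        prev_rat = rat
    if downgrades > max_downgrades:
        findings.append(("downgrades", None, downgrades))
    return findings


if __name__ == "__main__":
    cat = build_catalog(parse_opencellid_csv(OPENCELLID_CSV))
    for kind, key, detail in analyse(OBSERVED, cat):
        print(f"{kind:11} {key} {detail}")
```

On the constructed data this reports the uncatalogued cell 99999, the known cell 55555 heard about 3.7 km from where it was catalogued, and two downgrades along the walk. All three are only anomalies, not proof: a carrier adding a tower, a mislabelled OpenCellID entry or a weak-coverage basement will produce the same output, which is why step 4 is still “go find the device”.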
Story Time
How hostile is it for your devices at Def Con?
• Def Con = “Most hostile network on earth” ????
• Sure, don’t use the hotel Wi-Fi, but how bad is it for your cell phones?
• Personal experiment to see if I could find any IMSI Catchers
Setup
• AIMSICD App
• Burner Android Phone (rooted)
• Next time: pre-install opencellid.org data
War Driving the Strip in style
Don’t Freak out!
[Maps: Pre Def Con War Walk / Post Def Con Data]
Lots of false positives
• Devices on multiple floors?
• Multiple redundant devices in the same location
• Potential issues with GPS accuracy
Still Unknown Devices
Red dots represent devices that I did not see in my preliminary walk and were not already known to opencellid.org
Caesar’s
• 3 nights in Caesar’s before Def Con
• Lots of towers picked up
• Suggests a sort of ‘drive-by attack’
• Also observed a lot of LTE to GSM downgrade attacks; my device was hopping networks quite frequently
• At least 4 of these devices were previously not known to opencellid.org
• There were a couple of others that had only been seen once before
Defense
• Depends on your personal threat model
• Don’t use your device
• Wi-Fi calling over a VPN?
• Signal (Open Whisper Systems) for calls/SMS protects content, although you would still be tracked: the IMSI is handed to the catcher before any app is involved
• If all wireless carriers published their tower IDs you could at least know when an ID did not match
• A catcher could still spoof a published tower ID, so a matching ID alone is not proof of a genuine tower
• Pressure wireless carriers for mutual authentication between device and network. 3G and LTE already authenticate the network to the phone; 2G GSM does not, so the downgrade is the weak point and blocking 2G fallback is the practical ask
Conclusions
• The devices are very hard to detect; this is part of what makes them so dangerous
• You rarely know when you are connected to these devices
All data collected is available on my Github page:
https://github.com/MrVaughan/Defcon2016GSMData
Shameless Plug
• CMD+CTRL CTF Saturday night
• Accessible web app CTF for beginners and pros alike
• Lots of challenges to keep you busy
• Prizes
Thank you
Geoffrey Vaughan (@mrvaughan) @SecurityInnovation