When looking for SDR solutions to implement our 4G network, we currently have 3 options for our laboratory; OpenLTE, OpenAirInterface and srsLTE. In this case, I created a laboratory using the USRP B200 with srsLTE:
The EPC (srsepc) has a modified version of the code to allow client devices to send their “Attach” request, being identified with their IMSI, as we can see in the following image :
Once we have obtained the IMSI of our victim, as we saw in the previous article about these attacks in 3G, we could continue modifying the 4G SDR based network code to degrade the 4G service completely forcing the mobile to look for another cell in the 3G frequencies or 2G. Or just do nothing else and collect more IMSI identities from new victims, a typical fast and effective IMSI Catch attack.
How could we detect these intrusions? I continue using the active approach, instead of the 2G passive sniffing. Using 4G modems and capturing the signaling we are able to analyze all these situations and in the same hand, we can monitor our mobile operator security parameters, but this requires using a valid SIM card in the modem. Xgoldmon or SCAT (Signaling Collection and Analysis Tool) are also valid candidates.
CellAnalysis 3G & 4G will be released soon, so stay tuned.
It doesn’t looks like an IMSI-Catch attack, much more it seems to be a miss configuration, someone playing around with YateBTS in his/her laptop plugged with a BladeRF, completely forgotten to disable or modify source to avoid the SMS welcome, so everyone who walks in the RSA conference close to this YateBTS station received a welcome SMS as showed above.
Quote from the article: “After denying use of the controversial technology, documents obtained by the Star show that the Toronto Police Service has used the cellphone data-capturing device known as an IMSI catcher, or Stingray, in five separate investigations.”
This new article from thestar.com rises new use cases from the Toronto Police.
Researchers at the University of Washington uses a sensor box, including a GPS module, a GSM cellular modem, a Raspberry Pi, a cellular hotspot, and an Android phone running SnoopSnitch, to collect 2G cells information and detect IMSI catchers, as you can read in the wired.com article.
They identified and mapped out 1,400 cell towers in Seattle, and 700 in Milwaukee, finding anomalies in the Seattle area.
Is far from the intention of this project focusing on creating attacks or disclosure of the methods to achieve, but it is clear that when you want to detect attacks, You should study them to understand and get ahead or warn them.
By way of introduction I have prepared this short article for those who want to know what a false station (also called BTS or Fake IMSI Catcher). In the DefCon security event 18, Chris Paget we illustrated in his talk entitled “PRACTICAL CELLPHONE SPYING”, how to steal the identity of subscribers to a GSM network by creating a false cell using a USRP as hardware for transmitting and receiving terminals to a Linux computer and OpenBTS and Asterisk to set the cell and allow calls to victims.
This is the video of the talk:
A year later (2011) our compatriots Jose Perez David Stang and exposed at Blackhat DC security conference 2011 how to apply the same attack but networks GPRS / EDGE, afectanto even UMTS / HSPA: