It doesn’t looks like an IMSI-Catch attack, much more it seems to be a miss configuration, someone playing around with YateBTS in his/her laptop plugged with a BladeRF, completely forgotten to disable or modify source to avoid the SMS welcome, so everyone who walks in the RSA conference close to this YateBTS station received a welcome SMS as showed above.
Quote from the article: “After denying use of the controversial technology, documents obtained by the Star show that the Toronto Police Service has used the cellphone data-capturing device known as an IMSI catcher, or Stingray, in five separate investigations.”
This new article from thestar.com rises new use cases from the Toronto Police.
Researchers at the University of Washington uses a sensor box, including a GPS module, a GSM cellular modem, a Raspberry Pi, a cellular hotspot, and an Android phone running SnoopSnitch, to collect 2G cells information and detect IMSI catchers, as you can read in the wired.com article.
They identified and mapped out 1,400 cell towers in Seattle, and 700 in Milwaukee, finding anomalies in the Seattle area.
Is far from the intention of this project focusing on creating attacks or disclosure of the methods to achieve, but it is clear that when you want to detect attacks, You should study them to understand and get ahead or warn them.
By way of introduction I have prepared this short article for those who want to know what a false station (also called BTS or Fake IMSI Catcher). In the DefCon security event 18, Chris Paget we illustrated in his talk entitled “PRACTICAL CELLPHONE SPYING”, how to steal the identity of subscribers to a GSM network by creating a false cell using a USRP as hardware for transmitting and receiving terminals to a Linux computer and OpenBTS and Asterisk to set the cell and allow calls to victims.
This is the video of the talk:
A year later (2011) our compatriots Jose Perez David Stang and exposed at Blackhat DC security conference 2011 how to apply the same attack but networks GPRS / EDGE, afectanto even UMTS / HSPA: