Some time ago I wrote about IMSI-Catching attacks on 3G and on another previous article the different studies regarding these attacks in 4G networks, but I finally found enough time to write about these attacks in 4G and of course, detection.

When looking for SDR solutions to implement our 4G network, we currently have 3 options for our laboratory; OpenLTE, OpenAirInterface and srsLTE. In this case, I created a laboratory using the USRP B200 with srsLTE:

The EPC (srsepc) has a modified version of the code to allow client devices to send their “Attach” request, being identified with their IMSI, as we can see in the following image :

Once we have obtained the IMSI of our victim, as we saw in the previous article about these attacks in 3G, we could continue modifying the 4G SDR based network code to degrade the 4G service completely forcing the mobile to look for another cell in the 3G frequencies or 2G. Or just do nothing else and collect more IMSI identities from new victims, a typical fast and effective IMSI Catch attack.

Detection:

How could we detect these intrusions?  I continue using the active approach, instead of the 2G passive sniffing. Using 4G modems and capturing the signaling we are able to analyze all these situations and in the same hand, we can monitor our mobile operator security parameters, but this requires using a valid SIM card in the modem. Xgoldmon or SCAT (Signaling Collection and Analysis Tool) are also valid candidates.

CellAnalysis 3G & 4G will be released soon, so stay tuned.

It doesn’t looks like an IMSI-Catch attack, much more it seems to be a miss configuration, someone playing around with YateBTS in his/her laptop plugged with a BladeRF, completely forgotten to disable or modify source to avoid the SMS welcome, so everyone who walks in the RSA conference close to this YateBTS station received a welcome SMS as showed above.

@s7ephen tweet about this message:

David Burgess (the man who started the OpenBTS project time ago with Harvind Samra) wrote his own note from YateBTS web page regarding this extrange rogue tower:

The ‘rogue GSM tower’ episode and Cambridge Analytica: why ethics matters to technology

Probably this RSA edition will be remembered for the attendees data leak (article from theregister.co.uk), but is also quite interesting this GSM station broadcasting welcome SMS.

Pedro