Update 2022: Quectel EC20 has been discontinued by the manufacturer, so it is no longer available.

We know how difficult it is to have time for everything; too many projects and little time for hacking. For this reason, we have thought about offering you a briefcase with everything ready to use CellAnalysis-LTE, a complete installation mounted in a case so that you only have to insert your SIM card to be able to use it and connect the battery.

The set is composed of three major elements:

• RaspberryPi 3 model B, transparent plastic case and heatsinks.
• Power bank to power the equipment (capacity: 12.000 mAh, output: 5V / 3A).
• Quectel modem EC20 (4G, 3G, 2G y GNSS) placed on a Sysmocom miniPCIe WWAN modem USB break-out board.

The little details will make you not have to worry about anything; the necessary connectors will be installed in the case to be able to connect the antennas on the outside of it and we have selected the most suitable antennas for its use:

• SMA 4G, 3G, 2G omnidirectional antenna and SMA active GPS antenna with 5 meters cable, 28dB gain.

Finally, we verify manually that the installation is correct by delivering the documentation of your briefcase with the credentials of the users and the Wi-Fi connection network.

As for the software, the equipment is delivered with the Raspbian OS, as well as the free version of CellAnalysis-LTE and of course everything necessary for its correct operation. To thank you for your contribution to the project, we included in the team a script to generate an HTML map from your output files, so you can see the cells to which your modem has been connected as well as the possible alarms generated in a web browser:

Connecting to the RPi3

Once you receive your briefcase you will receive with it the certificate with the credentials of the generated users, as well as the default Wifi network to which your equipment will be connected. The RaspberryPi3 will use its internal Wi-Fi interface to connect to the configured network.

If you do not want to connect to the device through a Wi-Fi connection, you can also remove the SDcard from the RaspberryPi3 and insert it in a reader to mount the file system and take the necessary actions, but ATTENTION: you must be aware of the changes at all times you are doing, because it can seriously damage the file system. For this reason, we recommend the Wifi method to manipulate the files in the equipment of the case.

If you provide us with the operator of the SIM card that will be used in the briefcase modem, we will adjust the only variable that you should adjust when receiving the briefcase, which is the operator’s APN connection string. If you do so when you receive the briefcase you only have to connect the battery to start analyzing the information.

Heatmaps

As a thank you for your contribution to our project, you will find next to the CellAnalysis-LTE scripts an HTML map generator (maps based on OpenStreetMap). By manually executing this generator you will be able to visualize the cells to which your briefcase has been connected during your journey and the possible alarms that have been generated:

 

In June of this year I announced the participation of CellAnalysis in the project of Sysmocom Accelerate 3g5 program to detect the 3G IMSICatching attacks. This article describes the first steps studying the 3G attacks within the Osmocom infrastructure and the basic principles of detection that are being implemented in CellAnalysis 3G.

Lab infrastructure:

Following the steps in the Getting_Started_with_3G tutorial,  we setup the 3G network but we will modify the MSC node source code. We don’t need to add any subscriber in the HLR/AuC database, since we are not going to deliver a 3G service to our victims. The negotiation procedure of the mobile to register in our 3G network will always be rejected, in order to be able to downgrade to 2G, in the same way as we saw in 4G (4G / LTE IMSI Catchers). In this first article we will use the “Location Update Reject” attack, with the different causes of rejection forcing the mobile to register in the 2G network (the downgrade attack).

Implementation:
3G

1. femtocell nano3G (Sysmocom)

 

1. Osmocom 3G network,  running on Ubuntu 14 (intel core i5 4200U 1,6GHz, 8Gb RAM)

 

2G

BladeRF x40

YateBTS, 2G network running on Ubuntu 16 (intel atom 1.6GHz, 8GB RAM)

Once configured the 3G network following the Getting Started tutorial, it’s better to verify that the cell 3G is transmitting correctly in the UARFCN 9800 (default channel):
To implement our custom reject cause, we must modify the source code of the MSC to overwrite the registration reject cause in the “Location Update Request” response. Usually the reject cause should be “(2) IMSI unknown in HLR” since we have not provisioned any subscriber in our HLR or “(3) Illegal MS” if we only add the victim’s IMSI in the HLR Sqlite db but not the auth values. It’s needed to manipulate the source code of the MSC so that it always returns the cause value of our interest, according to whether we want to do a D.o.S or a 2G downgrade attack:

· Disable the USIM entirely until power-off or USIM removal.

· Attach requests disable the USIM for packets domain until power-off or USIM removal.

· Periodic Location Update requests will trigger the UE to attempt GERAN instead.

Once we choose and implement our attack, switch-on the victim mobile (S2) and activate Tobias Engel xgoldmon to detect the attack. Check the following image, how the response to the registration request (the Location Update Reject) is correctly sent to our victim with our reject cause choosen (this example is #14, “Service option temporarily out of order“):

After the LocUp Reject, the victim mobile connects to the 2G network (YateBTS). See bellow how after the RRC message “Location Update Reject“, the mobile starts to use LAPDm and begins the authentication in the 2G network:

But, before switching to 2G network, the registration procedure has asked the victim mobile to identify, by requesting the IMSI. This is the 3G IMSICatching attack, see the “Identity Response” message (IMSI has been removed in the image):

Detection:

CellAnalysis 3G uses active monitoring solutions (in this article xgoldmon), instead of the passive ones as SDR boards used in the 2G fake stations detection, to monitor 3G attacks.

Advantages using active monitoring;

• ciphering algorithms (UEA) usage
• authentication parameters and rates

But on the other hand, there is a big disadvantage:

• one SIM card and device per operator in order to scan all the 3G fake stations

Of course a regulation compliance check is being carried out to determine wether the 3G radio parameters are used accordingly to each country frequency distribution regulation, as in the 2G detection.

For a few years now I’ve focused on improving the unpublished version of CellAnalysis (currently 0.1.10), using it in security audits and trying to know the best way to protect the algorithms of the code in order to publish in the future the full version.

I recently decided to give a new direction to CellAnalysis to be able also to detect the fake 3G cells used to force the victims to use fake 2G stations (downgrade attacks). As initial tool I’m thinking in Xgoldmon, which will allow us to analyze the signaling of a mobile in an active way (we need a SIM card inside), although the goal that I have marked in the long term is to write a GNURadio tool that will allow to monitor broadcast traffic in 3G passively, without the need of a SIM card , using the standard SDR (BladeRF) boards.

On the other hand, I had the great luck to participate in the project to contribute to Osmocom 3G5 to cover the following objectives:

(Short term) Study how to implement in the Osmocom 3G network the following attacks:

3G IMSI Catching attacks, using RRC Connection Request/Reject (Initial UE identity – IMSI)

2G downgrade attacks, based on “Loc.Up.Req” reject codes and “RRC Connection Reject”

(Short term) Use Xgoldmon software adapting CellAnalysis algorithms in order to detect the two previous attacks.

(Long term) Write GNURadio scripts/blocks to decode 3G broadcast traffic, adapting CellAnalysis to detect previous attacks with SDR boards.

I would like to give special thanks to @sysmocom, Osmocom community and the “Accelerate 3g5 program” for their contributions  to this project.