Taking a new, active approach, we are proud to release today a new version of CellAnalysis that detects anomalies in 4G LTE, 3G UMTS and 2G GSM/GPRS mobile networks.
I want to thank two companies whose collaboration made this possible:
- Sysmocom, for providing a nano3G femtocell free of charge, which has improved our lab for studying the different attacks on 3G networks.
- EthonShield, for financing this project.
A big change: active probe.
The first big difference in this new version is a change in software architecture: CellAnalysis-LTE is an active probe. Until now, CellAnalysis collected data from SDR devices, capturing the traffic received through their antennas, which is known as a passive probe. This small change reduces computational requirements and software dependencies.
This time a SIM card is required, since no SDR device is used. Instead, a Quectel modem connects to our operator’s network just as any phone would. Using the “diag-parser” utility published by moiji-mobile.com, we can access all the signaling seen by the modem.
While the information provided by the modem is analyzed, the modem’s position is collected from its built-in GPS, to generate a map of the cells our modem has connected to; this also allows the alarms to be geo-positioned.
CellAnalysis-LTE requirements
To run CellAnalysis-LTE, the following programs must be installed:
- diag-parser
- wireshark with LTE dissector
- libqmi-utils
It is important to make sure that your compiled wireshark incorporates the LTE RRC dissector. Otherwise, your system will not be able to interpret the messages generated by the modem. For a quick check we provide a test file; the steps are:
1. Download the test file:
   wget https://www.fakebts.com/wp-content/download/test_LTE.pcapng
2. Open the downloaded file with “tshark”:
   tshark -r test_LTE.pcapng -T pdml | grep integrityProtAlgorithm
3. If your wireshark has the LTE dissector, the previous command prints the integrity protection algorithm:
   <field name="lte-rrc.integrityProtAlgorithm" showname="integrityProtAlgorithm: eia2 (2)" size="1" pos="60" show="2" value="20"/>
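As an added example (not part of the original post or of the CellAnalysis-LTE code), the following Python script performs the same dissector check programmatically on the PDML that “tshark -T pdml” emits, and goes one step further: it extracts the ciphering and integrity algorithms selected in each packet and flags the null algorithms (eea0/eia0), the kind of weak configuration that the professional version reports. The PDML excerpt embedded in the script is constructed: its first packet reproduces the field shown above, the second is invented to exercise the null-algorithm check. The script name “check_lte_rrc.py” is assumed; real output can be piped in with “tshark -r test_LTE.pcapng -T pdml | python3 check_lte_rrc.py”.

```python
"""Check a tshark PDML dump for the LTE RRC dissector and for null security algorithms."""
import sys
import xml.etree.ElementTree as ET

# Constructed PDML excerpt (not a real capture). Packet 1 reproduces the field shown in the
# post; packet 2 is invented so that the null-algorithm check has something to flag.
SAMPLE_PDML = """<pdml version="0" creator="wireshark/3.6.0">
<packet>
  <proto name="lte-rrc" showname="LTE Radio Resource Control" size="8" pos="52">
    <field name="lte-rrc.cipheringAlgorithm" showname="cipheringAlgorithm: eea2 (2)" size="1" pos="60" show="2" value="20"/>
    <field name="lte-rrc.integrityProtAlgorithm" showname="integrityProtAlgorithm: eia2 (2)" size="1" pos="60" show="2" value="20"/>
  </proto>
</packet>
<packet>
  <proto name="lte-rrc" showname="LTE Radio Resource Control" size="8" pos="52">
    <field name="lte-rrc.cipheringAlgorithm" showname="cipheringAlgorithm: eea0 (0)" size="1" pos="60" show="0" value="00"/>
    <field name="lte-rrc.integrityProtAlgorithm" showname="integrityProtAlgorithm: eia0 (0)" size="1" pos="60" show="0" value="00"/>
  </proto>
</packet>
</pdml>
"""

# Enumeration values from 3GPP TS 36.331: 0 = null algorithm, 1 = SNOW 3G, 2 = AES, 3 = ZUC.
ALGORITHM_NAMES = {0: "null", 1: "SNOW 3G", 2: "AES", 3: "ZUC"}
CIPHER_FIELD = "lte-rrc.cipheringAlgorithm"
INTEGRITY_FIELD = "lte-rrc.integrityProtAlgorithm"


def has_lte_rrc_dissector(pdml_text):
    """True if at least one packet was decoded by the lte-rrc dissector (what the grep above checks)."""
    root = ET.fromstring(pdml_text)
    return any(proto.get("name") == "lte-rrc" for proto in root.iter("proto"))


def security_algorithms(pdml_text):
    """Per packet, return the ciphering/integrity enum values found in lte-rrc fields."""
    root = ET.fromstring(pdml_text)
    results = []
    for index, packet in enumerate(root.iter("packet"), start=1):
        # The PDML 'show' attribute carries the decoded enum value as a decimal string.
        values = {field.get("name"): int(field.get("show"))
                  for field in packet.iter("field")
                  if field.get("name") in (CIPHER_FIELD, INTEGRITY_FIELD)}
        if values:
            results.append({"packet": index,
                            "ciphering": values.get(CIPHER_FIELD),
                            "integrity": values.get(INTEGRITY_FIELD)})
    return results


def weak_security_findings(pdml_text):
    """Flag null ciphering (eea0) and null integrity (eia0).

    EIA0 is only legitimate for unauthenticated emergency sessions, so seeing it on an
    ordinary attach is worth an alarm; EEA0 means user and signaling traffic is in the clear.
    """
    findings = []
    for entry in security_algorithms(pdml_text):
        if entry["ciphering"] == 0:
            findings.append(f"packet {entry['packet']}: null ciphering (eea0) selected")
        if entry["integrity"] == 0:
            findings.append(f"packet {entry['packet']}: null integrity (eia0) selected")
    return findings


if __name__ == "__main__":
    # Use real tshark output when piped in, otherwise the constructed sample above.
    text = SAMPLE_PDML if sys.stdin.isatty() else sys.stdin.read()
    print("lte-rrc dissector present:", has_lte_rrc_dissector(text))
    for entry in security_algorithms(text):
        print(entry, "ciphering:", ALGORITHM_NAMES.get(entry["ciphering"]),
              "integrity:", ALGORITHM_NAMES.get(entry["integrity"]))
    for finding in weak_security_findings(text):
        print("ALARM:", finding)
```

If has_lte_rrc_dissector() returns False on the test file, wireshark was built without the LTE RRC dissector and the rest of CellAnalysis-LTE will not be able to decode the modem’s messages either.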
Using CellAnalysis-LTE
Once your Linux system has all the software requirements installed, we can run CellAnalysis-LTE, which loops indefinitely until it is interrupted by pressing Ctrl + C on the command line. To run the script, the “mode” parameter is mandatory; in this first version it can only take the value “quectel”:
Usage: ./cell_analysis_lte.sh -m [MODE] {options: -g -o}
-h This help.
-m [MODE] Mandatory, must be: {quectel}.(expected two more modes: xgoldmon and scat)
-g Use a GPS device to add coordinates (requires to configure variables in code: GPS Parameters). Could be one of: {variable or quectel}.
-p Establish Quectel preferred network mode. You have to replug your device every time the preferred network changes. Could be one of: { gsm, umts or lte}.
The “-g” parameter enables a GPS so that the coordinates of our Quectel modem are added to the results. Finally, the “-p” parameter sets our preferred network type, so that 4G, 3G or 2G is used preferentially.
Before use, check these three variables at lines 45, 46 and 53:
line 45 CDCDEV="/dev/cdc-wdm0"
line 46 QUECTELDEV="wwan0"
line 53 APNSTRING="..."
- CDCDEV must be your Linux CDC device name, usually /dev/cdc-wdm0 or /dev/cdc-wdm1.
- QUECTELDEV must be your Linux wwan device name, usually wwan0.
- APNSTRING must contain the APN connection string of the SIM card’s network operator, usually composed of the APN name, APN username and APN password. Check this website if you don’t know your operator’s APN settings: https://apnsettings.gishan.net/
Professional vs. free version of CellAnalysis-LTE
There are two versions of CellAnalysis-LTE: a free version for personal use and a professional version for business use. The differences are described below:
Free version:
- Analysis of the information and results is managed only locally.
- Basic analysis of the cells (PLMN, TAC/LAC, CellID and ARFCN)
- Monitoring of two anomalous situations:
  - Attach requests to the 4G, 3G or 2G network using the IMSI
  - Rejections of registration requests to 4G, 3G or 2G networks
Professional version:
- Comprehensive analysis of signaling based on a UE state machine
- Monitoring of the following anomalous situations:
  - Attach requests to the 4G, 3G or 2G network using the IMSI
  - Rejections of registration requests to 4G, 3G or 2G networks
  - Non-recommended or inconsistent configurations of the encryption and integrity protection algorithms
  - Registration requests to 4G, 3G or 2G networks using the IMSI out of place
  - Monitoring of temporary identities
  - Monitoring of neighboring cells
  - Consistency of the signal level received from the cells
  - Identity entropy analysis
  - A profile of each visited cell, to monitor cell hijacking
  - Regulatory compliance analysis of the visited cells (out-of-band cells)
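As an added example that is not part of the original post or of CellAnalysis-LTE, the following Python script sketches how a small UE-side state machine can raise the first three alarms in the lists above (attach requests using the IMSI, registration rejections, and an IMSI attach that is out of place because the UE already holds a GUTI) over a stream of already-decoded NAS events. The event stream, its field names and the cell identifiers are constructed for the example; the EMM cause labels are a subset of 3GPP TS 24.301.

```python
"""Toy UE-side state machine that raises the attach-related alarms listed above."""
from dataclasses import dataclass


@dataclass
class Alarm:
    t: int
    kind: str
    detail: str
    cell: tuple  # (PLMN, TAC, CellID) of the serving cell when the alarm fired


# Subset of EMM cause values from 3GPP TS 24.301, section 9.9.3.9, used only to label rejects.
EMM_CAUSES = {3: "Illegal UE", 6: "Illegal ME", 7: "EPS services not allowed",
              8: "EPS services and non-EPS services not allowed"}

# Constructed, already-decoded NAS event stream. Field names are this example's own, not
# CellAnalysis-LTE's format, and the cell identifiers are made up.
CELL_A = ("21407", "0x1a2b", 12345)
CELL_B = ("21407", "0x1a2b", 67890)
SAMPLE_EVENTS = [
    {"t": 0, "msg": "attach_request", "identity": "imsi", "cell": CELL_A},  # first attach, no GUTI yet
    {"t": 1, "msg": "attach_accept", "guti": "GUTI-constructed-1", "cell": CELL_A},
    {"t": 2, "msg": "attach_request", "identity": "guti", "cell": CELL_A},  # normal: UE reuses its GUTI
    {"t": 3, "msg": "attach_request", "identity": "imsi", "cell": CELL_B},  # IMSI although a GUTI is held
    {"t": 4, "msg": "attach_reject", "cause": 7, "cell": CELL_B},
]


class UeMonitor:
    """Tracks whether the UE holds a temporary identity and raises alarms on each event."""

    def __init__(self):
        self.guti = None
        self.alarms = []

    def feed(self, ev):
        msg, t, cell = ev["msg"], ev["t"], ev["cell"]
        if msg == "attach_request":
            if ev["identity"] == "imsi":
                # Free-version rule: any attach carrying the permanent identity is reported.
                self.alarms.append(Alarm(t, "imsi_attach", "attach request identified by IMSI", cell))
                if self.guti is not None:
                    # Professional-version rule: a genuine network addresses this UE by the GUTI
                    # it already assigned, so an IMSI attach here is out of place.
                    self.alarms.append(Alarm(t, "imsi_attach_out_of_place",
                                             f"IMSI used while GUTI {self.guti} is still valid", cell))
        elif msg == "attach_accept":
            self.guti = ev.get("guti", self.guti)
        elif msg == "attach_reject":
            cause = ev.get("cause")
            label = EMM_CAUSES.get(cause, "cause not in this table")
            self.alarms.append(Alarm(t, "attach_reject", f"EMM cause #{cause} ({label})", cell))
            # Simplifying assumption: a full implementation would also apply the TS 24.301 rules
            # under which some reject causes make the UE discard its GUTI, so that the next
            # IMSI attach is expected rather than out of place.


def run_monitor(events):
    """Feed every event through one monitor and return the alarms in order."""
    mon = UeMonitor()
    for ev in events:
        mon.feed(ev)
    return mon.alarms


if __name__ == "__main__":
    for alarm in run_monitor(SAMPLE_EVENTS):
        print(f"t={alarm.t} cell={alarm.cell} {alarm.kind}: {alarm.detail}")
```

Each alarm carries the serving cell (PLMN, TAC, CellID), mirroring the per-cell information in cells.log, so that a repeated alarm can be tied to one cell rather than to the whole session.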
CellAnalysis-LTE outputs
Running the program generates two output files, which are continuously updated while CellAnalysis-LTE runs:
- outputs/cells.log: contains the possible alarms when an anomalous situation is detected, together with detailed information about the cells your modem finds. Each time an alarm is raised, a “tshark_files_xxxxxxxx” file in PCAPNG format is saved in this directory; it can be opened with wireshark to obtain more details about what the alarm reported.
- events/app.log: shows the execution status of the application, including any problem with dependencies or with the hardware status, GPS, etc. It is updated periodically so that you know the main loop is still active.
Download the free CellAnalysis-LTE
Please visit our download page. You can also check out our ready-to-go setup.