IMSI Catchers and Mobile Security
EAS499Honors-IMSICatchersandMobileSecurity-V18F-1
EAS499Honors-IMSICatchersandMobileSecurity-V18F-1
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
4 COUNTERMEASURES<br />
4.1 Detection Indicators<br />
As the design <strong>and</strong> production of <strong>IMSI</strong> catchers has historically been kept secret, not much<br />
information is publicly available about how specific models of <strong>IMSI</strong> catchers work. However,<br />
based on investigative research <strong>and</strong> working prototypes such as Chris Paget’s homebuilt <strong>IMSI</strong><br />
catchers, there are some unusual behaviors of <strong>IMSI</strong> catchers that can be used to differentiate them<br />
from legitimate base stations. Some of these have been identified as proposed heuristics <strong>and</strong> are<br />
laid out below, following the material in [27].<br />
These detection indicators can be monitored on either the user’s mobile phone (see Sections<br />
4.2 <strong>and</strong> 4.3) or on separate hardware (see Section 4.4). Such apps or devices may be called “<strong>IMSI</strong><br />
catcher catchers” or “<strong>IMSI</strong> catcher detectors”. Implementation of these indicators has also been<br />
limited by access to baseb<strong>and</strong> chip functions, which has typically been restricted by chipmakers 7 .<br />
4.1.1 Off-b<strong>and</strong> Frequency Usage<br />
In order to increase signal quality <strong>and</strong> reduce noise, <strong>IMSI</strong> catchers may choose to operate<br />
on an unused frequency, such as channels reserved for testing or buffer channels between different<br />
operators. The drawback of using these frequencies is that the mobile stations may prefer<br />
neighboring cell frequencies (as advertised by the original base station they are connected to)<br />
instead, reducing the probability of the mobile station connecting to the <strong>IMSI</strong> catcher.<br />
Alternatively, the <strong>IMSI</strong> catcher can operate on an advertised frequency that is not actually in use<br />
at that time in the vicinity.<br />
This behavior can be detected by cross-checking the operating frequencies of the cell<br />
towers in the vicinity against the current frequency b<strong>and</strong> plan as designated by local authorities.<br />
According to [27], “radio regulatory bodies <strong>and</strong> frequency plans are available for almost all<br />
countries.”<br />
4.1.2 Unusual Cell ID<br />
GSM Cell IDs (CIDs) are unique numbers identifying each base station within a Location<br />
Area Code (LAC) in a GSM network. Valid CIDs range from 0 to 65535 (i.e. 2 16 -1) for GSM <strong>and</strong><br />
CDMA networks. In order to avoid protocol mismatch with the real base stations <strong>and</strong> to elicit a<br />
Location Update request from mobile phones, <strong>IMSI</strong> catchers usually introduce a new CID<br />
previously unused within the operating geographic region.<br />
This behavior can be detected by cross-checking the base station CIDs in the vicinity with<br />
a database of registered base stations, their CIDs, <strong>and</strong> their registered geographic locations. These<br />
databases are available from government sources, for example, the Federal Communications<br />
7<br />
In his presentation of SnoopSnitch, Nohl explains that the development team would have implemented detection<br />
measures for additional heuristics if they could, but were instead limited by restricted access to information from the<br />
Qualcomm baseb<strong>and</strong> chip [18].<br />
18