IMSICatchersForActivists.md
Lines changed: 29 additions & 9 deletions
Original file line number
Diff line number
Diff line change
@@ -7,11 +7,11 @@ _"Not on the phone"_ --Stringer Bell
7
7
8
8
## Introduction
9
9
10
-
Activists on the streets face a multitude of threats of State repression ranging from surveillance, arrest, and physical violence at minimum. Technology tools by themselves will not reduce this State power but tools used as part of a _security culture_ can make an impact. There already exist a few excellent guides [0] on cell phones knowledge for activists. However this short guide will specifically explore IMSI catchers [1], their capabilities, as well as some practical counter-surveillance measure. Sections that are technical, but not required reading, will be marked with a asterisks at the start of the paragraph for optional reading
10
+
Activists on the streets face a multitude of threats of State repression ranging from surveillance, arrest, and physical violence at minimum. Technology tools by themselves will not reduce this State power but tools used as part of a _security culture_ can make an impact. There already exist a few excellent guides <sup>[[0]]</sup> on cell phones knowledge for activists. However this short guide will specifically explore IMSI catchers <sup>[[1]]</sup>, their capabilities, as well as some practical counter-surveillance measure. Sections that are technical, but not required reading, will be marked with a asterisks at the start of the paragraph for optional reading
11
11
12
12
### GSM Technology
13
13
14
-
*****Your phone (MS) connects to a cell phone tower [2]. In order to preserve battery life, it will by design pick the strongest broadcasting tower in your area. When the connection occurs, you connect to a a base transceiver station (BTS) and multiple BTS create a general location area code (LAC). The BTS your phone connects to determines a large amount of the capabilities of your connection: is it encrypted or not, how is it encrypted, is it 2G/3G etc. So when your phone (MS) makes the _first_ connection to your phone a large amount of information about your phone is handed off. The information that is handed off could uniquely places activists at demonstrations, which is the _largest_ concern for activists who wish to remain anonymous.
14
+
*****Your phone (MS) connects to a cell phone tower <sup>[[2]]</sup>. In order to preserve battery life, it will by design pick the strongest broadcasting tower in your area. When the connection occurs, you connect to a a base transceiver station (BTS) and multiple BTS create a general location area code (LAC). The BTS your phone connects to determines a large amount of the capabilities of your connection: is it encrypted or not, how is it encrypted, is it 2G/3G etc. So when your phone (MS) makes the _first_ connection to your phone a large amount of information about your phone is handed off. The information that is handed off could uniquely places activists at demonstrations, which is the _largest_ concern for activists who wish to remain anonymous.
15
15
16
16
### Phones
17
17
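Review bot: the new `<sup>[[0]]</sup>` form is a reference-style link and only renders as a link if a matching definition such as `[0]: https://...` exists at the bottom of the file; no definitions are visible in this diff, so confirm they were added in the same commit or `[[0]]`, `[[1]]` and `[[2]]` will render as literal brackets. Since the introduction and GSM paragraph are being rewritten anyway, the carried-over typos could be fixed in the same hunk: "connect to a a base transceiver station", "makes the _first_ connection to your phone" (presumably "to the tower"), "could uniquely places activists", and "a asterisks". The GSM paragraph also opens with `*****`; the introduction promises a single asterisk to mark optional technical sections, and five unescaped asterisks at the start of a line are likely to be parsed as emphasis delimiters rather than shown literally, so a single escaped `\*` would be safer.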
@@ -23,9 +23,9 @@ _Phones_ _are_ _tracking_ _devices_ (NEVER forget this fact!) Your phone will ro
23
23
24
24
### IMSI Catchers and their capabilities
25
25
26
-
When your phone connects to a new BTS for the first time, the IMSI that uniquely identifies your phone is broadcast to the BTS. Because IMSIs so uniquely identify a phone, a temporary id (TMSI) is generated for most actual uses. The first connection is what gets exploited by IMSI Catchers. IMSI Catchers work by broadcasting as a fake cell tower and tricking your phone into handing your IMSI over to it. [3] There are also two modes that Stingrays (a trademarked type of IMSI Catcher) can operate in; a passive and active mode. In the active mode, a phone is constantly ping'ed and tracked. In an active attack, the phone will broadcast its location at its full power output which will present as very high battery drain. Passive attackers are much harder to detect because they may be present for weeks or months at a time (say outside of a foreign embassy). Passive mode are more interested in profiling information, namely phone routing information or "metadata" about who was dialing who, duration of calls etc.) A passive attacker could survey andarea and dump all phone records in an area into a database. I suspect that IMSI Catchers in passive mode are used at demonstrations to map social networks. That way the police can tell *who* might have been in the area for intelligence gathering. There also exist so called "hybrid" modes which mix these two properties.
26
+
When your phone connects to a new BTS for the first time, the IMSI that uniquely identifies your phone is broadcast to the BTS. Because IMSIs so uniquely identify a phone, a temporary id (TMSI) is generated for most actual uses. The first connection is what gets exploited by IMSI Catchers. IMSI Catchers work by broadcasting as a fake cell tower and tricking your phone into handing your IMSI over to it. <sup>[[3]]</sup> There are also two modes that Stingrays (a trademarked type of IMSI Catcher) can operate in; a passive and active mode. In the active mode, a phone is constantly ping'ed and tracked. In an active attack, the phone will broadcast its location at its full power output which will present as very high battery drain. Passive attackers are much harder to detect because they may be present for weeks or months at a time (say outside of a foreign embassy). Passive mode are more interested in profiling information, namely phone routing information or "metadata" about who was dialing who, duration of calls etc.) A passive attacker could survey andarea and dump all phone records in an area into a database. I suspect that IMSI Catchers in passive mode are used at demonstrations to map social networks. That way the police can tell *who* might have been in the area for intelligence gathering. There also exist so called "hybrid" modes which mix these two properties.
27
27
28
-
For 2G, IMSI Catchers (depending on the model/manufacturer) can capture your dialed numbers, _content_ of your calls / SMS, metadata, and SMS information can be intercepted and in, some models, content can be modified in real time. PDF pg 7 [4] For 3G and LTE, there is an additional authentication mechanism [5] so content interception isn't possible but IMSI Catching still works. It is also possible to "jam" 3G broadcasting to force your phone to use 2G, so called downgrade attacks. (There are other attacks to break GSM encryption for 3G/LTE [6])
28
+
For 2G, IMSI Catchers (depending on the model/manufacturer) can capture your dialed numbers, _content_ of your calls / SMS, metadata, and SMS information can be intercepted and in, some models, content can be modified in real time. PDF pg 7 <sup>[[4]]</sup> For 3G and LTE, there is an additional authentication mechanism <sup>[[5]]</sup> so content interception isn't possible but IMSI Catching still works. It is also possible to "jam" 3G broadcasting to force your phone to use 2G, so called downgrade attacks. (There are other attacks to break GSM encryption for 3G/LTE <sup>[[6]]</sup>)
29
29
30
30
tl;dr IMSI catchers uniquely identify *your* phone number
31
31
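Review bot: "so content interception isn't possible" on the 3G/LTE `+` line is contradicted two sentences later by the downgrade attack described in the same paragraph; qualify it, e.g. "so a fake tower cannot intercept content directly, but it can jam 3G/LTE to push the phone down to 2G, where it can". The "PDF pg 7" fragment sits outside the citation markup and reads as body text; fold it into the sentence, e.g. `(PDF, p. 7) <sup>[[4]]</sup>`. Typos carried over on the IMSI-catcher `+` line: "survey andarea", "Passive mode are more interested", and the stray ")" after "duration of calls etc.". The unchanged tl;dr context line says catchers identify your "phone number", while the paragraph above only claims the IMSI identifies your phone; the body never says the IMSI is the dialable number, so "phone" (or "phone/SIM") would be consistent with the text.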
@@ -50,7 +50,7 @@ Note to activists:
50
50
51
51
A small list of counter-surveillance that activists can do on the ground include:
52
52
53
-
* Look for amberjack antennas [7][8]
53
+
* Look for amberjack antennas [7][8]
54
54
* Turn phone off
55
55
* SnoopSnitch (Android)
56
56
* AIMSICD (Android)
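Review bot: the `-`/`+` pair for "Look for amberjack antennas [7][8]" shows no visible difference (probably trailing whitespace), and it is the one citation in this file that was not converted to the new form; change it to `<sup>[[7]]</sup><sup>[[8]]</sup>` so the markup is uniform, or drop the no-op change from the diff. The list item would also be more useful "on the ground" with a few words on what such an antenna looks like, since that is the check the reader is being asked to perform.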
@@ -59,21 +59,21 @@ A small list of counter-surveillance that activists can do on the ground include
59
59
60
60
#### Android
61
61
62
-
There exist two good projects for detecting IMSI catchers for Android: SnoopSnitch [9] and AIMSICD[10]. Snoop Snitch is particularly promising because many of the low-level GSM controls (like AT commands) are hidden away in the proprietary baseband. Some clever engineering by experts in the field allowed them to pull the information into an easy-to-use application. The code is open-source and provides a very good look into how IMSI Catchers work in the wild. The application also detects SS7 attacks which are outside the focus this article. Snoop Snitch is available in the Android Store [11] for devices which have Qualcomm basebands.
62
+
There exist two good projects for detecting IMSI catchers for Android: SnoopSnitch <sup>[[9]]</sup> and AIMSICD<sup>[[10]]</sup>. Snoop Snitch is particularly promising because many of the low-level GSM controls (like AT commands) are hidden away in the proprietary baseband. Some clever engineering by experts in the field allowed them to pull the information into an easy-to-use application. The code is open-source and provides a very good look into how IMSI Catchers work in the wild. The application also detects SS7 attacks which are outside the focus this article. Snoop Snitch is available in the Android Store <sup>[[11]]</sup> for devices which have Qualcomm basebands.
63
63
64
-
AIMSICD is another promising application in active development. A coupe of nice features include a local database backup of events that occur in your area for later analysis, an easy to use UI and color coded threat levels. In my own experience, I turn on the application as I walk around town and have passively mapped most of the topography of GSM towers in the city. This baseline is important for when fake towers emerge and disappear quickly. You can download the APK here[12]
64
+
AIMSICD is another promising application in active development. A coupe of nice features include a local database backup of events that occur in your area for later analysis, an easy to use UI and color coded threat levels. In my own experience, I turn on the application as I walk around town and have passively mapped most of the topography of GSM towers in the city. This baseline is important for when fake towers emerge and disappear quickly. [You can download the APK here](https://github.com/SecUpwN/Android-IMSI-Catcher-Detector/releases).
65
65
66
66
#### End-To-End Encryption
67
67
68
-
"Properly implemented strong crypto systems are one of the few things that you can rely on". While cryptography can be relied upon to protect your content, the GSM model is badly broken in many ways. IMSI catchers can still uniquely identify your phone but to protect from _eavesdropping_ you can use SMS encryption with Signal [13] for Android or iOS [15]. Phone calls can be encrypted using Signal as well for either platform. These are free, open-source applications that allow users to communicate with very user friendly applications.
68
+
"Properly implemented strong crypto systems are one of the few things that you can rely on". While cryptography can be relied upon to protect your content, the GSM model is badly broken in many ways. IMSI catchers can still uniquely identify your phone but to protect from _eavesdropping_ you can use SMS encryption with Signal <sup>[[13]]</sup> for Android or iOS <sup>[[15]]</sup>. Phone calls can be encrypted using Signal as well for either platform. These are free, open-source applications that allow users to communicate with very user friendly applications.
69
69
70
70
### Trade-Offs
71
71
72
72
The downside to these applications (SnoopSnitch and AIMSICD) is that they require very low-level access to your cellphone. SnoopSnitch also requires a rooted Android phone. If you're not comfortable with that being the case, you can purchase a low-cost Moto E for $100 USD and use it as a testing device (with the added benefit that your everyday phone number isn't attached to demonstrations). Purchase the Moto E and a pre-paid SIM card with cash and register a new Google Account (not linked to your *real* idenity).
73
73
74
74
Another trade-off with Snoop Snitch is that it will send traffic back to SDR Labs to help build a database of SS7/IMSI Catcher attacks. You may not want this.
75
75
76
-
Is this all worth it? I'd argue that IMSI Catchers posses a real threat to anonymous political speech. There is evidence of coordinated crackdown on protests in the last few years [16][17] and see a very real need to update our threat models. We know in the past that IMSI Catchers were deployed on US soil [18] against protesters in 2003 and local police are only getting more money from DHS under "counter terrorism" grants. It has also been widely reported that IMSI Catchers have been found at demonstrations in Egypt, Germany, Ukraine, etc.
76
+
Is this all worth it? I'd argue that IMSI Catchers posses a real threat to anonymous political speech. There is evidence of coordinated crackdown on protests in the last few years <sup>[[16]]</sup><sup>[[17]]</sup> and see a very real need to update our threat models. We know in the past that IMSI Catchers were deployed on US soil <sup>[[18]]</sup> against protesters in 2003 and local police are only getting more money from DHS under "counter terrorism" grants. It has also been widely reported that IMSI Catchers have been found at demonstrations in Egypt, Germany, Ukraine, etc.
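Review bot: the AIMSICD `+` line replaces the `[12]` reference with an inline link to the GitHub releases page while every other citation in this commit is being moved to `<sup>[[n]]</sup>`; keep the style uniform by defining `[12]` with that URL instead. Because readers are told to sideload this APK onto a device they will carry to demonstrations, the line should also tell them to verify the download (the release's checksum or signature, if the project publishes one) rather than install whatever the link serves. The Signal `+` line cites `[[13]]` and `[[15]]` with no `[[14]]`, so check the numbering against the reference list. Typos in the unchanged context lines worth a follow-up: "coupe of nice features", "idenity", "posses a real threat", and "and see a very real need" is missing its subject ("and I see").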