iParanoid: an IMSI Catcher - Stingray Intrusion Detection System

The goal is the research and development of an Intrusion Detection System for cellular networks.
Mainly, this app checks the status of some cell network variables (e.g. Cell ID, LAC, A5 encryption, etc.), updates a local DB accordingly, and checks whether the information about the cell networks around the user is consistent or whether there could be a risk (e.g. possible interception, possible impersonation, etc.).

  1. Bootcamp 2012 – University of Luxembourg. Luca Bongiorni – 20/09/2012
  2. GSM (2G), even if dated (1987), is the most popular radio communication standard in the world. It is widely deployed: it counts more than 4.4 billion subscribers spread across more than 200 countries.
  4. “… police had been detecting unauthorized IMSI catchers being used across the country, though had not been able to catch any of the perpetrators. … Former Czech intelligence agency chief A. Sandor said that businesses could be using them to spy on one another. … it’s possible that criminal gangs could be using them for extortion” • What happens if competitors use one to take advantage of your company? • What happens if someone intercepts you and then extorts money from you? Think about it…
  5. In the last years many practical attacks have been publicly disclosed! Using cell phones is no longer safe for private life or for business. Some of the threats you should be aware of: • IMSI-Catchers (e.g. Location Disclosure, Calls, SMS, Banking mTAN Interception, Hijacking Emergency Calls, User Impersonation, etc.) • Passive Sniffing / Cracking (if the operator uses a weak encryption algorithm, your data, calls and SMS can be easily intercepted by everyone!)
  6. Why does this work? • Lack of Mutual Authentication o The MS authenticates to the network, not vice versa • Subscriber Mobility o The stronger signal wins (Cell Selection & Reselection) o Forced Location Update (if LAC(PLMN) != LAC(IMSI-Catcher) then the MS switches to the IMSI-Catcher) • Encryption is NOT Compulsory o A5/0 = No Encryption
  7. Location Disclosure (figure labels: victim’s CallerID, list of cities and IMSIs, Local Area, Catch-and-Relay)
  8. • Spoofing CallerID • Eavesdropping Outgoing Calls & SMS • Hijacking Emergency Calls
  9. UMTS & LTE? Don’t worry! They are vulnerable as well! What happens if we JAM the UMTS & LTE frequencies?! Le UE: “Nice to meet you again sir GSM” Le GSM: “Welcome back my dear”
  13. “GPRS Intercept: Wardriving phone networks” by Nohl & Melette, 2011 http://tinyurl.com/gprs-nohl-slides – Many operators do NOT encrypt communications!!!
  15. How can we mitigate the problem?
  16. A Mobile Cell Network Intrusion Detection System. iParanoid is an Android app (and soon also for iPhone) that acts as a sort of real-time IDS (Intrusion Detection System): it alerts the subscriber when something strange is happening and reacts in order to prevent attacks or data loss: • Man In The Middle Attacks (Phone Interception) • No encryption adopted by the operator • Impersonation Attacks • Denial of Service • Silent Calls or SMS
  17. iParanoid has two operative modes. Offline Mode: the app should be able to show which encryption level is used by the cell network and alert the user if that encryption level changes (e.g. A5/1 -> A5/2 -> A5/0) and if the tuple (CellID/LAC) changes too. Online Mode: the app should retrieve the list of all trustable BTSes (for the area where the user is located, thanks to the GPS) from the remote server **. ** High encryption level needed (e.g. GPG). Both operative modes can be run as a daemon from the boot of the phone (without user interaction) or launched by the user as a usual app.
  18. The app should use the Android APIs to retrieve some important variables from the cell network, such as: MNC, MCC, LAC, CID, cipher indicator A5 (eventually also CRO, T3212 and neighbour cells). Then, once the GPS position is also retrieved, all data are evaluated and sent to a remote server that will further analyze the security level and report any malicious behaviour. In case of alerts the user will be notified and he/she will have the possibility to spread them through social networks or the iParanoid webserver (anonymously).
  20. The server should use TWO DBs: ● Trustable BTS Towers DataBase (e.g. http://www.opencellid.org) ● Anonymous User Alerts (GPS position, timestamp & type of risk). The server should be able to analyze and correlate the information between the first DB and the data that has been sent from iParanoid. In case of malicious behaviour, it should notify the user with an alert.
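The detection rules of slide 17 (Offline Mode: cipher downgrade and CellID/LAC change) and the server-side correlation of slide 20 (Online Mode: compare the camped cell against a trusted BTS database), as an added example written for this page; it is not iParanoid's own code. The class names, the cipher ranking and the sample trace are assumptions, and the trace values are constructed, not real network data.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed strength ranking of the A5 cipher indicator, strongest first.
# Moving to a lower rank is treated as a downgrade; A5/0 means no encryption.
CIPHER_RANK = {"A5/3": 3, "A5/1": 2, "A5/2": 1, "A5/0": 0}


@dataclass(frozen=True)
class CellObs:
    """One snapshot of the cell the phone is camped on (values from the baseband)."""
    mcc: str
    mnc: str
    lac: int
    cid: int
    cipher: str


class CellMonitor:
    """Offline Mode rules plus optional Online Mode check against a trusted BTS set."""

    def __init__(self, trusted: Optional[set] = None):
        self.prev: Optional[CellObs] = None
        self.trusted = trusted  # set of (mcc, mnc, lac, cid) from the trusted BTS DB

    def observe(self, obs: CellObs) -> list:
        alerts = []
        if self.prev is not None:
            # Offline Mode: encryption level changed for the worse (e.g. A5/1 -> A5/0).
            if CIPHER_RANK.get(obs.cipher, -1) < CIPHER_RANK.get(self.prev.cipher, -1):
                alerts.append(f"cipher downgrade {self.prev.cipher} -> {obs.cipher}")
            # Offline Mode: the (LAC, CID) tuple changed. Legitimate reselection also
            # triggers this, which is why Online Mode correlates it with the trusted DB.
            if (obs.lac, obs.cid) != (self.prev.lac, self.prev.cid):
                alerts.append(f"cell change ({self.prev.lac}/{self.prev.cid}) -> ({obs.lac}/{obs.cid})")
        if obs.cipher == "A5/0":
            alerts.append("no encryption (A5/0)")
        # Online Mode: the camped cell is not in the trusted BTS list for this area.
        if self.trusted is not None and (obs.mcc, obs.mnc, obs.lac, obs.cid) not in self.trusted:
            alerts.append(f"unknown BTS {obs.mcc}-{obs.mnc} LAC {obs.lac} CID {obs.cid}")
        self.prev = obs
        return alerts


def run_sample() -> list:
    """Constructed trace: two trusted cells with A5/1, then a new LAC with A5/0."""
    trusted = {("001", "01", 1001, 42), ("001", "01", 1001, 43)}
    monitor = CellMonitor(trusted)
    trace = [CellObs("001", "01", 1001, 42, "A5/1"),
             CellObs("001", "01", 1001, 43, "A5/1"),
             CellObs("001", "01", 9999, 7, "A5/0")]
    return [monitor.observe(o) for o in trace]
```

The third observation in the sample trace raises all four alert types at once, which is the pattern the forced location update on slide 6 would produce.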