Hunting the hunter, can you tell if your phone’s being captured by a rogue cell phone tower/ IMSI catcher/ Stingray? Learn strategies to detect rogue cell phone towers and hear stories from adventures war walking Las Vegas during Defcon. Learn about IMSI catchers their capabilities, LTE to GSM downgrade attacks, and ways to protect yourself from these devices. Discover open source projects and other ways you can get involved to help make cellular technologies safer for users.
Video Link: https://www.youtube.com/watch?v=eivHO1OzF5E
2. What you will learn today
1. What IMSI Catchers do and how they work
2. Detection Strategies
3. Hear an exciting tale of adventures in Vegas
4. Learn how to avoid being caught up in an IMSI Catcher
3. Whoami
• Geoffrey Vaughan @MrVaughan
• Security Engineer @SecurityInnovation
• Appsec pentesting/advisory at all areas of SDLC
• Former High School/Prison/University Teacher
• Occasionally I’m let out of my basement
• Travelled from Toronto to be here with you today
4. IMSI Catchers / Stingrays
IMSI Catcher:
Can be any rogue cellular device designed to capture cell
phone data or traffic
Often used by police/governments
Stingray - Most popular brand of IMSI Catcher sold to
police/governments made by Harris Corp
IMSI:
International mobile subscriber identity
Your unique cell phone ID.
Privacy constraints:
Strict NDA’s often prevent users from disclosing the device
capabilities or naming the device publically (even in case of
warrants)
5.
6. IMSI Catcher Specs
• Can intercept 2G, 3G, 4G communication simultaneously as
well as CMDA/GSM networks
• Devices can launch attacks requesting devices connect over
weaker channels (2G)
• Operates in either passive or active mode
• Passive mode – Simply captures all available traffic in the area
• Active mode – Acts as a full duplex proxy forcing all traffic
through the device then onward to a normal cellular tower
7. How they are used
• Confirming presence of a device in a target’s home prior to a search thereof
• Identifying an individual responsible for sending harassing text messages
• Locating a stolen mobile device as a precursor to searching homes in the vicinity
• Locating specific individuals by driving around a city until a known IMSI is found
• Mounted on airplanes by the United States Marshall Service to sweep entire
cities for a specific mobile device
• To monitor all devices within range of a prison to determine whether prisoners are
using cell phones
• Reportedly at political protests to identify devices of individuals attending
• To monitor activity in the offices of an independent Irish police oversight body
Source: https://citizenlab.org/wp-content/uploads/2016/09/20160818-Report-
Gone_Opaque.pdf
8. Where they are used
• 1400+ cases confirmed use in Baltimore mapping show
disproportionate use in predominately black neighborhoods'
• http://www.citylab.com/crime/2016/10/racial-disparities-in-police-
stingray-surveillance-mapped/502715/?utm_source=feed
• Thousands of times in Florida since 2007 for crimes as small as
911 hang ups
• http://arstechnica.com/tech-policy/2016/08/Baltimore-police-accused-
of-illegal-mobile-spectrum-use-with-stingrays/
9. Manual Leak
The Intercept acquired a device manual and published it:
https://theintercept.com/2016/09/12/long-secret-stingray-manuals-detail-
how-police-can-spy-on-phones/
10. Where to buy
• Only sold to governments, police, and military
• Alibaba: Good luck (mostly 2G only), Import laws, buyer
assumes risk
• But for ~1400USD you can build your own:
http://arstechnica.com/security/2015/10/low-cost-imsi-catcher-for-
4glte-networks-track-phones-precise-locations/
• Or hide one in a printer and make it call to say I love you
https://julianoliver.com/output/stealth-cell-tower
11. How to find and detect an IMSI
Catcher
Current Detection Methods are entirely anomaly based
1. War walk your neighborhood and make note of all Cell Tower
ID’s you find and their locations
2. Repeat this until you are sure you have all known devices
cataloged
3. Constantly monitor your area to see if any new devices are
added
4. Go find the new device
12. Tools to help you out
OpenCellID.org – Database of mostly user reported cellular tower
devices, their location, and their identifiers
AISMICD – Android IMSI Catcher Detector app. Tool used to collect
cell data. It also reports/syncs with OpenCellID (sometimes).
• https://github.com/CellularPrivacy/Android-IMSI-Catcher-Detector
Rooted Android Device – Required for AISMICD - Means you need a
dedicated device for detection
Eric Escobar – Detecting Rogue Cell Towers, built a 50$ device to
better triangulate devices (Presented this year)
• https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20pr
esentations/DEFCON-24-Eric-Escobar-Rogue-Cell-Towers-UPDATED.pdf
14. How hostile is it for your devices at
Def Con?
• Def Con = “Most hostile network on earth” ????
• Sure don’t use the hotel Wi Fi but how bad is it for your cell
phones?
• Personal experiment to see if I could find any IMSI Catchers
15. Setup
• AIMSICD App
• Burner Android Phone
(rooted)
• Next time: Pre-install
opencellid.org data
War Driving the Strip in style
17. Lots of false positives
• Devices on multiple floors?
• Multiple redundant devices in same location
• Potential issues with GPS accuracy
18. Still Unknown Devices
Red dots represent devices that I did not see in my preliminary
walk and were not already known to opencellid.org
19. Caesar’s
• 3 Nights in Caesar’s before
Def Con
• Lots of towers picked up
• Suggest a sort of ‘drive by
attack’
• Also observed a lot of LTE to
GSM downgrade attacks, my
device was hopping networks
quite frequently
20. Caesar’s
• At least 4 of these devices
were previously not known to
opencellid.org
• There were a couple others
that had only been seen once
before
21. Defense
• Depends on your personal threat model
• Don’t use your device
• Wi Fi calling with vpn?
• Signal / OpenWhisper app for calling/SMS, although you would
still be tracked
• If all Wireless Carriers published the tower id’s you could at
least know if an id did not match.
• Device spoofing would still be possible
• Pressure Wireless Carriers to implement mutual authentication
between devices
22. Conclusions
• The devices are very hard to detect, this is part of what makes
them so dangerous
• You rarely know when you are connected to these devices
All data collected is available on my Github Page
https://github.com/MrVaughan/Defcon2016GSMData
23. Shameless Plug
• CMD+CTRL CTF Saturday
Night
• Accessible web app CTF for
beginners and pros a like
• Lots of challenges to keep
you busy
• Prizes
-Talk about 911 impact
-Detecting presence
-Can break some of the weaker crypto algorithms used in cellular networks
About Citizen lab: Intersection of Information and Communication Technologies (ICTs), human rights, and global security
‘Cyberwar’
All of these are sourced in Citizen Labs paper
They are used in Other EU Countries as well as Canada, It is tough getting confirmed uses as it often takes years for the information to trickle out of court cases and information requests
Montreal Reporters
I have it on my calendar to build one in January (first chance I’ll get)
Looking at your phone right now you have no idea if it is connected to a real cell phone tower or an IMSI catcher
There are a couple other similar presentations in the last year or 2.
Can you trust the data in openCellId ?
-If I were XXX
-
