[SECURITY] [APP][WIP] IMSI Catcher/Spy Detector

By E:V:A, Recognized Developer on 2nd January 2012, 03:30 AM
14th April 2012, 11:17 AM |#21 (mai77, Senior Member)
no SIM mode
To clarify, there are two prerequisites which are often not met:

- the baseband processor has to support the command
- even then, to be successful, the bit has to be changeable on the SIM

Separate questions:

How does ciphering work when the phone is in emergency mode without a SIM?
Is it possible to detect "ciphering indication" while in emergency mode?
 
 
18th April 2012, 06:01 PM |#22 (He3556, Junior Member)
Happily, I found your thread last night!
I have been searching about these topics (catcher, silent SMS, ciphering indicator...) for the last 5 months.
And the catcher-catcher project is the best I could find on the net. There is a lot of experience there on how to catch 'em.
(I think they have the best strategy.)

... then I asked the guys at OpenSignalMaps if it is possible to catch the catcher with CellID and other information. He said it could be possible to identify a faked station, but he was not sure how well it works.

Anyway, there is another use of maps like this...
see openBmap (openbmap.org), Open CellID (opencellid.org):

1. To be able to find the location.
With 3 smartphones it is possible to get the exact position.
2. To tell others about the fake station, so they simply don't communicate with it.
3. In the German Wikipedia (de.wikipedia.org/wiki/IMSI-Catcher), under the point "Nachweisbarkeit", you see this diagram: you need 2 cellphones to measure the signals. Some kind of community would be great to collect important data.

And maybe this would help people in certain countries?
What do you think?

There are many links and infos I would share with you, but right now it's only a bunch of bookmarks and PDFs; I need to clean up first.

..............
I will start with my diploma soon and I am still looking for the right theme. I have 6 - 9 months for that final "big" work, then I will be finished! Maybe I should examine "Android development against IMSI catchers and other vulnerabilities" as my diploma theme.
..............

E:V:A! You did some really good work collecting information and finding the right questions, especially the part on "how can you help"!

It does not sound so easy to get it working on an Android phone.
I was working with Java for another project, but I am not a very fast programmer. But maybe we can work together on the code, on GitHub?
I am also not sure how to link to the PDFs I have on my hard disk.
If we had a closed area I would upload them.

Have a good time,
21st April 2012, 02:34 PM |#23 (E:V:A, OP, Recognized Developer)
Quote (Originally Posted by mai77):

    a) the baseband processor has to support the command
    b) even then, to be successful, the bit has to be changeable on the SIM
    c) how does ciphering work, when the phone is in emergency mode w/o SIM?
    d) is it possible then to detect "ciphering indication"?

a) Not sure what you mean with this, but all BPs can read this. Whether this info is implemented in firmware is another story, but since at least the ciphering "method" must be implemented, there should be a way to read these registers/results. Remember that the ciphering "method" can (usually) be found in some service menu (on most phones).

b) Normally yes..., but if one can find a way to run code in the BP, then you could just read the ciphering from the appropriate register.

c) It is very unlikely there is any ciphering in emergency mode. In fact, due to the "enhanced" E911 emergency-call standard recommendation, your phone also needs to provide the exact location data like this:

"Wireless network operators must provide the latitude and longitude of callers within 300 meters, within six minutes of a request by a PSAP."

... very spooky!

d) Everything is possible! Especially when companies like Qualcomm have a special governmental development section (QGOV) that offers to develop anything the government wants [link]:

"In seeking to empower government agencies to access and share information anywhere at anytime to fulfill their missions of protecting our Nation, QGOV serves as the federal and state government portal to Qualcomm technologies and services. We adapt and modify Qualcomm commercial products to provide specialized capabilities for the government. QGOV is considered a trusted partner and can apply substantial research and development resources and enlist industry partners to help various government agencies meet their challenges. We offer products and engineering expertise that meet government needs for classified and unclassified solutions in the areas of wireless broadband data and voice, information sharing and interoperability, tracking, locating, and situational awareness. Government agencies can have confidence when deploying our technology - all of which is designed to increase safety and improve operational effectiveness."

Quote (Originally Posted by He3556):

    And maybe this would help people in certain countries? What do you think?

It would help people in ALL countries! It would help prevent local authorities from overstepping their rights and/or going overboard with their surveillance strategies and invasion of privacy.
25th April 2012, 12:35 PM |#24 (He3556, Junior Member)
Ok, let's talk about the cipher indicator.
1 – There are only old phones: Sony-Ericsson T610, Siemens M55, Nokia 6300, Nokia 3310, P1300, Netzing NE110. But even most of the old phones have no indicator.

For Android: However, the ciphering mode is available in the _engineering menu_ by dialing *#32489#. So somehow we should be able to find the right code to display this. (16.01.2012)
Another project for secure Android: whispersys.com/ (no cipher indicator)

2 – On the SIM card settings: data in the "administrative data" field (OFM) is usually switched off by the provider. So we would have to change this bit on the SIM card. But doing it with a cellphone is not possible; you need more equipment for this.

- What could this indicator show us anyway?
Only if A5/0 is used (no encryption) is it interesting.
That could be an IMSI catcher you are connected to.
When A5/1 or A5/2 is used, it only takes seconds to decrypt this data.
(With a PC, not with the catcher.)
A5/3 is a "little bit" more secure (takes 2h if running in standard mode).

- What is the indicator useful for, then???
For me it looks like there is no way to secure a call made over the GSM mobile standard.
So the reason why (we are thinking about the cipher indicator) is maybe not making secure calls, but to see if somebody is manipulating your connection.

Alternatives for secure calls:
- use secure VoIP

But you still won't see if somebody is trying to attack you.

There should be other possibilities to find out:
- Analyze the original voice data: if there is no voice encoding it is A5/0.
Stream cipher is A5/1 or /2 and block cipher is A5/3.
- "GSM fall-back", if the provider kicks you from UMTS to GSM.
- Signals of the IMSI catcher and the real base station will overlap (see Wikipedia, IMSI-Catcher, Nachweisbarkeit: de.wikipedia.org/wiki/IMSI-Catcher#Nachweisbarkeit).

I am afraid the cipher-indicator discussion brings nothing useful for us.

Have a nice day!
27th April 2012, 01:34 PM |#25 (XdxH62, Member)
Quote:

    For Android: However, the ciphering mode is available in the _engineering menu_ by dialing: *#32489#. So somehow we should be able to find the right code to display this. (16.01.2012)

This code doesn't work for me (CM6 on HTC Dream).

Quote:

    Another Project for Secure Android: whispersys.com/ (no cipher ind.)

I guess you refer to RedPhone. As I understand it, it's VoIP with SMS to initialize the connection/encryption. Therefore a catcher would at least know who you are calling.
27th April 2012, 01:35 PM |#26 (Senior Member)
hmm.. downloading
27th April 2012, 08:29 PM |#27 (He3556, Junior Member)
Yes, you are right XdxH62, RedPhone works with VoIP.

... and there is an SDK for "WhisperCore", but I can't find anything interesting for our "problem". Still a good project. I will download and test, maybe there is something more... if so, I will tell you...

This engineering code is also not working on my phone:
HTC HD2, Android 4.0.3 ICS CM9
27th April 2012, 11:49 PM |#28 (E:V:A, OP, Recognized Developer)
Quote (Originally Posted by He3556):

    1 – There are only old Phones: Sony-Ericsson T610, Siemens M55, Nokia 6300, Nokia 3310, P1300, Netzing NE110. But even most of the old phones have no indicator.

Not sure what you were saying here... AFAIK, both the T610 and the Nokia 3310 show the ciphering mode when it is enabled in the SIM.

Quote:

    For Android: However, the ciphering mode is available in the _engineering menu_ by dialing: *#32489#. So somehow we should be able to find the right code to display this. (16.01.2012)

That's correct, and that's what we want to do.

Quote:

    Another Project for Secure Android: whispersys.com/ (no cipher ind.)

Unfortunately, the developer of RedPhone, Moxie Marlinspike, sold (Whispersys) to Twitter, with a short notice (from Twitter) saying that they would soon return, after having pulled RedPhone from every possible trace on the internet etc. We never heard from them again! Although TextSecure is available (using the same technology). EDIT: Both are back online!!

Quote:

    For what is the indicator useful then ??? ...So the reason why (we are thinking about cipher ind.), is maybe not making secure calls – but to see if somebody is manipulating your connection. ... I am afraid the cipher-indicator discussion brings nothing useful for us.

That's correct and not. The CI tells us something about what we can expect from our cellular/mobile service providers. The changes needed to implement encryption come at a minimal cost for them. Thus it is a good indicator of whether or not our providers are taking mobile security seriously. This, together with some kind of IMSI-catcher-catcher, will also tell you if someone outside the service provider's authority is spying on you. Yes, you're right, there is nothing like a secure mobile phone call at the moment, so this is an even greater reason to push this issue. A successful and widespread use of the CI is just a first academic step toward developing a more high-tech anti-spy application.
28th April 2012, 05:21 PM |#29 (He3556, Junior Member)
I just don't want to develop things for an old mobile like the Siemens M55 (I used this phone 8 years ago).
There has to be a solution for all Android users, without changing anything on the SIM card.
And I don't want to depend on the information from the provider, i.e. whether they show an indicator or not.

I read about GSM Dm channels (www2.informatik.hu-berlin.de/~goeller/isdn/GSMDmChannels.pdf):
"Location Update" and "Paging Response" send information about the CI in layer 2 and layer 3 of the GSM protocol!
So we need to get these management signals and we know which CI is used.
+ we could show if a "CI mode request command" was sent from the BS.
(If this is not right, please tell me.)
... but how can we get this data? On the net I found a SAGEM trace mobile OT 460 to do this job.
So it must be possible to do it with Android, too. But I still didn't find anything like an API call for that.

So, I keep searching and reading...

Have a nice weekend!
30th April 2012, 10:41 AM |#30 (E:V:A, OP, Recognized Developer)
Thanks, that was a nicely presented document!

There's no Java API for doing any of this work, AFAIK, although it may be possible to do it indirectly via modem IPC communication, whose commands are available in a (private?) API. However, if we can locally speak AT commands directly to the modem, there may be a way to get/intercept/inject (or whatever) to get to the relevant radio parameters as presented in the ServiceMode app. A BP kernel log would also be extremely useful!
2nd June 2012, 01:13 AM |#31 (Junior Member)
This is what I get on my service mode on Galaxy S2:

Is_connected: 0
Is_enciphered: 0 (it changes from 0 to 1 regularly, like YES or NO)

Key Stauts: 2 (What does this mean?)
Key_context: 2 (What does this mean?)
RAT: 2 (What does this mean?)

Maybe some of the info means that a5/2 is used?

I remember before there were some phones showing a warning sign on the main menu when encryption was not in use, but that seems rare now.
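As an added defender-side example (not code from this thread or from any project it mentions), here is a small Python heuristic that combines three signals raised in posts #24, #29 and #31: a connection running without ciphering (the A5/0 case, seen as Is_enciphered in the Galaxy S2 ServiceMode dump), the UMTS-to-GSM fall-back, and a serving cell missing from a cached known-cell list such as an OpenCellID export. The RAT numbering, the field names beyond those shown in post #31, and the sample readings are constructed assumptions, not documented Samsung values.

```python
from dataclasses import dataclass

# Rules for the three signals the thread discusses: a connection that runs
# without ciphering (A5/0), a fall-back from UMTS to GSM, and a serving cell
# missing from a locally cached known-cell list (e.g. an OpenCellID export).
# RAT numbering is an assumption; ServiceMode values are vendor-specific.
RAT_GSM, RAT_UMTS = 1, 2

def parse_servicemode(text):
    """Parse 'Field: value' lines like the Galaxy S2 ServiceMode dump into ints; trailing remarks are dropped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.split():
            fields[key.strip().lower()] = int(value.split()[0])
    return fields

@dataclass(frozen=True)
class Reading:
    lac: int
    cid: int
    rat: int
    connected: bool
    enciphered: bool

    @classmethod
    def from_servicemode(cls, text, lac, cid):
        f = parse_servicemode(text)
        return cls(lac, cid, f["rat"], bool(f["is_connected"]), bool(f["is_enciphered"]))

def analyze(readings, known_cells):
    """Return alerts for a time-ordered sequence of readings."""
    alerts, prev = [], None
    for r in readings:
        if r.connected and not r.enciphered:
            alerts.append(f"cell {r.lac}/{r.cid}: connected without ciphering (A5/0)")
        if prev is not None and prev.rat == RAT_UMTS and r.rat == RAT_GSM:
            alerts.append(f"cell {r.lac}/{r.cid}: fall-back from UMTS to GSM")
        if (r.lac, r.cid) not in known_cells:
            alerts.append(f"cell {r.lac}/{r.cid}: not in known-cell list")
        prev = r
    return alerts

# Constructed sample: a known UMTS cell, then a downgrade to an unknown GSM cell with no cipher.
KNOWN_CELLS = {(1234, 5678), (1234, 5679)}
SAMPLE = [
    Reading.from_servicemode("Is_connected: 1\nIs_enciphered: 1\nRAT: 2", 1234, 5678),
    Reading.from_servicemode("Is_connected: 1\nIs_enciphered: 0 (changes 0/1)\nRAT: 1", 1234, 9999),
]
```

Running `analyze(SAMPLE, KNOWN_CELLS)` yields three alerts for the second reading and none for the first; on a real device the readings would have to come from whatever modem or ServiceMode interface the thread is still looking for.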