Discovering and Triangulating Rogue Cell Towers CON 24/DEF CON 24...What’s the IMSI in “IMSI...
Transcript of Discovering and Triangulating Rogue Cell Towers CON 24/DEF CON 24...What’s the IMSI in “IMSI...
DiscoveringandTriangulatingRogueCellTowers
EricEscobar,PESecurityEngineer
Whatisaroguecelltower?• Adevicecreatedbygovernmentsorhackersthathastheability
totrickyourphoneintothinkingit’sarealcellphonetower.
• AlsoknownasIMSIcatchers,interceptors,cell-sitesimulators,Stingrays,andprobablyafewmore.
• Roguecelltowershavetheabilitytocollectinformation aboutyouindirectlythroughmetadata (calllength,dialednumbers)
• Insomeconditionscancollectcontentofmessages, calls,anddata.
Howarecellsimulatorsusedtoday?AtHome(IntheUnitedStates):• IMSI-catchersareusedbyUSlawenforcementagenciestohelp
locate,track,andcollectdataonsuspects.
• ACLUhasidentified66agenciesand24statesthatownstingrays.• UsedtomonitordemonstrationsintheUS
• UsedinChicagopoliticalprotests
• It’spossibletomakeanIMSI-catcherathome• DEFCON18:PracticalCellphoneSpying - ChrisPaget
Howarecellsimulatorsusedtoday?Abroad:• ReporteduseinIreland,UK,China,Germany,Norway,
SouthAfrica
• Chinesespammerswerecaughtsendingspamandphishingmessages.
• Usedbygovernmentsandcorporationsalike.
What’stheIMSIin“IMSI-catcher”?• IMSIstandsforInternationalMobileSubscriberIdentity.• Isusedasameansofidentifyingadeviceonthecellnetwork.
• Typically15digitslong
• Containsgeneralinformationaboutyoudevice(Country&Carrier)• MobileCountryCode– MCC
• MobileNetworkCode– MNC• MobileSubscription IdentificationNumber– MSIN
What’sanIMSI?
IMSI=Uniqueidentifiertoyourdevice
SampleIMSI:
310 26 0123456789MCC MNC MSIN
USA AT&T UniqueIdentifier
Why you should care?• Yourphonewillconnectautomaticallytocellsitesimulators.• Thievescanstealyourpersonalinformation.
• Hacker’scantrackwhereyougo,whoyou’retalkingto,andgraballsortsofotherdataaboutyou.
• Yourdigitallifecanbesniffedoutoftheairbyanyonewithsometechnicalchops,andalaptop.
• Yourcompanycouldbeleaking tradesecrets.
• Yourprivacyisatrisk.
Whybuildadetector?• TherearesomegreatappsforAndroidphonesandthathavethe
abilitytodetectcelltoweranomalies.
• Youneedspecificphonemodels&rootforthistowork
• Iwantedadevicethatmetthefollowingconditions:• Cheap~$50/device
• Iwantedtosetitandforgetit.• Iwantedtobealertedtoanyanomalies.
• Iwantedtheabilitytonetworkmultipledevicestogether.
Howdoyoudetectaroguecelltower?• Everycelltower(BaseTransceiverStation,BTS)beaconsout
informationabout itself
• ARFCN– Absoluteradiofrequencychannelnumber
• MCC– MobileCountryCode• MNC– MobileNetworkCode
• CellID– Unique identifier(withinalargearea)• LAC– Locationareacode
• Txp – Transmitpowermaximum
• Neighboring cells
Howdoyoudetectaroguecelltower?• Typicallythesevaluesremainconstant:
• ARFCN– Absoluteradiofrequencychannelnumber
• MCC– MobileCountryCode
• MNC– MobileNetworkCode• CellID– Unique identifier(withinalargearea)
• LAC– Locationareacode• Txp – Transmitpowermaximum
• Neighboring cells
• Powerlevel
Howdoyoudetectaroguecelltower?• Ifvaluesdeviatefromwhat’sexpecteditcanmeanthatthereis
maintenancetakingplace.
• Itcanmeanchangesarebeingmadetothenetwork.
• Itcouldalsomeanthatthereisaroguecelltowerisnearby!• Theideaistogetabaselineofyourcellularneighborhood overa
periodoftime.• Itwouldbelikekeepinganeyeonthecarsthatcomeinandout
ofyourneighborhood, afterawhileyoubegintoknowwhichdoesn’tbelong.
Howdoyoudetectaroguecelltower?• Examples:
• Anewtower(UnknownCellID),hightransmissionpower
• Mobilecountrycodemismatch
• Mobilenetworkcodemismatch• Frequencychange
• LocationAreaCodemismatch
Howdoyoulocateatower?• Combineuniquecelltowerdata,receivepower,and location.• Onedetectorcanbemovedaround withanonboardGPS
• Readingsofuniquetoweridentifiers,powerlevelandGPScoordinatesallowforasingledetectortocreateamap.
• Somemath,opensourceGISsoftware,andprettycolorscanapproximatelocationsoftowersorpossibleroguetowers
Howdoyoulocateatower?
Howdoyoulocateatower?• Multipledetectorswithknownlocationsallowfortrilaterationof
thesuspectedroguetower.
• Receivepoweranddistancearenotinverselyproportional
• Regressionformulaswererequiredtobecalculatedinordertofinetunetheresults.
• Lessaccuratebutstillprettygood
Howdoyoulocateatower?
What’sthebuild?• RaspberryPi3,poweradapter,SDcard(runningstockRaspbian)• SIM900GSMModule
• SerialGPSmodule
• TVtunersoftwaredefined radio• Scrapwood&hotglue
Braceyourself…thisisquiteliterallyahack.
SIM900CellModule
Scrap wood& hot glue
Raspberry Pi
GPSModule
SerialtoUSB
Softwaredefinedradio(USBTVTuner)
SIM900• SIM900Engineeringmode
• Seventowerswiththehighestsignal
• Givesyouatonofinformationvia
aserialconnection• NoSIMcardisrequiredfor
engineeringmode
GPSSerial• Adafruit UltimateGPSmodule
• Fixespositionquickly.
• Good indoorreception
• Worksexactlyhowyouwouldexpect
RaspberryPi3• StockRaspbian OS(debian forpi)
• Pi3hasenoughpowertorunaSDR
• HasfourUSBportsforserialadapters• EasilypoweredbyaUSBbatterypack
• $20Softwaredefinedradio
• Widerangeoffrequencies
• Github:Gr-Gsm• CanlistentorawGSMtraffic
• Seealltherawframes• Notnecessaryforlocatingcelltowers
• Providesdeeperinsights
TVTuner
Datacollection:• Everythingdumps toaSQLitedatabase forlateruse
Questions?