Hackaday Prize Entry: Catch The IMSI Catchers

An IMSI catcher is an illicit mobile phone base station designed to intercept the traffic from nearby mobile phones by persuading them to connect to it rather than the real phone company  tower. The IMSI in the name stands for International Mobile Subscriber Identity, a unique global identifier that all mobile phones have. IMSI catchers are typically used by government agencies to detect and track people at particular locations, and are thus the subject of some controversy.

As is so often the case when a  piece of surveillance technology is used in a controversial manner there is a counter-effort against it. The IMSI catchers have spawned the subject of this post, an IMSI catcher detector app for Android. It’s a work-in-progress at the moment with code posted in its GitHub repository, but it is still an interesting look into this rather shadowy world.

How them you might ask, does this app hope to detect the fake base stations? In the first case, it will check the identity of the station it is connected to against a database of known cell towers. Then it will try to identify any unusual behaviour from the base station by analysing its traffic and signal strength. Finally it will endeavour to spot anomalies in the implementation of the cell phone protocols that might differentiate the fake from the real tower.

They have made some progress but stress that the app is in alpha stage at the moment, and needs a lot more work. They’re thus inviting Android developers to join the project. Still, working on projects is what the Hackaday Prize is all about.

16 thoughts on “Hackaday Prize Entry: Catch The IMSI Catchers

  1. It will be interesting to see how they implement their database. It probably would have to be a distributed encrypted database that is maintained by majority trust relationships so that NSA don’t just walk in with a “shut up and do as I say” order so that NSA could add their fake towers to the trusted list.

    1. This is the problem i see. If the security/reliability relies heavily on a data base this is a week point. The NSA will probably have little trouble to manipulate this, especially if the data base is in the US. It reminds me the SSL-certificates-stuff, you have to rely on somebody saying “this is safe/true/…”. Yeah…

      Completely of topic: There is still a lot of spam on hackaday.io, from what i see (almost) always with chinese characters in the title. Why not refuse projects with chinese characters in the title? Of course there could be some false positives but this is an english webpage so maybe it’s a simple fix?

    2. place it somewhere outside the us, there is a whole world out here and most of us don’t particularly care what the NSA wants us to do.
      combine that with some proper encryption and distributed storage and there is a good chance any illicit action to change the data would be discovered, 3 letters agencies seem to be allergic to others knowing what they do, that in itself might be protection enough.

    3. A phone should be making its own observations and log entries, and the app should be written to trust those entries above anything in the public database. People running an anti-IMSI catcher need to get in the habit of continually surveying their surroundings so they have a clear “before” picture to draw from. In the case of your own home, you should be periodically war-driving your cellular surroundings to get away from any cell catchers and keep your personal data up to date.

      We now know from the leaked Harris documentation that Stingray operators are advised to emulate the weakest tower visible in the vicinity. So if a formerly weak tower suddenly becomes the strongest signal, that should be a blinking red light warning.

    1. Have you looked at setting up an OpenBTS instance? That ideally would trip the detector,
      Towers asking for null encryption or down-rated encryption (4G tower asking for 2G style encryption)

      1. even FBI and local police already uses 4G stingrays. This is where all the homeland ‘security’ funds go to.
        What we need is proper SDR sniffing all traffic and spotting patterns of unusual BSS traffic, like constantly prodding MS for signal strength data etc.

  2. feature creep! Please add the functionality to upload the information to a central database and render in google maps so we can have one of those huge moonshot monitors on our walls showing the location of every van :-)

  3. How does the existing SnoopSnitch software fit with this idea? Is this an alternative to SnoopSnitch? Competitor to SnoopSnitch? Something that would work alongside SnoopSnitch? Something totally different?

  4. After reviewing the source code, I see you’re relying on the Android network messages. In order to TRULY make this project work – you need to implement a method of getting the Qualcomm Diagnostic Messages (DM) through the interface. Start googling QXDM and the such to figure out a proper DM interface to Adnroid. The AT messages reported through the RIL are not enough to do what you’re trying to do. After that, you need to look for differences in the network setup between a ‘real’ network vs an ‘IMSI-grabbing’ network. A properly set-up network is almost indistinguishable from a ‘real’ network. A good indication would be reception of ‘rejection’ messages from the network which indicate that you’re phone is being released back to a real network. Also, look for blank neighbor lists – these usually are blank in test networks to prevent handing you back off to real networks.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.