Android-based project to detect and avoid fake base stations (IMSI-Catchers) in GSM/UMTS Networks. Feel free to read the Press Releases about us, spread the word with our Media Material and help us solving current challenges!
- Introduction
- IMSI-Catchers
- Project Goals
- Limitations
- Roadmap
- DOWNLOADS
- Requirements
- Installation
- Documentation
- Papers
- Bugs
- FAQ
IMSI-Catchers are creepy devices used by both law enforcement agencies and criminals. They are false mobile towers (base stations) acting between the target mobile phone(s) and the real towers of service providers. As such they are considered a Man-In-The-Middle (MITM) attack. This specific MITM attack was patented and first commercialized by Rohde & Schwarz in 2003, although it would be hard to maintain such a patent, since in reality it is just a modified cell tower with a malicious operator. On 24 January 2012, the Court of Appeal of England and Wales held that the patent is invalid for obviousness. But ever since it was first invented, the technology has been used and "improved" by many different companies around the world. Other manufacturers (like Anite) prefer to refer to this spying and tracking equipment in glossy brochures using cozy marketing words like "Subscriber Trackers". IMSI-Catcher manufacturers are abusing your mind by disguising their spying products as "life saving equipment". Their real purpose is surveillance and to kill people. Don't get fooled by their unobtrusive product naming or heart-wrenching stories that may go along with it!
In the USA the IMSI-Catcher technology is known under the name "StingRay", often mounted out of sight on top of cars. The FBI or local police regularly deploys IMSI-Catchers hidden in vehicles at a protest to obtain a record of everyone who attended with a cell phone (leave your phones at home by all means if you really have to attend). IMSI-Catchers also allow adversaries to intercept your conversations, text messages, and data. Police can use them to determine your location, or to find out who is in a given geographic area at what time. Identity thieves can use freely available tools to monitor GSM communications from a parked car in your residential neighborhood, stealing passwords or credit card information from people nearby who make purchases on their phones.
Why are IMSI-Catchers exponentially popular lately? Because without our App you would not even notice that you're under attack! IMSI-Catchers, StingRays, GSM/UMTS Interceptors (or whichever names they invent) are perfectly stealth spying devices, crafted from the wet dreams of bastards like governments and criminals all alike. You think you have "nothing to hide"? Think again! Anyone can now buy an IMSI-Catcher or build a cheap one on their own. Sending spam and phishing SMS via fake base stations is already a lucrative underground market), particularly in Russia, China and Brazil. In addition, all IMSI-Catchers can crack A5/1 encryption, which is most commonly used for GSM traffic, on the fly (passively)! A5/3 encryption which is used for securing 3G and is offered as new security standard for GSM encryption remains secure in practice while susceptible to theoretical attacks. Although 3G and 4G offer sufficient protection from eavesdropping, the security measures can be bypassed by IMSI-Catchers forcing a mobile device into 2G mode and downgrade encryption to A5/1 or disable it. For further reading on the algorithms, check out the Cryptome GSM Files.
There are almost no phones on the market which offer an option to check what kind of encryption is used to "secure" GSM traffic (which is in fact already broken beyond repair). The ones you may find are very expensive and not open source. And although the Issue of not having a convenient display of the Ciphering Indicator has been assigned to Google since 2009, it seems they're getting paid (or are forced to) blatantly ignoring it. The open source project "Android-CipheringIndicator-API" aims to craft an API which fixes this Issue and merge the resulting API into the Android AOSP branch. But currently, the only way to protect a mobile device from downgrade attacks is to disable 2G if this option is available. In this case, the phone will not be able to receive or make calls in areas without 3G coverage. This is why we started development on this App: To protect YOU. Use our App and join development on GitHub - even the smallest pull requests are very welcome!
They come in uncountable shapes and sizes:
- Current IMSI-Catchers can be as tiny as the portable Septier IMSI-Catcher Mini.
- The smartphone takes up the most space. IMSI-Catchers will even get smaller!
- Below photograph has been taken during the riots on Taksim Square in Instanbul.
- Note: It is way too conspicuous and you'll likely never encounter one of these.
- Todays IMSI-Catchers can be body-worn or are hidden in GSM Interceptor vehicles:
Search for "GSM Interceptor", "IMSI-Catcher", "StingRay" or any combination thereof.
- Detect IMSI based device location tracking
- Detect and prevent the use of false BTS towers used for illegal interception
- Detect and prevent the use of broken ciphering algorithms (A5/1) during calls
- Detect and prevent remote hidden application installation
- Detect and prevent remote hidden SMS-based SIM attacks
- Provide counter measures against tracking
- Prevent leakage of sensitive GPS data
- Provide swarm-wise-decision-based cellular service interruption
- Provide secure wifi/wimax alternative data routes through MESH-like networking
- Aims to be recommended and added to the Guardian Project's list of secure Apps
- Aims to be recommended by the SSD Project of the Electronic Frontier Foundation
- Aims to be recommended by Privacy International (and like-minded organizations)
- Provide full device encryption
- Provide secure data transmission (VPN, Tor)
- Provide secure phone calls (we recommend: RedPhone)
- Provide secure SMS (we recommend: TextSecure)
- Provide secure application sand-boxing
- Provide application permission control (we recommend: XPrivacy)
- Provide firewalls (we recommend: AFWall+)
- Prevent already installed rogue applications from full access and spying
- Provide ROOT and remove bloatware (we recommend: search XDA)
In order to accomplish the goals set above, we'll need to overcome some of the deeply worrying and unfounded AOS limitations, as imposed by Googles API, in regard to relevant network variables and data. These include highly relevant and important things such as displaying the SIM/phone Ciphering Indicator, which tells you if your calls are being encrypted or not. This has been a required 3GPP feature for the last 15 years, but which Google and most Mobile Network providers have choosen to mostly ignore, although it has been requested by users since 2009. Another is finding the Timing Advance (TA) and various Network Timers, like those used in Radio Resource Control (RRC), that can give very useful information regarding the status of the connections your phone is making.
All this can be fairly easily accomplished, given that we can have access to some of the lower level radio related information coming from the Baseband Processor (BP). But that is exactly our challenge. All the software and information about the interfaces providing this, is hidden from the user and developers by a huge amount of proprietary OEM Non Disclosure Agreements (NDA). But in the last years, there has been great progress in reverse enginering these protocols and interfaces. The use of these open source tools are the basis of our successful development of this App.
Summary of the main development stages:
A. Using all available network data, implement the correct detection matrix consisting of a number of items, that each participate in detection of abnormal or abusive network bahaviour. This is the application Beta stage.
B. Using all possible interfaces to obtain the many variables in (A). These interfaces include:
- QMI/Sahara protocols for using on Qualcomm based devices (Gobi3000, qmilib)
- Samsung IPC protocol for using on Intel XMM (XGOLD) based devices (xgoldmon, Replicant)
- Direct use of AOS standard RIL interfaces (/dev/rild and /dev/rild-debug)
- SIM ICC interface for accessing SIM EF filesystem to provide deep access (SEEK)
- Scraping Service Mode menus for relevant radio info
- Scrape
logcat -b radiofor relevant radio info - Use AT Command Processor (ATCoP) interface to get/set network parameters/bahaviour
C. Make (A) and (B) transparent across as many Android devices as possible.
Make a baseline App that contains the basic functionality for collecting and presenting all available network variables and the detection results.
- a. Collects relevant RF related variables using public AOS API calls. (LAC, CID, TA etc)
- b. Collects detailed BTS information from a pulic database such as OpenCellID or Mozilla Location Services
- c. Save everything in our SQLite database
- d. Detect hidden/silent (Type-0) SMS's
- e. Detect hidden App installations (Googles INSTALL/REMOVE_ASSET)
Improve ALPHA for leveraging and tune our detection matrix/algorithm.
- f. Implement any of the detection schemes we have
- g. Implement any of the interfaces in (B)
- h. Test AIMSICD in a real IMSI-catcher environment
- i. Fine-tune our detection matrix
- j. Implement our first counter interception measures
- k. Planning alternative data routes through MESH-like networking, when cellular services have been interrupted
- l. Planning swarm-wise decision-based cellular service analysis (advanced BTS statistics)
This stage is essentially the completion of this project. However, we expect that long before this happens, the entire network industry will have changed to such a degree that many new privacy and security issues will have arised. Thus, we will likely have more things to add and maintain in this project. We are of the current understanding that this project is a never ending story, all for the peoples benefit and a more privacy oriented future.
- m. Implement all of the detection schemes we have
- n. Implement all of the interfaces in (B)
- o. Test AIMSICD in a real IMSI-catcher environment
- p. Continue Fine-tune our detection matrix
- q. Complete alternative data routes using MESH-like networking, when cellular services have been interrupted
- r. Complete advanced statistical analysis of fake BTS towers
Safety first: Here's our Disclaimer.
Please follow how to correctly submit Issues!
Although this project is fully Open Source, developing AIMSICD is a lot of work and done by enthusiastic people during their free time. If you're a developer yourself, we welcome you with open arms! To keep developers in a great mood and support development, please consider making a (fully anonymous) donation. We are currently resonsidering donations in Issue 74. Join the discussion!
All collected donations shall be split into appropriate pieces and directly sent to developers who contribute useful code. The amount of donation each developer receives will vary with the value of each merged commit. To be perfectly clear: We will NOT reward junk, only awesome stuff. Additionally, donations will be used to support these organizations (contact us if you are a like-minded organization):
If you are unsure how to donate, visit our WIKI-Page on Anonymous Donations.
This project is completely licensed GPL v3+.
Our project would not have been possible without these awesome people. HUGE THANKS!
Our gratitude flies out to our great Sponsors:
| Developer | Task |
|---|---|
| E:V:A | Project Initiator |
| Ueland | Bug Smashing Hammer |
| tobykurien | Code-Monkey |
| He3556 | Vulnerability Analyzer |
| Sgt-Obst | Graphical Designer |
| andr3jx | Chief Cook and Bottle Washer |
| SecUpwN | Public Speaker |