
SeaGlass – Enabling City-Wide IMSI-Catcher Detection - risk
https://seaglass.cs.washington.edu/
======
sasas
You could possibly achieve interesting results with a single handset to keep
in your pocket as you go about your day. The Samsung Galaxy S3 is ideal due to
the fact that Android apps are written to access low level data from its
baseband which is normally not available to end-user applications.

In fact there is a company that sells re-modded S3s at a decent price for
this exact purpose [1].

Save some money and find an old handset and load on free IMSI catcher
detection software. [2]

EDIT: It seems SnoopSnitch [3] which is used in the SeaGlass project works on
rooted Android phones that use Qualcomm chipsets.

[1] https://www.wired.com/2014/09/cryptophone-firewall-identifies-rogue-cell-towers/

[2] https://cellularprivacy.github.io/Android-IMSI-Catcher-Detector/

[3] https://opensource.srlabs.de/projects/snoopsnitch

~~~
rsync
"You could possibly achieve interesting results with a single handset to keep
in your pocket as you go about your day. The Samsung Galaxy S3 is ideal due to
the fact that Android apps are written to access low level data from its
baseband which is normally not available to end-user applications."

I don't understand why this is done with apps on mobile phones. It seems to me
that all of the "metrics" that we use to determine an IMSI catcher are easily
obtained with an SDR - even a cheap RTL-SDR.

Take a look at the scoring system for snoopsnitch:

https://opensource.srlabs.de/projects/snoopsnitch/wiki/IMSI_Catcher_Score

Almost all of those indicators can be easily seen with an SDR and various
tools like kal/kalibrate, airprobe, gr-gsm, and so on ... further, I suspect
there are many more deeper indicators (think nmap, but for GSM stations) that
would be seen with an SDR that could not be with a mobile phone, although that
is just conjecture...

~~~
ChuckMcM
Almost entirely because cell phones are both a radio _and_ a computer platform
in one battery powered unit. No additional work, and they are small. And
generally they get thrown away a lot so there are cheap ones on the market.

But to your point, it would be straightforward to build IMSI catcher catchers
(ic^2 :-) with an SDR setup and with something like the ADALM-PLUTO[1] it
would be reasonably cost effective.

[1] http://www.analog.com/en/design-center/evaluation-hardware-and-software/evaluation-boards-kits/adalm-pluto.html#eb-overview

~~~
rsync
"Almost entirely because cell phones are both a radio and a computer platform
in one battery powered unit."

Well, sure - but what I am looking at in the article is a phone connected to a
rPi, right ?

snoopsnitch does indeed provide a phone-only solution, which is very nice, but
the solution in the article does not.

My own testbed is a gigabyte BRIX with a BladeRF attached, but obviously you
could go much smaller with a Pi-sized device and an RTL-SDR dongle ...

------
rootsudo
This can also be done on CDMA via Qualcomm QXDM and qCAT for logging, enabling
you to just have a single cell phone, a laptop and some scripting in QXDM to
log.

Of course this would mean you have access to unlicensed Qualcomm software,
know a bit about interfacing with the radio of CDMA phones and qCAT will
correctly parse it to meaningful data.

On the other hand, you can also log numbers being actively dialed and even
intercept text messages on the SMS paging channel if you happen to have the
correct UM/AN on the phone (ESN/MEID not needed)

But with the eventual shut down of CDMA, this sort of phreaking is long lost
and over.

------
jimnotgym
It would be interesting to push this out to the crowd of people interested in
privacy. Maybe we could put a setup like this in our own cars, or at least run
an app on our phones. It would really harm their surveillance efforts if
1000s of people were contributing to a global map.

~~~
nmstoker
Excellent idea, but one step further would be to find some amenable Uber /
taxi drivers to drive them around. They'd be likely to get coverage of a
fairly broad area for a more continuous period than a private driver.

~~~
gruez
I thought that's what they were already doing?

>Partnering with ride-sharing drivers allowed us to collect millions of
measurements across both cities.

------
samstave
Awesome - I actually saw this idea posed on Reddit recently:

> So there are factory methods in each cellphone where you can get the
tower ID and RSSI and other data from the tower... what is needed is an app
that actively logs ALL that data with the GPS location of the phone regularly
and pushes it to a DB in AWS - and you keep capturing all that data, and you
compare geo-loc from all the phones and the towers they see/connect to when
within that cell's signal domain - the app should be able, after time, to
"know" which tower it should be connected to based on GPS as it moves into and
out of each cell... you get an alert if the phone connects to the non-predicted
cell signature.

> Simple.
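
Added example, not part of the thread and not SeaGlass or SnoopSnitch code: a sketch of the "predicted cell by GPS position" check described in the comment above. The tile size, the sighting threshold, the function names and all sample observations are assumptions constructed for illustration.

```python
import math
from collections import defaultdict

TILE_DEG = 0.005  # assumed grid size: roughly 500 m of latitude per tile

def tile(lat, lon):
    """Quantise a GPS fix to a grid tile."""
    return (math.floor(lat / TILE_DEG), math.floor(lon / TILE_DEG))

def build_baseline(observations, min_sightings=3):
    """Map each tile to the cells reported there at least min_sightings times."""
    counts = defaultdict(lambda: defaultdict(int))
    for lat, lon, cell in observations:
        counts[tile(lat, lon)][cell] += 1
    return {t: {c for c, n in cells.items() if n >= min_sightings}
            for t, cells in counts.items()}

def check(baseline, lat, lon, cell):
    """Classify the serving cell a phone reports at (lat, lon)."""
    ty, tx = tile(lat, lon)
    expected = set()
    for dy in (-1, 0, 1):          # include adjacent tiles: coverage areas overlap
        for dx in (-1, 0, 1):
            expected |= baseline.get((ty + dy, tx + dx), set())
    if not expected:
        return "no-baseline"       # nobody has mapped this area yet
    if cell in expected:
        return "expected"
    if any(cell in cells for cells in baseline.values()):
        return "relocated-cell"    # known identity seen far from its usual tiles
    return "unknown-cell"          # identity never established anywhere

# Constructed sample data: cell = (MCC, MNC, LAC, CID) on test network 001/01.
CELL_A = ("001", "01", 100, 1)
CELL_B = ("001", "01", 100, 2)
CELL_FAR = ("001", "01", 200, 9)
ROGUE = ("001", "01", 999, 77)
SAMPLE = (
    [(47.6012 + i * 0.0002, -122.3312, CELL_A) for i in range(4)]
    + [(47.6014, -122.3314, CELL_B)] * 3
    + [(47.7012, -122.3012, CELL_FAR)] * 3
    + [(47.6013, -122.3313, ROGUE)]   # a single sighting stays below min_sightings
)

if __name__ == "__main__":
    baseline = build_baseline(SAMPLE)
    for fix in [(47.6013, -122.3313, CELL_A), (47.6013, -122.3313, ROGUE),
                (47.6013, -122.3313, CELL_FAR), (48.0012, -122.0012, CELL_A)]:
        print(fix, "->", check(baseline, *fix))
```

An "unknown-cell" or "relocated-cell" result also fires for a legitimately new or re-planned tower, so it is a lead for review rather than a verdict.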

------
pm24601
It would be nice if there was a way for cellphones to reject connection with
the anomalous "base towers"

~~~
awqrre
It would also be nice if they could get sued/jailed for the use of stingrays

------
Scoundreller
Are they really running a DC->AC inverter, and then plugging SMPS AC->DC
converters into it?

~~~
boxcardavin
Multiple stable 2.5amp sources for a Pi and other devices is important and not
always reliable with many 12v->5v converters or even (how I would
probably do it) with a power bank that acts as a buffer and is charged via
12v.

It's messy but it works, if that bothers you then you should read about how
inefficient compilers can be.

~~~
flamedoge
compilers are pretty dumb, but it's inching towards perfection every second.

------
bicubic
Are the collected datasets available publicly?

------
1001101
Clone that github repo while you can.

------
JumpCrisscross
How come there hasn't been a serious hack or heist involving criminals with
IMSI catchers?

------
nafizh
Wow, this feels like something similar to the mechanism Batman uses to find
Joker at the end of The Dark Knight movie. Instead of Joker, it's
IMSI-Catchers.

It would be interesting to see how they validate their findings which should
be a challenge I guess.

~~~
rosser
I think that would be more them packaging their algorithms into a (preferably
free) smartphone app, which (optionally) silently collects "anomaly
signatures" until it's on a trusted network, where it uploads its findings for
analysis. (It's probably dangerous in some places to do anything that might
overtly indicate you're onto "them"...)

EDIT: Based on another top-level comment, someone's already running with a
similar idea.

------
IshKebab
Off-topic, but I'm so sick of this website theme. Can you please make more
than one sentence fit on the screen?

~~~
tdy721
I really do despise iOS for removing the "zoom" feature from the browsers. Not
really sure about Android...

Also, IOS is the name for the switch OS by Cisco,,, amirite?

