
Who catches the IMSI catchers? Researchers demonstrate Stingray detection kit - brakmic
https://techcrunch.com/2017/06/02/who-catches-the-imsi-catchers-researchers-demonstrate-stingray-detection-kit
======
sctb
Previous discussion:
[https://news.ycombinator.com/item?id=14474956](https://news.ycombinator.com/item?id=14474956)

------
payne92
Underlying paper with all of the tech details:
[https://seaglass-web.s3.amazonaws.com/SeaGlass___PETS_2017.p...](https://seaglass-web.s3.amazonaws.com/SeaGlass___PETS_2017.pdf)

And the web site with all of the software:
[https://seaglass.cs.washington.edu/](https://seaglass.cs.washington.edu/)
(most interesting section: algorithms)

------
cbanek
The tricky part would be eliminating non-stingray signals.

T-Mobile's HQ is in Bellevue, and I'm sure they have some test towers probably
set up in their building. These signals can easily "get away from you."

I worked on Windows Phone, and we had a Faraday cage set up with various
different cellular networks coming in over the wire, which we would set up
with different attenuation to test cellular radio handoff. One time someone
left the door open, and the whole floor of the building roamed over to the UK.
It was not a good day for international roaming charges.

~~~
devindotcom
Yeah, there's a lot of legwork to be done if you want to use this kind of
data, but it's legwork that can be distributed fairly easily. People can check
public listings for this or that tower type, carriers document their test
setups, etc. Once you weed out the strange but not _that_ strange stuff you
probably see a few like the one in Sea-Tac.

------
csense
The next generation of the cellphone protocol should include some kind of PKI
so the telco can't be spoofed without its permission.

Don't know if that will actually help, because the telcos are already quite
compliant about giving every bit of data that passes through their systems to
the NSA.

~~~
schoen
> The next generation of the cellphone protocol should include some kind of
> PKI so the telco can't be spoofed without its permission.

3G already does this. But apparently IMSI catchers have often been able to get
around this by various means, including downgrading to an earlier GSM protocol
(that lacks authentication), or spoofing a carrier from a different region
(whose keys they have obtained somehow) in order to induce roaming, or somehow
obtaining keys of a local carrier. I have heard there are a couple of other
tricks too but I don't know what those are.

> Don't know if that will actually help, because the telcos are already quite
> compliant about giving every bit of data that passes through their systems
> to the NSA.

It's true that IMSI catchers can also be used to wiretap mobile telephony and
SMS, which trust the carrier to provide confidentiality, but that doesn't
cover everyone's use of mobile data services. But IMSI catchers often
represent a very different kind of threat, which is not just wiretapping but
real-time location tracking and/or enumerating devices that are present in an
area.
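The downgrade and foreign-carrier tricks listed in the comment above, together with cbanek's and devindotcom's point that known test towers and public tower listings have to be weeded out before anything is flagged, map onto a simple scoring heuristic. The block below is an added illustration, not code from SeaGlass, SnoopSnitch or any commenter; the observation fields, the sample whitelist, the weights and the thresholds are all assumptions chosen for the example.

```python
"""Heuristic scoring of observed base stations for IMSI-catcher indicators.

Added illustration; not code from SeaGlass, SnoopSnitch or the thread's
commenters. Observation fields, weights and thresholds are assumptions
chosen to show the idea, not measured detection metrics.
"""
import csv
from dataclasses import dataclass
from io import StringIO
from typing import List, Optional, Set, Tuple

CellKey = Tuple[str, str, int, int]  # (mcc, mnc, lac, cell_id)


@dataclass(frozen=True)
class CellObservation:
    mcc: str                    # mobile country code
    mnc: str                    # mobile network code
    lac: int                    # location area code
    cell_id: int
    rat: str                    # radio access technology: "GSM", "UMTS" or "LTE"
    cipher: str                 # negotiated cipher; "A5/0" means no GSM encryption
    rssi_dbm: int               # received signal strength
    neighbors: Tuple[int, ...]  # neighbour cell ids the cell advertises


# Constructed sample of known legitimate cells, standing in for public tower
# listings or a carrier's documented test setup.
KNOWN_CELLS_CSV = """mcc,mnc,lac,cell_id
310,260,4123,9001
310,260,4123,9002
310,260,4124,9010
"""


def parse_known_cells(text: str) -> Set[CellKey]:
    """Parse an mcc,mnc,lac,cell_id CSV into a whitelist of cell keys."""
    rows = csv.DictReader(StringIO(text))
    return {(r["mcc"], r["mnc"], int(r["lac"]), int(r["cell_id"])) for r in rows}


def score_observation(obs: CellObservation, known: Set[CellKey], home_mcc: str,
                      prev: Optional[CellObservation] = None) -> Tuple[int, List[str]]:
    """Return an assumed anomaly score plus the reasons that contributed to it."""
    score, reasons = 0, []
    if (obs.mcc, obs.mnc, obs.lac, obs.cell_id) not in known:
        score += 2
        reasons.append("cell not in known-tower list")
    # GSM (2G) does not authenticate the network to the phone, so a forced
    # fall-back from UMTS/LTE to GSM is the downgrade trick described above.
    if obs.rat == "GSM" and prev is not None and prev.rat in ("UMTS", "LTE"):
        score += 3
        reasons.append("downgrade from %s to GSM" % prev.rat)
    if obs.rat == "GSM" and obs.cipher == "A5/0":
        score += 3
        reasons.append("GSM session with no encryption (A5/0)")
    # A cell announcing a foreign country code can induce roaming onto a
    # network the fake cell's operator holds keys for.
    if obs.mcc != home_mcc:
        score += 2
        reasons.append("foreign MCC %s (unexpected roaming)" % obs.mcc)
    if not obs.neighbors:
        score += 1
        reasons.append("no neighbour cells advertised")
    if obs.rssi_dbm > -50:
        score += 1
        reasons.append("unusually strong signal (%d dBm)" % obs.rssi_dbm)
    return score, reasons


SUSPICIOUS, LIKELY = 3, 6  # assumed thresholds


def classify(score: int) -> str:
    if score >= LIKELY:
        return "likely IMSI catcher"
    if score >= SUSPICIOUS:
        return "suspicious"
    return "benign"


def demo() -> dict:
    """Score three constructed observations against the constructed whitelist."""
    known = parse_known_cells(KNOWN_CELLS_CSV)
    home = CellObservation("310", "260", 4123, 9001, "LTE", "EEA2", -85, (9002, 9010))
    downgrade = CellObservation("310", "260", 4123, 7777, "GSM", "A5/0", -45, ())
    roam = CellObservation("234", "15", 1, 5, "UMTS", "UEA1", -80, (6, 7))
    results = {}
    for name, obs in (("home", home), ("downgrade", downgrade), ("roam", roam)):
        prev = None if obs is home else home
        score, reasons = score_observation(obs, known, home_mcc="310", prev=prev)
        results[name] = (score, classify(score))
        print(name, score, classify(score), reasons)
    return results


if __name__ == "__main__":
    demo()
```

Running `demo()` scores the known LTE cell as benign, the unknown unencrypted GSM cell seen right after an LTE attachment as a likely catcher, and the unknown foreign UMTS cell as merely suspicious; the whitelist step is what keeps a carrier's documented test tower from scoring at all.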

------
Datenstrom
I spent the last year researching, designing, then implementing an IMSI
Catcher detector, at first as a hobby, then as my capstone project. There
already exist working, fairly mature solutions for this, and they are very open
about their detection metrics, specifically SnoopSnitch [1].

The major drawback of the SnoopSnitch solution is that it is a phone app and
is tightly coupled with the hardware and drivers. We were attempting to
demonstrate that it could be done in a way portable across desktop operating
systems and phones, and we succeeded in creating a proof of concept at a cost
of $200 [2].

This solution is also better suited to use as a centralized device for
organizations to use that can be audited by security personnel to protect
against corporate espionage. This is a real threat demonstrated by the fact
that by simply changing a few lines of code in the IMSI Catcher detector a few
undergrads built we could have an IMSI Catcher. This need is often left out of
the arguments for IMSI Catcher detectors and I think that is very harmful
because the first thing said about the project has always been "They will just
make it illegal." This is much more unlikely when you consider that anyone can
build one.

I would like to continue development beyond the proof of concept but have lost
most of my team now that school is out; if anyone would be interested, you can
contact me. Some commercial IMSI Catcher detectors sell for as much as
$40,000.

[1]
[https://opensource.srlabs.de/projects/snoopsnitch/wiki/IMSI_...](https://opensource.srlabs.de/projects/snoopsnitch/wiki/IMSI_Catcher_Score)

[2] [https://gitlab.com/finding-ray/antikythera](https://gitlab.com/finding-ray/antikythera)

~~~
jacquesm
Interesting project!

> This need is often left out of the arguments for IMSI Catcher detectors and
> I think that is very harmful because the first thing said about the project
> has always been "They will just make it illegal." This is much more
> unlikely when you consider that anyone can build one.

But that isn't true. Anybody can make firearms, explosives and all kinds of
bad stuff, and plenty of that is illegal depending on where you live.

The fact that something is easy does not have much to do with legality, if it
did then pot would have been legal long ago.

~~~
Datenstrom
True. I just found the argument for IMSI Catcher Detectors to be more
effective once I changed from presenting it as "fighting state surveillance"
to "protecting corporate IP"; most people stopped even suggesting that it will
be made illegal (usually citing radar detectors).

------
watertorock
Interesting.

Wouldn't it be a desirable phone feature to be able to list and select a cell
tower connection the same way you can select wifi?

~~~
oretoz
A key feature of cellular networks is mobility, and if user interaction were
needed it would make them unwieldy.

------
joering2
This is one of those moments when it would be nice to have Steve Jobs step in.
He certainly did not like the Government abusing its powers (he used to buy or
rent [don't remember] his Benz from a CA dealer once every six months and drove
on paper license plates because that's how long you can drive on non-hard
plates). I bet you the newest update of the OS would have detection and
rejection of connections from unknown sources turned on by default.

Overnight Stingray producer - bankrupt.

