How to Detect IMSI Catchers (armadillophone.com)
48 points by pacificresearch on April 8, 2022 | hide | past | favorite | 11 comments



The article focuses heavily on why existing solutions are bad, but doesn’t seem to propose novel detection techniques - or at least glosses a bit over the details of the detection algorithm.

Would the approach be able to detect an AdaptOver/LTrack style attack?


The Radio Sentinel app is our new solution, a combination of several offline heuristic detection methods designed to minimize false positives. It can detect not only IMSI catchers but also binary SMS, silent SMS and some SS7 attacks. You can read more in our followup article: https://armadillophone.com/blog/radio-sentinel

LTrack is one of the stealthiest IMSI catchers I'm aware of, because it's almost entirely passive, and the victim never actually connects to the attacker. Radio Sentinel can detect AdaptOver style attacks that use empty paging requests for the DoS and downgrade attacks.

We are working on further improving Radio Sentinel to also detect suspicious "Attach Reject" and "Identity Request" messages used by LTrack. We're also adding methods to detect connected messages without a MAC, and repeated overshadowing messages, as described in the Detection section of the AdaptOver paper. Unfortunately LTrack was published just after we released the initial version of Radio Sentinel so it wasn't added, but we're continuing to improve it.

One big downside to the AdaptOver/LTrack style attacks is they require a signal at least 3 dBm stronger than the real tower, which is not always feasible when dealing with noisy environments. This is a downside compared to traditional IMSI catchers that the victim directly connects to. In the AdaptOver paper they mention that even if the victim is 1 km from the real tower, the attacker cannot be farther than 70 m from the victim.


Nice, thanks for the link. I'm the author of AdaptOver, and I'm in the process of releasing a new version (paper is under submission atm) that removes the range limitations almost entirely by overshadowing the uplink instead of the downlink. It works by coercing the legitimate base station to transmit the attack message as a response (i.e., Identity Request, Attach Reject, …).

I'm interested to see if Radio Sentinel could/will detect the new improved version! Would you be willing to provide us with a test version/device?


Hi, author here. If you have any questions about IMSI catchers I'd be happy to help :)


Hi, this sounds interesting... But when I try to enter the site I just get an image of an armadillo. I do browse with JavaScript disabled, so that is most likely the reason, but I can also imagine that a fair bit of your audience is at the slightly more paranoid end, so if you want to reach out I would recommend making a page that can be viewed without requiring JavaScript.


This is a fair criticism and something I'll bring up with the team.


Do you plan to upload your kernel sources? This site seems ambiguous considering the open source nature of the product...


Yes, although the code needs to be updated, you can view our kernel code here: https://github.com/pacificresearchalliance/kernel_google_cro...

The only change to the kernel required for our Radio Sentinel app is DIAG_CHAR=y when building.


Crosshatch is the Pixel 3 XL, which is EOL. Any sources for your devices in stock?


Thanks for the article!

Can you explain how an IMSI catcher works on a protocol level?


There's a wide variety of attack methods; however, most usually fall into one of two types:

1. Active interception. The IMSI catcher is actively transmitting data to the victim device and forcing it to connect, appearing to be a normal cell tower. These are the most common and can usually get a very accurate location. Because 4G and earlier don't require the tower to authenticate to the device, only the device to the tower, there really isn't any vulnerability required to do this. They use different tricks to entice the victim to connect or update its location (e.g. falsely inflating its signal strength, appearing to be the only tower in a location, increasing the frequency of location updates). Some of these techniques are mentioned in the "Warnings" section of another article describing our Radio Sentinel app: https://armadillophone.com/blog/radio-sentinel

2. Passive interception. The IMSI catcher doesn't transmit any data, or transmits very little data. It's able to gather data and location from the victim using unencrypted data sent over the control plane. These generally aren't able to extract as much data, or as accurately as active interception, but they're much harder to detect. Usually they aren't able to extract the device's IMSI for example. However, there was a recent paper describing a passive IMSI catcher that was both extremely hard to detect and great at tracking victims: https://www.usenix.org/system/files/sec22summer_kotuliak.pdf

If you'd like a more technical description of the techniques described, I'd be happy to jump into that too.
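The heuristics named in this thread (a cell that inflates its signal strength, a cell that claims to be the only tower, frequent location updates, an LTE-to-GSM downgrade, plus the empty paging requests and IMSI Identity Requests mentioned in the earlier reply) as a small offline detector run over a constructed event capture. This is an added example, not Radio Sentinel's code; the event fields, thresholds and sample values are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed event records, loosely modelled on what a baseband diagnostic
# feed exposes. Field names and values are assumptions for this example.
@dataclass
class RadioEvent:
    t: float                       # seconds since capture start
    kind: str                      # "cell", "lu", "identity_request", "paging"
    rat: str = ""                  # radio technology of a "cell" event: "LTE"/"GSM"
    cell_id: int = 0
    rsrp: int = 0                  # reported signal strength, dBm (constructed)
    neighbors: List[int] = field(default_factory=list)
    ident_type: str = ""           # "IMSI"/"IMEI" for identity_request events
    records: int = -1              # paging-record count for paging events

def detect(events: List[RadioEvent], lu_window: float = 60.0,
           lu_max: int = 3, jump_db: int = 20) -> List[Tuple[float, str]]:
    """Apply the heuristics discussed in the thread; return (time, reason) warnings."""
    warnings, prev, lu_times = [], None, []
    for e in events:
        if e.kind == "cell":
            if not e.neighbors:
                warnings.append((e.t, "cell advertises no neighbours"))
            if prev and prev.rat == "LTE" and e.rat == "GSM":
                warnings.append((e.t, "downgrade LTE -> GSM"))
            # A cell never announced as a neighbour that suddenly reports a much
            # stronger signal matches the "inflated signal strength" trick.
            if (prev and e.cell_id != prev.cell_id and e.cell_id not in prev.neighbors
                    and e.rsrp - prev.rsrp >= jump_db):
                warnings.append((e.t, "unannounced cell with implausible signal jump"))
            prev = e
        elif e.kind == "lu":             # location / tracking-area update
            lu_times = [x for x in lu_times if e.t - x <= lu_window] + [e.t]
            if len(lu_times) > lu_max:
                warnings.append((e.t, "excessive location updates"))
        elif e.kind == "identity_request" and e.ident_type == "IMSI":
            warnings.append((e.t, "Identity Request for IMSI"))
        elif e.kind == "paging" and e.records == 0:
            warnings.append((e.t, "empty paging request"))
    return warnings

# Constructed capture: a normal LTE cell, then a rogue cell showing several tricks.
SAMPLE = [
    RadioEvent(0, "cell", rat="LTE", cell_id=1001, rsrp=-95, neighbors=[1002, 1003]),
    RadioEvent(5, "paging", records=0),
    RadioEvent(10, "cell", rat="GSM", cell_id=7777, rsrp=-60, neighbors=[]),
    RadioEvent(12, "identity_request", ident_type="IMSI"),
    RadioEvent(20, "lu"), RadioEvent(30, "lu"), RadioEvent(40, "lu"), RadioEvent(50, "lu"),
]

def sample_reasons() -> List[str]:
    return [reason for _, reason in detect(SAMPLE)]
```

Each heuristic on its own is noisy (a real handover can also look like a signal jump); the thread's point about combining several of them to keep false positives down is why `detect` reports every triggered reason rather than a single verdict.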



