The goal is the research and development of an Intrusion Detection System for cellular networks.
Mainly, this app will check the status of some cell network variables (e.g. Cell ID, LAC, A5 encryption, etc.), update a local DB accordingly, and check whether the information about the cell networks around the user is valid or whether there could be a risk (e.g. possible interception, possible impersonation, etc.).
iParanoid: an IMSI Catcher - Stingray Intrusion Detection System
1. Bootcamp 2012 - University of Luxembourg
Luca Bongiorni - 20/09/2012
2. GSM, or 2G, even if outdated (1987), is the most popular radio communication standard around the world.
It is widely deployed!
It counts more than 4.4 billion subscribers spread across more than 200 countries.
4. "… police had been detecting unauthorized IMSI catchers being used across the country, though had not been able to catch any of the perpetrators. … Former Czech intelligence agency chief A. Sandor said that businesses could be using them to spy on one another. … it's possible that criminal gangs could be using them for extortion"
• What happens if competitors use it to take advantage of your company?
• What happens if someone intercepts you and then extorts money from you?
Think about it…
5. In the last years many practical attacks have been publicly disclosed!
Using cell phones is no longer safe for private life or for business.
Some of the threats that you should be aware of:
• IMSI-Catchers (e.g. location disclosure, call, SMS and banking mTAN interception, hijacking of emergency calls, user impersonation, etc.)
• Passive sniffing / cracking (if the operator uses a weak encryption algorithm, your data, calls and SMS can be easily intercepted by everyone!)
6. • Lack of Mutual Authentication
o The MS is authenticated by the network, not vice versa
• Subscriber Mobility
o The stronger signal wins (Cell Selection & Reselection)
o Forced Location Update (if LAC(PLMN) != LAC(IMSI-Catcher) then switch to the IMSI-Catcher)
• Encryption is NOT Compulsory
o A5/0: No Encryption
9. Don't worry! UMTS & LTE are vulnerable as well!
What happens if we JAM the UMTS & LTE frequencies?!
Le UE: "Nice to meet you again, sir GSM"
Le GSM: "Welcome back, my dear"
13. "GPRS Intercept: Wardriving phone networks"
by Nohl & Melette, 2011
http://tinyurl.com/gprs-nohl-slides
Many operators do NOT encrypt communications!!!
16. A Mobile Cell Networks Intrusion Detection System
iParanoid is an Android App (and soon also for iPhone) that acts as a sort of real-time IDS (Intrusion Detection System): it alerts the subscriber in case something strange is happening and reacts in order to prevent attacks or data loss:
• Man In The Middle Attacks (Phone Interception)
• No Encryption adopted by the operator
• Impersonation Attacks
• Denial of Service
• Silent Calls or SMS
17. iParanoid has two Operative Modes:
• Offline Mode: The App should be able to show which encryption level is used by the Cell Network and alert the user in case that encryption level changes (e.g. A5/1 -> A5/2 -> A5/0) and if the tuple (CellID/LAC) changes too.
• Online Mode: The App should retrieve the list of all Trustable BTSes (related to the area where the user is located, thanks to the GPS) from the remote server. **
** High Encryption Level needed (e.g. GPG)
Both operative modes can be run as a daemon from the boot of the phone (without user interaction) or launched by the user as a usual app.
18. The App should use the Android APIs to retrieve some important variables from the Cell Network, like: MNC, MCC, LAC, CID, Cipher indicator A5 (possibly also CRO, T3212 and Neighbour Cells).
Then, once the GPS position has also been retrieved, all data are evaluated and sent to a remote server that will further analyze the Security Level and report any malicious behaviour.
In case of alerts the user will be notified and he/she will have the possibility to spread them through Social Networks or the iParanoid webserver (anonymously).
20. The Server should use TWO DBs:
• Trustable BTS Towers DataBase (e.g. http://www.opencellid.org)
• Anonymous Users Alerts (GPS position, Timestamp & Type of Risk)
The Server should be able to:
Analyze and correlate the information between the first DB and the data that has been sent from iParanoid.
In case of malicious behaviour, it should notify the user with an Alert.
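As an added example (not part of the deck and not the iParanoid app's own code), the Offline Mode checks of slide 17 and the trusted-BTS correlation of slide 20 written as language-agnostic detection logic in Python rather than Android Java: the snapshot fields follow slide 18, while the cipher ranking, the class and function names and the operator/cell values are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# Cipher indicator ranking (assumed): higher is stronger; A5/0 is no encryption at all.
CIPHER_RANK = {"A5/0": 0, "A5/2": 1, "A5/1": 2, "A5/3": 3}

@dataclass(frozen=True)
class CellSnapshot:
    """One reading of the serving cell: the variables slide 18 lists."""
    mcc: int
    mnc: int
    lac: int
    cid: int
    cipher: str  # cipher indicator, e.g. "A5/1"

CellKey = Tuple[int, int, int, int]  # (MCC, MNC, LAC, CID)

def check_snapshot(prev, cur, trusted) -> List[str]:
    """Offline-mode checks: encryption downgrade and LAC/CID change.
    Online-mode check: serving cell absent from the trusted BTS list."""
    alerts = []
    if prev is None and cur.cipher == "A5/0":
        alerts.append("no encryption (A5/0)")
    if prev is not None:
        if CIPHER_RANK[cur.cipher] < CIPHER_RANK[prev.cipher]:
            alerts.append(f"encryption downgrade {prev.cipher} -> {cur.cipher}")
        if (prev.lac, prev.cid) != (cur.lac, cur.cid):
            alerts.append(f"cell change LAC/CID {prev.lac}/{prev.cid} -> {cur.lac}/{cur.cid}")
    if (cur.mcc, cur.mnc, cur.lac, cur.cid) not in trusted:
        alerts.append("cell not in trusted BTS database")
    return alerts

def run_ids(snapshots, trusted) -> List[Tuple[int, str]]:
    """Feed consecutive readings through the checks; return (reading index, alert) pairs."""
    report, prev = [], None
    for i, cur in enumerate(snapshots):
        report.extend((i, a) for a in check_snapshot(prev, cur, trusted))
        prev = cur
    return report

# Constructed sample data: two trusted cells of a fictitious operator (MCC 222, MNC 1), then a
# reading on an unknown cell with no encryption: the forced location update + A5/0 of slide 6.
TRUSTED_BTS: Set[CellKey] = {(222, 1, 1000, 5001), (222, 1, 1000, 5002)}
SAMPLE = [CellSnapshot(222, 1, 1000, 5001, "A5/1"),
          CellSnapshot(222, 1, 1000, 5002, "A5/1"),
          CellSnapshot(222, 1, 1000, 9999, "A5/0")]

if __name__ == "__main__":
    for idx, alert in run_ids(SAMPLE, TRUSTED_BTS):
        print(f"reading {idx}: {alert}")
```

A plain cell change to a trusted cell is normal mobility and is reported only for completeness; the downgrade and untrusted-cell alerts are the ones that match the IMSI catcher behaviour the deck describes.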