Big FAQ on mobile interception: IMSI catchers and how to protect yourself from them



Hello to everyone running in the shadows! Hello, random carders. By now even housewives probably know that public Wi-Fi hotspots are insecure. That does not stop ordinary users from using them for all they are worth: after all, if you shouldn't, but you are bored and really want to, then you can!

And without any VPN, even though a VPN function is now bundled into many antivirus suites. A normal mobile connection has always been considered a healthy alternative to Wi-Fi, especially since it is getting cheaper and faster every year. But is it as safe as we think? In this article we have collected the main questions and answers on mobile data interception, to determine whether an ordinary user, far removed from state secrets, has anything to fear.

Let's go:

WARNING

Overly active work in the radio spectrum requires special approval and licensing; if you ignore this, you automatically fall into the category of "bad guys".

What is an IMSI interceptor?
This is a device (the size of a suitcase, or even just a phone) that exploits a design feature of mobile phones: they prefer the cell tower whose signal is strongest, in order to maximize signal quality and minimize their own power consumption. In addition, in GSM (2G) networks only the mobile phone must pass the authentication procedure (nothing is required of the cell tower), so it is easy to mislead the phone, including making it disable data encryption. The universal UMTS (3G) mobile communication system, by contrast, requires two-way authentication; however, this can be circumvented by using the GSM compatibility mode present in most networks. 2G networks are still widespread: operators use GSM as a backup network in places where UMTS is not available. More in-depth technical details of IMSI interception are available in the report of the SBA Research center. Another informative description, which has become a desktop document of modern cyber counterintelligence specialists, is the article "Your Secret StingRay's No Longer Secret at All", published in the fall 2014 issue of the Harvard Journal of Law & Technology.



When did the first IMSI interceptors appear?
The first IMSI interceptors appeared in 1993 and were large, heavy and expensive. "Long live domestic microchips: with fourteen legs... and four handles." The manufacturers of such interceptors could be counted on the fingers of one hand, and the high cost limited the circle of users to government agencies only. However, they are now becoming cheaper and less bulky. For example, Chris Paget built an IMSI interceptor for just $1,500 and presented it at the DEF CON conference back in 2010. His version consists of a programmable radio and free open source software: GNU Radio, OpenBTS, Asterisk. All the information a developer needs is publicly available. And in mid-2016, the hacker Evilsocket offered his own version of a portable IMSI interceptor for just $600.

How do IMSI interceptors monopolize access to mobile phones?
  • They trick your mobile phone into thinking that this is the only available connection.
  • They are configured so that you cannot make a call except through the IMSI interceptor.
  • Read more about monopolization in the SBA Research center publication: IMSI-Catch Me If You Can: IMSI-Catcher-Catchers.

The commercially sold interceptors are impressive. What about home-made ones?
  • Today (in 2021), enterprising technicians build IMSI interceptors from high-tech off-the-shelf components and a powerful radio antenna available for public sale, and spend no more than $600 (see the version of the hacker Evilsocket's IMSI interceptor). This applies to stable IMSI interceptors. There are also experimental, cheaper ones that are unstable. For example, in 2013 an unstable IMSI interceptor was presented at the Black Hat conference whose hardware components cost a total of $250. Today such a build would be even cheaper.
  • If we also take into account that modern Western high-tech military equipment has an open hardware architecture and open software code (this is now a prerequisite for ensuring compatibility of software and hardware systems developed for military needs), then developers interested in manufacturing IMSI interceptors hold all the trumps. You can read about this modern trend in military high-tech in Leading Edge magazine (see the article "Advantages of SoS integration", published in the February 2013 issue). Not to mention that the US Department of Defense recently expressed its willingness to pay $25 million to a contractor who develops an effective system for radio identification (see the April 2017 issue of the monthly magazine Military Aerospace). One of the main requirements for this system is that its architecture and the components it consists of must be open. Thus, openness of architecture is now a prerequisite for the compatibility of software and hardware systems developed for military needs.
  • Therefore, manufacturers of IMSI interceptors do not even need great technical qualifications: they just need to be able to choose a combination of existing solutions and put them in one box.
  • In addition, modern microelectronics, whose prices are falling at a breakneck pace, allows them to fit their home-made designs not only into one box but even (!) into a single chip (see the description of the SoC concept) and to set up an on-chip wireless network (see the description of the NoC concept at the same link), which replaces traditional bus systems. What can we say about IMSI interceptors, when even technical details about the hardware and software components of the ultra-modern American F-35 fighter can be found in the public domain today.

Can I become a victim of "accidental interception"?
Quite possibly. By imitating a cell tower, IMSI interceptors listen to all local traffic, which among other things includes the conversations of innocent passers-by (read "revelations of Big Brother's big sister"). This is a favorite argument of the "privacy advocates" who oppose the use of IMSI interceptors by the law enforcement agencies that use this high-tech equipment to track down criminals.

In general, future cyberstalkers, we continue to dive to the very bottom of the DarkNet, and then even further, into the Deep. After all, nobody promised it would be easy. The continuation of this article will be published a little later.



Let's continue our topic for advanced users: IMSI catchers. It is the 21st century, after all. So if you want more anonymity and security, act accordingly.

Let's go:

How can the IMSI interceptor track my movements?
  • Most often, the IMSI interceptors used by local law enforcement agencies are used for tracking.
  • Knowing the IMSI of the target mobile phone, the operator can program the IMSI interceptor to connect to the target phone whenever it is within range.
  • Once connected, the operator uses radio frequency mapping to determine the direction of the target.

Can they listen to my calls?
  • This depends on the IMSI interceptor used. Interceptors with basic functionality simply record: "in such and such a place there is such and such a mobile phone".
  • To listen to conversations, the IMSI interceptor needs an additional set of functions, which manufacturers add for an extra fee.
  • 2G calls are easily listened to; IMSI interceptors capable of this have been available for more than a decade.
  • The cost of an IMSI interceptor depends on the number of channels, the operating range, the type of encryption, the speed of encoding/decoding the signal, and which radio interfaces it must cover.

Can they install software on my mobile phone?
  • The IMSI interceptor collects the IMSI and IMEI from your device. This means that the operator knows what model of mobile phone you are using, and sometimes also where you bought it. Knowing the model number makes it easier for the operator to push a firmware update built specially for that phone.
  • Also, your SIM card is already a computer in its own right. It can run simple programs without even interacting with your mobile phone, and without knowing what model your phone is or what operating system it runs.
  • Mobile operators can update the SIM card software remotely, and moreover "in silent mode". Accordingly, if the IMSI interceptor pretends to be the mobile operator, it can do the same. The SIM card's computer can: receive and transmit data, open URLs, send SMS messages, answer and receive calls, connect to and use information services, receive and process events such as "connection established", "connection interrupted" and the like, and run AT commands on the mobile phone.
  • The SIM card's computer can do all of this "in silent mode", so that the phone will not show a single sign of life. You can learn more about the private life of your SIM card from Eric Butler's presentation at DEF CON 21 (2013).



We all know about the dangers of open (and not only) Wi-Fi hotspots. Can I become a victim of interception if I sit everywhere strictly via LTE?

  • First of all, even if your mobile phone is configured for LTE and shows that it is working in this mode, it is far from certain that this is actually the case. If the IMSI interceptor is properly configured, your mobile phone will display a normal 3G or 4G cellular connection while in fact it has been pushed back to the weaker 2G encryption.
  • Some mobile phones even execute commands in LTE mode without prior authentication, although the LTE standard requires it (see the SBA Research report mentioned at the beginning of the article).
  • In addition, since the LTE interface was developed not from scratch but as a modernization of the UMTS interface (which in turn is an upgraded GSM interface), its structure is not that perfect. And despite the widespread adoption of 3G and 4G networks, 2G networks still provide backup access if 3G and 4G become unavailable.
  • Of course, you can configure your mobile phone to connect only to the 4G network, but this network is not available everywhere, so the coverage area for your phone will narrow significantly.

And if I'm a big-shot banker and they might really, really want to take a sniff?
  • The Universal Mobile Telecommunications System (UMTS, 3G) and the Long Term Evolution standard (LTE, 4G) require mutual two-way authentication, but even they are not protected from IMSI interceptors. The devices for intercepting them are, of course, much more expensive. Among others, this role is claimed by the VME Dominator produced by the American company Meganet Corporation.
  • At the DEF CON 22 conference (in 2014), the hacker Justin Case conducted a demonstration hack of the world's most secure smartphone, the Blackphone. It took him only five minutes (see the slides of his talk).
  • In addition, there is a system for intercepting LTE traffic which "does not look for workarounds" but deals with a full-fledged LTE connection. This system was presented in 2014 by Tobias Engel at the annual congress of the Chaos Computer Club, held under the title "A New Dawn".
  • Finally, if the "very, very strong desire to sniff" is backed by a budget of 100 thousand dollars, then you will definitely not be able to protect yourself, because all the most advanced technological components are available for public sale. The US Department of Defense even encourages such openness, so that technology manufacturers compete with each other on quality standards.

What data can I lose if I have HTTPS everywhere and two-factor authorization?
  • HTTPS is not a panacea. You definitely can't hide from the special services: all they need to do is request the SSL keys from the service provider, and they can access all your data transmitted over the network. So unless you belong to the category of "Elusive Joe", you should not count on any guarantee of immunity.
  • On April 14, 2017, WikiLeaks published six documents from the Hive project: tools for unauthorized access to encrypted HTTPS traffic which until recently were used only by CIA employees. So today these tools are available to the general public.
  • Given the scale of the ambitions of international special services (see the publication "Snowden's Truth"), and the fact that the CIA's high-tech treasury is now wide open thanks to Snowden and WikiLeaks, there is reason to expect that anyone can be interested in your data: government intelligence agencies, commercial corporations, hooligan youth. In addition, since the average age of a cybercriminal is gradually decreasing (in 2015 the average age dropped to 17), we can expect these hooligan youths, unpredictable and desperate, to be behind more and more hacking.

How do people protect themselves from interception?
  • IMSI interceptors are becoming more accessible, and demand for protection against them is growing. There are both purely software solutions and hardware-software solutions.
  • Among the software solutions on the market there are many Android applications, for example AIMSICD (interacts with the mobile phone's radio subsystem, trying to spot anomalies there) and FemtoCatcher (similar functionality to AIMSICD, but optimized for Verizon femtocells). GSM Spy Finder, SnoopSnitch and Net Change Detector are also worth noting. Most of them are of poor quality. In addition, a number of applications on the market produce a lot of false positives due to the insufficient technical skills of their developers.
  • To work effectively, the application must have access to the phone's baseband and radio communication stack, and must have first-class heuristics in order to distinguish an IMSI interceptor from a poorly configured cell tower.
  • Among the hardware-software solutions, four devices can be noted:

1. Cryptophone CP500. Sold for $3,500 apiece. As of 2014, more than 30 thousand cryptophones had been sold in the US and more than 300 thousand in other parts of the world.

2. ESD Overwatch. A device with a three-component analyzer (see the description below).

3. Pwn Pro. A device with a built-in 4G module, announced at the RSA conference in 2015; its price is $2,675.

4. Bastille Networks. A device that displays a list of nearby wireless devices that interact over radio (in the range from 100 kHz to 6 GHz).

Can ESD Overwatch provide one hundred percent protection?

  • ESD Overwatch in its basic functionality is equipped with a three-component analyzer that watches for three "bells". The first bell is when the phone moves from the more secure 3G and 4G to the less secure 2G. The second bell is when the connection drops encryption, which makes interception much easier. The third is when the cell tower does not provide a list of other nearby cell towers (this list allows the phone to switch easily between neighboring towers); IMSI interceptors usually leave no alternatives, as they seek exclusive access to the mobile phone.
  • However, it should be understood that even such a three-component approach does not provide one hundred percent protection. By the way, there is a free app (available on Google Play) that claims the same role as Cryptophone with ESD Overwatch: Darshak. In addition, although rarely, there are cases when all three "bells" are present and yet there is no actual IMSI interception. And naturally, the developers of IMSI interceptors, having heard of this three-component counter-interception system, will not be slow to make their next move in this "arms race".
  • Even the military cannot provide one hundred percent protection, although they use one of the most advanced (as of 2018) hardware and software systems, IQ-Software developed by PacStar. IQ-Software is a promising wireless tactical system for exchanging classified information with smartphones and laptops via Wi-Fi and cellular radio stations.
  • For example, in the summer of 2013 the US Air Force published the announcement "B-52 CONECT: Moving into the digital age". CONECT's "combat network communications technology" will help the strategic B-52 ultra-long-range bomber integrate into the modern cyber infrastructure, transforming this analog aircraft into a digital platform that can be commanded from a regular smartphone.
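The three "bells" above, and the kind of heuristic an anti-IMSI-catcher app needs, can be shown as code. This is an added example, not ESD Overwatch's or any app's own logic: it walks a constructed list of serving-cell observations (the field names and cipher labels are assumed) and reports how many bells each one trips, leaving the verdict to the reader, since the text notes that a misconfigured tower can trip all three.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One serving-cell observation, as a baseband-monitoring app might report it.
# Field names and cipher labels are assumed for this example.
@dataclass
class CellObservation:
    ts: int                      # seconds since the capture started
    rat: str                     # radio access technology: "GSM", "UMTS" or "LTE"
    cipher: str                  # negotiated cipher, e.g. "A5/1", "A5/0" (GSM, none), "EEA2"
    neighbours: List[str] = field(default_factory=list)  # neighbour list advertised by the cell

RAT_RANK = {"GSM": 2, "UMTS": 3, "LTE": 4}              # higher is the more secure generation
NULL_CIPHERS = {"A5/0", "UEA0", "EEA0"}                 # "no encryption" identifiers per generation

def check_downgrade(prev: Optional[CellObservation], cur: CellObservation) -> bool:
    """Bell 1: the phone moved from 3G/4G down to 2G."""
    return prev is not None and RAT_RANK[prev.rat] > RAT_RANK["GSM"] and cur.rat == "GSM"

def check_no_cipher(cur: CellObservation) -> bool:
    """Bell 2: the connection is running without encryption."""
    return cur.cipher in NULL_CIPHERS

def check_no_neighbours(cur: CellObservation) -> bool:
    """Bell 3: the cell advertises no neighbouring cells to hand over to."""
    return len(cur.neighbours) == 0

def analyse(observations: List[CellObservation]) -> List[Dict]:
    """Walk the capture in order and report every observation with at least one bell."""
    findings = []
    prev = None
    for cur in observations:
        bells = []
        if check_downgrade(prev, cur):
            bells.append("downgrade")
        if check_no_cipher(cur):
            bells.append("no_cipher")
        if check_no_neighbours(cur):
            bells.append("no_neighbours")
        if bells:
            findings.append({"ts": cur.ts, "rat": cur.rat, "bells": bells})
        prev = cur
    return findings

def severity(bells: List[str]) -> str:
    """All three bells is the strongest signal but not proof: a misconfigured tower can trip them too."""
    return {3: "all three bells", 2: "two bells", 1: "one bell"}.get(len(bells), "none")

# Constructed capture: normal LTE, then an unencrypted GSM cell with no neighbours, then LTE again.
SAMPLE = [
    CellObservation(0, "LTE", "EEA2", ["cell-B", "cell-C"]),
    CellObservation(30, "LTE", "EEA2", ["cell-B", "cell-C"]),
    CellObservation(60, "GSM", "A5/0", []),
    CellObservation(90, "GSM", "A5/0", []),
    CellObservation(120, "LTE", "EEA2", ["cell-B"]),
]

if __name__ == "__main__":
    for f in analyse(SAMPLE):
        print(f"t={f['ts']:>4}s {f['rat']:<4} {severity(f['bells'])}: {', '.join(f['bells'])}")
```

Note that the second GSM observation no longer counts as a downgrade (the previous cell was already 2G), which is why a real app has to keep history rather than judge each report in isolation.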

INFO

It is for such purposes that the military is very interested in secure communications, but even they cannot provide absolute protection for themselves.

Will the IMSI eavesdroppers be able to continue listening to me if I change my SIM card?
  • The IMSI interceptor captures your IMSI from your SIM card and your IMEI from your mobile phone. Both of these parameters are then stored in a centralized database. So changing SIM cards or changing mobile phones will not help.
  • Of course, if you take a new mobile phone and a new SIM card, there will be no record of them in the centralized IMSI interceptor database. However, the people you contact will also need to buy new mobile phones and new SIM cards. Otherwise, cross-referencing the centralized database will put you back on the IMSI interceptor's list.
  • In addition, the IMSI interceptor can track mobile devices located in a specific geographic area.

And if I'm on CDMA, will I be protected from an IMSI interceptor?
No, because the same manufacturers that make GSM IMSI interceptors also make CDMA versions; and some even produce versions for Iridium (a global satellite operator) and Thuraya (a regional satellite telephone operator that operates in Europe, Central Asia, Australia, and Africa). Among them are Israel's Ability lab and Thailand's Jackson Electronics.

Why do bad guys use IMSI interceptors?
  • To terrorize others with threatening text messages.
  • To monitor the conduct of law enforcement investigations.
  • For government, commercial, and domestic espionage.
  • To steal personal information transmitted by mobile phone.
  • To prevent the mobile phone user from contacting emergency services.

How common are IMSI interceptors today?
  • Aaron Turner, head of the IntegriCell research center, which specializes in mobile device security, conducted his own independent investigation. During a two-day drive with a cryptophone (which tracks suspicious mobile activity), he came across 18 IMSI interceptors, mostly near specialized government agencies and military bases.
  • At the same time, Turner does not undertake to say whose IMSI interceptors they are: whether the special services are doing the monitoring, or whether someone is monitoring the special services. This was reported in 2014 by The Washington Post.
  • In the same year, the news site Popular Science published the results of another sensational investigation, during which 17 more IMSI interceptors were discovered over a month of travel across the United States.
  • In addition, if we recall that in 2014 alone more than 300 thousand cryptophones, which solve the opposite problem to IMSI interceptors, were sold worldwide, we can also get some idea of the prevalence of the latter. After all, it is reasonable to assume that a significant share of these buyers also use IMSI interceptors. So your chances of encountering an IMSI interceptor are quite real.

In general, how promising is the IMSI interception technique? Maybe there are some more effective alternatives?
There is also Wi-Fi radio mapping, which combines the old analog school with modern digital power. This approach works at a lower level and is therefore more flexible: it can be used to monitor even people who carry no equipment at all. Take, for example, WiSee, which recognizes human gestures, WiVe, which sees moving objects behind a wall, WiTrack, which tracks a person's three-dimensional movements, and finally WiHear, which can read lips. But since these are fundamentally different technologies, we will talk about them in more detail another time.

We draw conclusions, cyberstalkers. And remember, safety, bitch, decides. And the best defense is offense...

xakep.ru