In GSM the network is not authenticated to the mobile phone, which allows man-in-the-middle (MITM) attacks: an attacker who sets up a rogue base transceiver station (BTS) can intercept traffic and track the users of a cellular network. This defect, combined with the backward compatibility required of mobile networks, makes GSM, UMTS, and LTE networks all susceptible to MITM attacks. Such attacks are conducted with IMSI-catchers (ICs). Most IC-detection solutions proposed in the literature require specific mobile devices with root access, and they cannot identify ICs to which the user is not connected. In this paper, we propose an approach called YAICD for detecting ICs in GSM networks. YAICD consists of a sensor that can be installed on Android mobile devices; it detects ICs by extracting 15 parameters from the signals received from BTSs. We also built a lab-scale testbed to evaluate YAICD on the individual detection parameters and to compare it against existing solutions in the literature. The experimental results show that YAICD not only detects ICs using these parameters but also identifies neighboring ICs to which the user is not yet connected.
Cell sites, known as base transceiver stations (BTSs), constitute the underlying infrastructure of today's cellular networks. They connect end-users' mobile devices to a wider network (for example, a cellular carrier's core network and the Internet) by carrying audio streams, short messages, and IP data packets. Unfortunately, weaknesses of the Global System for Mobile Communications (GSM) make it possible to create fake base transceiver stations (FBTSs): the GSM standard does not require a mobile device to authenticate the BTS it connects to. Currently, millions of BTSs simultaneously support GSM, Universal Mobile Telecommunications System (UMTS), and Long-Term Evolution (LTE) networks and serve billions of mobile phones. Most mobile devices support all three, and when several networks are available they tend to select the one with the highest signal strength. This allows attackers to launch their own GSM cell sites with high signal strength. By sending malicious signals, attackers can even force GSM-compatible 3G/4G phones to fall back to GSM mode. These defects of GSM, along with the need for backward compatibility in cellular networks, expose all GSM, UMTS, and LTE networks to man-in-the-middle (MITM) attacks that make use of FBTSs.
In the cellular network architecture, every subscriber is identified by an International Mobile Subscriber Identity (IMSI), stored on the SIM card, and every handset by an International Mobile Equipment Identity (IMEI). During network attachment these identifiers are exchanged between the mobile phone and the BTS over the air. To avoid disclosing a user's IMSI, the GSM security architecture substitutes a Temporary Mobile Subscriber Identity (TMSI) once the phone is known to the network. However, in two cases the IMSI is transmitted unencrypted before a successful authentication: when the device is turned on and when the network cannot resolve the TMSI. Attackers exploit this GSM weakness by presenting themselves to mobile users as a genuine network and thereby acquire the identities of cellular network users. Initially, attackers could only harvest the IMSI and IMEI of nearby mobile users, hence the name IMSI catcher (IC). More advanced ICs can mount MITM attacks on the traffic exchanged between a genuine BTS and a mobile phone: when an adversary's "fake" tower sits between the target phone and the service provider's real towers in order to listen to and manipulate the phone's communication, this constitutes a MITM attack. Note that the disclosed information can further be used for confidentiality and privacy violations.
Many mobile phone operators plan to retire GSM; however, upgrading cell sites and phasing out old mobile phones will take years. Offenders and criminals currently use ICs to attack users directly. ICs have been observed in the United States, China, India, Russia, Israel, and the United Kingdom, and their widespread use at airports and embassies has recently been reported. In the past, FBTSs such as StingRays were expensive (ranging from $68,000 to $134,000) and were sold only to judicial and state authorities. In the last decade, however, devices built for the same malicious purposes have become cheap and popular: for about $1,500 it is now possible to build a simple IC from a software-defined radio (SDR) and two directional antennas, plus a laptop running the free OpenBTS software.
Given the rise in IC attacks, several detection solutions have recently been proposed. In 2017, the FBS-Radar project was developed in collaboration with Chinese mobile network operators to uncover ICs; however, FBS-Radar detects only ICs that send spam or unwanted SMS. In the same year, security researchers at the University of Washington devised SeaGlass, a system that collects BTS signal data with several sensors mounted in a car and transmits the data to a server, where the analysis is performed. In 2014, SRLabs released two client-side tools, SnoopSnitch and CatcherCatcher, for detecting ICs. The main limitation of these client-side solutions is that they run only on specific mobile devices and require root privilege; moreover, they cannot identify ICs to which the user is not yet connected. The Android IMSI-Catcher Detector (AIMSICD) project reports ICs by checking BTS signals and can identify even ICs to which the user has not yet connected. However, AIMSICD is still in the alpha phase, and its effectiveness has not been evaluated in practice.
In this paper, we propose yet another IC detector, called YAICD, a client-side solution that detects ICs effectively while overcoming the constraints above. It runs on Android mobile devices whether or not they are rooted. On rooted devices, as in SnoopSnitch, the Qualcomm chip is used to collect the signal data received from BTSs. On nonrooted devices, BTS data are obtained through the Android TelephonyManager API (https://developer.android.com/reference/android/telephony/TelephonyManager), which exposes telephony information such as the subscriber ID, the SIM serial number, and the network type, and is available on every Android phone model. The YAICD sensor detects ICs from the received BTS signals by extracting fifteen parameters on rooted devices and six parameters on nonrooted devices. Detection is performed by summing the scores of the individual parameters and comparing the sum against a threshold; the sensor alerts the user when an IC is detected. Besides detecting the IC to which the user is connected, our solution identifies neighboring ICs and warns users before they might decide to connect to them.
We also built a laboratory-scale testbed at the Shahrood University of Technology to evaluate the proposed method alongside existing approaches from the literature. In this testbed, an FBTS is run with an SDR device and a laptop running the OpenBTS (http://openbts.org/) software. Three rooted phones (Huawei Y7, LG Nexus 5X, and Huawei G620) and three nonrooted phones (Samsung J7, Sony Z2, and LG G4) were used to collect the signal data received from the genuine BTSs and from the FBTS. To protect the privacy of other users, only the test phones were permitted to connect to the FBTS. By implementing each of the fifteen IC-identification parameters separately in the laboratory environment, we conducted several experiments comparing the performance of our approach against the state-of-the-art approaches in the literature. Only the YAICD sensor detected the ICs successfully; it was also able to identify neighboring ICs to which the user was not yet connected.
GSM, a 2G standard, divides its coverage geographically into location areas (LAs); this division is defined by the operator. Each LA comprises a number of cells, and each cell is controlled by a BTS. Depending on its capacity, power, and radio range, each BTS can serve many users. A mobile phone with a SIM card, hereafter simply "mobile phone," is known as a mobile station (MS). The BTS periodically broadcasts network information in System Information (SI) messages; in GSM, the mobile phone identifies its network from these messages by the mobile country code (MCC) and mobile network code (MNC). When a mobile phone is turned on or enters a new LA, it sends a location area updating (LAU) request to the network. If the phone is already known to the network, it identifies itself with its TMSI; otherwise it sends its IMSI. If the network cannot identify the TMSI, it sends an Identity Request, and the phone answers with an Identity Response containing the IMSI. Having received the IMSI, the network sends an Authentication Request containing a random number (RAND). The SIM computes a signed response (SRES) from RAND and its secret key and returns it to the network in an Authentication Response. After successful authentication, the network sends a Ciphering Mode Command that selects the encryption algorithm (such as A5/1 or A5/3) for the user's traffic. Both sides derive the session key Kc from RAND and the SIM's secret key; the key itself is never transmitted over the air. The phone confirms with an encrypted Ciphering Mode Complete message, and from this point onward communication between the BTS and the MS is encrypted. Finally, the network sends an LAU Accept message carrying a new TMSI to the phone. It should be noted that both the authentication and the encryption steps are optional in GSM. Figure 2 illustrates the LAU procedure in the GSM network.
In the GSM network, the mobile phone must authenticate itself to the network, but the network does not have to authenticate itself to the phone. GSM is an old technology, designed when mutual authentication between the mobile station and the network was considered too expensive. To remove this weakness, UMTS and LTE introduced mutual authentication, in which the mobile phone also verifies the network. Because of backward compatibility, and because GSM serves as the fallback network where UMTS and LTE are not available, mobile phones have to downgrade to a GSM connection and are then fully exposed to IC attacks. An IC lets the attacker obtain the phone's IMSI in order to track its location, eavesdrop on calls, or impersonate an existing user. Using such tricks, the attacker positions himself as a man-in-the-middle (MITM). On the GSM network, an IC presents itself as a genuine BTS by transmitting with high signal strength; it records the IMSI of every nearby mobile phone that tries to connect and thereby obtains the necessary information from the target device. It can also force connected phones to use the A5/0 algorithm (no encryption) in order to eavesdrop on them more easily (Figure 3).
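The LAU exchange of the previous paragraph, and the way an IC abuses the optional authentication and ciphering steps described in this one, as a runnable simulation with both sides' messages. This is an added example, not code from the paper or from any real GSM stack: HMAC-SHA256 stands in for the SIM's A3/A8 algorithms, the message dictionaries are a simplified rendering of the real Layer 3 messages, and the IMSI (from the 001/01 test range), Ki, and TMSIs are constructed values.

```python
"""Toy replay of the GSM LAU exchange. Added example, not the paper's code.
HMAC-SHA256 stands in for the SIM's A3/A8 (real GSM: 32-bit SRES, 64-bit Kc, both
derived on each side and never sent over the air); IMSI, Ki and TMSIs are made up."""
import hashlib, hmac, os

A5_0, A5_1 = "A5/0", "A5/1"   # A5/0 = no encryption

def a3_a8(ki, rand):
    """Stand-in for A3 (signed response SRES) and A8 (session key Kc)."""
    d = hmac.new(ki, rand, hashlib.sha256).digest()
    return d[:4], d[4:12]

class MobileStation:
    def __init__(self, imsi, ki):
        self.imsi, self.ki = imsi, ki
        self.tmsi = self.kc = self.cipher = None
        self.log = []   # every message on the air, as (direction, message)

    def attach(self, net):
        """Run one LAU against `net`; return the ciphering algorithm agreed."""
        self.cipher = None
        ident = {"tmsi": self.tmsi} if self.tmsi else {"imsi": self.imsi}
        reply = self._send(net, {"type": "LAU Request", **ident})
        while reply is not None:
            self.log.append(("NET->MS", reply))
            reply = self._handle(net, reply)
        return self.cipher

    def _send(self, net, msg):
        self.log.append(("MS->NET", msg))
        return net.handle(msg, self)

    def _handle(self, net, msg):
        t = msg["type"]
        if t == "Identity Request":            # network could not resolve the TMSI
            return self._send(net, {"type": "Identity Response", "imsi": self.imsi})
        if t == "Authentication Request":
            sres, self.kc = a3_a8(self.ki, msg["rand"])   # Kc stays on the phone
            return self._send(net, {"type": "Authentication Response", "sres": sres})
        if t == "Ciphering Mode Command":      # optional in GSM; the phone cannot refuse
            self.cipher = msg["algorithm"]
            return self._send(net, {"type": "Ciphering Mode Complete", "encrypted": self.cipher != A5_0})
        if t == "LAU Accept":
            self.tmsi = msg["tmsi"]
        return None                            # LAU Accept / LAU Reject end the exchange

class GenuineNetwork:
    """Operator core: knows Ki per IMSI, authenticates the phone, then ciphers."""
    def __init__(self, subscribers, algorithm=A5_1):
        self.subscribers, self.algorithm = subscribers, algorithm   # imsi -> ki
        self.tmsi_map, self.pending = {}, {}   # tmsi -> imsi; ms -> (imsi, expected SRES)

    def _challenge(self, imsi, ms):
        if imsi not in self.subscribers:
            return {"type": "LAU Reject"}
        rand = os.urandom(16)
        sres, _ = a3_a8(self.subscribers[imsi], rand)   # AuC precomputes the expected SRES
        self.pending[ms] = (imsi, sres)
        return {"type": "Authentication Request", "rand": rand}

    def handle(self, msg, ms):
        t = msg["type"]
        if t in ("LAU Request", "Identity Response") and "imsi" in msg:
            return self._challenge(msg["imsi"], ms)
        if t == "LAU Request":                 # TMSI known? otherwise ask for the IMSI
            imsi = self.tmsi_map.pop(msg["tmsi"], None)
            return self._challenge(imsi, ms) if imsi else {"type": "Identity Request"}
        if t == "Authentication Response":
            if not hmac.compare_digest(msg["sres"], self.pending[ms][1]):
                return {"type": "LAU Reject"}
            return {"type": "Ciphering Mode Command", "algorithm": self.algorithm}
        if t == "Ciphering Mode Complete":
            imsi, _ = self.pending.pop(ms)
            tmsi = os.urandom(4).hex()         # fresh TMSI, so the IMSI need not reappear
            self.tmsi_map[tmsi] = imsi
            return {"type": "LAU Accept", "tmsi": tmsi}

class ImsiCatcher:
    """Rogue BTS: never authenticates, asks for the IMSI, and orders A5/0."""
    def __init__(self):
        self.captured = []

    def handle(self, msg, ms):
        if "imsi" in msg:                          # harvest the identity, skip authentication
            self.captured.append(msg["imsi"])
            return {"type": "Ciphering Mode Command", "algorithm": A5_0}
        if msg["type"] == "LAU Request":           # pretends the TMSI is unknown
            return {"type": "Identity Request"}
        return {"type": "LAU Accept", "tmsi": "00000000"}   # after Ciphering Mode Complete

def run_demo():
    ki, imsi = bytes(range(16)), "001010123456789"   # constructed Ki, test-range IMSI
    net, phone = GenuineNetwork({imsi: ki}), MobileStation(imsi, ki)
    first = phone.attach(net)       # power-on: IMSI in clear, then a TMSI is issued
    second = phone.attach(net)      # later LAU: only the TMSI goes over the air
    catcher = ImsiCatcher()
    third = phone.attach(catcher)   # rogue cell: TMSI -> Identity Request -> IMSI, A5/0
    in_clear = [m["imsi"] for d, m in phone.log if d == "MS->NET" and "imsi" in m]
    return first, second, third, catcher.captured, in_clear
```

`run_demo()` returns the negotiated algorithm for each of the three attachments ("A5/1", "A5/1", "A5/0"), the IMSI the catcher harvested, and the two occasions on which the IMSI went over the air in clear: the first power-on attach and the Identity Response the rogue cell provoked. Walking `phone.log` shows that the catcher's session contains no Authentication Request at all, which is exactly the kind of observation a client-side detector has to work from.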
As shown in Figure 6, the Data Collection module gathers all the data related to the BTSs. The data are organized and stored in two tables, called here cell info and session info. The Data Analysis module uses the data in these two tables to evaluate the 15 detection parameters and detect ICs. When an IC is detected from the collected BTS data, the system raises a corresponding alert.
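The detection rule stated earlier (sum the individual parameter scores and compare the sum with a threshold), together with the cell info / session info split of this section, as a runnable sketch over constructed cell observations that also scores neighboring cells the phone is not camped on. This is an added example, not the YAICD sensor: the six checks, their weights, the threshold of 3, the PLMN 432/11, and the cell identities are the editor's illustrative assumptions, not the paper's 15 parameters, and on a real device the observations would come from `TelephonyManager.getAllCellInfo()` rather than being built by hand.

```python
"""Threshold-sum IC detection over the cell info / session info tables.
Added example, not the YAICD sensor: the six checks, weights and threshold are
the editor's illustrative assumptions, not the paper's parameters; the cells
are constructed (on a device they would come from TelephonyManager.getAllCellInfo())."""
from dataclasses import dataclass

GSM, UMTS, LTE = "GSM", "UMTS", "LTE"
WEIGHTS = {                  # hypothetical weights per check
    "unknown_cell": 1,       # never seen during the learning phase
    "lac_mismatch": 2,       # a known CID now advertised under a different LAC
    "foreign_plmn": 2,       # MCC/MNC is not the SIM's home network
    "signal_too_strong": 1,  # >= 20 dB above every other visible cell
    "no_neighbors": 1,       # serving cell advertises no neighbours
    "rat_downgrade": 2,      # fell from LTE/UMTS to GSM while LTE/UMTS is still visible
}

@dataclass(frozen=True)
class Cell:
    mcc: str
    mnc: str
    lac: int      # location area code
    cid: int      # cell identity
    rssi: int     # dBm
    rat: str      # radio access technology

    def key(self):
        return (self.mcc, self.mnc, self.lac, self.cid)

@dataclass
class Observation:
    serving: Cell
    neighbors: tuple

    def cells(self):
        return (self.serving, *self.neighbors)

class Detector:
    def __init__(self, home_plmn, threshold=3):
        self.home_plmn, self.threshold = home_plmn, threshold
        self.cell_info = set()     # "cell info" table: keys of cells seen while trusted
        self.session_info = []     # "session info" table: observations in time order

    def learn(self, obs):
        """Data collection in a trusted place: remember every visible cell."""
        self.cell_info.update(c.key() for c in obs.cells())
        self.session_info.append(obs)

    def score(self, cell, obs):
        """Evaluate each check for one cell; return (sum of weights, checks that fired)."""
        hits = []
        if cell.key() not in self.cell_info:
            hits.append("unknown_cell")
        if any(k[:2] == (cell.mcc, cell.mnc) and k[3] == cell.cid and k[2] != cell.lac
               for k in self.cell_info):
            hits.append("lac_mismatch")
        if (cell.mcc, cell.mnc) != self.home_plmn:
            hits.append("foreign_plmn")
        others = [c.rssi for c in obs.cells() if c != cell]
        if others and cell.rssi >= max(others) + 20:
            hits.append("signal_too_strong")
        if cell == obs.serving:           # the last two checks only make sense when camped on
            if not obs.neighbors:
                hits.append("no_neighbors")
            prev = self.session_info[-1].serving.rat if self.session_info else None
            if cell.rat == GSM and prev in (UMTS, LTE) and any(
                    n.rat in (UMTS, LTE) for n in obs.neighbors):
                hits.append("rat_downgrade")
        return sum(WEIGHTS[h] for h in hits), hits

    def analyze(self, obs):
        """Data analysis: score the serving cell and every neighbour, alert above threshold."""
        alerts = []
        for cell in obs.cells():
            total, hits = self.score(cell, obs)
            if total >= self.threshold:
                alerts.append({"cell": cell, "connected": cell == obs.serving,
                               "score": total, "hits": hits})
        self.session_info.append(obs)
        return alerts

def run_demo():
    det = Detector(home_plmn=("432", "11"))                 # constructed home PLMN
    lte = Cell("432", "11", 7001, 12345, -80, LTE)
    gsm_a = Cell("432", "11", 310, 4021, -88, GSM)
    gsm_b = Cell("432", "11", 310, 4022, -91, GSM)
    det.learn(Observation(lte, (gsm_a, gsm_b)))             # learning phase, genuine cells
    det.learn(Observation(lte, (gsm_b, gsm_a)))
    quiet = det.analyze(Observation(lte, (gsm_a, gsm_b)))   # genuine again: no alert
    rogue = Cell("432", "11", 999, 4021, -45, GSM)          # reuses CID 4021 under a new LAC
    nearby = det.analyze(Observation(lte, (rogue, gsm_a, gsm_b)))  # seen as a neighbour only
    camped = det.analyze(Observation(rogue, (lte, gsm_a)))  # phone was downgraded onto it
    return quiet, nearby, camped
```

In `run_demo()`, the genuine observation produces no alert; the rogue cell already scores 4 (unknown cell, LAC mismatch, implausibly strong signal) while it is only a neighbour, so a warning can be raised before the phone camps on it; once the phone has been downgraded onto it the score rises to 6 because the RAT-downgrade check fires as well. Scoring neighbours with the same checks as the serving cell is what gives the sketch the "not yet connected" capability the text claims for YAICD; the two serving-only checks are skipped for neighbours because a neighbour entry carries no neighbour list or connection history of its own.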
As Table 6 shows, SnoopSnitch succeeds in identifying the parameters of ICs to which the mobile phone is connected (except p13). However, it can only be installed on rooted devices equipped with a Qualcomm chip. Cell Spy Catcher, AIMSICD, and GSM Spy Finder detected fewer parameters than SnoopSnitch, whereas the YAICD sensor recognized all of the parameters implemented in the testbed environment. The advantage of our model is that it can be installed on Android mobile devices whether or not they have root privilege. Since it has access to most BTS information in rooted mode, it uses the largest possible number of parameters to detect ICs; in nonrooted mode it can only access high-level information and therefore uses fewer parameters.