\title[IMSI Catcher Detection]{IMSI Catcher Detection System using the OsmocomBB Framework}
\author[Thomas Mayer]{Thomas Mayer\\[3mm]\footnotesize {Advisors: Prof.\ Dr.\ Gerhard Schneider}\\\footnotesize{\hspace{-5mm}Dennis Wehrle}\\\footnotesize{\hspace{-6mm}Konrad Meier}}
\institute[Uni Freiburg]{Albert-Ludwigs-Universit\"at Freiburg \\ Technische Fakult\"at \\ Institut f\"ur Informatik \\ Lehrstuhl f\"ur Kommunikationssysteme}

\subsection{IMSI Catcher}
\begin{frame}{Mode of Operation}

\begin{block}{Technical Possibilities}
\begin{itemize}
	\item Tapping and recording of phone calls
	\item Localisation of subscribers
	\item Suppression of communication
\end{itemize}
\end{block}
Other concerns:
\begin{itemize}
	\item Cannot target individuals
	\item No emergency calls possible
	\item Procedural law situation
	\item Hard to prove operation in retrospect
\end{itemize}
... risk intensified by homebrew IMSI catcher projects!
\end{frame}

\subsection{IMSI Catcher Detection}
Main Question: How to detect such a device?
\begin{itemize}
	\item<1-> Actively connect to the catcher
	\begin{itemize}
		\item<1-> Localisation possible once connected
	\end{itemize}
	\item<1-> \color<2>{red}Passively gather information
\end{itemize}
\visible<2>{Procedure: Information that is publicly available}
\begin{itemize}
	\item Broadcast Control Channel
	\begin{itemize}
		\item System Information Messages 1-4
		\item SI 1 and 2 of special interest
	\end{itemize}
	\item Parameters that can be measured
\end{itemize}

Parameters measured:
\begin{itemize}
	\item Signal Strength
\end{itemize}
Parameters harvested from SI:
\begin{itemize}
	\item ARFCN
	\item Country and Provider Codes
	\item Cell ID and Location Area Code
	\item Neighbouring Cell List
	\item Base Station Identification (not yet used)
\end{itemize}
\begin{alertblock}<2>{Main Problem}
Parameters that can be set, can be forged!
\end{alertblock}

\tocsection{Current State}


Model/View/Controller oriented design with plug-in rules and evaluators
\begin{itemize}
	\item Data Model:
	\begin{itemize}
		\item Constantly updated by the OsmocomBB Framework
	\end{itemize}
	\item Rules:
	\begin{itemize}
		\item Mapping: $\text{DataModel}~\rightarrow~\{\text{Ok}\vert\text{Warning}\vert\text{Critical}\}$
		\item Different kinds of rules
		\item Constant re-evaluation
	\end{itemize}
	\item Evaluators:
	\begin{itemize}
		\item Gathers and aggregates rule results for a base station
		\item Conservative Evaluator
	\end{itemize}
\end{itemize}

\begin{frame}{Rules}{Parameter Mapping and Context Rules}
Parameter Mappings:
\begin{itemize}
	\item Simple implication rules
	\item Mapping of parameter to range
	\item Integrity checks on single base stations
\end{itemize}
Context Rules:
\begin{itemize}
	\item Compare parameters with surrounding base stations
	\item See how well a base station fits in its neighbourhood
	\item Check whether the ARFCN is in the registered range of the respective provider
	\item Check whether LAC is consistent with neighbouring LACs
\end{itemize}
\end{frame}

\begin{frame}{Rules}{Neighbourhood Rules}
Analyse the structure of the neighbourhood graph:
\end{frame}

\tocsection{To Do}
Forged parameters!
Possible solution:
\begin{itemize}
	\item Cell ID Databases:
	\begin{itemize}
		\item Many official and open databases (Nokia/OpenCellID)
		\item Used for localisation, but can also be used vice versa!
	\end{itemize}
	\item Local Area Database:
	\begin{itemize}
		\item Learn surroundings
		\item 'Trustworthiness Score'
		\item Can use signal strength
	\end{itemize}
\end{itemize}

\begin{frame}{Evaluators}{Bayes Filter}
\begin{block}{Bayesian Filtering}
A statistical algorithm that can be used to predict the class of an object given certain evaluations and base probabilities.
Uses Bayes' theorem:
\[P(A\vert B)= \frac{P(B\vert A) \cdot P(A)}{P(B)}\]
\end{block}

\begin{exampleblock}{Bayes for a single Rule}
\[P(\text{B1 is catcher}\vert \text{R1 yields warning})\]
\[=\frac{P(\text{R1 yields warning}\vert \text{B1 is catcher}) \cdot P(\text{B1 is catcher})}{P(\text{R1 yields warning})}\]
\end{exampleblock}
\end{frame}

\begin{frame}{Evaluators}{Bayes Filter (contd.)}
Bayes' theorem is recursive:
\begin{itemize}
	\item Evaluate $P(\text{B1 is catcher}\vert \text{R1 yields warning}, \text{R2 yields ok}, \ldots)$
	\item Further refinement possible:
	\begin{itemize}
		\item Refine base probabilities (enlarge database)
		\item Finer grained rule results than only three classes
		\item $\ldots$
	\end{itemize}
\end{itemize}
\end{frame}
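
The recursive update described on the Bayes Filter slides, as an added Python example (not code from the presentation or from the detection system itself): each rule result updates the posterior, which then serves as the prior for the next rule. The rule names, the likelihood tables, the prior, and the assumption that rule results are conditionally independent given the class are all constructed for illustration.

```python
from fractions import Fraction as F

RESULTS = ("ok", "warning", "critical")

# Constructed likelihood tables, one entry per rule (rule names are hypothetical):
#   rule: (P(result | catcher), P(result | legitimate)), ordered as RESULTS.
# These play the role of the "base probabilities" a larger database would refine.
LIKELIHOODS = {
    "arfcn_range":     ((F(50, 100), F(30, 100), F(20, 100)),
                        (F(90, 100), F(8, 100), F(2, 100))),
    "lac_consistency": ((F(40, 100), F(40, 100), F(20, 100)),
                        (F(95, 100), F(4, 100), F(1, 100))),
    "neighbourhood":   ((F(30, 100), F(30, 100), F(40, 100)),
                        (F(85, 100), F(10, 100), F(5, 100))),
}


def update(prior, rule, result):
    """One Bayes step: P(catcher | rule yields result), given P(catcher) = prior."""
    given_catcher, given_legit = LIKELIHOODS[rule]
    i = RESULTS.index(result)
    joint_catcher = given_catcher[i] * prior
    evidence = joint_catcher + given_legit[i] * (1 - prior)  # P(rule yields result)
    if evidence == 0:
        raise ValueError(f"{rule}={result} has zero probability under both classes")
    return joint_catcher / evidence


def bayes_filter(prior, observations):
    """Recursive filter: each posterior becomes the prior for the next rule.

    Assumes rule results are conditionally independent given the class.
    """
    posterior = prior
    for rule, result in observations:
        posterior = update(posterior, rule, result)
    return posterior


if __name__ == "__main__":
    prior = F(1, 100)  # constructed: 1 in 100 observed base stations is a catcher
    seen = [("arfcn_range", "warning"), ("lac_consistency", "critical"),
            ("neighbourhood", "ok")]
    p = prior
    for rule, result in seen:
        p = update(p, rule, result)
        print(f"after {rule:<16}= {result:<9} P(catcher) = {float(p):.3f}")
```

With these constructed numbers the posterior moves from 0.010 to 0.036, then 0.431, and back down to 0.211 after the final "ok" result; the outcome does not depend on the order in which the rules are evaluated.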


\begin{frame}{The End}
	{\huge Thank you for your attention! Questions?}
\end{frame}
