author: Tom 2012-06-06 21:41:02 +0200
committer: Tom 2012-06-06 21:41:02 +0200
commit: cd61ab8c04ba891827dfb8a861a571feea607211 (patch)
tree: 860f05fbf51242f6c850b7a9f92c339dc462aff6
parent: second round of improvements up to chapter 4 (diff)
stuff done
-rw-r--r--  Src/PyCatcher/src/driverConnector.py   12
-rw-r--r--  Tex/Content/Conclusion.tex             23
-rw-r--r--  Tex/Master/Master.acn                  15
-rw-r--r--  Tex/Master/Master.aux                   4
-rw-r--r--  Tex/Master/Master.ist                   2
-rw-r--r--  Tex/Master/Master.log                  21
-rw-r--r--  Tex/Master/Master.pdf                  bin 18951256 -> 18951952 bytes
-rw-r--r--  Tex/Master/Master.synctex.gz           bin 740100 -> 740092 bytes
8 files changed, 46 insertions, 31 deletions
diff --git a/Src/PyCatcher/src/driverConnector.py b/Src/PyCatcher/src/driverConnector.py
index 8b20e4a..cf6f15a 100644
--- a/Src/PyCatcher/src/driverConnector.py
+++ b/Src/PyCatcher/src/driverConnector.py
@@ -182,6 +182,7 @@ class PCHThread(threading.Thread):
self._timeout = timeout
self._thread_break = False
self._scan_finished_callback = finished_callback
+ self._tmsi_dict = {}
def terminate(self):
self._thread_break = True
@@ -224,6 +225,13 @@ class PCHThread(threading.Thread):
if line:
if 'Paging' in line:
pages_found += 1
+ match = re.search(r'M\((.*)\)',line)
+ if match:
+ tmsi = match.group(1)
+ if not self._tmsi_dict.has_key(tmsi):
+ self._tmsi_dict[tmsi] = 1
+ else:
+ self._tmsi_dict[tmsi] += 1
if 'IMM' in line:
if 'HOP' in line:
ia_hop_fund += 1
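Review bot: the regular expression in `match = re.search(r'M\((.*)\)',line)` is greedy, so on any output line that carries more than one parenthesised identity (a paging request can announce several mobile identities, and anything else in parentheses later on the line is also caught) the capture group swallows everything up to the last `)` and the combined string is counted as a single TMSI, which skews the distinct-TMSI count this hunk is collecting. Use a negated class and `re.findall` so every identity on the line is counted on its own, e.g. `for tmsi in re.findall(r'M\(([^)]*)\)', line):`. `self._tmsi_dict.has_key(tmsi)` is Python 2 only; `if tmsi in self._tmsi_dict:` works on both major versions, and replacing the plain dict with `collections.Counter` would reduce the four-line if/else to `self._tmsi_dict[tmsi] += 1`. The hunk does not show an `import re`; confirm it exists at the top of driverConnector.py, since this is the first use visible in the file.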
@@ -243,6 +251,10 @@ class PCHThread(threading.Thread):
if scan_process:
scan_process.kill()
+ print 'Different TMSI: %d'%len(self._tmsi_dict)
+ for key, value in self._tmsi_dict.iteritems():
+ print key, value
+
result = {
'Pagings': pages_found,
'Assignments_hopping': ia_hop_fund,
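Review bot: the two `print` statements added after `scan_process.kill()` write the distinct-TMSI count and then every harvested TMSI with its hit count to stdout, while the `result` dict built directly below is where all other scan figures are handed back to the caller. Add the count there, e.g. `'Different_TMSI': len(self._tmsi_dict),` next to `'Pagings': pages_found,`, so the rule evaluation can actually use it, and drop the per-identity loop or put it behind the logging facility at debug level: the detection criterion only needs the number of distinct identities paged, and dumping the identifiers themselves prints subscriber data the tool has no use for.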
diff --git a/Tex/Content/Conclusion.tex b/Tex/Content/Conclusion.tex
index 5effc8b..4242cb4 100644
--- a/Tex/Content/Conclusion.tex
+++ b/Tex/Content/Conclusion.tex
@@ -5,20 +5,20 @@ The first section starts by reviewing what has been done while the second sectio
\section{Summary}
The aim of this project was to find ways of unveiling whether an IMSI catcher is being operated in the close perimeter or not.
In other words to find out whether it is safe to initiate a phone call or not.
-The main premise that distinguishes this project from other similar projects like the also OsmocomBB based 'catcher catcher' is that the system is operating in a completely passive manner.
-Therefore it can only operate on a limited amount of information, namely on information that is broadcasted on publicly available channels.
+The main premise that distinguishes this project from other similar projects like the also OsmocomBB based 'Catcher Catcher' is that the system is operating in a completely passive manner.
+Therefore it can only work on a limited amount of information, namely on information that is broadcasted on publicly available channels.
The benefit this yields over other projects is that the IMSI Catcher Detection System itself is completely invisible to the IMSI catcher.
Chapter 2 laid out basic concepts of \gls{gsm} communication to create a basis for understanding why and how an IMSI catcher works.
-Some more detailed concepts on the $U_m$ interface were discussed to enable the reader to grasp the concept of logical channels and how they can later be used to harvest information in a passive manner.
+Some more detailed concepts on the $U_m$ interface were discussed to enable the reader to grasp the concept of logical channels and how they can be used to harvest information in a passive manner.
The chapter concluded with an account of how an IMSI catcher operates by outlining the two main ways of attacking a subscriber --- one by creating a new cell for the subscriber to connect to and the other by overtaking an already existent cell.
Chapter 3 started by explaining how the OsmocomBB framework was used to build the \gls{icds}.
It concluded with a summary of how to configure and use the system.
The two main sources of information, the \gls{bcch} and the \gls{pch} were introduced along with the different parameters that the \gls{icds} bases its findings on.
An outline of how this finding is reached is illustrated in Figure \ref{fig:decision_process}.
-At first a sweep scan is conducted or an old project is loaded to supply the \gls{icds} with base information of the surrounding base stations.
-During the scan or after the data has been loaded the \gls{icds} evaluates different Rules on the data.
+At first a sweep scan is conducted or an old project is loaded to supply the \gls{icds} with information of the surrounding base stations.
+During the scan or after the data has been loaded the \gls{icds} evaluates different rules on the data.
This can be done with or without consulting databases containing local information.
\begin{figure}
\centering
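Review bot: the rewritten sentence "like the also OsmocomBB based 'Catcher Catcher'" still reads awkwardly; "like the likewise OsmocomBB-based 'Catcher Catcher'" (with the compound modifier hyphenated) is cleaner. In the following changed line, "broadcasted" should be "broadcast", the irregular past participle; the same form appears in the next hunk. The rest of the wording changes in this hunk (lower-case "rules", dropping "base" and "later") are fine.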
@@ -26,14 +26,17 @@ This can be done with or without consulting databases containing local informati
\caption{ICDS decision finding process outlined.}
\label{fig:decision_process}
\end{figure}
-The results show that some IMSI catcher configurations can be uncovered by these Rules which check basic configuration data obtained from System Information messages.
-In addition to this data broadcasted on the \gls{bcch} reception levels and \glspl{lac} are also monitored over time to unveil attacks in which existing base stations are replaced by IMSI catchers.
+The results show that some IMSI catcher configurations can be uncovered by these rules which check basic configuration data obtained from System Information messages.
+In addition to this data broadcasted on the \gls{bcch}, reception levels and \glspl{lac} are also monitored over time to unveil attacks in which existing base stations are replaced by IMSI catchers.
This leaves IMSI catchers that have a consistent configuration and blend well in their surroundings concerning the reception levels.
-Additionally these catchers do not actively try to make mobile phones contact them by broadcasting a new \gls{lac}.
+They are also broadcasting the same \gls{lac} as the replaced base station, even if this means it could take a long time until the \gls{ms} announces itself.
To handle this case the \gls{icds} can monitor the \gls{pch} of the base station in question to gather Paging Messages and \glspl{ia}.
Since an IMSI catcher is not part of the provider's network no paging messages will be forwarded to the connected subscribers.
These findings have been confirmed with the experiments in Chapter 4 where different attack scenarios have been tested.
-In cases where the \gls{icds} was not able to uncover the IMSI catcher by Rule evaluation the \gls{pch} scan yielded the desired result.
+In cases where the \gls{icds} was not able to uncover the IMSI catcher by rule evaluation the \gls{pch} scan yielded the desired result.
+It should be kept in mind that the evaluation has been done against a prototype IMSI catcher since data from a real IMSI catcher is not available.
+However the results provided in this thesis are based more on general procedures, the \gls{gsm} protocol itself and not tailored to the specific system.
+Therefore they should be applicable to any IMSI catcher that uses the attacks outlined here.
\section{Future Work}
There are several ways in which the \gls{icds} could be improved.
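Review bot: the new sentence "However the results provided in this thesis are based more on general procedures, the \gls{gsm} protocol itself and not tailored to the specific system." is grammatically uneven ("based more on ... and not tailored"); suggest "However, the results in this thesis rest on general procedures and the \gls{gsm} protocol itself rather than on the specifics of that prototype." Two smaller points in the same hunk: "broadcasted" in the changed `In addition to this data broadcasted on the \gls{bcch}, ...` line should be "broadcast", and "Paging Messages" is capitalised in the added lines while the unchanged line "no paging messages will be forwarded" is not; pick one form for the chapter.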
@@ -46,7 +49,7 @@ In case of the Open Source IMSI Catcher no Paging Messages were sent.
However it would be possible for a catcher that is aware of this evaluation criterion to send fake Paging Messages to arbitrary \glspl{tmsi} to deceive the \gls{icds}.
To face this the \gls{icds} could be extended.
Since Paging Messages would be unreliable in such a case one would have to use \glspl{ia}.
-The experiments have shown that this might increase scanning time on the \gls{pch} since these messages are much more rare than pagings.
+The experiments have shown that this might increase scanning time on the \gls{pch} since these messages are much more rare than Paging Messages.
An \gls{ia} sent to a subscriber contains the dedicated channel on which the conversation between the base station and the mobile phone is to continue.
At this point the \gls{icds} already uses the information about dedicated channels to see whether frequency hopping is used or not.
If an \gls{ia} is caught by the \gls{icds} one could follow on the assigned channel and catch the Cipher Mode Message.
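Review bot: in the changed line, "much more rare than Paging Messages" should be "much rarer than Paging Messages". The replacement of "pagings" with "Paging Messages" is the right call for consistency with "send fake Paging Messages" two lines above, but then the lower-case "paging messages" used earlier in Conclusion.tex (previous hunk) should follow suit.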
diff --git a/Tex/Master/Master.acn b/Tex/Master/Master.acn
index f9185b9..5bcc18c 100644
--- a/Tex/Master/Master.acn
+++ b/Tex/Master/Master.acn
@@ -582,7 +582,6 @@
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{60}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{60}
\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{60}
-\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{60}
\glossaryentry{IMEI?\glossaryentryfield{imei}{\glsnamefont{IMEI}}{International Mobile Equipment Identifier}{\relax }|setentrycounter{page}\glsnumberformat}{61}
\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{61}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{63}
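Review bot: Master.acn is a glossaries build output, as are the Master.aux, Master.ist, Master.log, Master.pdf and Master.synctex.gz changes further down in this commit; they are regenerated on every pdflatex run, so committing them produces exactly this kind of page-number churn and binary diffs on every commit and will cause needless merge conflicts. Suggest removing them from the repository and adding their patterns (*.acn, *.aux, *.ist, *.log, *.synctex.gz, and the built PDF) to a .gitignore, so that only the sources under Tex/Content and Tex/Master/Master.tex are tracked.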
@@ -593,15 +592,15 @@
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{64}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{64}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{64}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{64}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{65}
\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{65}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{65}
\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{66}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{66}
\glossaryentry{USRP?\glossaryentryfield{usrp}{\glsnamefont{USRP}}{Universal Software Radio Peripheral}{\relax }|setentrycounter{page}\glsnumberformat}{66}
\glossaryentry{USRP?\glossaryentryfield{usrp}{\glsnamefont{USRP}}{Universal Software Radio Peripheral}{\relax }|setentrycounter{page}\glsnumberformat}{66}
-\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{66}
-\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{66}
+\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{67}
+\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{67}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{67}
\glossaryentry{USRP?\glossaryentryfield{usrp}{\glsnamefont{USRP}}{Universal Software Radio Peripheral}{\relax }|setentrycounter{page}\glsnumberformat}{67}
\glossaryentry{USRP?\glossaryentryfield{usrp}{\glsnamefont{USRP}}{Universal Software Radio Peripheral}{\relax }|setentrycounter{page}\glsnumberformat}{67}
@@ -619,8 +618,8 @@
\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{68}
\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{68}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{68}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{68}
-\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{68}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{69}
+\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{69}
\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{69}
\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{69}
\glossaryentry{ARFCN?\glossaryentryfield{arfcn}{\glsnamefont{ARFCN}}{Absolute Radio Frequency Number}{\relax }|setentrycounter{page}\glsnumberformat}{69}
@@ -656,11 +655,13 @@
\glossaryentry{BCCH?\glossaryentryfield{bcch}{\glsnamefont{BCCH}}{Broadcast Channel}{\relax }|setentrycounter{page}\glsnumberformat}{73}
\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{73}
\glossaryentry{LAC?\glossaryentryfield{lac}{\glsnamefont{LAC}}{Location Area Code}{\relax }|setentrycounter{page}\glsnumberformat}{75}
+\glossaryentry{MS?\glossaryentryfield{ms}{\glsnamefont{MS}}{Mobile Station}{\relax }|setentrycounter{page}\glsnumberformat}{75}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{75}
\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{75}
\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{75}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{75}
\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{75}
+\glossaryentry{GSM?\glossaryentryfield{gsm}{\glsnamefont{GSM}}{Global System for Mobile Communications}{\relax }|setentrycounter{page}\glsnumberformat}{75}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{75}
\glossaryentry{BTS?\glossaryentryfield{bts}{\glsnamefont{BTS}}{Base Station Transceiver}{\relax }|setentrycounter{page}\glsnumberformat}{75}
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{75}
@@ -675,4 +676,4 @@
\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{75}
\glossaryentry{IA?\glossaryentryfield{ia}{\glsnamefont{IA}}{Immediate Assignment Message}{\relax }|setentrycounter{page}\glsnumberformat}{75}
\glossaryentry{PCH?\glossaryentryfield{pch}{\glsnamefont{PCH}}{Paging Channel}{\relax }|setentrycounter{page}\glsnumberformat}{75}
-\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{75}
+\glossaryentry{ICDS?\glossaryentryfield{icds}{\glsnamefont{ICDS}}{IMSI Catcher Detection System}{\relax }|setentrycounter{page}\glsnumberformat}{76}
diff --git a/Tex/Master/Master.aux b/Tex/Master/Master.aux
index bb7f99f..fab65bc 100644
--- a/Tex/Master/Master.aux
+++ b/Tex/Master/Master.aux
@@ -378,8 +378,6 @@
\newlabel{fig:decision_process}{{5.1}{74}}
\@writefile{toc}{\contentsline {section}{\numberline {5.2}Future Work}{75}}
\FN@pp@footnotehinttrue
-\FN@pp@footnotehinttrue
-\FN@pp@footnotehinttrue
\bibstyle{acm}
\citation{*}
\bibdata{../Content/Bibliography}
@@ -397,6 +395,8 @@
\bibcite{fox}{12}
\FN@pp@footnotehinttrue
\FN@pp@footnotehinttrue
+\FN@pp@footnotehinttrue
+\FN@pp@footnotehinttrue
\@writefile{toc}{\contentsline {chapter}{Bibliography}{77}}
\bibcite{GSM_stats2011}{13}
\bibcite{GSM_history2011}{14}
diff --git a/Tex/Master/Master.ist b/Tex/Master/Master.ist
index 7ffd9fa..8f2e7d6 100644
--- a/Tex/Master/Master.ist
+++ b/Tex/Master/Master.ist
@@ -1,5 +1,5 @@
% makeindex style file created by the glossaries package
-% for document 'Master' on 2012-6-5
+% for document 'Master' on 2012-6-6
actual '?'
encap '|'
level '!'
diff --git a/Tex/Master/Master.log b/Tex/Master/Master.log
index 5f36c20..c408a2f 100644
--- a/Tex/Master/Master.log
+++ b/Tex/Master/Master.log
@@ -1,4 +1,4 @@
-This is pdfTeX, Version 3.1415926-1.40.10 (TeX Live 2009/Debian) (format=pdflatex 2012.1.7) 5 JUN 2012 20:34
+This is pdfTeX, Version 3.1415926-1.40.10 (TeX Live 2009/Debian) (format=pdflatex 2012.1.7) 6 JUN 2012 21:38
entering extended mode
%&-line parsing enabled.
**Master.tex
@@ -1317,7 +1317,7 @@ window.png>] [59] <../Images/user_window.png, id=280, 368.37625pt x 469.755pt>
File: ../Images/user_window.png Graphic file (type png)
<use ../Images/user_window.png>
-Underfull \vbox (badness 7344) has occurred while \output is active []
+Underfull \vbox (badness 10000) has occurred while \output is active []
[60 <../Images/user_window.png>]) (../Content/Evaluation.tex [61] [62
@@ -1325,7 +1325,7 @@ Underfull \vbox (badness 7344) has occurred while \output is active []
]
Chapter 4.
-Overfull \hbox (3.33815pt too wide) in paragraph at lines 16--30
+Overfull \hbox (3.33815pt too wide) in paragraph at lines 18--32
[][]
[]
@@ -1334,7 +1334,7 @@ Overfull \hbox (3.33815pt too wide) in paragraph at lines 16--30
File: ../Images/catcherICDS.jpg Graphic file (type jpg)
<use ../Images/catcherICDS.jpg> [67 <../Images/catcherICDS.jpg>]
-Overfull \hbox (20.58582pt too wide) in paragraph at lines 236--242
+Overfull \hbox (20.58582pt too wide) in paragraph at lines 238--244
\T1/ptm/m/n/10.95 Rules trig-gered: LAC/Provider Map-ping, Neigh-bour-hood Stru
c-ture, AR-FCN/Provider
[]
@@ -1347,12 +1347,8 @@ File: ../Images/flowchart.png Graphic file (type png)
<use ../Images/flowchart.png> [73
-] [74 <../Images/flowchart.png (PNG copy)>])
-[75] [76
-
-
-
-] (./Master.bbl
+] [74 <../Images/flowchart.png (PNG copy)>]
+[75]) [76] (./Master.bbl
Underfull \hbox (badness 2818) in paragraph at lines 17--21
[]\T1/ptm/m/n/10.95 Radio ac-cess net-work: Ra-dio trans-mis-sion and re-cep-ti
on. GSM 05.05,
@@ -1397,6 +1393,9 @@ Underfull \hbox (badness 10000) in paragraph at lines 48--52
[77
+
+
+
]
Underfull \hbox (badness 3428) in paragraph at lines 73--76
[]\T1/ptm/m/n/10.95 Gsm/3g stats. $\T1/pcr/m/n/10.95 http : / / www . gsacom .
@@ -1611,7 +1610,7 @@ exlive/fonts/type1/urw/courier/ucrb8a.pfb></usr/share/texmf-texlive/fonts/type1
e/texmf-texlive/fonts/type1/urw/times/utmb8a.pfb></usr/share/texmf-texlive/font
s/type1/urw/times/utmr8a.pfb></usr/share/texmf-texlive/fonts/type1/urw/times/ut
mr8a.pfb></usr/share/texmf-texlive/fonts/type1/urw/times/utmri8a.pfb>
-Output written on Master.pdf (116 pages, 18951256 bytes).
+Output written on Master.pdf (116 pages, 18951952 bytes).
PDF statistics:
492 PDF objects out of 1000 (max. 8388607)
0 named destinations out of 1000 (max. 500000)
diff --git a/Tex/Master/Master.pdf b/Tex/Master/Master.pdf
index 39e2cd3..58134ec 100644
--- a/Tex/Master/Master.pdf
+++ b/Tex/Master/Master.pdf
Binary files differ
diff --git a/Tex/Master/Master.synctex.gz b/Tex/Master/Master.synctex.gz
index 9a90eb0..9bb03a5 100644
--- a/Tex/Master/Master.synctex.gz
+++ b/Tex/Master/Master.synctex.gz
Binary files differ