Diffstat (limited to 'Tex/Content')
-rw-r--r-- Tex/Content/Conclusion.tex 13
-rw-r--r-- Tex/Content/Detection.tex 8
-rw-r--r-- Tex/Content/Evaluation.tex 34
-rw-r--r-- Tex/Content/Motivation.tex 12
4 files changed, 58 insertions, 9 deletions
diff --git a/Tex/Content/Conclusion.tex b/Tex/Content/Conclusion.tex
index 6d2a593..6f85c41 100644
--- a/Tex/Content/Conclusion.tex
+++ b/Tex/Content/Conclusion.tex
@@ -1,5 +1,16 @@
\chapter{Conclusion}
+This chapter will give a short summary of the whole project and its findings.
+The second section will then bring up some aspects where the \gls{icds} could be improved to yield results either faster or more accurate.
+
\section{Summary}
-\section{Future Work} \ No newline at end of file
+The aim of this project was to find ways of unveiling whether an IMSI catcher is being operated in the close perimeter or not; in other words to find out whether it is safe to initiate a phone call or not.
+The main premise that distinguishes this project from other similar projects like the Osmocom 'catcher catcher' is that the system developed is operating in a completely passive manner.
+Therefore it can only operate on a limited amount of information, namely on information that is broadcasted on publicly available channels.
+The benefit this yields over other projects is that the IMSI Catcher Detection System itself is completely invisible to the IMSI catcher.
+
+
+
+\section{Future Work}
+
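Review bot: \section{Future Work} is added with no body, although the new chapter introduction already announces that "the second section will then bring up some aspects where the \gls{icds} could be improved"; add the content in the same commit or leave a visible TODO marker so the empty section cannot ship unnoticed. In the Summary, "IMSI Catcher Detection System" is written out while the introduction a few lines earlier uses \gls{icds}; use the glossary macro throughout. The consecutive blank lines added before \section{Future Work} produce no extra space in LaTeX and can be reduced to one.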
diff --git a/Tex/Content/Detection.tex b/Tex/Content/Detection.tex
index c31455d..9591776 100644
--- a/Tex/Content/Detection.tex
+++ b/Tex/Content/Detection.tex
@@ -426,6 +426,7 @@ The\emph{Location Area Databse Rule} then checks if reception levels differ sign
If no database has been build beforehand but the \gls{icds} is stationary the \emph{rx Level Rule} can watch the reception level during the course of a scan and ensure that no change occured suddenly.
\subsubsection{Remaining Issues and Paging}
+\label{sec:paging}
At this stage, if local information is given an IMSI catcher should be identified with a high probability.
However some issues still remain.
If a catcher is configured in a consistent way, replaces a cell and by chance has an \emph{appropriate distance} from the subscriber that is its target, the \gls{icds} will not unveil it up to now.
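Review bot: \label{sec:paging} is attached to a \subsubsection, and the text added to Evaluation.tex in this commit cites it as "Section \ref{sec:paging}". If subsubsections are not numbered under this document's secnumdepth setting, the reference will print the number of the enclosing numbered unit instead of this heading; check the compiled output and, if that is the case, raise secnumdepth or move the label to the numbered heading that the text is meant to point at.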
@@ -506,12 +507,15 @@ Appendix \ref{sec:extensions} gives an example of how this can be done.
\subsection{Configuration}
\label{sec:configuration}
\begin{figure}
+\hspace*{\dimexpr\fboxsep+\fboxrule}%
+\begin{minipage}{\dimexpr\textwidth-4\fboxsep-2\fboxrule}
\begin{lstlisting}
dictionary = {
"key_1": value_1, #single value
"key_2": [value_2,value_3] #value range
}
\end{lstlisting}
+\end{minipage}
\caption{Configuration Dictionary in the settings file.}
\label{fig:python_dict}
\end{figure}
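Review bot: The wrapper added around the listing, \hspace*{\dimexpr\fboxsep+\fboxrule}% followed by \begin{minipage}{\dimexpr\textwidth-4\fboxsep-2\fboxrule}, is pasted verbatim here and again in Evaluation.tex and Motivation.tex. Define it once, either as a custom environment via \lstnewenvironment or through the listings keys xleftmargin and xrightmargin in a global \lstset, so the frame width is adjusted in one place. The left offset is one \fboxsep while the width subtracts four; if the asymmetry is intentional, a short comment in the preamble explaining it would help.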
@@ -536,9 +540,7 @@ This way python code can also be used to change settings dynamically depending o
\label{sec:icds_operation}
The \gls{icds} main application has to be started with root privileges since it needs to work with Unix sockets and open up connections to the Motorola C123.
This should be done by starting up the \texttt{main} class that initialises everything else.
-\begin{lstlisting}
-sudo python /path-to-project/Src/PyCatcher/src/main.py
-\end{lstlisting}
+\[\texttt{sudo python /path-to-project/Src/PyCatcher/src/main.py}\]
After a brief loading time the main window shown in Figure \ref{fig:icds} should appear if a valid configuration is set up.
\begin{figure}
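Review bot: The replacement line \[\texttt{sudo python /path-to-project/Src/PyCatcher/src/main.py}\] uses display math to typeset a shell command. Display math cannot break across lines, so a longer path will overrun the margin, and it adds equation spacing and math semantics to something that is not a formula. A small text-mode macro or environment for command lines (for example a centred or indented \texttt line, or a frameless lstlisting style) gives the same look and keeps commands copyable without math-mode escaping.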
diff --git a/Tex/Content/Evaluation.tex b/Tex/Content/Evaluation.tex
index bd37b6c..5254d31 100644
--- a/Tex/Content/Evaluation.tex
+++ b/Tex/Content/Evaluation.tex
@@ -106,7 +106,35 @@ However it must be said that these two services are intended for localisation an
Therefore it must be kept in mind when using this rule for analysis that false positives might still be brought forth.
What can be said though is that a base station that has been found may only be subject to a type of attack that replaces an existing base station and can thus be investigated more specifically.
-\subsection{PCH Scan Speed}
+\subsection{PCH Scans}
+In order to establish a baseline on what to expect from the \gls{pch} scans different measurements have been done.
+Table \ref{tab:pagings} shows scans that have been done in three different areas.
+In each area the cell with the strongest reception for each provider was chosen as a representative for the respective provider.
+The duration of each scan was set to 60\;s, while the values in the table have been averaged for 10\;s since this is the unit the \gls{icds} is using.
+
+A comparison of the results suggests that the different providers also have different policies when to page.
+Vodafone has about six times the paging rate O$_{2}$ has but only half the Immediate Assignments.
+
+Another scan was also done on the IMSI catcher.
+No Paging Messages or Immediate Assignments were detected although \glspl{ms} were connected to it.
+That was to be expected as formerly discussed in Section \ref{sec:paging} because the IMSI catcher is not actually part of the providers network and thus cannot receive and forward paging requests.
+\begin{table}
+\centering
+\begin{tabular}{lrrcrrcrr}
+\toprule
+& \multicolumn{2}{c}{\texttt{house\_area}} &\phantom{a}& \multicolumn{2}{c}{\texttt{cbd}} &\phantom{a} & \multicolumn{2}{c}{\texttt{airport}}\\
+\cmidrule{2-3} \cmidrule{5-6} \cmidrule{8-9}
+&Pagings&Imm. Ass.& &Pagings &Imm. Ass.& &Pagings&Imm. Ass.\\
+\midrule
+T-Mobile& 89&3& &75&3& &109&4\\
+E-Plus& 119&1& &67&2& &70&1\\
+Vodafone& 776&6& &720&5& &712&6\\
+O2& 117&9& &106&16& &94&11\\
+\bottomrule
+\end{tabular}
+\caption{Number of Pagings and Immediate Assignments (per 10\;s) for the four German providers at different locations.}
+\label{tab:pagings}
+\end{table}
\section{IMSI Catcher Detection}
Before using an IMSI catcher for testing purpose or a launching an OpenBTS base station it should be ensured that licenses for the specific frequencies that are used, have been obtained.
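Review bot: The IMSI catcher measurement ("No Paging Messages or Immediate Assignments were detected although \glspl{ms} were connected to it") is the result the paging rule rests on, but it is reported without scan duration or number of connected stations and does not appear in Table \ref{tab:pagings}. It also reads as conflicting with the OpenBTS excerpt later in this file, which sets Control.OpenRegistration 0 under the comment "Do not let people connect"; state which configuration was used for this scan. Minor: the table row is labelled "O2" while the prose uses O$_{2}$, and the sentence about 60\;s scans "averaged for 10\;s" should say explicitly that the counts are per-10-second averages over a 60-second scan, if that is what is meant.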
@@ -141,6 +169,8 @@ Since we do not want to actually connect to the IMSI catcher, the Asterisk part
The parameters necessary to simulate a \gls{gsm} cell have to be set inside the \texttt{OpenBTS.conf}.
Figure \ref{fig:openbts_parameters} shows an annotated example for a configuration simulating a T-Mobile cell.
\begin{figure}
+\hspace*{\dimexpr\fboxsep+\fboxrule}%
+\begin{minipage}{\dimexpr\textwidth-4\fboxsep-2\fboxrule}
\begin{lstlisting}
#Do not let people connect
Control.OpenRegistration 0
@@ -160,6 +190,7 @@ GSM.Neighbours 69 53 20
#Force location Updates, multiple of 6 minutes
GSM.T3212 1
\end{lstlisting}
+\end{minipage}
\caption{Excerpt of a \texttt{OpenBTS.conf}.}
\label{fig:openbts_parameters}
\end{figure}
@@ -344,4 +375,5 @@ Since the catcher sends a different \gls{lac} the \gls{ms} will send a location
\end{figure}
Due to its strong increase in reception and the change in the \gls{lac} the IMSI catcher cell obtained a 'Critical' status immediately after it had been scanned a second time.
+Also due to this fact the reception level differed too much from the interval that had been measured for this Cell ID in the Local Area Database and received as a result also a 'Critical' rating from the respective rule.
User Mode did not start a PCH scan since the evaluation had already been 'Critical'. \ No newline at end of file
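Review bot: In the added sentence, "Also due to this fact" has no clear referent, because the preceding sentence names two causes (the increase in reception and the change in the \gls{lac}); name the reception increase explicitly. The sentence also refers to the "Local Area Database", whereas Detection.tex calls the corresponding rule the Location Area Database Rule; use one name so the reader can map the 'Critical' rating to the rule that produced it.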
diff --git a/Tex/Content/Motivation.tex b/Tex/Content/Motivation.tex
index 0d5b571..ddc5b12 100644
--- a/Tex/Content/Motivation.tex
+++ b/Tex/Content/Motivation.tex
@@ -54,12 +54,16 @@ The IMSI catcher was configured in a way to not let subscribers connect, therefo
To make the thesis more readable a few conventions will be kept throughout this document.
Important words or components of the IMSI Catcher Detection System will be printed \emph{emphasised}.
\texttt{Typewriter} font will be used whenever a console command or a file name will be used in the running text.
-Code examples and whole command lines can be distinguished by a code listing box that surrounds them.
-\begin{lstlisting}
+Code examples can be distinguished by a code listing box that surrounds them.\\\\
+\hspace*{\dimexpr\fboxsep+\fboxrule}%
+\begin{minipage}{\dimexpr\textwidth-4\fboxsep-2\fboxrule}
+\begin{lstlisting}
if __name___ == '__main__':
- print 'Hello World'
+ print 'Hello ICDS'
\end{lstlisting}
-
+\end{minipage}\\
+If a complete command line is given it will be put into a new line and the \texttt{typewriter} font will be used.
+\[\texttt{sudo do\_it -t now}\]
Generally a lot of acronyms will be used due to the nature of \gls{gsm} and telephony dialects, where every possible word has an acronym associated with it.
The first appearance will always be written out followed by the acronym in parenthesis that will be used from that point henceforth.
A complete list of all acronyms for reference can be found in the back of the document. \ No newline at end of file
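Review bot: The vertical spacing around the example is forced with \\\\ after "surrounds them." and \\ after \end{minipage}; manual line breaks at the end of a paragraph trigger underfull \hbox warnings and do not scale with the document's spacing, so use a paragraph break with \medskip or let the listing environment supply the space. Since the listing is being touched anyway, the context line if __name___ == '__main__': has three trailing underscores in __name___ and would not run as printed. The sample command \[\texttt{sudo do\_it -t now}\] sets a command line in display math; a text-mode construct would avoid math spacing and overflow on longer commands.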