summaryrefslogtreecommitdiffstats
path: root/Tex/Content/Detection.tex
blob: b29b210af2d1f00bfbb7d9db4ae08c961138bee8 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
\chapter{IMSI Catcher Detection}
\section{Framework and Hardware}
The following section will give a short overview of the OsmocomBB framework and how it works in conjunction with the Motorola C123 mobile phone to enable information harvesting for the \gls{icds}.
OsmocomBB is one of many \gls{osmo} projects\footnote{\url{http://osmocom.org/}} that implements the software part of a mobile phone.
Another project is OpenBSC which implements software for configuring and operating a \gls{bsc}.
OpenBSC was used to realise the Open Source IMSI Catcher \cite{dennis} and the base station that will be used later to evaluate the performance of the \gls{icds}.

\subsection{OsmocomBB}
OscmocomBB is the project that implements the baseband part of \gls{gsm} as an open source project.
Baseband means an open source software to control the baseband chip inside the mobile phone which is a different processor than the application processor.
The goal is to have, by using compatible hardware, a phone using free software only as opposed proprietary baseband implementations.
Therefor the project scope is implementing \gls{gsm} layer 1-3 as well as hardware drivers for the baseband chipset.
A simple user interface on the phone is planned but not yet implemented and a verbose user interface on the computer.
This could be beneficial to multiple areas \cite{osmo_rationale}:
\begin{itemize}
	\item \textbf{Security:} The software running on the baseband chips is highly proprietary and closed.
	The source is often disclosed only to the mobile phone manufacturers using the specific chipset.
	One cannot be sure that this software does not have bugs that could be exploited and ultimately pose a security risk to the subscriber.
	History has shown that open source projects are more secure than proprietary solutions since more people can view the source to find issues.
	If a security threat is found the bug is fixed fast and a patch is released.
	This could be a great benefit for phone users.
	\item \textbf{Education:} Currently knowledge about \gls{gsm} and its layers on a technical level is not very well spread.
	The literature so far 
	An open source implementation as a reference could serve to educate more developers generally interested in the subject of mobile communications and thus improve products and software.
	Additionally this implementation enables universities to hold practical lab courses and private persons to do hands-on experiments.
	\item \textbf{Research:} A free implementation can decouple research on \gls{gsm} technologies from the industry since key technologies are no longer only available to researchers employed to a specific company.
	Additionally this way security holes can be uncovered more easily.
	Modifications to the protocol stack can be deployed and tested in a real environment.
\end{itemize}

\subsubsection{Project Status}
At this point layer two and three do not actually run on the phone but rather on a computer to which the phone is connected via a serial cable whereas layer 1 runs inside the custom firmware on the \gls{me} itself, since the procedures on layer 1 are very time critical.
This has advantages as well as disadvantages.
The disadvantage is that in order to run an application written with OsmocomBB you always have to have a notebook in addition to the phone.
The benefit however is that during the development process, the phone does not have to be touched after an initial deployment of the firmware.
This means code can be modified, compiled and tested locally without the need of remote debugging; experimenting is considerably easier this way.
This separation however would not work in the original \gls{gsm} specification, therefore an extra interface between layer 1 and 2 had to be implemented to manage handle messages.
It is called L1CTL.

\begin{figure}
\centering
\includegraphics{../Images/OsmoStructure}
\caption{Interaction of the OsmocomBB components with the ICDS software.}
\label{fig:osmo_setup}
\end{figure}

The current state of the project is, according to a presentation given on the 27$^\text{th}$ chaos communication congress\footnote{27C3: \url{http://events.ccc.de/congress/2010/wiki/Main_Page}} by Dieter Spaar and Harald Welte, that the network layers 1-3 are fully implemented, SIM cards can be accessed or emulated and \gls{gsm} cell selection and reselection are working.
A3/A8 as well as A5/1 and A/52, Full Rate and Enhanced Full Rate codecs are there, so it is possible to do voice calls with an OsmocomBB application written for that purpose, called \texttt{mobile}.
It features a terminal/telnet based interface much like Cisco routers however there is no user interface for the phone so far or any implementation for Handovers since neighbourhood measurements are not implemented in the framework as of now.
During these calls or during the operation of other programs, it is possible to receive all the frames that are being transmitted via Wireshark from the \texttt{osmocon} application \cite{konrad}.

\subsubsection{OsmocomBB and ICDS}
The setup that is used for the \gls{icds} project can be seen in Figure \ref{fig:osmo_setup}.
It was build and tested in a Xubuntu 11.10 environment \footnote{http://xubuntu.org/} which is a more lightweight variant of the popular Debian based Ubuntu Linux distribution.
The process of acquiring, compiling and running the OsmocomBB framework itself in this environment is explained in Appendix \ref{sec:osmo_install}.
As can be seen in the diagram, layer 1 of the OsmocomBB \gls{gsm} stack runs on the phone.
It is connected via a serial cable to the computer running the \gls{icds}.
On the computer side the \texttt{osmocon} program provides a general interface to the phone.
\texttt{Osmocon} is also used to download the firmware to the Motorola C123.
Other software can communicate with \texttt{osmocon} and subsequently with the phone using unix sockets.

\texttt{Catcher} is a modified version of the \texttt{cell\_log} program by Andreas Eversberg that interfaces with \texttt{osmocon} to harvest information from \gls{bts} and forward it to the \gls{icds}.
It can be seen as a layer 3 program that scans through available frequencies and reads information from the \gls{bcch} whenever one such channel is available on the frequency at hand.
The forwarding is done directly via \texttt{stdout} since it runs as a child process of the \gls{icds}.
The functionality of \texttt{catcher} will be explained in detail in Section \ref{sec:info_gathering} while the implementation and operation of the \gls{icds} will be discussed in Section \ref{sec:icds}.

\subsection{Motorola C123}
\label{sec:osmo_phones}
Since the general idea behind OsmocomBB was to become a vendor independent open source \gls{gsm} implementation for everyone to use, there were certain requirements the targeted hardware would have to meet.
For the consumer side requirements these were having a low price and a good availability.
This criterion rules out \gls{diy} approaches since number of produced devices would be low and thus costly or a significant technical knowledge would be expected from all users to assemble the hardware.
For the developer side this would also mean implementing a lot on the lower levels of analog logic.
Therefore the Motorola C123 was chosen, an old, very cheap phone that is well spread.
It has the advantage of being very simple on the hardware side since it is based on the well documented Texas Instruments Calypso Chipset\footnote{Documentation can be found on \url{http://cryptome.org} and other sites.}
Table \ref{tab:c123_specs} shows an overview of the main specifications for the phone.
\begin{table}
\centering
	\begin{tabular}{ll}
	\toprule
	Component			&Specification\\
	\midrule
	Band 				&GSM 900, GSM 1800\\
	Size				&$101\times 45\times 21$ mm\\
	Weight				&86 g\\
	Battery				&920mAh Li-Ion battery\\
	Digital Baseband	&Texas Instruments Calypso\\
	Analog Basenand		&Texas Instruments Iota TWL3025\\
	GSM Transceiver		&Texas Instruments Rita TRF6151C\\
	\bottomrule
	\end{tabular}
	\caption{Technical specifications for the Motorola C123.}
	\label{tab:c123_specs}
\end{table}
The OsmocomBB framework should work well or with small adjustments for phones that share the same components.
Figure \ref{fig:osmo_c123} an image of the Motorola C123 circuit board with the components mentioned before.
\begin{figure}
\centering
	\includegraphics[width=.9\textwidth]{../Images/c123_pcb}
	\caption{Circuit board of the Motorola C123 with its components \cite{osmo_wiki_c123}.}
	\label{fig:osmo_c123}
\end{figure}
Another reason for choosing this hardware platform was that during the start of the OsmocomBB project an open source implementation of \gls{gsm} layer 1 was already available on sourceforge (TSM30 Project) that could be used as a reference.

In order to use the Motorola C123 in combination with the OsmocomBB framework the custom firmware implementing layer 1 and L1CTL has to be flashed.
This has to be done using a RS332 serial cable that is connected to the 2.5 mm audio jack.
The audio jack of the Motorola C123 and other Calypso based mobile phones typically have a 3.3 V serial port on their audio jacks.
These cables are normally referred to as T191 unlock cables 
A variety of stores around the internet sell the cables ready made for about \$10\footnote{\url{http://fonefunshop.co.uk}}.
One must be careful when using the PC's serial port to communicate with the phone though.
Since the phone's serial operates at 3.3 V and is internally connected to the 2.8 V IO-pins of the baseband processor, directly connecting it to the computers 12 V serial port will destroy the hardware.
Therefore it is recommended to use a USB serial cable.
Schematics for such an unlock cable, along with a few instructions on how to build one are given in Appendix \ref{sec:osmo_serial_schematics}.
Another issue is virtualisation.
The bootloader and the firmware can fail to be deployed correctly if a virtual machine is used as development system.
This is because the protocol used by Motorola to do the actual flashing process is \emph{very} time critical and thus timeouts can occur that are caused by the overhead the virtual machine imposes on the hardware/software communication.

\section{Procedure}
The main goal of the \gls{icds} is to reach a conclusion on whether it is safe to initiate a phone call or not, in other words if we trust all surrounding base stations.
As mentioned before as soon as a subscriber connects to an IMSI Catcher it automatically gives up information on his/her location.
Therefore this project will use a passive approach on information harvesting, meaning we will only use information that is broadcasted or freely available as to not give up any hints of the \gls{icds} being active.

To that end a four-step process is taken.
First the information is gathered.
This process is explained in detail in Section \ref{sec:info_gathering}.
After information on the surrounding \gls{bts} is ready in the \gls{icds} a set of checks is evaluated on each base station individually each yielding a specific result for the station.
These checks are called rules and discussed further along with the next two steps in Section \ref{sec:info_evaluation}.
The next step is to aggregate all the results the rules yielded for each base station into one single result for each \gls{bts}.
At last, after every \gls{bts} has its evaluation it can be decided whether to tell the subscriber it is safe to initiate a phone call or not.

\subsection{Information Gathering}
\label{sec:info_gathering}
As explained in Section \ref{sec:common_channels} every base station has an associated \gls{bcch} where information about the station and its network is spread.
\gls{bcch} frames are always sent inside a 51-Multiframe.
After the \gls{ms} has synchronised using the values on the \gls{fcch} and \gls{sch} it can determine which kind of information is hosted inside the \gls{bcch} message.
These so called System Information Messages originate at the \gls{bsc} and are produced for each \gls{bts} individually and then periodically broadcasted.
Since all the required information would not fit inside a single frame there are different kinds of System Information Messages that are distinguished by their \gls{tc} and host different kinds of information.
The type can be extracted using the \gls{fn} of the frame the message is sent in \cite{GSM2009}:
\[\text{TC}=(\text{FN} \text{ div } 51)\text{ mod } 8\]
Table \ref{tab:tc_mapping} shows how the \glspl{tc} can be mapped on those types.
\begin{table}
\centering
\begin{tabular}{lc}
\toprule
TC		&System Information Type\\
\midrule
0		&Type 1\\
1		&Type 2\\
2,6		&Type 3\\
3,7		&Type 4\\
4,5		&Any (optional)\\
\bottomrule
\end{tabular}
\caption{Type Codes and the corresponding System Information Types \cite{GSM2009}.}
\label{tab:tc_mapping}
\end{table}
For this project the System Information Type 1-4 are of interest because these are available to all \gls{ms} that tune in to the particular \gls{bcch} of the respective \gls{bts} without actively connecting to it.

The harvesting of information contained in these System Information Messages is done via the \texttt{catcher} program.
\texttt{Catcher} is implemented inside the OsmocomBB framework and connects over the \texttt{osmocon} application to the Motorola C123.
At first a sweep scan is done over all the \glspl{arfcn} to measure their reception levels in order to determine where base stations and thus \glspl{bcch} are located.
Afterwards \texttt{catcher} tunes the phone to those specific frequencies where a \gls{bts} was found 
%TODO: see whether all parameters can be harvested inside OsmocomBB
At each such frequency it waits until all the System Information Messages are gathered and extracts parameters where possible.
The parameters along with the raw data are forwarded to the main \gls{icds} application for further parsing and evaluation.
An example for a parsed System Information Type 2 Message can be seen in Figure \ref{fig:sysinfo2}.
Examples for all the System Information Messages used are located in Appendix \ref{sec:system_infos}.
\begin{figure}
\centering
\caption{System Information 2 Message with annotations \cite{protocols1999}.}
\label{fig:sysinfo2}
\end{figure}
As long as scanning mode is active all the available stations are scanned repeatedly and changes in the \gls{bts} will continuously update the data model inside the \gls{icds} software.
The parameters harvested are:
%TODO: add more detail of format
\begin{itemize}
	\item Country: The interpreted country code the base station is broadcasting.
	\item Provider: The interpreted provider code the base station is broadcasting.
	\item ARFCN: The \gls{arfcn} on which the base station is located.
	\item rxlev: Receiving strength in db.
	This parameter is measured by the Motorola C123 and not part of the System Information Messages.
	Even small changes in the location can have a large impact on this parameter due to shadowing and reflection.
	How ever it can be used in certain cases as will be discussed in Section \ref{sec:fake_parameters}.
	\item BSIC: Because of frequency reuse in a cellular network it is possible that two different base stations can sent at the same \gls{arfcn}.
	In order for the \gls{ms} to keep these apart the \gls{bsic} is also broadcasted.
	It consists of a \gls{ncc} identifying the provider, so the \gls{ms} can filter out messages that is does not need and the \gls{bcc} that must be unique for a given provider over all base station in a large area.
	\item LAC: This is the last part of the \gls{lai} (that consists of \gls{mcc} + \gls{mnc} + \gls{lac}) and is a hierarchical identifier for a given base station.
	The hierarchy is provider wide, meaning two different providers may use \glspl{lac} with a completely different numbering system.
	\item Cell ID: The Cell ID is a globally unique identifier for the cell the \gls{ms} is connected to.
	\item Neighbouring Cells: Each base station keeps a list of other base stations in the perimeter  for the \gls{ms} to scan and determine if there is a \gls{bts} with a better reception in the area.
	\item Encryption: The encryption algorithm used to encrypt the voice data.
	Note that encryption cannot actually be read passively from a base station since the encryption algorithm is determined when a connection is established.
	%TODO: find out exactly how this is done
	To not become active and connect to the station, this is harvested by tuning in to something and capture the packages that set the encryption for another mobile subscriber.
\end{itemize}
Note that there are different formats for the Neighbouring Cell List since the original number of 17 bytes could only present a bit mask for 124 neighbouring \glspl{arfcn}.
This works for the 900 MHz band but for the 900 extended and the 1800 MHz band the System Information Type 2 bis and System Information Type 2 ter have to be harvested additionally to construct the Neighbouring Cell List.

\subsection{Information Evaluation}
\label{sec:info_evaluation}
Each base station is evaluated the moment the data completely arrived at the \gls{icds} application.
Additionally when a new \gls{bts} has been found and added all formerly discovered station are also re-evaluated since new discoveries can have an impact on the rules that evaluate the context surrounding an old base station.

As mentioned above, evaluation is done based on constructs called rules.
Each rule represents one check that can be performed on a base station and yields a result based on its findings.
\emph{Critical} result means that the base station evaluated has a critical configuration error or critical settings that are not found on normal base stations, \eg unknown provider names or encryption that is turned off.
This station should not be trusted.
If  a \emph{Warning} status is yielded the \gls{bts} at hand has some concerning features but it could not be said whether this really is a hint to a catcher or sheer coincidence.
An example would be a base station having a  neighbouring cell list of which none of the cells therein have actually be found up to that point.
The list could either be a fake or it could simply be coincidence that scan has not found any up to that point.
In some cases the rule cannot yield a finding.
That is when the state is explicitly set to \emph{Ignore} so the evaluator knows that this rule should have no influence on the final outcome.	
This is the case for example when trying to find whether the base station uses encryption or not and no other subscriber connects until a set timeout is reached.
Rules can be divided into two categories depending on what they do.
If everything went as expected, \emph{Ok} is returned.

These rules can be divided into two different categories depending on how they work and which situations they are tailored to.
Most of the rules are parametrised so they can be tweaked to different environments.

The first set of rules called \emph{Configuration Rules} targets the base station itself.
Rules in this category are meant to check the parameters that concern the \gls{bts} and check them for integrity and configuration mistakes that could have been made by an IMSI catcher operator.
These rules are mainly meant to filter out some base cases fast.
An overview of which Context Rules are currently implemented inside the \gls{icds} is given in Table \ref{tab:config_rules}.
\begin{table}
\centering
\begin{tabular}{ll}
\toprule
Rule					&Functionality\\
\midrule
Provider Known			&Checks whether the provider is in a list of known \\
						&providers.\\
Country/Provider Map	&Checks whether the given provider is a valid provider\\
						&for the given country.\\
LAC/Provider Map		&Checks whether the LAC of the station is in the normal\\
						&LAC range for that provider given the area.\\
ARFCN/Provider Map		&Checks whether the ARFCN is in the officially registered\\
						&range of the provider.\\
Encryption Algorithm	&Checks which encryption algorithm is used.\\
\bottomrule
\end{tabular}
\caption{Configuration Rules implemented inside the ICDS.}
\label{tab:config_rules}
\end{table}
Since there is no official listing or rule how the \gls{lac} is derived the LAC/Provider Mapping Rule need knowledge of the area in the the \gls{icds} is used.
The \gls{icds} itself can be used to gather that knowledge but it has to be done prior to using the rule for base station evaluation.
The \gls{arfcn} range each provider has registered can be looked up at the website of the Bundesnetzagentur\footnote{\url{http://www.bundesnetzagentur.de/}} which is needed for the ARFCN /Provider Mapping Rule.

The second set of rules is called \emph{Context Rules}.
As the name suggests these rules serve the purpose of checking how well a given \gls{bts} fits into its neighbourhood.
Table \ref{tab:context_rules} shows which rules have been implemented.
The Neighbourhood Structure Rule will be explained in a bit more detail in the next section.
\begin{table}
\centering
\begin{tabular}{ll}
\toprule
Rule					&Functionality\\
\midrule
LAC Median Deviation	&Checks whether the LAC of the given BTS deviates\\
						&more than a certain threshold from the median LAC of\\
						&that provider.\\
Pure Neighbourhoods		&Checks whether all found stations in the Neighbouring\\
						&Cell List share the same provider.\\
Neighbourhood Structure	&Checks the structure of the Neighbouring Cell List for\\
						&certain patterns.\\
Fully Discovered Nbhds. &Checks whether all the cells in the Neighbouring Cell\\
						&List have actually been found.\\
Cell ID Uniqueness 		&Checks whether there are other cells with the same\\
						&Cell ID.\\
\bottomrule
\end{tabular}
\caption{Context Rules implemented inside the ICDS.}
\label{tab:context_rules}
\end{table}
For the LAC the median was chosen over the average since if an extreme value (ill configured IMSI catcher) exists it would have a too strong impact on the average to which all the \gls{bts} are compared.
It could even have such a strong effect on the average that legitimate base stations would fall below the threshold and be recognised as catchers.

\subsubsection{Neighbourhood Structure}
The neighbourhood structure is the graph that is described by the Neighbouring Cell List located in the System Inforamtion 2/bis/ter constructs.
Figure \ref{fig:neighbourhood_example} shows an example of the neighbourhood graphs from Vodafone and T-Mobile at the Technische Fakult\"at of the University of Freiburg\footnote{Georges Koehler Allee, Freiburg}.
\begin{figure}
\centering
\includegraphics[width=.9\textwidth]{../Images/neighbourhoods_fak}
\caption{T-Mobile and Vodafone stations at the Technische Fakult\"at.}
\label{fig:neighbourhood_example}
\end{figure}
It can be seen that for each provider, the neighbourhood forms a isolated, nearly fully connected subgraph.
The bordering grey-blue nodes have not yet been discovered therefore they have no outgoing edges.
This could be the case because they are too far away for the Motorola to receive them or because of signal damping due to shadowing and reflection effects.
In the \gls{icds} the aspect of isolated subgraphs for neighbourhoods is captured inside the Pure Neighbourhoods Rule.

Some of the attacks discussed in Section \ref{sec:attacks} imply a certain structure of the neighbourhood graph.
Since the IMSI catcher tries keep \glspl{ms} that have connected from switching back to a normal cell the neighbourhood list of such a catcher cell would either be empty or would only host neighbour cells that have a bad reception.
An empty neighbourhood list is represented in a graph by a node that has been discovered and has only incoming edges.
\begin{figure}
\centering
\subfigure[Normal neighbourhood]{
\begin{tikzpicture}[->,>=stealth',shorten >=1pt,auto,node distance=3cm,
  thick,main node/.style={circle,fill=blue!10,draw,font=\sffamily\Large\bfseries}]

  \node[main node] (1) {A};
  \node[main node] (2) [below left of=1] {B};
  \node[main node] (3) [below right of=1] {C};

  \path[every node/.style={font=\sffamily\small}]
    (1) edge  node {} (2)
        edge  node {} (3)
    (2) edge  node {} (1)
    	edge  node {} (3)
    (3) edge  node {} (1)
    	edge  node {} (2);
\end{tikzpicture}
}
\subfigure[Tainted neighbourhood]{
\begin{tikzpicture}[->,>=stealth',shorten >=1pt,auto,node distance=3cm,
  thick,main node/.style={circle,fill=blue!10,draw,font=\sffamily\Large\bfseries}]

  \node[main node] (1) {A};
  \node[main node] (2) [below left of=1] {B};
  \node[main node] (3) [below right of=1] {C};
  \node[main node] (4) [right of=1] {D};

  \path[every node/.style={font=\sffamily\small}]
    (1) edge  node {} (2)
        edge  node {} (3)
    (2) edge  node {} (1)
    	edge  node {} (3);
\end{tikzpicture}
}
\caption{Comparison between a normal neighbourhood subgraph and a tainted one.}
\label{fig:structure_comparison}
\end{figure}
Figure \ref{fig:structure_comparison} shows a simplified regular neighbourhood graph compared to a graph with a catcher node inside.
In this case catcher C chose the attack where it replaces a previously existent \gls{bts} whereas catcher D opened up a new cell.
Replacing has several advantages, one being already integrated in the neighbourhood of other nodes and thus being able to catch subscribers by handover.
For catcher D it is the other way around, it has only outgoing edges.
This means that this cell is not known by any other node of the same provider (of course the catchers provider is fake!).
Nevertheless it has some outgoing edges to nodes with significantly less transmission strength to not stick out too much as a completely isolated node.
Combinations of these two approaches are also possible.
These thoughts are basically what is captured in the Neighbourhood Structure Rule.

\subsubsection{Base Station Evaluation}
As mentioned at the beginning, all the rules are evaluated for each base station.
Aggregation of these rule results into a single result is done by modules called \emph{Evaluators}.
Currently there are three different evaluators implemented inside the \gls{icds}, with varying degrees of customisability.
\begin{itemize}
	\item Conservative Evaluator: This is a worst-case evaluator.
	It iterates over all the rule findings and yields the most concerning finding as its result.
	By default this evaluator is enabled in the system.
	\item Weighted Evaluator: Using this evaluator the user can give a weight to each rule.
	This way rules that are more important to the user can have a higher impact on overall evaluation.
	\item Grouped Evaluator: With this evaluator rules can be grouped together.
	Inside each group the result for the group is found by majority vote whereas the final result is conservatively found by comparing all the group results.
\end{itemize}
The different kinds of evaluators can be used to tweak the whole system more to a specific environment or purpose, if specific rules or groups of rules are given more weight.
After a finding has been determined for each station, all the results are again aggregated into a final result.
This result is always found in a conservative manner since the subscriber cannot choose to which \gls{bts} to connect to.
If one base station seems to be compromised it cannot be guaranteed that the subscriber will not connect to it, thus the final result needs to reflect that fact.

\subsection{Forged Parameters}
\label{sec:fake_parameters}
All of the parameters that have been looked at in this project so far are parameters that can be directly set by the operator of the \gls{bts} or IMSI catcher.
This is a major problem since how can an IMSI catcher be found that sends exactly the same information as a regular base station?
To further investigate this issue we will analyse based on the three attack types presented in Section \ref{sec:attacks} which parameters can be forged and which cannot.

For all three attack types presented it is possible to find a parameter configuration that does not raise suspicion, if the operator chooses a compatible \gls{lac}, \gls{arfcn}, \etc for the imitated provider. 
The Neighbouring Cell List is a bit different.
Since the catcher wants to keep lured subscribers it will normally have an empty list or a list pointing only \glspl{bts} that have a lower reception level. 
Both of these cases can be detected.
However the operator \emph{may} also choose to set a list consistent with the neighbouring cells.
This would lower the chances of success for the catcher but also make it blend better in its environment and thus harder to detect.
A sure criterion is the absence of an encryption algorithm which is needed by the catcher to record and monitor phone calls.
The main problem here is that it cannot be guaranteed that this parameter can be harvested.
Since this is a semi passive approach to harvesting it needs another subscriber to connect to the base station in question during the time the \gls{icds} is scanning it.

For the Cell ID there are basically two possibilities depending on which attack is used.
In the second case parameters can be chosen in a consistent way although a new Cell ID has to be chosen, as the Cell ID needs to be unique.
The second possibility is that the IMSI catcher replaces a formerly existent cell and the second one is that it opens up a new cell.
In the first case all parameters can be copied from the original cell.
These cases can be resolved by adding outside knowledge to the \gls{icds}.
This is also done by certain rules called \emph{Database Rules}.

\subsubsection{Database Rules}
There are to different rules that each handles one of the cases separately.
The first case is the easier of both.
We know that the catcher cell has a new Cell ID that has not been there before.
Therefore the \emph{Cell ID Databse Rule} has three different approaches to exploit this fact:
\begin{itemize}
	\item A database of Cell IDs can be learned by the \gls{icds} beforehand. 
	Each cell that was seen more often over longer periods of time receives a higher rating.
	This can be used to detect new Cell IDs that have not been seen before.
	The better way to receive a Cell ID database is to use a commercially build one since it is always possible to overlook a cell when learning the surroundings.
	\item A web service also offered by most providers of Cell ID databases can be used to see whether a cell actually exists and check whether it should be situated in the neighbourhood it is in.
\end{itemize}
The three largest Cell ID databases are the two commercial ones by Ericson\footnote{\url{https://labs.ericsson.com/apis/mobile-location/}} and combain\footnote{\url{http://location-api.com/}} as well as the free alternative OpenCellID\footnote{\url{http://www.opencellid.org/}} \cite{wiki_cells}.
Ericson and combain have trial modes, where the first 1000 requests are free for developers afterwards a subscription or a fee per request must be paid.
By adding this information new cells can be identified.

The second where an existing cell is replaced is a bit more complicated since its parameters are an exact copy of the old cell.
Attacking by replacing a cell works in a way that the cell with the worst reception is targeted.
That way when the IMSI catcher finished replacing it, the reception goes up a significant amount and the mobile phone will initiate a handover to that cell.
The difference in reception can be used to identify this kind of attack.
In general the reception cannot be well used as a parameter because shadowing and reflection can substantially change the reception from one moment to the other.
However when reception intervals are logged for a fixed location like a bureau, important calls made from that specific location can be protected against this kind of attack.
To that end the \emph{Location Area Databse Rule} can augment a Cell ID Database with information about the reception of the particular cells in different locations and find out if reception for a particular station and location have changed significantly.

\section{IMSI Catcher Detection System}
\label{sec:icds}
This section will give a short overview over some technical aspects of the \gls{icds} software itself.
The first section will focus on architectural aspects and how the architecture can be extended.
The second and third section will then explain how to configure and operate the application.

\subsection{Implemetation}
\begin{figure}
\centering
\includegraphics{../Images/Architecture_software}
\caption{System architecture of the ICDS. The arrows indicate the flow of data.}
\label{fig:architecture}
\end{figure}
Figure \ref{fig:architecture} shows a diagram describing the system architecture, modules in light blue have been implemented for this project.
The application consists of two main parts.
One part, the \texttt{catcher} is implemented inside the OscmocomBB framework, the other part \texttt{PyCatcher} is a Python application that uses \texttt{catcher} to harvest information and evaluate it afterwards.
Since the way \texttt{catcher} works has already been described in Section \ref{sec:info_gathering} this section will focus on the Python application part.

As mentioned before layer 1 of the \gls{gsm} stack is implemented in the firmware running on the Motorola C123.
Layer 2 and 3 are implemented on the computer and are used by the \texttt{catcher} software to harvest information from the \gls{bcch}.

The \texttt{PyCatcher} application was designed with a \gls{mvc} approach in mind to make it easy to implement new functionality.
The \gls{mvc} pattern is used to separate the data model of an application form the logic as well as from the way it is presented to the user.
That way each of the different components can be exchanged without affecting the other two.
An additional module has been added, the \texttt{OsmoConnector} that is loaded by the controller and spawns \texttt{catcher} as a child process.
It takes the output back in and transforms it into an object oriented representation of the discovered base stations.
These are then handed over and update the data model.
This way it can be ensured that only coherent and complete information is incorporated in the data model.
Another benefit is that the parsing module is separated from the main program logic.

The \texttt{Controller} is the main part of the program and instantiates all the other modules.
It loads data from the model, triggers the evaluation and sends the results to the view to be displayed.
As discussed before there are several rules that can be evaluated for each base station.
These rules are stored within the controller and can be enabled or disabled by using the view that in turn calls the respective functions for enabling or disabling rules respectively from the controller.
Whenever a new evaluation is requested the controller evaluates the active rules and gives the results to the active evaluator, afterwards the results are send to the view for display to the user.
Note that all the structures used are view independent, this way the current view could easily be exchanged with a web interface for example.

The \texttt{View} in this project consists of a GTK3 window with several forms for user input.
It is bound to the controller using PyGTK.
Details on the \texttt{View} and how to use it will be explained in Section \ref{sec:icds_operation}.

Rules and Evaluators were designed in a plugin fashion, since these are the main points where the program can be enhanced and new ideas can be realised.
Implementing a new rule or a new evaluator works by extending the rule or evaluator base class and implementing one method that does the actual checking.
After that they only need to be added to the list of included evaluators and rules inside the \texttt{controller}.
This process is also shown in Appendix \ref{sec:extensions} in more detail.

\subsection{Configuration}
\label{sec:configuration}
\subsection{Operation}
\label{sec:icds_operation}
\begin{figure}
\centering
\includegraphics[width=.9\textwidth]{../Images/ICDS}
\caption{The ICDS main window.}
\label{fig:icds}
\end{figure}