summaryrefslogtreecommitdiffstats
path: root/Tex/Content/Motivation.tex
blob: 95462f2a5bd222dda2f4dcf4dd5c2447b132cd11 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
\chapter{Introduction}

\section{Motivation}
Boundless communication for everyone, everywhere, any time.
That was the main idea and dream behind the development of the \gls{gsm} technology.
Considering its reception and growth it can be said that \gls{gsm} was one of the most successful technologies of the last 30 years \cite{GSM2009,GSM_history2011,GSM_stats2011}.
The advent of portable radio equipment and microprocessors in the 1980's made mobile phones technologically possible.

From that point on commercialisation started with more and more providers emerging.
With more users, security became an ever more important aspect, since confidential telephone calls were now made over radio instead of fixed landlines.
An inherent problem of the air medium is that anybody with suitable equipment can access radio waves, while with landlines physical access is required.
In 1996 Rhode\,\&\,Schwarz released the IMSI catcher \cite{fox}, a device that takes advantage of security flaws in the \gls{gsm} protocol which enables it to record phone calls and track users.
The name refers to the \gls{imsi} number, a unique identification of the user inside the \gls{gsm} network.
It can be obtained by the device by impersonating a base station which is the entry point of the subscriber into the network.
To the mobile phone used by the subscriber there is no difference between a real base station and an IMSI catcher.
It will always connect to the strongest base station available.
By means of a classical man-in-the-middle attack the IMSI catcher operator lures the subscriber to connect to the device and relays the information to a legitimate base station while harvesting the desired information, like calls or \gls{imsi} numbers.
This process is completely invisible to the user.


Up until now countermeasures to IMSI catchers have not been given much attention to, since the commercial grade devices were only available to authorities and private abuse was thus not a important issue.
This risk is intensified by the fact that several other projects like the Open Source IMSI-Catcher \cite{dennis} demonstrated that such an IMSI catcher can be built at very low cost, using hardware and software that is freely available.
It is now possible for anyone to self-construct these devices in an cost-effective manner.
With these systems it is considerably easier to eavesdrop on and thus breach the privacy of a neighbour, wife or husband.
In the context of industrial espionage, corporate phone calls done over a mobile phone are also easier to target this way.

The detection of illegal private use of IMSI catchers is where this project is aimed at.
Different ways will be explored on how to identify an IMSI catcher based on its differences to a regular base station.
In particular, information about the surrounding area and tracking of different parameters over time is used to isolate suspicious base stations in the perimeter.
We present a tool that makes it possible to gather and analyse information from all available base stations in an easy manner, using a sophisticated graphical interface: the \gls{icds}.
It also allows switch to an end user mode, where only a very simplified version of the graphical interface is presented and the program evaluates whether it is safe to place a phone call or not.
The tool operates in a passive manner, \ie it only uses information that is freely broadcasted, never connecting to base stations in question.
This way the system itself stays invisible to base stations and thus potential IMSI catchers while evaluating them.

\section{Structure}
The remainder of this thesis is structured as follows: the second chapter will give an overview of how a \gls{gsm} network is built up to create a general understanding of the infrastructure in which an IMSI catcher and the detection system are situated.
Protocol specifics of the interface on which the two systems operate, the $U_m$ or air interface will be discussed in the second part.
The chapter concludes with a description of how an IMSI catcher works and gives an account of what kinds of attacks are possible.

In the third chapter, the software framework and hardware is introduced on which the \gls{icds} is built upon.
The different procedures used for information gathering and evaluation are also discussed in this chapter based on possible attacks an IMSI catcher can perform as well as the differences in parameters to a valid base station.
Finally a explanation of how to set up and operate the system together with some use cases is outlined.

The fourth chapter contains an evaluation of how the system performs in several categories.
First, some general performance statistics and results on the individual methods used are collected.
Afterwards, a longer test is conducted over the course of one week to see how well the databases the system uses work in a potentially changing environment.
The chapter ends with two simulated attack scenarios.

In the last chapter, a short summary of the results will be given as well as an outlook of how the system can be extended in several ways.

\section{Disclaimer}
While conducting the practical part of this thesis precautions have been taken not to interrupt or influence radio transmissions made by regular subscribers.
The main part of the experiments is passive information gathering which only harvests information that is freely available and thus does not influence regular communication procedures.

Whenever the IMSI catcher was used, it was configured in a way to not let subscribers connect.
Therefore, it is not interfering with regular connection procedures.
Operation of the IMSI catcher and the OpenBTS base station were restricted to ARFCN 877 which is officially registered to the university.

\section{On Typesetting}
To make the thesis more readable, a few conventions will be kept throughout this document.
Important words or components of the \gls{icds} are printed \emph{emphasised} when they first appear.
\texttt{Type\-writer} is used whenever a program or a file name are used in the running text.
Code examples can be distinguished by a code listing box that surrounds them.\\\\
\hspace*{\dimexpr\fboxsep+\fboxrule}% 
\begin{minipage}{\dimexpr\textwidth-4\fboxsep-2\fboxrule} 
\begin{lstlisting} 
if __name___ == '__main__':
    print 'Hello ICDS'
\end{lstlisting} 
\end{minipage}\\
If a complete command line is given it will be put into a new line and the \texttt{typewriter} font will be used.
\[\texttt{sudo do\_it -t now}\]
Generally a lot of acronyms will be used due to the nature of \gls{gsm} and telephony dialects, where every possible word has an abbreviation associated with it.
The first appearance will always be written out followed by the acronym in parenthesis that will be used from that point henceforth.
A complete list of all acronyms for reference can be found in the back of the document.