path: root/Tex/Content/Motivation.tex
\chapter{Introduction}

\section{Motivation}
Boundless communication for everyone, everywhere, at any time.
That was the main idea and dream behind the development of the \gls{gsm} technology.
Considering its reception and growth \cite{GSM2009,GSM_history2011,GSM_stats2011}, \gls{gsm} can be called one of the most successful technologies of the last 30 years.
The advent of portable radio equipment and microprocessors in the 1980s made mobile phones technologically possible.

From that point on, commercialisation started and more and more providers emerged.
With more users, security became an ever more important aspect, since confidential telephone calls were now made over the air instead of over fixed landlines.
In 1996 a device was released that exploited a weakness in the \gls{gsm} protocol, enabling it to record phone calls and track users: the network authenticates the subscriber, but the subscriber has no way of authenticating the network.
This device was developed by Rohde\,\&\,Schwarz and was called IMSI catcher.
The name refers to the IMSI, the International Mobile Subscriber Identity, which uniquely identifies a subscriber inside the \gls{gsm} network.
The device obtains it by impersonating a base station, the subscriber's entry point into the network.
By means of a classical man-in-the-middle attack the IMSI catcher lures the subscriber into connecting to it and relays the traffic to a real base station, while invisibly harvesting the information it is after, such as calls or IMSI numbers.
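To make the mechanism described above concrete, the following toy model (an added illustration, not code from this thesis or from the \gls{icds} project) lets a simulated phone camp on the strongest cell of its home network and then answer that cell's request for its identity. The cell names, signal levels, MCC/MNC and IMSI are constructed values, cell selection is reduced to a ranking by signal level, and the message names follow the IDENTITY REQUEST / IDENTITY RESPONSE pair of GSM 04.08. What the model shows is that nothing in this exchange lets the phone distinguish the catcher from a real cell, because the base station is never required to prove who it is.

```python
"""Toy model of why an IMSI catcher works against GSM.

Added illustration, not code from the thesis or the ICDS project. It models
two facts about the protocol: a phone camps on the strongest suitable cell
of its home network, and the network may ask the phone for its IMSI
(IDENTITY REQUEST, GSM 04.08) without ever proving its own identity.
All cells, signal levels and the IMSI below are constructed example values.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Cell:
    """One base station as the phone sees it from its broadcast channel."""
    name: str
    mcc: str            # mobile country code from the system information
    mnc: str            # mobile network code from the system information
    rxlev: int          # received level in dBm (higher means stronger)
    rogue: bool = False  # used only so the simulation can report who won
    seen_imsis: List[str] = field(default_factory=list)

    def identity_request(self, phone: "Phone") -> str:
        """Network side: ask the phone who it is (IDENTITY REQUEST, IMSI).

        GSM gives the phone no message with which it could challenge the
        base station first, so a catcher simply asks and records the answer.
        """
        imsi = phone.identity_response()
        self.seen_imsis.append(imsi)
        return imsi


@dataclass
class Phone:
    imsi: str
    home_mcc: str
    home_mnc: str
    camped_on: Optional[Cell] = None

    def select_cell(self, cells: List[Cell]) -> Cell:
        """Camp on the strongest cell that broadcasts the home PLMN.

        Real cell selection (GSM 05.08 C1/C2 criteria) also considers minimum
        access levels and timers; ranking by rxlev alone is a simplification
        made for this example.
        """
        candidates = [c for c in cells
                      if (c.mcc, c.mnc) == (self.home_mcc, self.home_mnc)]
        self.camped_on = max(candidates, key=lambda c: c.rxlev)
        return self.camped_on

    def identity_response(self) -> str:
        """Phone side: IDENTITY RESPONSE carrying the IMSI.

        The subscriber is authenticated by the network later on; the network
        never authenticates itself, so at this point the phone cannot tell a
        catcher from a legitimate cell and answers either one.
        """
        return self.imsi


def run_scenario(with_catcher: bool) -> Cell:
    """Return the cell the phone ends up talking to.

    Constructed environment: two real cells of the home network (MCC 262,
    MNC 01 are example values) and, optionally, a catcher that copies their
    MCC/MNC and transmits with the strongest level in the area.
    """
    cells = [
        Cell("real-A", "262", "01", rxlev=-80),
        Cell("real-B", "262", "01", rxlev=-75),
    ]
    if with_catcher:
        cells.append(Cell("catcher", "262", "01", rxlev=-60, rogue=True))
    phone = Phone(imsi="262011234567890", home_mcc="262", home_mnc="01")
    chosen = phone.select_cell(cells)
    chosen.identity_request(phone)
    return chosen


if __name__ == "__main__":
    for flag in (False, True):
        cell = run_scenario(flag)
        print(f"catcher present={flag}: phone camped on {cell.name} "
              f"(rogue={cell.rogue}), cell learned IMSIs {cell.seen_imsis}")
```

Without the catcher the phone camps on the stronger real cell and hands its IMSI to the operator as intended; with the catcher present the same code path delivers the IMSI to the rogue cell, which is exactly the detection problem the \gls{icds} is built to address without any change to the phone.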

This risk is intensified by the fact that several other projects, such as the Open Source IMSI catcher \cite{dennis}, have succeeded in building an IMSI catcher at very low cost, using hardware and software that is freely available.
With this hardware it is considerably easier to eavesdrop on a neighbour, and thus breach their privacy, or to record corporate phone calls than it was when only landlines were available.

Up until now, countermeasures against IMSI catchers have not received much attention, since commercial grade devices were only available to authorities and private abuse was thus not a large issue.
This is the gap this project addresses.
In this project, different ways of identifying an IMSI catcher based on its differences to a regular base station are explored.
Additionally, information about the surrounding area and the tracking of different parameters over time are used to isolate suspicious base stations in the perimeter.
We develop a toolbox that makes it possible to gather and analyse information from all available base stations in an easy manner, the \gls{icds}.
It is also designed to operate in an end user mode, in which only a very simplified version of the GUI is presented and a verdict is given on whether it is currently safe to place a phone call.
The tool operates in a completely passive manner, working only on information that is freely broadcast and never connecting to the base stations in question.
This way the system itself stays invisible to the base stations, and thus to potential IMSI catchers, while it evaluates them.

\section{Structure}
The remainder of this thesis is structured as follows: the second chapter gives an overview of how a \gls{gsm} network is built up, to create a general understanding of the infrastructure in which an IMSI catcher and the detection system are situated.
The second part of that chapter discusses the protocol specifics of the interface on which the two systems operate, the air interface between a mobile phone and the base station.
The chapter concludes with a description of how an IMSI catcher works and gives an account of what kinds of attacks are possible.

In the third chapter, the software framework and hardware on which the \gls{icds} is built are introduced.
The different procedures used for information gathering and evaluation are also discussed in this chapter, based on the possible attacks an IMSI catcher can perform as well as on the parameters in which it differs from a valid base station.
Finally, an explanation of how to set up and operate the system is given, together with some use cases.

The fourth chapter contains an evaluation of how the system performs in several categories.
First, some general performance statistics and results for the individual methods used are collected.
Afterwards, a long-term test over the course of a week is conducted to examine the false positive and false negative rates of IMSI catcher detection.
The chapter ends with two simulated attack scenarios.

In the last chapter, a short summary of the results is given, as well as an outlook on how the system can be extended in several ways.

\section{Disclaimer}
While conducting the practical part of this thesis, precautions were taken not to interrupt or influence radio transmissions made by regular subscribers.
The main part of the experiments is passive information gathering, which only harvests information that is freely broadcast and thus does not influence regular communication procedures.

The IMSI catcher was configured not to let subscribers connect, so it did not interfere with regular connection procedures.
Operation of the IMSI catcher was restricted to ARFCN 877, which is officially registered to the university.

\section{On Typesetting}
To make the thesis more readable, a few conventions are kept throughout this document.
Important words or components of the \gls{icds} are printed \emph{emphasised}.
\texttt{Typewriter} is used whenever a program or file name appears in the running text.
Code examples can be distinguished by the code listing box that surrounds them.\\\\
\hspace*{\dimexpr\fboxsep+\fboxrule}% 
\begin{minipage}{\dimexpr\textwidth-4\fboxsep-2\fboxrule} 
\begin{lstlisting} 
if __name__ == '__main__':
    print('Hello ICDS')
\end{lstlisting} 
\end{minipage}\\
If a complete command line is given, it is put on a new line and set in \texttt{typewriter} font.
\[\texttt{sudo do\_it -t now}\]
Generally, a lot of acronyms are used, owing to the nature of \gls{gsm} and telephony jargon, where every possible term has an abbreviation associated with it.
The first appearance of a term is always written out, followed by the acronym in parentheses that is used from that point on.
A complete list of all acronyms can be found at the back of the document for reference.