Phone Tapping and IMSI-Catchers


Following a Parliamentary Question [1] to the Prime Minister of Mauritius on Tuesday 19 April 2016 by an Opposition member, widespread interest arose about telephone tapping in the country, especially after the Opposition member described a van lurking around the houses of opposition members in order to listen to their conversations. Days later, a weekly newspaper published a 3-page article [2] on phone tapping in Mauritius and mentioned an IMSI-Catcher, which is basically a device that spoofs your mobile telephony provider's Base Transceiver Station (in a nutshell, the base station that connects your mobile phone to the telephony network) and acts as a man-in-the-middle between your device and the provider's network, thus capturing your communications. Out of my usual curiosity, I wanted to know more about it and clarify some doubts I had. I knew about the IMSI-Catcher technique and remembered an article by a hacker by the name of Simone Margaritelli, who once assembled a relatively cheap bench rogue BTS using a Raspberry Pi [3] that, if tweaked, could be used for that same purpose: intercepting communications. I contacted him and he very kindly agreed to answer my questions.

What is an IMSI-Catcher and how does it work?

An IMSI catcher is a device used to intercept the voice and data traffic of nearby mobile stations.
It works by mimicking a legit BTS and offering the same services to the phone, which will automatically connect to it due to its stronger signal compared to the legit BTS.

Is the GSM protocol that vulnerable? Does moving to newer generations (3G, 4G) change anything in the interception capabilities of the catchers?

GSM itself has been proven multiple times to be really broken; it was developed when there was almost no security culture at all, moreover all the related specifications were considered inaccessible to normal people, and at that time security researchers didn't even exist.
3G and 4G are slightly better but, as the recent news about the SS7 network hijacking mentions, they also are being exploited by governments and various state agencies for interception.

Is there any countermeasure at provider level that can protect from such interceptions?

State agencies and providers usually have agreements about interception; this means that intercepting someone does not necessarily imply exploiting some vulnerability, they simply give the "keys to the kingdom" to those agencies.
The only effective type of protection should be implemented on the mobile phone itself.

In your Rogue BTS article, you mentioned that a similar setup can be used for listening purposes. How easy is it, from that point on, to listen to phone calls and read sent/received SMS?

It's just a matter of setting two or three configuration parameters properly in the rogue BTS web administration panel.

We often talk about those silent SMS. What are they and how do they work?

A silent SMS is a specially crafted/encoded message which, once received by the target phone, does not show any kind of notification at all; it's completely invisible to the user (and that's where the "silent SMS" name comes from).
It's used by IMSI-catcher operators in order to "spot" the target phone in a crowded area.
Since at the very beginning of the attack the only radio-visible value is the TMSI (a temporary value assigned by the BTS to each mobile station), a very high number of silent SMS are sent to the target mobile number; the operator
will then identify its associated TMSI by inspecting the paging requests sent by the BTS, for instance:
1. The operator will send 200 silent SMS to number X in a very small time frame.
2. Suddenly, he will notice a spike in paging requests targeting the TMSI associated with X.
3. From that point on, the operator will know what TMSI the target number has on that network and he will be able to eavesdrop on its connection.
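The three steps above, and the detector side discussed in the next two answers, as an added worked example (my own illustration, not code from the interview, from Simone, or from the Android-IMSI-Catcher-Detector project). The first half plays the operator: it parses a passive-capture paging log and picks out the TMSI whose paging rate jumps during the silent-SMS burst compared with the window just before it. The second half plays the handset: 3GPP TS 23.040 defines "Short Message Type 0" (TP-Protocol-Identifier 0x40), which the phone must acknowledge and discard without storing or displaying it, and that is the message class usually meant by "silent SMS"; a detector app flags incoming SMS-DELIVER PDUs carrying that PID. The log line format, the burst window, the TMSI values and both PDUs are constructed for this example; nothing here is real capture data.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed passive-capture log (NOT real data): one BTS paging request per
# line, keyed by the TMSI being paged. The line format is an assumption made
# for this example. 0x0BADF00D plays the target's TMSI.
PAGING_LOG = """\
2016-04-19T10:00:02 PAGING TMSI=0x1A2B3C4D
2016-04-19T10:00:05 PAGING TMSI=0x55667788
2016-04-19T10:00:09 PAGING TMSI=0x1A2B3C4D
2016-04-19T10:00:14 PAGING TMSI=0x0BADF00D
2016-04-19T10:00:20 PAGING TMSI=0x55667788
2016-04-19T10:00:27 PAGING TMSI=0x99887766
2016-04-19T10:00:31 PAGING TMSI=0x0BADF00D
2016-04-19T10:00:33 PAGING TMSI=0x1A2B3C4D
2016-04-19T10:00:34 PAGING TMSI=0x0BADF00D
2016-04-19T10:00:37 PAGING TMSI=0x0BADF00D
2016-04-19T10:00:40 PAGING TMSI=0x55667788
2016-04-19T10:00:41 PAGING TMSI=0x0BADF00D
2016-04-19T10:00:45 PAGING TMSI=0x0BADF00D
2016-04-19T10:00:50 PAGING TMSI=0x0BADF00D
2016-04-19T10:00:52 PAGING TMSI=0x0BADF00D
2016-04-19T10:00:58 PAGING TMSI=0x99887766
"""

# Window in which the operator fired the burst of silent SMS at the target
# number (assumed to match the constructed log above).
BURST_START = datetime.fromisoformat("2016-04-19T10:00:30")
BURST_END = datetime.fromisoformat("2016-04-19T10:01:00")

LINE_RE = re.compile(r"^(\S+) PAGING TMSI=0x([0-9A-Fa-f]{8})$")


def parse_paging_log(text):
    """Yield (timestamp, tmsi) for every well-formed paging line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), int(m.group(2), 16)


def correlate_burst(events, burst_start, burst_end, min_pages=5, min_ratio=3.0):
    """Step 2 of the attack: find the TMSI whose paging count jumps during the
    silent-SMS burst compared with an equally long window just before it.
    Returns (tmsi, pages_during, pages_before), or None if nothing stands out."""
    before_start = burst_start - (burst_end - burst_start)
    during, before = Counter(), Counter()
    for ts, tmsi in events:
        if burst_start <= ts < burst_end:
            during[tmsi] += 1
        elif before_start <= ts < burst_start:
            before[tmsi] += 1
    best = None
    for tmsi, n in during.items():
        # +1 keeps the ratio finite for a TMSI never paged in the baseline window
        ratio = n / (before[tmsi] + 1)
        if n >= min_pages and ratio >= min_ratio and (best is None or ratio > best[3]):
            best = (tmsi, n, before[tmsi], ratio)
    return None if best is None else best[:3]


def find_target_tmsi():
    """Run the correlation over the constructed log."""
    return correlate_burst(parse_paging_log(PAGING_LOG), BURST_START, BURST_END)


# Handset side. Two constructed SMS-DELIVER PDUs in the hex form a modem hands
# to the application processor (AT+CMT style): SMSC prefix, first octet,
# originating address, TP-PID, TP-DCS, 7-octet timestamp, TP-UDL, user data.
# They differ only in TP-PID (0x40 = Type 0) and in carrying a body or not.
SILENT_PDU = "0791214365870921" "04" "0B91" "2143658709F1" "40" "00" "61409121010080" "00"
NORMAL_PDU = "0791214365870921" "04" "0B91" "2143658709F1" "00" "00" "61409121010080" "05E8329BFD06"


def parse_sms_deliver(pdu_hex):
    """Minimal SMS-DELIVER parser (3GPP TS 23.040): skip the SMSC prefix and the
    originating address, return TP-PID and TP-DCS. User data is not decoded."""
    b = bytes.fromhex(pdu_hex)
    i = 1 + b[0]                      # SMSC info: a length octet plus that many octets
    first = b[i]
    i += 1
    if first & 0x03 != 0x00:          # TP-MTI 00 = SMS-DELIVER (network to phone)
        raise ValueError("not an SMS-DELIVER PDU")
    oa_digits = b[i]                  # TP-OA length is counted in digits, not octets
    i += 2                            # digit count octet + type-of-address octet
    i += (oa_digits + 1) // 2         # BCD digits, two per octet, F-padded if odd
    return {"pid": b[i], "dcs": b[i + 1]}


def is_silent_sms(pdu_hex):
    """Flag a Type 0 message: TP-PID 0x40 means the phone must ack it and drop
    it silently, which is exactly what a detector app should count and report."""
    return parse_sms_deliver(pdu_hex)["pid"] == 0x40
```

On the constructed log, `find_target_tmsi()` returns `(0x0BADF00D, 7, 1)`: the target was paged once in the 30 seconds before the burst and seven times during it, while the background TMSIs stay flat. The `+1` in the ratio matters in practice, because a victim who received no calls or texts in the baseline window has zero prior pages and would otherwise divide by zero. On the handset, the PID check is the whole trick: an ordinary message looks identical on the air, so a detector that only watches notifications will never see the burst.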

In your experience, how can we counter both those silent SMS and the IMSI spoofing? Any tested-and-working countermeasure?

The only application I'm aware of capable of protecting people from such threats is Android-IMSI-Catcher-Detector, an open source app developed mostly by German hackers.

There's an app for Android devices known as Android-IMSI-Catcher-Detector [4]. Did you have any chance to work with it and review it?

I've used it quite a few times and I also contributed to the project; I know for sure the people behind it are very skilled and respected in the community.

The article mentions that once the device's traffic is being intercepted and routed through the catcher, Internet traffic, Facebook and WhatsApp conversations can be monitored too. Considering SSL implementations and WhatsApp's recently implemented end-to-end encryption, is this a myth or a reality?

That's total nonsense: GSM/3G/4G interception has nothing to do with the encryption mechanisms of higher-level layers such as HTTPS and, generally speaking, SSL.
It's pretty much like performing a man-in-the-middle attack on a TCP/IP network... there's nothing you can do against encrypted connections even if you are in control of the traffic.

Apart from the fact that the IMSI-Catcher intercepts communications from devices in its radio range, is it possible to connect it to an existing cellular provider's network and extend its reach (without major modifications to the provider's infrastructure)?

No, in order to do that you’d need to interact with the provider infrastructure.

A final word?

All of the GSM/3G/4G vulnerabilities are very well known by both providers and state agencies, and they intentionally keep the system as it is because a safer system would be harder to eavesdrop on.
For instance, Qualcomm (which is one of the major GSM baseband producers) GSM baseband chips are known to be vulnerable to a wide range of attacks; Qualcomm knows that and they never actually fixed it... guess why? 🙂


For my readers: who is Simone?
I'm a developer and security researcher from Italy; I've been involved in security since I was very young and have contributed to the open source community with quite a decent number of projects.

I currently work for Zimperium, a mobile security company.

My Twitter: https://twitter.com/evilsocket
Github: https://github.com/evilsocket
Website: http://www.evilsocket.net/

Thanks Simone for your contribution to this article 🙂
Irshaad

[1] – http://mauritiusassembly.govmu.org/English/hansard/Documents/2016/hansard0416.pdf

[2] – http://defimedia.info/ecoutes-telephoniques-au-coeur-dune-cellule-ultra-secrete-27009/

[3] – https://www.evilsocket.net/2016/03/31/how-to-build-your-own-rogue-gsm-bts-for-fun-and-profit/

[4] – https://github.com/CellularPrivacy/Android-IMSI-Catcher-Detector

DISCLAIMER
This article does not have in any way any political intent nor anything against the Intelligence Services and Disciplined Forces of Mauritius.