[HN Gopher] SeaGlass: City-Wide IMSI-Catcher Detection (2017)
___________________________________________________________________
SeaGlass: City-Wide IMSI-Catcher Detection (2017)
Author : kogir
Score : 281 points
Date : 2021-05-16 13:53 UTC (9 hours ago)
(HTM) web link (seaglass.cs.washington.edu)
(TXT) w3m dump (seaglass.cs.washington.edu)
| nceqs3 wrote:
| https://news.ycombinator.com/item?id=14474956
| DyslexicAtheist wrote:
| The German government has just published a paper on the
| requirement for telecom operators to ensure LEA continue to be
| able to _covertly_ intercept traffic in 5G: "Ensuring Undetected
| use of the IMSI Catcher", the paper which is in German
| (https://posteo.de/FormulierungshilfeBMI.pdf) reads:
|
| _" > Mobile network operators must ensure security authorities
| can use IMSI Catchers without the end user becoming aware of
| this. According to the TKG-E, mobile operators must continue to
| allow IMSI catchers in accordance with statutory investigative
| measures. Until now, it's unnecessary for operators to act so
| that members of the Security authorities can use IMSI-Catchers,
| as they "simply" pretend to be a base station. In new mobile
| networks, devices brought into the network must be actively
| "accepted" by the network and otherwise cannot be used. As a
| result, it will no longer be possible to insert IMSI catchers of
| "previous design" into the new networks. We acknowledge that in
| the future unauthorised persons, such as foreign intelligence
| services can no longer use them. At the same time, it will no
| longer be possible for German security authorities to use an IMSI
| catcher without the cooperation of the mobile operator. The
| necessary regulations for the participation of the mobile
| operator are already included in the draft TKG, but the necessary
| addition is missing that the introduction of an IMSI catcher by
| security authorities may not be known to the end user."_
|
| Most people will think this is a fringe scenario which will never
| affect them. But they are very common in international airports:
|
| _> At Trudeau airport, Radio-Canada detected the catcher's
| presence through the use of a CryptoPhone -- a cellphone look-
| alike that emits red alerts when a fake antenna tries to catch
| its signal. Several red alerts were received, throughout the
| afternoon and early evening, in the section of the airport for
| U.S. departures._
|
| https://www.cbc.ca/news/canada/montreal/trudeau-airport-spyi...
|
| _> For two months last year, researchers at the University of
| Washington paid drivers of an unidentified ridesharing service to
| keep custom-made sensors in the trunks of their cars, converting
| those vehicles into mobile cellular data collectors. They used
| the results to map out practically every cell tower in the cities
| of Seattle and Milwaukee--along with at least two anomalous
| transmitters they believe were likely stingrays, located at the
| Seattle office of the US Customs and Immigration Service, and the
| Seattle-Tacoma Airport._
|
| https://www.wired.com/2017/06/researchers-use-rideshares-sni...
|
| _> The devices are operated out of at least five U.S. airports,
| "covering most of the U.S. population". It is unclear whether the
| U.S. Marshals Service requests court orders to use the devices._
|
| source: https://en.wikipedia.org/wiki/Dirtbox_(cell_phone)
|
| For a "modern" take on this subject (info relevant to 3G is
| outdated unless they do a downgrade attack on you first), see
| this article and the linked videos that go into the issues LEO
| face with 4G/5G and the "crocodile hunter" software that is an
| EFF project to identify them:
| https://www.pcmag.com/news/police-spying-on-your-phone-ask-c...
| [deleted]
| baybal2 wrote:
| There used to be a very handy Android app, now booted off the
| Google Market, called "GSM Spy Finder" which worked on MediaTek
| SoCs.
|
| https://apkplz.net/app/kz.galan.antispy
| joering2 wrote:
| I cannot find anything on it - does anyone know the reason it
| was booted out by Google?
| heavyset_go wrote:
| Google will boot things that use APIs that they don't want
| app developers using, or apps that "abuse" the APIs they are
| allowed to use.
| anonymousiam wrote:
| There is still this one:
| https://play.google.com/store/apps/details?id=com.wilysis.ce...
| (Network Cell Info).
|
| It will reveal a catcher nearby if you are already familiar
| with the local area.
| sigg3 wrote:
| You can also use SnoopSnitch from F-droid for this.
|
| https://f-droid.org/packages/de.srlabs.snoopsnitch
| hnjst wrote:
| There was another one in f-droid (or at least it was named
| differently at the time) that I had installed and running by
| curiosity a few years ago. I more or less forgot it until one
| day while I was driving on the highway and got forcibly
| directed out because of a blockade set by protesters (nation-
| wide protests by farmers occurring at that time). Once in the
| vicinity of said blockade I got notified unequivocally that
| something weird was happening to the cellular network. I
| guess law enforcement people were using IMSI catchers to
| monitor protesters.
|
| Just anecdotal evidence, however, while I almost never got
| false positive alerts from this app (once at the arrival of
| an international flight), the one time it triggered a
| notification, it was in a highly probable situation.
|
| Communication between our devices and these base stations
| being so opaque (closed-source baseband processors/OS not
| helping there) and sensible, I'm glad these projects exist
| and I just installed this one, blaming myself for not doing
| so earlier.
| DyslexicAtheist wrote:
| since some years already any app based solutions are useless
| in practice since they yield a huge amount of false positives
| or no results at all. The talk on crocodile hunter (an EFF
| software) goes into why that is so:
| https://www.pcmag.com/news/police-spying-on-your-phone-ask-c...
|
| edit: if you've ever spent some time sitting on a plane (non
| domestic) and your phone was on during the time-window when
| boarding is ongoing and just before the aircraft taxis to the
| runway, then there is a very good chance that you've
| connected to one of these before. It's a way to match known
| cell numbers of individuals where an arrest warrant has been
| issued (or otherwise individuals that are monitored) against
| actual passengers phones (who might be traveling with a fake
| ID). If somebody on your flight was ever lifted off the plane
| by LEA (but obviously has made it through security into the
| plane) they are very likely the target of such a dirtbox
| intercept.
| gruez wrote:
| >If somebody on your flight was ever lifted off the plane
| by LEA (but obviously has made it through security into the
| plane) they are very likely the target of such a dirtbox
| intercept.
|
| You'd think fugitives won't bring their phones with them,
| turn them off unless absolutely necessary, or use burners.
| DyslexicAtheist wrote:
| yeah one would think so!
|
| in reality a huge number of arrests are made due to
| incredibly dumb mistakes (and not because LEO's used some
| super newsworthy hack).
| [deleted]
| lykr0n wrote:
| Ooh. New project for today. Deploy this locally and figure out
| how to make this a public service where people can run their
| devices and the data is uploaded to a central database in real-
| ish time so people can see suspect changes.
|
| EDIT: This should have a 2017 tag, as the code is 4 years old and
| I assume the same is true for the website.
| dweekly wrote:
| Now we just need a few of these on coordinating drones to
| triangulate in real-time and snap some pictures of the
| transmission source.
| jhart99 wrote:
| You could do it with a couple of KerberosSDR units.
| ChrisMarshallNY wrote:
| This is cool!
|
| Of course, it will only be a matter of time before the stingray-
| users figure out how to fool them...
| sschueller wrote:
| Maybe we get enough time to finally make it illegal to use one.
| If this isn't mass surveillance then what is?
| ng55QPSK wrote:
| "a matter of national security" - there are endless
| interfaces into the network (by law) for lawful interception
| and some of them are designed in such a way that Interceptor
| E1 cannot see what Interceptor E2 is trying to read.
|
| Still, some 'other' interested parties that have reasons not
| to use the standardised interfaces.
|
| For 5G a lot of additional security measures CAN be enabled,
| but you can guess who started to complain about that.
| xfitm3 wrote:
| I fear the same. This research will drive stingray to be more
| stealthy.
| hilbert42 wrote:
| Right, that is highly probable and the fact that it's likely
| to happen will drive nefarious operators to illegally change
| IMSI numbers, etc., that is, if it's not already happening on
| a grand scale. This could lead to a technology war between
| law enforcement and crooks where the main victims will be
| innocent people.
|
| The bigger and more important issues are that (a) our police
| forces are becoming more militaristic and are acting more
| like invading armies without themselves conforming to the law
| not to mention the fact that they are also acting
| underhandedly and by stealth (which leads the citizenry to
| distrust them), and (b) the issue of citizens' right to
| privacy has not been properly or adequately addressed by
| legislators.
|
| The fact that our governments have precious little control
| over their various agencies is also of great concern.
| hn_throwaway_99 wrote:
| Seems like that would maybe be a game of cat-and-mouse, but
| fundamentally these IMSI catchers _have_ to have an
| identifiable signature. That is, in order to work they need to
| mimic an existing cell tower as much as possible, but it is
| exactly because of that mimicry that they can be detected over
| time (e.g. because the signal is coming from a different
| location).
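
The location-based detection idea in the comment above, as an added example that is not part of the thread and is not SeaGlass's own code: a transmitter reusing a real cell's identity shows up as strong readings of one cell ID at places too far apart for a single tower. The observations, the cell ID format and both thresholds are constructed assumptions.

```python
import math
from collections import defaultdict
from itertools import combinations

# Constructed sample data, not real measurements:
# (cell_id, latitude, longitude, rssi_dbm) as a drive-by sensor might log them.
OBSERVATIONS = [
    ("001-01-1001-17", 47.6062, -122.3321, -58),
    ("001-01-1001-17", 47.6068, -122.3330, -63),
    ("001-01-1001-17", 47.6150, -122.3400, -95),  # weak reading, ignored below
    ("001-01-2002-04", 47.6205, -122.3493, -60),
    ("001-01-2002-04", 47.6210, -122.3480, -66),
    ("001-01-2002-04", 47.4502, -122.3088, -55),  # same ID, strong, ~19 km away
    ("001-01-2002-04", 47.4498, -122.3095, -61),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def flag_relocated_cells(observations, strong_dbm=-70, max_km=2.0):
    """Return {cell_id: spread_km} for cell IDs heard strongly at distant places.

    A strong reading implies the sensor was close to the transmitter, so
    strong readings of one ID more than max_km apart suggest two transmitters.
    Both thresholds are assumed values to be tuned against local survey data.
    """
    strong = defaultdict(list)
    for cell_id, lat, lon, rssi in observations:
        if rssi >= strong_dbm:
            strong[cell_id].append((lat, lon))
    flagged = {}
    for cell_id, points in strong.items():
        spread = max((haversine_km(*a, *b) for a, b in combinations(points, 2)),
                     default=0.0)
        if spread > max_km:
            flagged[cell_id] = round(spread, 1)
    return flagged

if __name__ == "__main__":
    print(flag_relocated_cells(OBSERVATIONS))
```

A flagged ID is a lead to investigate rather than proof, since a misconfigured network or a bad GPS fix produces the same pattern.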
| coretx wrote:
| Using more than one antenna will expose a phase difference
| and drifting in time can't be avoided either unless they
| waste millions of tax money on ultra expensive TCXO's.
| Therefore I suspect that they'll passively identify a signal
| and order the service provider to decrypt it at their
| backbone. If France/the GSM foundation could pull off that
| encryption is to be downgraded in strategic countries; surely
| some other power-hungry nation-state will beat that record.
| wcarss wrote:
| In case anyone else is wondering what an IMSI-Catcher is, let me
| save you a google:
|
| "An international mobile subscriber identity-catcher, or IMSI-
| catcher, is a telephone eavesdropping device used for
| intercepting mobile phone traffic and tracking location data of
| mobile phone users."
|
| 1 - https://en.wikipedia.org/wiki/IMSI-catcher
| Imagenuity wrote:
| The Stingray is a commercially available model that you may
| have heard of.
| heavyset_go wrote:
| They're also cheap, easy to use and deployed all over the
| country by local law enforcement. It isn't just three letter
| agencies using them, it's your local police department, too. No
| warrants needed, either.
| mnw21cam wrote:
| Is it just me that looks at the equipment photo, and thinks -
| you're using an inverter to convert 12VDC to 120VAC, then a
| couple of wall plug transformers to convert that back down to
| low-voltage DC - why don't you just use a DC regulator?
| bombcar wrote:
| Everything is off-the-shelf: you can find 12DC to 120AC at
| Walmart, but a DC/DC regulator is harder to find and more
| difficult to configure and set up correctly.
| sjruckle wrote:
| Car 12v systems can be really noisy. The inverter and power
| bricks are pretty much guaranteed to filter all that out.
|
| Besides that, this way doesn't need any soldering, which is
| nice.
| op00to wrote:
| Inverters and power bricks are noisy too.
| tzs wrote:
| > Car 12v systems can be really noisy.
|
| A 12 V lead acid battery ranges from around 12.7 volts when
| fully charged down to around 12.2 at 50% (the minimum
| recommended charge level for typical car batteries). When
| starting the car, the voltage will drop below that. When the
| alternator is running to charge the battery it is around 14
| V.
|
| Is there any regulation or filtering on the 12 V ports on
| cars, or do devices plugged into them see it all--the
| alternator voltage when it is running, a big drop when
| starting, and 12.7-12.7 at other times?
| anyfoo wrote:
| Not necessarily, and there is way worse stuff on that power
| source than that. For example, you have to guard against
| things like "load dump" where voltage can spike up to
| rather high voltages momentarily (80V or so, don't know the
| actual spec right now).
|
| Chances are that a modern car has more regulation and
| protection between battery/alternator and the 12V plug, but
| you don't usually know what, and the spec doesn't (or at
| least didn't when I looked into it) require it.
| JoshTriplett wrote:
| There's no standardized regulation or filtering; devices
| typically see it all. And it's much more than the
| alternator voltage; a device might see transient 24V or
| more, and as little as 9V.
|
| See https://en.wikipedia.org/wiki/Automobile_auxiliary_power_out...
| for more.
|
| Modern chargers tend to be really forgiving, and they're
| often powering a device that has its own battery, so there
| are multiple levels of regulation between the car and the
| device.
|
| On the other hand, I've used automotive adapters that do a
| simple DC-DC conversion with no regulation, and pass
| through to a barrel connector to a device that would
| otherwise be powered by standard alkaline disposable
| batteries. Those aren't nearly as robust, and I've seen
| devices fail or power-cycle due to undervolting.
| detaro wrote:
| No filtering, it goes directly to the general power rails
| in the car, with all the noise included. Devices are
| responsible for filtering/protection as needed.
| jdc wrote:
| BOM from the paper:
|
| Telit GT-864 QUAD/PY GSM modem $65
| External antenna $25
| Raspberry Pi 2B+2 $35
| GPS (GlobalSat BU-353) $30
| Bait Phone (Motorola Moto-G 4G LTE) $95
| 4G Hotspot (ZTE Z917) + 3 month plan $100
| DC/AC inverter $26
| Powered USB Hub $17
| Pi accessories $15
| SD Card (32 GB) $17
| Modem accessories $30
| Cables $35
| Box $12
|
| Total $502
|
| https://seaglass-web.s3.amazonaws.com/SeaGlass___PETS_2017.p...
| jcrawfordor wrote:
| While the project has largely languished lately, I
| reimplemented a sensor with similar capabilities to Project
| Seaglass with the goal of a lower BOM cost and easier purchase
| - the particular Telit module they used is discontinued and
| hard to obtain. My BOM is around $160 and could be lowered. See
| here: https://github.com/jcrawfordor/cellscan
| 4gotunameagain wrote:
| Partnering with rideshare drivers to maximize coverage of the
| mobile units is quite clever.
|
| Glad things like these are being done
| nceqs3 wrote:
| Is this open source? Would love to run it in DC. Would imagine
| quite a few hits.
| LargoLasskhyfv wrote:
| https://github.com/seaglass-project/seaglass
| baybal2 wrote:
| > Would love to run it in DC.
|
| You will probably find a lot, but mostly from SMS spammers
|
| https://m.alibaba.com/product/1600220614935/detail.html
|
| IMSI catchers are pretty much freely available for everybody to
| use, and now closing on becoming tiny, and portable:
| https://m.alibaba.com/product/1600226966011/detail.html
|
| P.S. The company has quite an interesting list of buyers:
| https://www.exporthub.com/shenzhen-thinkwell-digital-co-ltd-...
| . Including one "eternal friend" of US who has recently been
| caught red handed stingraying the state department, and the
| whitehouse.
| nanna wrote:
| > P.S. The company has quite an interesting list of buyers:
| https://www.exporthub.com/shenzhen-thinkwell-digital-co-ltd-... .
| Including one "eternal friend" of US who has recently been
| caught red handed stingraying the state department, and the
| whitehouse.
|
| Link is to a motorcycle mp3 player. What am I missing?
| baybal2 wrote:
| Looks like an SEO spam then
| 2Gkashmiri wrote:
| What... is the price of these again? I'm on mobile and the
| price in my currency shows this specific one in upwards of US
| $18k+? Is it that expensive or is Alibaba somehow showing me
| the wrong price?
| InvaderFizz wrote:
| Not a wrong price, $18k USD is downright cheap for what it
| does for the intended customer base.
___________________________________________________________________
(page generated 2021-05-16 23:00 UTC)