[HN Gopher] SeaGlass: City-Wide IMSI-Catcher Detection (2017)
___________________________________________________________________
SeaGlass: City-Wide IMSI-Catcher Detection (2017)

Author : kogir
Score  : 281 points
Date   : 2021-05-16 13:53 UTC (9 hours ago)

(HTM) web link (seaglass.cs.washington.edu)
(TXT) w3m dump (seaglass.cs.washington.edu)

| nceqs3 wrote:
| https://news.ycombinator.com/item?id=14474956

| DyslexicAtheist wrote:
| The German government has just published a paper on the
| requirement for telecom operators to ensure LEA continue to be
| able to _covertly_ intercept traffic in 5G: "Ensuring Undetected
| use of the IMSI Catcher", the paper which is in German
| (https://posteo.de/FormulierungshilfeBMI.pdf) reads:
|
| _" > Mobile network operators must ensure security authorities
| can use IMSI Catchers without the end user becoming aware of
| this. According to the TKG-E, mobile operators must continue to
| allow IMSI catchers in accordance with statutory investigative
| measures. Until now, it's unnecessary for operators to act so
| that members of the Security authorities can use IMSI-Catchers,
| as they "simply" pretend to be a base station. In new mobile
| networks, devices brought into the network must be actively
| "accepted" by the network and otherwise cannot be used. As a
| result, it will no longer be possible to insert IMSI catchers of
| "previous design" into the new networks. We acknowledge that in
| the future unauthorised persons, such as foreign intelligence
| services can no longer use them. At the same time, it will no
| longer be possible for German security authorities to use an IMSI
| catcher without the cooperation of the mobile operator.
| The necessary regulations for the participation of the mobile
| operator are already included in the draft TKG, but the necessary
| addition is missing that the introduction of an IMSI catcher by
| security authorities may not be known to the end user."_
|
| Most people will think this is a fringe scenario which will never
| affect them. But they are very common in international airports:
|
| _> At Trudeau airport, Radio-Canada detected the catcher's
| presence through the use of a CryptoPhone -- a cellphone
| look-alike that emits red alerts when a fake antenna tries to catch
| its signal. Several red alerts were received, throughout the
| afternoon and early evening, in the section of the airport for
| U.S. departures._
|
| https://www.cbc.ca/news/canada/montreal/trudeau-airport-spyi...
|
| _> For two months last year, researchers at the University of
| Washington paid drivers of an unidentified ridesharing service to
| keep custom-made sensors in the trunks of their cars, converting
| those vehicles into mobile cellular data collectors. They used
| the results to map out practically every cell tower in the cities
| of Seattle and Milwaukee--along with at least two anomalous
| transmitters they believe were likely stingrays, located at the
| Seattle office of the US Customs and Immigration Service, and the
| Seattle-Tacoma Airport._
|
| https://www.wired.com/2017/06/researchers-use-rideshares-sni...
|
| _> The devices are operated out of at least five U.S. airports,
| "covering most of the U.S. population". It is unclear whether the U.S.
| Marshals Service requests court orders to use the devices._
|
| source: https://en.wikipedia.org/wiki/Dirtbox_(cell_phone)
|
| For a "modern" take on this subject (info relevant to 3G is
| outdated unless they do a downgrade attack on you first), see
| this article and the linked videos that go into the issues LEO
| face with 4G/5G and the "crocodile hunter" software that is an
| EFF project to identify them:
| https://www.pcmag.com/news/police-spying-on-your-phone-ask-c...

| [deleted]

| baybal2 wrote:
| There used to be a very handy Android app, now booted off the
| Google Market, called "GSM Spy Finder" which worked on MediaTek
| SoCs.
|
| https://apkplz.net/app/kz.galan.antispy

| joering2 wrote:
| I cannot find anything on it - does anyone know the reason it
| was booted out by Google?

| heavyset_go wrote:
| Google will boot things that use APIs that they don't want
| app developers using, or apps that "abuse" the APIs they are
| allowed to use.

| anonymousiam wrote:
| There is still this one:
| https://play.google.com/store/apps/details?id=com.wilysis.ce...
| (Network Cell Info).
|
| It will reveal a catcher nearby if you are already familiar
| with the local area.

| sigg3 wrote:
| You can also use SnoopSnitch from F-droid for this.
|
| https://f-droid.org/packages/de.srlabs.snoopsnitch

| hnjst wrote:
| There was another one in f-droid (or at least it was named
| differently at the time) that I had installed and running by
| curiosity a few years ago. I more or less forgot it until one
| day while I was driving on the highway and got forcibly
| directed out because of a blockade set by protesters
| (nation-wide protests by farmers occurring at that time). Once in the
| vicinity of said blockade I got notified unequivocally that
| something weird was happening to the cellular network. I
| guess law enforcement people were using IMSI catchers to
| monitor protesters.
|
| Just anecdotal evidence, however, while I almost never got
| false positive alerts from this app (once at the arrival of
| an international flight), the one time it triggered a
| notification, it was in a highly probable situation.
|
| Communication between our devices and these base stations
| being so opaque (closed-source baseband processors/OS not
| helping there) and sensible, I'm glad these projects exist
| and I just installed this one, blaming myself for not doing
| so earlier.

| DyslexicAtheist wrote:
| since some years already any app based solutions are useless
| in practice since they yield a huge amount of false positives
| or no results at all. The talk on crocodile hunter (an EFF
| software) goes into why that is so:
| https://www.pcmag.com/news/police-spying-on-your-phone-ask-c...
|
| edit: if you've ever spent some time sitting on a plane (non
| domestic) and your phone was on during the time-window when
| boarding is ongoing and just before the aircraft taxis to the
| runway, then there is a very good chance that you've
| connected to one of these before. It's a way to match known
| cell numbers of individuals where an arrest warrant has been
| issued (or otherwise individuals that are monitored) against
| actual passengers' phones (who might be traveling with a fake
| ID). If somebody on your flight was ever lifted off the plane
| by LEA (but obviously has made it through security into the
| plane) they are very likely the target of such a dirtbox
| intercept.

| gruez wrote:
| >If somebody on your flight was ever lifted off the plane
| by LEA (but obviously has made it through security into the
| plane) they are very likely the target of such a dirtbox
| intercept.
|
| You'd think fugitives won't bring their phones with them,
| turn them off unless absolutely necessary, or use burners.

| DyslexicAtheist wrote:
| yeah one would think so!
|
| in reality huge number of arrests are made due to
| incredibly dumb mistakes (and not because LEO's used some
| super newsworthy hack).

| [deleted]

| lykr0n wrote:
| Ooh. New project for today. Deploy this locally and figure out
| how to make this a public service where people can run their
| devices and the data is uploaded to a central database in
| real-ish time so people can see suspect changes.
|
| EDIT: This should have a 2017 tag, as the code is 4 years old and
| I assume the same is true for the website.

| dweekly wrote:
| Now we just need a few of these on coordinating drones to
| triangulate in real-time and snap some pictures of the
| transmission source.

| jhart99 wrote:
| You could do it with a couple of KerberosSDR units.

| ChrisMarshallNY wrote:
| This is cool!
|
| Of course, it will only be a matter of time before the
| stingray-users figure out how to fool them...

| sschueller wrote:
| Maybe we get enough time to finally make it illegal to use one.
| If this isn't mass surveillance then what is?

| ng55QPSK wrote:
| "a matter of national security" - there are endless
| interfaces into the network (by law) for lawful interception
| and some of them are designed in such a way that Interceptor
| E1 cannot see what Interceptor E2 is trying to read.
|
| Still, some 'other' interested parties that have reasons not
| to use the standardised interfaces.
|
| For 5G a lot of additional security measures CAN be enabled,
| but you can guess who started to complain about that.

| xfitm3 wrote:
| I fear the same. This research will drive stingray to be more
| stealth.

| hilbert42 wrote:
| Right, that is highly probable and the fact that it's likely
| to happen will drive nefarious operators to illegally change
| IMSI numbers, etc., that is, if it's not already happening on
| a grand scale. This could lead to a technology war between
| law enforcement and crooks where the main victims will be
| innocent people.
|
| The bigger and more important issues are that (a) our police
| forces are becoming more militaristic and are acting more
| like invading armies without themselves conforming to the law
| not to mention the fact that they are also acting
| underhandedly and by stealth (which leads the citizenry to
| distrust them), and (b) the issue of citizens' right to
| privacy has not been properly or adequately addressed by
| legislators.
|
| The fact that our governments have precious little control
| over their various agencies is also of great concern.

| hn_throwaway_99 wrote:
| Seems like that would maybe be a game of cat-and-mouse, but
| fundamentally these IMSI catchers _have_ to have an
| identifiable signature. That is, in order to work they need to
| mimic an existing cell tower as much as possible, but it is
| exactly because of that mimicry that they can be detected over
| time (e.g. because the signal is coming from a different
| location).

| coretx wrote:
| Using more than one antenna will expose a phase difference
| and drifting in time can't be avoided either unless they
| waste millions of tax money on ultra expensive TCXO's.
| Therefore I suspect that they'll passively identify a signal
| and order the service provider to decrypt it at their
| backbone. If France/the GSM foundation could pull off that
| encryption is to be downgraded in strategic countries; surely
| some other power-hungry nation-state will beat that record.

| wcarss wrote:
| In case anyone else is wondering what an IMSI-Catcher is, let me
| save you a google:
|
| "An international mobile subscriber identity-catcher, or
| IMSI-catcher, is a telephone eavesdropping device used for
| intercepting mobile phone traffic and tracking location data of
| mobile phone users."
|
| 1 - https://en.wikipedia.org/wiki/IMSI-catcher

| Imagenuity wrote:
| The Stingray is a commercially available model that you may
| have heard of.

| heavyset_go wrote:
| They're also cheap, easy to use and deployed all over the
| country by local law enforcement. It isn't just three letter
| agencies using them, it's your local police department, too. No
| warrants needed, either.

| mnw21cam wrote:
| Is it just me that looks at the equipment photo, and thinks -
| you're using an inverter to convert 12VDC to 120VAC, then a
| couple of wall plug transformers to convert that back down to
| low-voltage DC - why don't you just use a DC regulator?

| bombcar wrote:
| Everything is off-the-shelf: you can find 12DC to 120AC at
| Walmart, but a DC/DC regulator is harder to find and more
| difficult to configure and set up correctly.

| sjruckle wrote:
| Car 12v systems can be really noisy. The inverter and power
| bricks are pretty much guaranteed to filter all that out.
|
| Besides that, this way doesn't need any soldering, which is
| nice.

| op00to wrote:
| Inverters and power bricks are noisy too.

| tzs wrote:
| > Car 12v systems can be really noisy.
|
| A 12 V lead acid battery ranges from around 12.7 volts when
| fully charged down to around 12.2 at 50% (the minimum
| recommended charge level for typical car batteries). When
| starting the car, the voltage will drop below that. When the
| alternator is running to charge the battery it is around 14
| V.
|
| Is there any regulation or filtering on the 12 V ports on
| cars, or do devices plugged into them see it all--the
| alternator voltage when it is running, a big drop when
| starting, and 12.7-12.7 at other times?

| anyfoo wrote:
| Not necessarily, and there is way worse stuff on that power
| source than that. For example, you have to guard against
| things like "load dump" where voltage can spike up to
| rather high voltages momentarily (80V or so, don't know the
| actual spec right now).
|
| Chances are that a modern car has more regulation and
| protection between battery/alternator and the 12V plug, but
| you don't usually know what, and the spec doesn't (or at
| least didn't when i looked into it) require it.

| JoshTriplett wrote:
| There's no standardized regulation or filtering; devices
| typically see it all. And it's much more than the
| alternator voltage; a device might see transient 24V or
| more, and as little as 9V.
|
| See
| https://en.wikipedia.org/wiki/Automobile_auxiliary_power_out...
| for more.
|
| Modern chargers tend to be really forgiving, and they're
| often powering a device that has its own battery, so there
| are multiple levels of regulation between the car and the
| device.
|
| On the other hand, I've used automotive adapters that do a
| simple DC-DC conversion with no regulation, and pass
| through to a barrel connector to a device that would
| otherwise be powered by standard alkaline disposable
| batteries. Those aren't nearly as robust, and I've seen
| devices fail or power-cycle due to undervolting.

| detaro wrote:
| No filtering, it goes directly to the general power rails
| in the car, with all the noise included. Devices are
| responsible for filtering/protection as needed.

| jdc wrote:
| BOM from the paper:
|
| Telit GT-864 QUAD/PY GSM modem           $65
| External antenna                         $25
| Raspberry Pi 2B+2                        $35
| GPS (GlobalSat BU-353)                   $30
| Bait Phone (Motorola Moto-G 4G LTE)      $95
| 4G Hotspot (ZTE Z917) + 3 month plan     $100
| DC/AC inverter                           $26
| Powered USB Hub                          $17
| Pi accessories                           $15
| SD Card (32 GB)                          $17
| Modem accessories                        $30
| Cables                                   $35
| Box                                      $12
| Total                                    $502
|
| https://seaglass-web.s3.amazonaws.com/SeaGlass___PETS_2017.p...

| jcrawfordor wrote:
| While the project has largely languished lately, I
| reimplemented a sensor with similar capabilities to Project
| Seaglass with the goal of a lower BOM cost and easier purchase
| - the particular Telit module they used is discontinued and
| hard to obtain. My BOM is around $160 and could be lowered. See
| here: https://github.com/jcrawfordor/cellscan

| 4gotunameagain wrote:
| Partnering with rideshare drivers to maximize coverage of the
| mobile units is quite clever.
|
| Glad things like these are being done

| nceqs3 wrote:
| Is this open source? Would love to run it in DC. Would imagine
| quite a few hits.

| LargoLasskhyfv wrote:
| https://github.com/seaglass-project/seaglass

| baybal2 wrote:
| > Would love to run it in DC.
|
| You will probably find a lot, but mostly from SMS spammers
|
| https://m.alibaba.com/product/1600220614935/detail.html
|
| IMSI catchers are pretty much freely available for everybody to
| use, and now closing on becoming tiny, and portable:
| https://m.alibaba.com/product/1600226966011/detail.html
|
| P.S. The company has quite an interesting list of buyers:
| https://www.exporthub.com/shenzhen-thinkwell-digital-co-ltd-...
| . Including one "eternal friend" of US who has recently been
| caught red handed stingraying the state department, and the
| whitehouse.

| nanna wrote:
| > P.S. The company has quite an interesting list of buyers:
| https://www.exporthub.com/shenzhen-thinkwell-digital-co-ltd-...
| . Including one "eternal friend" of US who has
| recently been caught red handed stingraying the state
| department, and the whitehouse.
|
| Link is to a motorcycle mp3 player. What am I missing?

| baybal2 wrote:
| Looks like an SEO spam then

| 2Gkashmiri wrote:
| What... is the price of these again ? I'm on mobile and the
| price in my currency shows this specific one in upwards of
| US $18k+?
| Is it that expensive or is alibaba somehow showing me
| wrong price

| InvaderFizz wrote:
| Not a wrong price, $18k USD is downright cheap for what it
| does for the intended customer base.
___________________________________________________________________
(page generated 2021-05-16 23:00 UTC)
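
The location-consistency signal hn_throwaway_99 describes in the thread (a copied cell identity being heard strongly somewhere the real tower is not) can be sketched as follows. This is an added example, not code from the thread or from the SeaGlass project; the record layout, the two thresholds and the sample scans (test-network code 001-01) are assumptions constructed for illustration.

```python
import math
from collections import defaultdict
from itertools import combinations

STRONG_DBM = -75      # assumed cutoff for "sensor was close to the transmitter"
MAX_SPREAD_KM = 3.0   # assumed: strong readings of one fixed cell cluster tightly

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def inconsistent_cells(scans, strong_dbm=STRONG_DBM, max_spread_km=MAX_SPREAD_KM):
    """Return {cell_id: spread_km} for identities whose strong readings
    come from places too far apart to be one fixed tower."""
    strong = defaultdict(list)
    for cell_id, lat, lon, rssi in scans:
        if rssi >= strong_dbm:          # weak readings carry far, so skip them
            strong[cell_id].append((lat, lon))
    flagged = {}
    for cell_id, points in strong.items():
        spread = max((haversine_km(p, q) for p, q in combinations(points, 2)),
                     default=0.0)
        if spread > max_spread_km:
            flagged[cell_id] = round(spread, 1)
    return flagged

# Constructed sample scans: (MCC-MNC-LAC-CID, lat, lon, RSSI in dBm)
SAMPLE_SCANS = [
    ("001-01-1001-501", 47.6062, -122.3321, -62),
    ("001-01-1001-501", 47.6075, -122.3340, -70),
    ("001-01-1001-501", 47.6500, -122.3500, -101),  # weak and distant: ignored
    ("001-01-1001-777", 47.6097, -122.3331, -60),
    ("001-01-1001-777", 47.4502, -122.3088, -58),   # same ID, strong, far away
]

if __name__ == "__main__":
    for cell, km in inconsistent_cells(SAMPLE_SCANS).items():
        print(f"{cell}: strong readings {km} km apart")
```

A flagged identity is a lead to investigate rather than proof, since temporary or relocated legitimate cells can produce the same pattern.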