Skip to content

Top New Best Ask Show Jobs

Android IMSI-Catcher Detector | Better HN

Android IMSI-Catcher Detector (opens in new tab)

(secupwn.github.io)

76 pointsslashdotaccount11y ago34 comments

34 comments

slashdotaccountOP11y ago

Hello, everyone! Since Google does not seem to be interested in fixing the huge security hole of not showing a ciphering indicator on Android, it appears as if they get paid (or are forced to) not fix it. For all of you that are sick of getting spied on through IMSI-Catchers, Silent SMS and alike and want to do something about it, here's a great project you should check out: "The Android-IMSI-Catcher-Detector" (AIMSICD). It is an Android open-source based project to detect and (hopefully one day) avoid fake base stations (IMSI-Catchers) or other base-stations (mobile antennas) with poor/no encryption.

This project aims to warn users if the ciphering is turned off and also enables several other protection-mechanisms. Since it is under constant development, they are constantly searching for testers and security-enthusiastic developers with balls. Don't be shy, feel free to contribute, in any way you can on GitHub: https://github.com/SecUpwN/Android-IMSI-Catcher-Detector

telecuda11y ago

Thanks for working on this important project! Maybe I missed this in reading your site, but how do you know it detects fake base stations? Have you been able to test it against a Stingray, or are you basing the app on a set of assumptions derived from recently leaked product specs?

andor11y ago

Their development roadmap has some details, not all of which seem viable. They want to make 2-3 apps:

1. Detect hidden SMS and (SIM card?) app installations through public APIs. I don't think this will work.

2. Send AT commands to the baseband processor and use the results to detect anomalies. My guess is that the baseband doesn't expose enough information for this to work.

3. Connect to an OsmocomBB phone running CatcherCatcher [0] via USB. This should work, since CatcherCatcher seems to work.

[0] https://opensource.srlabs.de/projects/mobile-network-assessm...

mike_hearn11y ago

> it appears as if they get paid (or are forced to) not fix it

Occam's Razor says ... perhaps they believe 99.9% of people do not care and are not capable of understanding which encryption standard is being used to communicate with their base station, and thus Google prefers to focus its efforts on things that 99.9% of people would consider when buying a phone?

slashdotaccountOP11y ago

I don't think so. As a matter of fact, the Issue of not having a ciphering indicator within Android has been filed on December 10, 2009! But see for yourself: https://code.google.com/p/android/issues/detail?id=5353

tmosleyIII11y ago

It isn't an Android only thing, all devices will be found and you would not know.

rinon11y ago

However, rooting and interfacing with underlying hardware is significantly harder on other platforms.

nradov11y ago

Do you intend to add CDMA support?

E3V3A11y ago

We had partial CDMA support with an extra feature to detect Verizon Pico/Micro (?) cells. However, the lack of CDMA testers put this on hold.

slashdotaccountOP11y ago

This entirely depends on peoples contributions on GitHub.

TorKlingberg11y ago

You probably shouldn't put the EFF, Guardian Project and Privacy International logos so prominently on your website if you are not affiliated with or supported by those projects.

slashdotaccountOP11y ago

Sadly, this Project is not yet officially supported by them. But it is one of the GOALS to support FF, Guardian Project and Privacy International. Not necessarily the other way around. :)

noyesno11y ago

This reminds me of the early days of GSM where Nokia phones showed a broken lock icon if the air interface between the mobile phone and the base station did not use encryption. At the time at least France had disabled the encryption and the indicator caused some interesting discussions.

abritishguy11y ago

Display which cipher is being used?

2G is insecure regardless of whether encryption has been turned off or not, it can be decrypted on the fly with very modest hardware so the indicator telling you what connection you have is as good as telling you whether it is "secure" or not.

> Detect hidden SMS

Not really feasible - there are tons of different types of "hidden" sms that are routinely used by the network but can be spoofed by a third party.

> Detect SIM card app installations through public APIs

This won't work unless it is rooted and this messages have to be signed from the network anyway.

nerderloo11y ago

It seems only 2G connection is crackable. Are we safe as long as the device is on 3G/4G network? We should just disable cellular radio when you see the device is on 2G suspiciously in the middle of city(around demonstrations, I suppose)

slashdotaccountOP11y ago

I'm just going to quote the GitHub README here: "Although A5/3 withstands passive eavesdropping, it can be bypassed by deploying an IMSI-Catcher which can force a mobile device into 2G mode and downgrade then the encryption to A5/1 or disable it."

Here is the best hint I can give you: LEAVE YOUR PHOEN AT HOME when you really have to participate in demonstrations! The main reason why the use of IMSI-Catchers, Stingrays and alike is such a popular tactic for law enforcement agencies is because people are not SMART ENOUGH to think ahaed and leave their phones at home!

No solution for you? Well then, at the very least make yourself your own signal blocking pouch to fully block all Silent SMS: www.killyourphone.com

lttlrck11y ago

Or use airplane mode?

kalleboo11y ago

On Android phones you can disable 2G and set them to 3G only. I wish iOS had this option.

slashdotaccountOP11y ago

IMPORTANT: We're actively searching for skilled DEVELOPERS. Chime in!

programmernews11y ago

Great project! Will follow this and share the GitHub link.

cowbell11y ago

This sounds like such a good idea, I think the US government will outlaw it.

slashdotaccountOP11y ago

How will they outlaw an open-source project? They can "outlaw" all they want, they're already doing what they want, when they want it. It's time for the brave people out there to fight back! Have some balls and stand against the massive abuse of your most private data!

cowbell11y ago

Look at the attempts to outlaw apps like Trapster. You give away the position of speed traps and DUI checkpoints and cops don't like that.

Last I heard, Trapster was forced to remove DUI checkpoints to stay on the app store. That was after attempts to rule it illegal in court failed. Same result. Crowdsourced DUI checkpoint apps are effectively gone if the stores don't have them. If only a few sideloaders have them, then there's no crowd to source.

This would work in a similar manner, but would expose the cops' fake cell towers. I fully expect this to suffer a similar fate.

That is not to say I don't like the project. I commented just so I could find it again in the future :)

lallysingh11y ago

Probably not. They don't want to bring up their own tactics in court for challenge.

pyre11y ago

They'll just put the developers on a terrorist watch list instead...

couchand11y ago

Any chance you could quiet the headline a bit? I recognize you have a good project but that title's awfully loud.

dang11y ago

We took "DEVELOPERS WANTED: " out of the headline. It broke more than one of the site guidelines.

slashdotaccountOP11y ago

Thank you, much appreciated.

j / k navigate · click thread line to collapse