Android-based project to detect and (hopefully one day) avoid fake base stations (IMSI-Catchers) in GSM/UMTS Networks. Sounds cool and security is important to you? Feel free to contribute! ;-)
German Article about our Project: IMSI-Catcher Erkennung für Android – AIMSICD.
- Introduction
- IMSI-Catchers
- Roadmap
- Goals
- Limitations
- Disclaimer
- WIP-Releases
- Installation
- User Guide
- Changelog
- Discussion
- Build
- Contributing
- Support
- Bugs
- Wiki
- Sources
- Credits
- License
- More Security
Both law enforcement agencies and criminals use IMSI-Catchers, which are false mobile towers acting between the target mobile phone(s) and the service provider's real towers. As such, it is considered a Man-in-the-Middle (MITM) attack. The FBI or local police might deploy the device at a protest to obtain a record of everyone who attended with a cell phone. In the USA this technology is known under the name "StingRay", which is even capable of tracking the people who are traveling together with the owner of a targeted phone across the country. IMSI-Catchers can allow adversaries to intercept your conversations, text messages, and data. Police can also use them to determine your location, or to find out who is in a given geographic area at what time. Identity thieves might sit with an IMSI-Catcher in a parked car in a residential neighborhood, stealing passwords or credit card information from people nearby who make purchases on their phones. All of this surveillance happens in secret.
Powerful, expensive IMSI-Catchers are in use at federal agencies and some police departments. And if you think that IMSI-Catchers are not used in your own town, think twice! If you ever happen to be near a riot or demonstration, pay close attention to cars with numerous (tiny) antennas on their roof - those might be IMSI-Catchers. But most of the time you won't even discover these creepy devices - current technology shrinks them to be as tiny as your phone!
YouTube: DEF CON 18 - Practical Cellphone Spying with Kristin Paget
Unfortunately it seems that IMSI-Catchers have become exponentially more popular lately, with an explosion of various "bastards", governments and criminals alike, using them. Anyone can now buy an IMSI-Catcher (or build a cheap one on their own). Sending spam and phishing SMS via fake base stations is already a lucrative underground market, particularly in Russia, China and Brazil (see The Mobile Cybercriminal Underground Market in China). For example in China, 1.530 people got arrested for using this kind of equipment. Just recently, hackers decided to start reverse-engineering the NSA toolset and are releasing tools like TWILIGHTVEGETABLE - an easy to use, boot and pwn toolkit for passive monitoring of GSM communications. It's just a matter of time until your own neighbor will spy on you with simple self-built tools!
In addition, they can all crack A5/1 encryption, which is most commonly used for GSM traffic, on the fly (passively)! Only the latest A5/3 encryption, which is used for securing mobile data (4G and 3G) and is offered as the new security standard for GSM encryption, remains secure in practice while susceptible to theoretical attacks. Although A5/3 withstands passive eavesdropping, it can be bypassed by deploying an IMSI-Catcher which can force a mobile device into 2G mode and then downgrade the encryption to A5/1 or disable it. There are almost no phones on the market which offer an option to check what kind of encryption is used to secure GSM traffic. The only way to protect a mobile device from downgrade attacks is to disable 2G if this option is available. In this case the phone will not be able to receive or make calls in areas without 3G coverage. This is why the original author named "E:V:A" started this project. Let's detect and protect against these threats! Never think that you've got "nothing to hide". You'll very likely regret it one day.
- NSA’s Secret Role in the U.S. Assassination Program
- Scary YouTube-Video: How easy it is to clone phones.
- Talk by Karsten Nohl and Luca Melette on 28c3: Defending mobile phones.
- Current IMSI-Catchers can be as tiny as the portable Septier IMSI-Catcher Mini now:
- Below, the smartphone takes up the most space. IMSI-Catchers will even get smaller!
- This picture was taken during the riots on Taksim Square in Istanbul:
- The above example is way too conspicuous and you'll likely never encounter one of these.
- Today's IMSI-Catchers can be body-worn, or are hidden inside comfortable Spy-Vehicles:
- a. collects relevant RF related variables using public API calls. (LAC etc)
- b. puts them in an SQLite database
- c. catches hidden SMS's
- d. catches hidden App installations
- e. opens a device local terminal root shell
- f. uses (e.) to connect to the modem AT-Command Processor ATCoP via shared memory interface SHM
- g. displays the results from sent AT commands
- CRUCIAL to our project: Please help E:V:A develop a Native AT Command Injector!
- h. use the OTG (USB-host-mode) interface to use FTDI serial cable to interface with another OsmocomBB compatible phone (using Android host as a GUI host)
- i. uses the "CatcherCatcher" detector SW on the 2nd phone
- j. can inject fake 2G GSM location data
- k. find out how to access L0-L2 data using the ATCoP connection
- l. use a statistical algorithm (and smart thinking) on the DB data to detect rogue IMSI catchers
- m. combine all of the above (steps h to l) into a BETA App for testing, add more languages
- n. improve BETA app by adding (many more) things like IMSI-Catcher counter measures
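
A sketch of roadmap steps a, b and l, and of the 2G downgrade described earlier, as an added example that is not AIMSICD's own code or algorithm: logged cell observations go into SQLite and two simple consistency checks run over them. The table layout, function names and sample rows are assumptions made for illustration.

```python
import sqlite3

# Constructed sample observations: (unix_time, mcc, mnc, lac, cid, rat).
# Hypothetical schema and values, not AIMSICD's actual database layout.
SAMPLE = [
    (1000, 262, 1, 4101, 20011, "UMTS"),
    (1060, 262, 1, 4101, 20011, "UMTS"),
    (1120, 262, 1, 4101, 20012, "UMTS"),
    (1180, 262, 1, 9999, 30555, "GSM"),   # sudden 2G fallback on an unseen LAC
    (1240, 262, 1, 4101, 20012, "UMTS"),
    (1300, 262, 1, 4102, 20011, "UMTS"),  # known CID announced under another LAC
]

def load(rows):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cell_obs (ts INTEGER, mcc INTEGER, mnc INTEGER, "
               "lac INTEGER, cid INTEGER, rat TEXT)")
    db.executemany("INSERT INTO cell_obs VALUES (?,?,?,?,?,?)", rows)
    return db

def cids_with_changing_lac(db):
    """Cells (mcc, mnc, cid) that were observed under more than one LAC."""
    q = """SELECT mcc, mnc, cid FROM cell_obs
           GROUP BY mcc, mnc, cid HAVING COUNT(DISTINCT lac) > 1"""
    return [tuple(r) for r in db.execute(q)]

def brief_2g_fallbacks(db, window=120):
    """2G observations sandwiched between 3G/4G ones within `window` seconds."""
    # Such a dip also has benign causes; treat a hit as a lead, not a verdict.
    rows = db.execute("SELECT ts, lac, cid, rat FROM cell_obs ORDER BY ts").fetchall()
    hits = []
    for prev, cur, nxt in zip(rows, rows[1:], rows[2:]):
        if (cur[3] == "GSM" and prev[3] != "GSM" and nxt[3] != "GSM"
                and nxt[0] - prev[0] <= window):
            hits.append((cur[0], cur[1], cur[2]))
    return hits

if __name__ == "__main__":
    db = load(SAMPLE)
    print("CIDs with changing LAC:", cids_with_changing_lac(db))
    print("Brief 2G fallbacks (ts, lac, cid):", brief_2g_fallbacks(db))
```
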
- Detects IMSI based device location tracking
- Provides counter measures against device tracking
- Can provide swarm-wise-decision-based cellular service interruption
- Can provide secure wifi/wimax alternative data routes through MESH-like networking
- Detect and prevent remote hidden application installation
- Detect and prevent remote hidden SMS-based SIM attacks
- Prevent or spoof GPS data
- Does NOT secure any data transmissions
- Does NOT prevent already installed rogue application from full access
- Aims to be added to the Guardian Project's list of secure Apps
- Aims to be recommended by the SSD Project of the Electronic Frontier Foundation
- Provide full device encryption
- Provide secure application sand-boxing
- Provide secure data transmission
- Provide firewalls (awesome solution: AFWall+)
For our own safety, here's our Disclaimer. In short terms: Think before you act! We're untouchable.
Found a bug? Please carefully follow our guide on how to correctly submit Issues!
Although this project is fully Open Source, developing AIMSICD is a lot of work and done by enthusiastic people during their free time. If you're a developer yourself, we welcome you with open arms! To keep developers in a great mood and support development, please consider making a fully anonymous donation through sending DarkCoin to our new OFFICIAL DONATION ADDRESS: XxEJvrYtkTZzvMUjtbZwPY34MyCGHSu4ys
All collected donations will be split into appropriate pieces and directly sent to developers who contribute useful code. The amount of DarkCoins each developer receives will vary with the value of each merged commit. To be perfectly clear: We will NOT reward junk, only awesome stuff. If you are unsure how to do this, visit our WIKI-Page on Anonymous Donations.
This project is completely licensed under GPL v3+.
Our project would not have been possible without these awesome people. HUGE THANKS! ;-)
This list will be updated as our project evolves and shall be included within the final app.
- Smartphone Attack Vector - Smartphone flaws and countermeasures
- Kuketz IT-Security Blog - Great Security Reviews (written in German)
- PRISM Break - Alternatives to opt out of global data surveillance
- The Guardian Project - Secure Open Source Mobile Apps
- Security Research Labs - Stunning Security Revelations made in Berlin
- The Surveillance Self-Defense Project - Defend against the threat of surveillance
- Electronic Frontier Foundation - Nonprofit organization defending civil liberties in the digital world
- TextSecure - Secure text messaging application for Android (replace WhatsApp)
- RedPhone - Encrypted voice calls for Android
- KillYourPhone - Make your own signal blocking phone pouch super fast for little money
- GSM-Map - Compares the protection capabilities of mobile networks (contribute data!)