Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Changing LAC on same CID #91

Open
He3556 opened this issue Jul 19, 2014 · 44 comments
Open

Changing LAC on same CID #91

He3556 opened this issue Jul 19, 2014 · 44 comments

Comments

@He3556
Copy link
Collaborator

He3556 commented Jul 19, 2014

The LAC (Location Area Code) describes a set of Cell Towers (with different IDs) like below:

step_01

Step 1 of the IMSI-Catcher (picture 1): Masquerade like a real BTS and send with more power than the original, so a cell phone would connect to it. But if the connection is established it is still using the TIMSI (Temporary IMSI).

step_02

Step 2 of the IMSI-Catcher (picture 2): One possibility to get the IMSI:

  • Change the LAC of the BTS (picture 2), so that the Location Update Procedure is initiated.

unbenannt

If the MSC (Controller of a group of BTS) is also changing with this location update, then the phone would have to send the IMSI. Or if the location update fails it will also send the IMSI.
See Figure 4.1.1.1 [http://www.qtc.jp/3GPP/Specs/23012-520.pdf]

However, the Catcher-Catcher Project gives a yellow or a even a red flag if the LAC is changing, so we really should implement this. It is also quite simple to do, because we have the values LAC and CellID. If the CellID changes the LAC over the time – we can show a yellow flag – if it changes more than once we show a red flag. This happens while the IMSI-Catcher is catching IMSI’s – not when a call is established. So you don’t have to be the victim to detect a fake BTS.

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

@He3556 He3556 self-assigned this Jul 19, 2014
@SecUpwN
Copy link
Member

SecUpwN commented Jul 19, 2014

Thanks for opening this Issue, @He3556. Makes sense to me and is in line with the Status Icons. But should we really be showing Status Red when it changes more than once? Guess Orange for "HIGH" would be better in this case until we can add additional tests to verify that this particular user is being traced. @E3V3A, your opinion? @xLaMbChOpSx, how far away is this "easy" implementation for you?

@He3556
Copy link
Collaborator Author

He3556 commented Jul 19, 2014

yes right, we have orange, so let's use this first.

@SecUpwN SecUpwN changed the title Countermeasure 1: Changing LAC Detection 1: Changing LAC Jul 20, 2014
@E3V3A
Copy link
Contributor

E3V3A commented Jul 20, 2014

He3556 : Very clean and nice description. Thanks. We probably don't wanna make it "red" immediately (which is why we have that score table) because it could easily change under simple conditions such as:

  1. You're moving your phone around (don't be when using AIMSICD)
  2. You're just between two or more cell towers or inside a building where you have one on one side of the house and another on the other side.
  3. Your phone is connected to a UMTS cell and you just sat down at some place where there is also a GSM cell, and you have set your phone's settings to prefer GSM cells. (or vice versa)

@SecUpwN
Copy link
Member

SecUpwN commented Jul 20, 2014

  1. You're moving your phone around (don't be when using AIMSICD)

@E3V3A: Rather "Impossible" since I always run AIMSICD while on the move. @He3556 does it, too.

@E3V3A
Copy link
Contributor

E3V3A commented Aug 6, 2014

Yes, so here is a good place we can actually use signal strength. Because when connected normally, you will have one, and if for some reason another one pops up with a completely new a better signal, with the same LAC/CID that is rather abnormal. So it's use would be a "relative" signal strength, that suddenly changes in time, but not place.

@He3556
Copy link
Collaborator Author

He3556 commented Aug 6, 2014

Wouldn't it (signal strength) belong to the statistic detection? Because you need data of the BTS history, so you can tell if the signal is changing in a abnormal way. A changing LAC you can detect immediately, event if you are in a new area and without data from the CellID db.

And than, if both values change (LAC and Signal Strength) you can be quite sure, that there is something going on.

So let's separate the 2 strategies and maybe open a new Issue "Detection 3: Changing Signal Strength"?

@E3V3A
Copy link
Contributor

E3V3A commented Aug 6, 2014

You're absolutely right!

@E3V3A E3V3A modified the milestone: v1.0-beta Aug 6, 2014
@E3V3A E3V3A added the detection label Aug 6, 2014
@He3556
Copy link
Collaborator Author

He3556 commented Aug 8, 2014

First "rough" detection flow chart of this issue
detection issue 01 2

@SecUpwN
Copy link
Member

SecUpwN commented Sep 8, 2014

HUGE THANKS flies out to @xLaMbChOpSx for commiting xLaMbChOpSx@43ae77e

@He3556
Copy link
Collaborator Author

He3556 commented Oct 4, 2014

...together with the CellID check we have something like this

detection lac-cid 2

@E3V3A E3V3A changed the title Detection 1: Changing LAC Detection 1: Changing LAC/CID Oct 23, 2014
@SecUpwN
Copy link
Member

SecUpwN commented Nov 21, 2014

@tobykurien, you said that this is implemented. Can you verify that we did a full implementation and that this Issue can be closed as solved? If not, what else has to be done to progress from here?

@E3V3A
Copy link
Contributor

E3V3A commented Nov 21, 2014

@SecUpwN Please see internal chat discussions. @He3556 Did some testing... In the meantime I'm rewriting the DB structure for easier development and detection implementation.

@menschenfresser
Copy link

I have plenty of LAC change warnings every day - yellow icon

I would send you logged data for analysis but how to do it? I am on the edge of the range of any BTS because I live in the deep countryside. My GSM signal is almost null, one bar or nothing but when I walk or drive around with my phone I register yellow icon LAC change warning. I would help you but I don't know how to do it. I am not a target but I receive weak signal of some events. You should have OTR encrypted chat client with you.

@SecUpwN
Copy link
Member

SecUpwN commented Nov 23, 2014

@menschenfresser, danke für Deine Teilnahme am Projekt! I would very much welcome if you forward your findings to @E3V3A via E-Mail. Please see our README for how to get in touch with him.

@E3V3A
Copy link
Contributor

E3V3A commented Nov 23, 2014

As I said, right now the app is not suitable for moving around, since that obviously will connect you to a new LAC. Thus, until we have fixed the DB and CID relations, you'll have to stay put in one place, for reliable detection.

@tobykurien
Copy link
Contributor

From looking at the code it basically does this:

  • Every REFRESH_RATE seconds, get connected cell details
  • Do we have cellId in our database?
  • If not, add to our DB with it's LAC
  • If yes, then is it's LAC the same as current LAC? If not, then show alert of changing LAC

See https://github.com/SecUpwN/Android-IMSI-Catcher-Detector/blob/master/app/src/main/java/com/SecUpwN/AIMSICD/service/CellTracker.java#L720-L729

So basically, it checks LAC against previous LAC for the CellId. This means that it should work fine even for moving around.

@He3556
Copy link
Collaborator Author

He3556 commented Nov 25, 2014

thanks for clarification :)
yes you are right - movement is no problem in this case. We have cellID in both db - local and openCellID. Next stepp is to check if the cid (local) is in the openCellid db.

@menschenfresser
Copy link

Hi, if I understand it right the Police can't order the telecom company to wiretap us without court warrant and without prior evidences against us. Then the Police tries to capture some voice/data in illegal way by serving fake BTS or IMSI-Catcher. Police can also use such illegal hardware to sniff for random phone conversations and make raids at 6AM to illegally eavesdropped people only just because of incriminating conversation. Am I right?

The question is how far the telecom responsible for the network is involved in this illegal procedure?

  1. Telecom could allow to clone it's BTS and give encryption keys in secrecy. Policeman then drives to the target with almost official but portable BTS with proper encryption settings and he serves this BTS to us but in different location. Then this attack can be discovered only by the comparison of the databases of cell tower coordinates vs their LAC/CID/GPS real coordinates. Am I right?
  2. Even if the telecom is cooperative and give new, unique BTS data to the Police to create virgin fresh BTS then the database of known cell tower's coordinates immediately discovers new BTS which wasn't there yesterday and is not in the opencellid database. Am I right?
  3. So if BTS is cloned or created as new we can only discover it by its location and the database because encryption will/may be proper.
  4. Another attack could be conducted without operator consent. Simple IMSI-Catcher with disabled encryption and the call routed through another network. It will not show up in the billing.

What else?

@SecUpwN
Copy link
Member

SecUpwN commented Nov 26, 2014

@menschenfresser, to make it short: Do not "trust" any governmental agencies, the police or whatever to even do what the law "requires" them to do. They just do whatever is necessary to obtain needed data - the invention of IMSI-Catchers themselves is the best proof of that: They invented and used it until the device was publicly known too much and some sort of law had to be "put in place" to make the roaring crowd calm down. But do you think they actually follow "rules"? Forget it. Laws in itself are a joke.

I am thankful you are contributing to our project, but discussing such basic things is beyond the scope and not meant to be done in our Issues here. I've been reading multiple comments from you now and actually do understand why @E3V3A has been removing some of the things you've previously said. Please don't take that personally, but we're working hard to move forward on actually crafting this App, rather than just babble like everyone else does. If you'd really like to help us and show your support, please consider to fork our project and contribute pull requests. You will gain our respect for doing so!

But of course, if you have any questions or would just like to say "hi", please get in touch with me via E-Mail. You are always invited to ask me anything that might be unclear or chat away your boredom. Judging from your username, you are German. The Press Releases may answer your questions.

@He3556
Copy link
Collaborator Author

He3556 commented Jan 7, 2015

We shouldn't put 2 detections in one Issue again. This was "Changing LAC" and "Wrong CID" - now that we are finished with it, i will keep it like it is.

But there is still a bug giving wrong alerts (changing LAC) under special conditions.
(more logcat added in the last release - hope that helps to find the bug)
We have an extra issue for that, so we could close this one here i guess.

@SecUpwN
Copy link
Member

SecUpwN commented Jan 7, 2015

We have an extra issue for that, so we could close this one here i guess.

Which one? Please reference the correct Issue and close this if really done.

@He3556
Copy link
Collaborator Author

He3556 commented Jan 14, 2015

There is one thing ToDo before we can close this Issue.
Missing return here to update the Notification somewhere here
If somebody can give me a hint, how i can do it. Would save me some time :)

I want a notification if (openCellExists(cellID)) = false

@d-mariano
Copy link
Contributor

I would like to give this a shot. What would be a suitable notification? "Cell ID does not exist in OpenCellID Database." ? Or should I use the log string?

@He3556
Copy link
Collaborator Author

He3556 commented Jan 16, 2015

Thanks for picking up this one. Yes "Cell ID does not exist in OpenCellID Database" would be great.

@He3556
Copy link
Collaborator Author

He3556 commented Jan 18, 2015

thank's to d-mariano - we got this Issue finished :)
We need to think about a solution for the notifications. If there are two detections at the same time, the first one will be overlapped by the second. Maybe we show an array of notifications in a loop?
Just mentioned it - so we don't forget about it.

@E3V3A
Copy link
Contributor

E3V3A commented Jan 19, 2015

I just posted detailed instructions here in the "App Test Protocol" #173 issue, on how to test changing LAC.

E3V3A added a commit that referenced this issue Jan 19, 2015
Dave Mariano Fixed Issue #91:
- Lack of notification and tickerText in the event of:
  cellID not existing in the OCID database.
@SecUpwN
Copy link
Member

SecUpwN commented Jan 19, 2015

thank's to d-mariano - we got this Issue finished :)

Thanks to @d-mariano for his funky pull request! @He3556, if this is really solved now, please close.

@He3556
Copy link
Collaborator Author

He3556 commented Jan 19, 2015

we can still enhance this but actually we are finished at that point. So i just close it :)

@He3556 He3556 closed this as completed Jan 19, 2015
@E3V3A
Copy link
Contributor

E3V3A commented Jan 19, 2015

@d-mariano
Something is not right. Did you test it before making PR? Your code is causing the following problems:

  1. When app start for the first time, it immediately goes to YELLOW detection. Not good, but could be the right behavior, once the DB and BTS pin selection/coloring scheme is implemented.
  2. That annoying not possible to close/quit bug has returned... Not sure if it is only on my device.

@SecUpwN @He3556 @Ueland Please test!

Also, there seem to be no fallback to green after yellow. We may need a timeout there or what would be the most sensible thing to do?

@E3V3A E3V3A reopened this Jan 19, 2015
@He3556
Copy link
Collaborator Author

He3556 commented Jan 19, 2015

There is everything ok with the code and i am absolutely sure, that @d-mariano tested it before ;)
I just added a reminder in another issue about the problem.

REMINDER: For the installation & setup wizard (for the first start of the app)
We need to wait until the db is downloaded before we check the CID against the data of OpenCellID. Otherwise we get a wrong alert just right after the installation.

@E3V3A
Copy link
Contributor

E3V3A commented Jan 19, 2015

@He3556 Ok, great, but you put it in #181, which is not the right place, since it has to do with the first time use text. Please open a separate issue.

@SecUpwN
Copy link
Member

SecUpwN commented Jan 19, 2015

@E3V3A, the new Issue for the immediate yellow flag is #290. And just to tell you: We already discussed it in the Testroom before you mentioned it here. So is this closed now, or how often do we need to re-open this? I am about to lock this. Please tell us exactly what else needs to be fixed. Thank you.

@E3V3A
Copy link
Contributor

E3V3A commented Jan 19, 2015

Should we rename this to "...Changing LAC on same CID"?
(Because CID detection is yet different.)

@He3556
Copy link
Collaborator Author

He3556 commented Jan 19, 2015

yes thats why i said - in the future we don't throw detections together, in one issue :) if you want pls rename it.

@SecUpwN SecUpwN changed the title Detection 1: Changing LAC/CID Changing LAC on same CID Jan 19, 2015
@E3V3A
Copy link
Contributor

E3V3A commented Jan 19, 2015

Great! (The problem was that I originally though of them as connected.)

@SecUpwN
Copy link
Member

SecUpwN commented Jan 19, 2015

Great! (The problem was that I originally though of them as connected.)

@E3V3A, I can't follow, please clarify. We had multiple Issues in here and this one is solved?

@He3556 He3556 removed their assignment Jan 28, 2015
SecUpwN pushed a commit that referenced this issue Apr 17, 2015
… cellID not existing in the OCID database.
E3V3A added a commit that referenced this issue Apr 17, 2015
Dave Mariano Fixed Issue #91:
- Lack of notification and tickerText in the event of:
  cellID not existing in the OCID database.
@Tonat
Copy link

Tonat commented Jan 7, 2016

Hey there, I experience the following (as I already emailed you about, @SecUpwN ):
Without any change of location, seemingly random alerts for "Changing LAC" events (like in #439) happen on v0.1.37 on my non-LTE [sic] i9300 with CM 12.1 (without the OCID DBs downloaded due to #691). See the log for one of the events posted here: https://defuse.ca/b/jakoA5RPVujZdQ4JOMGEjr.
I'm not sure whether this may be related to #606 as only the time stamp, CID and LAC are showing values in the database viewer while PSC is shown as invalid, DF_id as 1. Lat, Lon and Accu however are all shown as 0. This is the case with all "Changing LAC" events (although the CID sometimes is different).
I experienced these events once or twice a day, with not having moved my phone for a while in all cases.

NB: Note that after updating on v0.1.38 and downloading the OCID DB, this stopped happening (at least it didn't in the past three days). So it may be due to this DB missing.

@ghost
Copy link

ghost commented Jan 7, 2016

@Tonat there was a change in lac as seen your log

01-06 20:00:09.397  10221-10221/com.SecUpwN.AIMSICD I/a﹕ ALERT: Changing LAC on CID: xxxxx3001 LAC(API): abc48 LAC(DBi): abc58

It's possible that both these LAC locations have the same cell id but if there is no LAC abc58 in your area than I would class this as suspicious.

If this LAC suddenly disappears a few hours later that's even more suspicious.

Try open cell id to see if this lac and cid exist for your area or another website that shows lac and cid locations.

@He3556
Copy link
Collaborator Author

He3556 commented Jan 7, 2016

If you have this alerts on different CIDs it is the same old problem. Some devices read wrong LAC values from time to time.
Btw. a CID only changes its LAC when the network gets reconfigured - or when a fake BTS tries to trigger a location update, where your IMSI will be send.
But it is only 1 fake BTS (CID) with a changing LAC - thats why we should #628 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

8 participants