New possible indicators
A group of researchers from the University of Florida and ETH Zurich presented a paper, "Detecting IMSI-Catchers by Characterizing Identity Exposing Messages in Cellular Traffic".
Video of the presentation is here: https://m.youtube.com/watch?v=jY3idyn11Tc
Most important finding:
_In this paper, we focus on the messages an adversary must send as opposed to behaviors their IMSI-Catcher might exhibit. We develop a detection methodology that searches cellular downlink traffic for all possible messages an adversary can use to force a mobile phone to reveal its IMSI.
...
That is, our approach focuses on causal attributes rather than correlated ones. We systematically analyze message flows that would lead to IMSI exposure (most of which have not been previously considered in the research community), and identify 53 messages an IMSI-Catcher can use for its attack._
Also, at 8:30 (in the YouTube video) he is talking about "attach reject messages". I already mentioned on Mattermost that we should be watching Location Update Reject messages. I believe something like this is quite important to implement.
Interestingly, at 10:20 he is talking about a downlink overshadowing attack, where the attacker is not using a fake base station, but can only inject fake messages into the downlink.
Here is the code: https://zenodo.org/records/14262356
I understand that they are using an SDR, but probably we can add some indicators based on their findings.
This table could be useful.
We should definitely monitor LAU Reject (Location Area Update Reject) messages; for instance, SnoopSnitch flags LAU Rejects if accompanied by an Identity Request.
Also, some IMSI Catchers require the UE to delete its TMSI, which leads to IMSI exposure in a subsequent connection.
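A sketch of how the heuristics from this thread could be expressed over already-decoded downlink messages, as an added example rather than Rayhunter's own code; the message enum, the session contents and the "delete TMSI" variant are constructed stand-ins for whatever the decoder produces:

```rust
// Constructed simplification of decoded downlink NAS messages; the real
// set of identity-exposing messages is the table from the paper.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum IdType { Imsi, Tmsi, Imei }

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Downlink {
    IdentityRequest(IdType),
    LocationUpdatingReject,
    AttachReject,
    DeleteTmsi, // stand-in for any message that makes the UE drop its TMSI
    Other,
}

#[derive(Debug, Default, PartialEq)]
pub struct Indicators {
    pub imsi_requests: usize,          // direct IMSI exposure
    pub identity_requests: usize,      // any Identity Request (IMSI/IMEI/TMSI)
    pub rejects: usize,                // LAU Reject + Attach Reject
    pub reject_with_identity_request: bool, // the SnoopSnitch LAU-reject heuristic
    pub tmsi_deleted: bool,            // IMSI will be exposed on the next connection
}

/// Walk one UE's downlink messages and collect the indicators discussed above.
pub fn analyze(msgs: &[Downlink]) -> Indicators {
    let mut ind = Indicators::default();
    for m in msgs {
        match m {
            Downlink::IdentityRequest(IdType::Imsi) => {
                ind.imsi_requests += 1;
                ind.identity_requests += 1;
            }
            Downlink::IdentityRequest(_) => ind.identity_requests += 1,
            Downlink::LocationUpdatingReject | Downlink::AttachReject => ind.rejects += 1,
            Downlink::DeleteTmsi => ind.tmsi_deleted = true,
            Downlink::Other => {}
        }
    }
    // "Accompanied by" is order-independent here: a reject anywhere in the
    // same session as an Identity Request is enough to trip the heuristic.
    ind.reject_with_identity_request = ind.rejects > 0 && ind.identity_requests > 0;
    ind
}

/// Alert on anything that forces IMSI exposure, now or on the next attach.
pub fn is_suspicious(ind: &Indicators) -> bool {
    ind.imsi_requests > 0 || ind.reject_with_identity_request || ind.tmsi_deleted
}
```

A plain reject with no Identity Request in the session is counted but not alerted on, since rejects also occur on properly configured networks.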
Relevant:
https://san.com/cc/exclusive-evidence-of-cell-phone-surveillance-detected-at-anti-ice-protest/
The analysis uncovered unusual bursts of data, known as “IMSI-exposing messages,” across several LTE frequency bands. Normally, cell phones are provided Temporary International Mobile Subscriber Identities, or TIMSIs, by networks for privacy purposes. Legitimate cell towers rarely request a cell phone’s permanent IMSI, which can be used to identify and track individuals.
At 8:58 a.m., just before the protest began, SAN began monitoring eight LTE bands present in the area and found no anomalous behavior. At 9:06 a.m., however, a burst of 57 IMSI-exposing commands was detected.
Other bursts, present on four of the LTE frequency bands, appeared roughly every 10 minutes over the next hour, causing Marlin to issue numerous real-time alerts. A post-scan analysis confirmed the detection of 574 IMSI-exposing messages.
It also flagged two “attach reject” messages, a type of cellular rejection sent when a cell phone tries to connect to a network. Attach rejects can occur for valid reasons, such as when a phone with an expired SIM card tries to connect to a network, but such messages are rare on properly configured networks. IMSI catchers may use attach reject messages to block or downgrade connections and obtain an IMSI before it is encrypted. SAN observed the two suspicious messages at 9:55 a.m. and 10:04 a.m. at the height of the protest but did not encounter others before or after the demonstration ended.
Please give feedback on https://github.com/EFForg/rayhunter/pull/451