LTE Catcher & Stingrays 2.0

Smartphone Security

 

IMSI-Catcher of the new generation:

Also known as: Hailstorm’s “Stingray”, Rayzone’s “Piranha”. They all have the GSM IMSI-catcher features, plus new SS7 and UMTS/LTE features.

I want to compare the two devices and find out if there is an alternative method for all modes of operation with a 2.0 catcher.

 

Short conclusion:

1. Catching IMSIs is much easier with LTE, and so are the other methods that are used.

2. The GSM features remain as a fallback, for example if the SS7 attack doesn’t work.

3. The possibilities of manipulating the firmware are more advanced than in 2G.

Sources and papers about 5G / LTE / UMTS surveillance and security:

[1] LTE & SS7 Security: http://arxiv.org/pdf/1510.07563v2.pdf

[2] Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information  https://www.ndss-symposium.org/wp-content/uploads/2018/03/NDSS2018_02A-3_Hussain_Slides.pdf

Practical Attacks against Privacy and Availability in 4G/LTE Mobile Communication Systems http://arxiv.org/pdf/1510.07563v2.pdf

[3] aLTEr Attack (MITM, DNS spoofing on LTE): the IMSI catcher also transmits a signal to the phone. It tries to manipulate the DNS to redirect all data that is sent from/to the mobile device. It uses 2 attack vectors. Paper: breaking_lte_on_layer_two.pdf (pre-paper 7-2019) https://alter-attack.net/#paper

http://dl.ifip.org/db/conf/networking/networking2016/1570236202.pdf

Details about SS7 requests and messages: TS 29.338 Section 6.3.2, TS 29.305 Section A2.5.2.3

Other papers and projects about next generation surveillance:


5G Is Here—and Still Vulnerable to Stingray Surveillance 

https://www-wired-com.cdn.ampproject.org/

Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane https://syssec.kaist.ac.kr/pub/2019/kim_sp_2019.pdf

New Privacy Threat on 3G, 4G, and Upcoming 5G AKA Protocols
https://eprint.iacr.org/2018/1175.pdf

Easy 4G/LTE IMSI Catchers for Non-Programmers: https://arxiv.org/pdf/1702.04434.pdf

LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE (Protocol Layer) http://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2018/02/ndss2018_02A-3_Hussain_paper.pdf

Stingray Manuals https://theintercept.com/2016/09/12/long-secret-stingray-manuals-detail-how-police-can-spy-on-phones/

SS7 Exploit Kit http://www.forbes.com/sites/thomasbrewster/2016/05/31/ability-unlimited-spy-system-ulin-ss7/#2e1591887595

IMSI Catcher 2.0 and LTE fake base stations: Hackday: lte-imsi-catcher

– zdnet: Stingray-security-flaw-cell-networks-phone-tracking-surveillance

White-Stingray: Evaluating IMSI Catchers Detection Applications

Anatomy of Commercial IMSI Catchers and Detectors