I would like to speak about IMSI catchers and playing tag or hide-and-seek with IMSI catchers, and explain why they're pretty bad at playing hide-and-seek. This is going to be the outline of my talk. I'll be speaking about what an IMSI catcher is, what they can do and how you can observe them doing that, and then give you some practical examples. And to conclude, I would like to look into the future and explain why this is not likely to get better with 4G and 5G. I've been working on this subject for 4 years now at GSMK in Berlin, and that's where I have my experience from.

What are IMSI catchers? There are various varieties of these. On the left you see a device that fits in a backpack or even a small handbag. Then there are these antiquated home-made devices that use SDRs, or highly complex suitcases. And so the range of what IMSI catchers can do is pretty broad as well: from catching phones and reading base data to opening call histories. IMSI catchers imitate normal base stations, or pretend to open a new one. But in order to do this, because they're after catching phones, they have to make themselves very attractive to telephones. And that's why they tend to be fairly obvious. IMSI catchers can start as individual base stations, where they only open one base station, but there are also very complex setups where a base station opens 2G, 3G and 4G simultaneously. That's why the range of what they can do is very large. And this leads to the fact that also explains its name: they try to read the IMSI and IMEI of telephones. That's a classic setup, and the name really gives it away. The anecdote I tend to tell here is that it started as a surveillance instrument for police, in order to find people whom they wanted to surveil but who tended to change telephones a lot. And that's where they started using IMSI catchers to find out what the current phone contract of the person they're interested in is.
So they would open or place these IMSI catchers, the telephones that are in the vicinity register with their base stations, and they do this a few times at various places, and finally they'll know which IMSI corresponds to the target person. That's where their name comes from. That's the classic model. But of course these days they can do a lot more than simply reading IMSIs, and this ranges from determining location down to a few meters, to reading data traffic, and completely jamming communication.

I'm going to explain in detail how this works, and I will start with reading IMSIs and IMEIs of a baseband. During authentication these are sent for the first time. So when you use a network or a base station for the first time, that's what happens. And after that there's a mechanism in the phone specs that is called location update. It's meant for moving from one cell or location area to the next. And when you do this, the IMSI is sent another time, and that's a mechanism that IMSI catchers like to use. Location updates are also done regularly to tell the network, well, ping the network or tell the network "I am still here", and there too the IMSI is sent along, and that's the base mechanism that IMSI catchers use to read IMSIs.

For determining location they use features of 4G that are called measurement reports. They are built into the network to give telephones and basebands the best possible network, and the network can ask the telephone where it is and the telephone replies with its location, and that's of course a mechanism that IMSI catchers like to exploit. This feature doesn't exist in 2G or 3G. There they use signal strength and triangulation over 3 or 4 antennae to determine location during calls. Bear in mind that these can be silent calls that your telephone doesn't tell you about. So the IMSI catcher starts a phone call to your telephone, but your telephone doesn't actually ring and still sends your location though.
There are some very nice patents on this as well. Google is very helpful in searching for patents. You can search all the registered patents, and IMSI catchers too can't help themselves, can't help registering patents. So this is a very good method of understanding how things work. This is an excerpt from one of these patents, and the gist of it is that they have a baseband that's normally used for call handling. They have a state machine that goes from idle, where nothing happens, through ringing or alerting, all the way to an active call, and they push the state from one to another. This entire patent is based on the fact that they start opening a call, but then they don't send what the baseband expects. Your telephone never rings, but the resources are still being allocated, so they can measure where you are. So it's a great idea to look at patents regularly. You can find a lot there.

People often wonder if they can listen in, and they actually can, but it's a very complex setup. So these home-built IMSI catchers probably can't do this. As an IMSI catcher you need at least two basebands, one for simulating a normal base station and another that goes into a sort of client mode in order to continue processing the call, and they have to calculate the encryption keys in order to be able to record or listen in on the call. Talks at previous congresses have shown how these algorithms can be broken. There's the A5/2 algorithm in 2G, which is a secret service algorithm that was first defined or specified in the 80s; that's been broken for a long time. And if none of this works, there's still SS7, which is a protocol that network devices like to speak among themselves, and this allows them to fetch the keys and use them internally. It's a bit more difficult in 3G and 4G, and that's why they try to enforce a downgrade to 2G when you want to make a call, in order to make it easier to listen in on your calls.
And this rainbow table lookup is difficult with the mobile resources that an IMSI catcher has, and that's why they do IP uplinks and use backends in order to query the rainbow tables rather quickly, which allows them to decrypt the call live. All of this is what the IMSI catchers have to coordinate and combine, 2G and 3G things, where they can downgrade the telephone from 3G to 2G, where they can listen in on the call. I found another patent on this, and it shows this process of downgrading from 3G to 2G that's been patented here, and they use mechanisms from the UMTS specifications in order to tell the telephone to continue on 2G instead of 3G, and then they can take over the call.

The next is DoSing the basebands using the capabilities of the IMSI catchers. It's a very simple mode, and the way you can recognize these simple IMSI catchers is the fact that you can no longer make calls. You don't get an uplink and you can't really make any calls, SMSs no longer reach their recipient, and that's a great way to notice simple IMSI catchers, but of course initially you're cut off and you don't really notice what's happening. It's more difficult with 4G. Again I have a paper from the Technical University of Berlin where they're using a similar thing to the location update, in this case it's a tracking area update, where the mobile tells the network that it wants to enter the next tracking area, and then the network, or in this case the IMSI catcher, tells the handset that it's not allowed, along with a special reject code, which causes the mobile device to think that it's no longer allowed to use the 4G network, and it never does again until you take out and reinsert the SIM card.
It's somewhat more secure in 4G, but it still is possible, and I'm going to come back to that later. All of this is happening where normal phones are not showing anything, because the baseband is just a black box, and even with smartphones there are no APIs which will let you see what's going on. You get an MCC from your phone operator and that's all. There are some ways which are known: 70% of the phone operators are using Qualcomm, and there are some ways of using Qualcomm, and there are several projects finding ways in this context. It's a debug interface that Qualcomm has built for themselves, DIAG, exported as a serial port as soon as you use a baseband, which can be used for debugging, and Linux is able to use this with kernel patches. This way it's possible to get hands on all the raw data which is being forwarded to the baseband; it's possible to identify the baseband data, and things like the Osmocom stack can be used to get this, so that you can use Wireshark to see what's going on. We have used this to make some kind of baseband firewall, so you can see on your own phone if you're on an IMSI catcher, and we can place sensor devices to detect changes in the environment if someone is starting an IMSI catcher.

When you collect the data (this is data from a live session) one can identify some base stations which are invented: some base stations have no identity and no location at all, and some of them have location codes which are not correct in comparison. This is a trick which is being used to make the handset ask for a new location, for a new connection. This is a location update, where the handset is requesting a location update at timeout or by changing the location; the network is asking for identification, the smartphone is sending an authentication, and the answer is ciphering commands, so you can use this to identify IMSI catchers. At last there is a TMSI assigned to the handset, and this could be a temporary ID which will identify the IMSI catchers as well. The algorithms: one of the possibilities is to use a fake cipher, to stop the use of the A5 algorithm at all. The T3212 is available in 2, 3 and 4G. There is a live system broadcast; when the timeout has occurred, the handset will be requested to make another update and send a request for location. This is a live session recording, O2 network from Germany, where you would expect the location to be... You can look at the time between requests: it was 39 minutes and it changed to 2, and this is a giveaway for the existence of an IMSI catcher.

If you see all these parameters, you can see pictures like this: he is allowed to make a telecom cell, and he has made some error. He locates base stations in the vicinity and makes a slight change to the name; there is a new location code for the existing base station; one can find a new base station; signal strength is quite high. The first observation is being tampered with; there is an unusual value; this is quite obvious, it is a giveaway. This is quite easy: it is an old protocol from the 80s, where it was not normal to be asked for an identification, and in 3G, 4G unfortunately important communications are taking place before the identification, the encrypted identification. The methods are as well jamming the 3G, 4G frequencies, so the handset will switch back to 2G automatically; it is possible to make a remote update downgrade of the handset using the SS7 protocol to make it use a 2G network. This makes it harder to do things in 3G, 4G; there are these known attacks, but it is still not secure, and there are several attacks that are based on these principles which are presented in talks and papers, and there are important steps taken before the security mode is activated. In 4G, 5G it is expected that most of these will still be possible; there will be a later talk on this subject, but we expect IMSI catchers to be a problem in the future as well. The request we have to state is the... we don't... the
principles of having black boxes delivered by the... The things we need are open basebands; the problem is that the software is proprietary, Qualcomm, and you have to sign a thousand NDAs at Qualcomm to get your hands on anything. And I think that is an important demand, to forbid IMSI catchers, a proper demand. That was my overview of playing tag or hide and seek with IMSI catchers, and now we have time for questions and answers.

You know how the game works: we have microphone angels, just wave to them, or if you are watching the stream then go to the chat and ask your question there. There is a question from the internet already. The internet wonders what software was being used in the screenshots that you showed.

These are screenshots from our system that we use. It is proprietary software we use; you can ask me in person.

How do we contact you then?

gsmk.de, there are email addresses and contact forms. Or you, do you have a question over there? Somebody has raised their hand.

Is there an overview of the IMSI catchers that exist on the market? I know in North Rhine-Westphalia we have devices from Rohde & Schwarz. Is there any overview of how to recognize these?

Yes, looking for patents is really helpful in discovering these manufacturers. I don't have a list myself, but these are the big players: Rohde & Schwarz, Israeli manufacturers, Swiss manufacturers. But there is no one list, at least not that I have found. You could maybe start compiling one in Wikipedia.

Back, please. I was wondering about the remote downgrade over SS7: that it manipulates data at the home provider, did I get that right? And does that require their permission, or do you open a new one?

It's interesting, it's a very new method. We wonder how they might be pulling that off. They're advertising it, but it's very new. You need to be able to access SS7, and once you have that there is generally a certain trust; it's a very old protocol and you're basically allowed to do what you want, because it's assumed that it's only being used by benevolent actors. So I imagine you need access to SS7, not much more.

Is there a way to prevent the 2G downgrade and to only allow your phone to use 3G and 4G, maybe even to restrict it to certain encryptions?

There are telephone settings for this, but because the baseband is a black box I'm not sure how trustworthy these are. I think it's a good idea if you live in a city that has good 4G coverage; you can do that in your Android ROM or whatever, but I wouldn't trust it 100%, because at the end of the day you don't know what the baseband is doing. But it's a good idea to try. So, do we have another question?

What kind of components do you need to build an IMSI catcher, how complicated is that?

You basically need, well, there are USB sticks that have a Qualcomm baseband, that are LTE modules. You need a Linux; you can open the DIAG interface as a serial interface, and there's a DIAG password that's really helpful that allows you to read the communication of the interface, and then Wireshark on top lets you dig for things in the output. And then you'd need to put it all together and look for these parameters, but it's essentially a fairly simple setup.

Are there other methods than apps such as SnoopSnitch for discovering or avoiding IMSI catchers?
Not that I know of. There's AEM, something that... they don't use the DIAG interface; instead they try to play numbers games and look up cell IDs and open cell IDs and other data. I don't think that gets you far enough. You can see certain things when they're sufficiently rough, with certain IMSI catchers, but you basically have to dig deep into the protocol. I haven't seen any that do this, so I'd have to say that SnoopSnitch has done a pretty good job at this.

I have a question: how about other vendors than Qualcomm, for example MediaTek or Intel or Infineon chips?

They have the same problem. They talk the GSM, 3G, 4G specs, and that makes them vulnerable to IMSI catchers, and at the same time you don't have an interface such as DIAG to observe them, or at least I don't know that they have one. Intel basebands used to have a method of looking deeper into this, but I'm not sure if that's still possible.

Hi, you spoke of methods of analysis and defense, but do you know any offensive methods to work with IMSI catchers, or what do you think about this?

I think it's something we have to consider and we have to think about. The scenario would be to simply DoS the IMSI catcher with lots of basebands that try to dial in and thus exhaust its resources, but the problem is that this would also endanger benevolent base stations, so it's not really a scenario that I want to work on any further. But a simple thing you can do, once you've recognized an IMSI catcher, is to find it physically and remove it. But if you have a larger area, that may not be quite as simple. But that's the most useful scenario I can consider. Does the internet have any more questions? Perhaps somebody's coming.

IMSI catchers use IMSI and IMEI. Are there any methods to quickly change these numbers?

It's difficult. The IMEI is fixed and unchangeable, immutable in any baseband that's being assigned. Of course you could try to reverse engineer the software that's running on it and to manipulate certain values. It's an idea, it's possible, but it's not really possible to spoof it; you're not supposed to be able to do that. As far as IMSI goes, I don't see a lot of opportunity, because it's the central element of authenticating with your operator, which then allows you to use the telephone or the internet, so once you spoof that you're no longer allowed to use the network. So it's impossible for IMSI; it's potentially possible for IMEI. Internet, any questions from the internet? Everybody has melted. (Applause)
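The indicators the talk describes (invented cells with no identity, a location code that does not match the neighbouring cells, the T3212 periodic update timer jumping from 39 minutes to 2, a ciphering command that switches encryption off, an identity request for IMSI or IMEI although a TMSI is already assigned, and a new cell with suspiciously high signal strength) can be combined into simple detection logic. The following is an added example written for this transcript; it is not GSMK's baseband firewall, SnoopSnitch, or any code shown in the talk. The observation record format, the thresholds and the sample data are assumptions constructed for the illustration; on a real device the records would be decoded from a baseband diagnostic interface such as Qualcomm DIAG.

```python
"""Heuristic IMSI-catcher indicators over a stream of serving-cell observations.

Added example for the talk transcript above; not GSMK's or any vendor's code.
Record format, thresholds and sample data are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CellObservation:
    """One snapshot of the serving cell as seen by the baseband (assumed format)."""
    lac: int                                  # location area code from System Information
    cid: int                                  # cell identity
    rxlev_dbm: int                            # received signal level of the serving cell
    t3212_min: int                            # periodic location update timer, minutes
    neighbour_lacs: Tuple[int, ...] = ()      # LACs advertised by neighbouring cells
    cipher: Optional[str] = None              # "A5/1", "A5/3", "A5/0" (no encryption), or None
    identity_requested: Optional[str] = None  # "IMSI", "IMEI" or None
    tmsi_assigned: bool = False               # TMSI reallocation seen after ciphering


@dataclass
class Baseline:
    """What the phone has learned about the genuine network so far."""
    lac_by_cid: dict = field(default_factory=dict)
    t3212_min: Optional[int] = None
    has_tmsi: bool = False


STRONG_SIGNAL_DBM = -60  # assumed threshold: far stronger than the surrounding macro cells


def score_observation(obs: CellObservation, base: Baseline) -> List[str]:
    """Return the list of indicators this observation trips against the baseline."""
    findings = []
    known_lac = base.lac_by_cid.get(obs.cid)
    if known_lac is not None and known_lac != obs.lac:
        findings.append(f"cell {obs.cid} changed LAC {known_lac} -> {obs.lac}")
    elif known_lac is None and base.lac_by_cid and obs.rxlev_dbm > STRONG_SIGNAL_DBM:
        findings.append(f"unknown cell {obs.cid} with unusually strong signal ({obs.rxlev_dbm} dBm)")
    if obs.neighbour_lacs and obs.lac not in obs.neighbour_lacs:
        findings.append(f"LAC {obs.lac} matches none of the neighbour LACs {sorted(set(obs.neighbour_lacs))}")
    # A periodic update timer cut to a quarter or less forces the phone to re-register quickly
    if base.t3212_min is not None and obs.t3212_min * 4 <= base.t3212_min:
        findings.append(f"T3212 shortened from {base.t3212_min} to {obs.t3212_min} min")
    if obs.cipher == "A5/0":
        findings.append("ciphering disabled (A5/0)")
    if obs.identity_requested == "IMSI" and base.has_tmsi:
        findings.append("IMSI requested although a TMSI was already assigned")
    if obs.identity_requested == "IMEI":
        findings.append("IMEI requested")
    return findings


def analyse(observations: List[CellObservation]) -> List[List[str]]:
    """Score each observation in order; only clean observations extend the baseline,
    so a suspicious cell cannot teach the detector that its values are normal."""
    base = Baseline()
    report = []
    for obs in observations:
        findings = score_observation(obs, base)
        report.append(findings)
        if not findings:
            base.lac_by_cid[obs.cid] = obs.lac
            base.t3212_min = obs.t3212_min
            base.has_tmsi = base.has_tmsi or obs.tmsi_assigned
    return report


# Constructed sample session: two genuine cells, then a rogue cell reusing a known
# cell identity, then a second rogue cell that is simply new and very loud.
SAMPLE = [
    CellObservation(lac=1234, cid=40001, rxlev_dbm=-78, t3212_min=39,
                    neighbour_lacs=(1234, 1234, 1235), cipher="A5/3", tmsi_assigned=True),
    CellObservation(lac=1234, cid=40002, rxlev_dbm=-82, t3212_min=39,
                    neighbour_lacs=(1234,)),
    CellObservation(lac=9999, cid=40001, rxlev_dbm=-45, t3212_min=2,
                    neighbour_lacs=(1234, 1235), cipher="A5/0", identity_requested="IMSI"),
    CellObservation(lac=1234, cid=77777, rxlev_dbm=-48, t3212_min=39,
                    identity_requested="IMEI"),
]

if __name__ == "__main__":
    for i, findings in enumerate(analyse(SAMPLE)):
        print(i, "clean" if not findings else "; ".join(findings))
```

Each indicator on its own can have an innocent explanation (an operator really can re-plan a location area or change T3212), which is why the score lists every tripped indicator rather than a single verdict; the third observation trips five at once, which is the kind of picture the talk calls a giveaway.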