[Catchercatcher] Status flag/parameter specifications
vonankh at gmail.com
Sun Jan 15 18:49:59 CET 2012
I would like to implement some of the features of "catchercatcher"
into an open-source Android application. But since I am neither an
Android developer nor a hardcore GSM hacker, I have quite a few
questions. But in order not to confuse the mailing list response to
these questions, I will try to send/post them separately.
My first post concerns the output & results from the OsmocomBB
"catchercatcher". After having inspected some of the source code of
the OsmocomBB, without much enlightenment, I need to better understand
the relationship of the typical "catchercatcher" output and the list
of IMSI catcher detection parameters as presented on the Wikipage.
Param Flag Evidence
S1 R No encryption after using encryption with the same operator before
S2 Y Cipher mode complete message is sent more than twice
S3 R ... more than four times
S4 Y IMEI not requested in Cipher Mode Complete message
L1 Y The LAC of a base station changes
L2 R The LAC changes more than once
L3 Y The LAC differs from all neighboring cells
L4 Y The network queries the phones IMEI during location update
L5 Y The registration timer is set to a value < 10 minutes
L6 Y The "IMSI attach procedure" flag is set
L7 Y Receive a silent text message
L8 R You are paged, but do not enter any transaction
L9 R Being assigned a traffic channel but not entering call control
state/receiving a text message for 2 seconds
L10 B ... 10 seconds
L11 Y You do not receive a call setup message while already being on
a traffic channel for 2 seconds
L12 R ... 10 seconds
L13 Y Your phone sends at the highest possible power
OsmocomBB catchercatcher output:
> show catcher
Catcher status for MS '1'
rach sent: 2
high pwr: 0.00
no cipher: 0
no IMEISV: 1
first alg: A5/1
last alg: A5/1
MCC: 610 (610, 0)
MNC: 31 (31, 0)
LAC: 213 (213, 13)
IMSI req: 1
IMEI req: 0
status flag: RED
So the general form of my question is: "How does the various detection
parameters correlate to the output of OsmocomBB?"
But to answer this, we probably need to address the following questions:
1. How is the "status flag: X" calculated from the other parameters
(directly above it)?
2. How does this output correlate to the various S/L detection parameters?
3. Some of the detection criteria is obvious, but others remain
cryptic at best. I need to understand what you mean with the following
ones. Could you elaborate on the following items & comments:
S2/3: If I have understood the ciphermode/attachment procedure right,
then it is the MS that sends ciphermode complete (CIPH_MOD_COM)
message, after it has received the Set Cipher Mode Command
Question 3a: Why do you care about how many times the handset sends,
instead of how many times it receives the request?
S4: This is not clear, it just doesn't make sense.
Question 3b: Where does it say that the IMEI should also be
transferred (in this response)?
L1/2: This is okay, but need improvement: Your MS better be still,
because just waving my MS around I can get it to change LAC.
L4: I read somewhere that the network always should query the IMEI
after location update, i.e. its standard.
Question 3c: Did I miss something? And if I did miss something, how
would this query fit in with normal operation procedures?
L5: Question 3d: What do you mean with "registration timer"?
L6: Since when an MS is switched on in a new LAC, it sends an "IMSI Attach"
request, which is cancelled after receiving the MS acknowledgment message.
Question 3e: Shouldn't this rather be a timing limit, and not a flag?
L7: Ok, but:
a) What is the SMS class enumeration (TS 23.038) for this?
(CLASS_1, CLASS_2 or something else?)
b) How is this checked? In what layer/sublayer?
L8: Question 3g: If you by "paging" mean the (MT) RR Paging Request,
this should also be a timing "flag", right?
L9/10: Please elaborate!
L11/12: Please elaborate!
In general it would be more helpful if you could provide the general
(or standardized) names of these different flags as related to the
functions defined by the GSM documentation, if possible?
Question 4: It would also be of help to know which of these you
consider more important? (How do you arrive at giving the parameters a
particular flag color?)
Question 5: Could someone please better describe and elaborate on the
"show catcher" output?
I know this is a full load of questions, but I appreciate your
patience and any other useful information you may provide. More
questions will be posted later.
Thanks in advance,
More information about the Catchercatcher