[Gsmmap] detect femtocell

Emanuel emanuel at srlabs.de
Fri Dec 16 15:16:28 CET 2016

Dear Joshua,

Thank you for the pcap traces.

Snoopsnitch "detects" all connections. But to specifically distinguish
between a normal BTS and a Femtocell is only possible if the femtocell
traces have any identifying and unique trace information that is
different from what you would find on a full BTS. However, this is not a
planned feature of Snoopsnitch, so we have not implemented any method to
detect this.

In the past there were some success of identifying some very specific
CDMA Femtocells, such as those provided by Verizon (US). That was
because they had a very specific and simple NID signature, a range of:
0xfa to 0xff. So unless the provider sets this and it is well known to
the public, it would be hard (if not impossible) to distinguish a real
Femtocell from the rest of the network, without network radio/packet

For GSM (and LTE) there have been other (less successful) proposals for
looking at LAC/RAC ranges. But this would also require you to know in
advance how they decided to allocate the Femtocell LAC/CID/RAC ranges
from each network provider, in each country. Which seem to be an
unlikely scenario.

(Security Research Labs)

On Tue Dec 13 20:04:01 CET 2016: Joshua Brindle wrote:
> Hello,
> Is it possible for Snoopsnitch to detect a connection to a femtocell?
> I connected to one in a ramsey box and only got a5=1, and presumably
> wouldn't even get that if there were other visible towers.
> Attached is a pcap, if it helps.
> Thank you.

More information about the Gsmmap mailing list