[Gsmmap] Newbro here, False positives

Emanuel emanuel at srlabs.de
Tue Dec 20 12:30:53 CET 2016


Dear James,

To answer your questions,

On Thu Dec 1 00:48:13 CET 2016, James L wrote:
> weak ciphers seem to be common in UK and particularly in 1G cells?

Not sure this is what you really meant. 1G systems use analog
modulation to transmit data as a continuously varying waveform, and
does not have any encryption. If you meant 2G, then see below.

> Is it possible to see specifically, crypto downgrading in same
> cell by same carrier, or when any cell sets to A5/0?

Yes, that is part of what Snoopsnitch does. The question is, why
would a mobile service provider downgrade your crypto algorithm?
They generally don't, unless their equipment is wrongly
configured or malfunctioning. So if you see this, and you're
not moving around between cells, then you're probably dealing
with an attack/interception using a fake basestation.

> A5/2 is a weaker export version of A5/1?

Yes, that's correct, but A5/1 can now be cracked in near realtime.
So if you're concerned about this, then you need to look for
downgrades from A5/3 (or above) to any of A5/0,1,2.

A5/0: no encryption
A5/1: the "original" unweakened GSM encryption algorithm
A5/2: the "export variant" weakened version of A5/1
A5/3: Based on KASUMI algorithm and used in 3G GEA1 etc.
A5/4: Based on SNOW algorithm and used in 3G and 4G LTE networks.

> The scoring mechanism is good as a scale but remains vague.

It's pretty clear here:
https://opensource.srlabs.de/projects/snoopsnitch/wiki/IMSI_Catcher_Score

How these parameters are tuned to trigger an alarm also
depends on each other and that is done by SQL within our
database and in the analysis stage. All code is open for
your inspection.

I hope this helps answer your questions.

Best Regards,
Emanuel
(Security Research Labs)
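
The same-cell downgrade check described in the message above (A5/3 or above dropping to A5/0, 1 or 2, and any use of A5/0), as an added example that is not part of the original message and is not SnoopSnitch's own SQL. The `session` table, its columns and the sample rows are constructed for illustration.

```python
import sqlite3

# Constructed observations, not real captures. Hypothetical columns:
# (ts, mcc, mnc, lac, cid, cipher) where cipher n means A5/n.
SAMPLE = [
    (100, 1, 1, 1201, 4001, 3),
    (160, 1, 1, 1201, 4001, 3),
    (220, 1, 1, 1201, 4001, 1),  # same cell: A5/3 -> A5/1
    (300, 1, 1, 1201, 4002, 1),  # another cell, always A5/1: weak, but no downgrade
    (360, 1, 1, 1201, 4002, 1),
    (420, 1, 2, 77, 9001, 3),
    (480, 1, 2, 77, 9001, 0),    # same cell: A5/3 -> A5/0
    (540, 1, 2, 77, 9001, 3),    # back to A5/3: an upgrade, not flagged
]

# Compare each observation with the previous one on the SAME cell, so that
# moving between cells with different ciphers is not reported as a downgrade.
DOWNGRADE = """
WITH ordered AS (
  SELECT ts, mcc, mnc, lac, cid, cipher,
         LAG(cipher) OVER (PARTITION BY mcc, mnc, lac, cid ORDER BY ts) AS prev
  FROM session
)
SELECT ts, mcc, mnc, lac, cid, prev, cipher
FROM ordered
WHERE prev >= 3 AND cipher <= 2
ORDER BY ts
"""

# Any observation with encryption switched off entirely.
NO_CIPHER = "SELECT ts, mcc, mnc, lac, cid FROM session WHERE cipher = 0 ORDER BY ts"

def run(rows, query):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE session (ts INTEGER, mcc INTEGER, mnc INTEGER,"
               " lac INTEGER, cid INTEGER, cipher INTEGER)")
    db.executemany("INSERT INTO session VALUES (?,?,?,?,?,?)", rows)
    found = db.execute(query).fetchall()
    db.close()
    return found

def find_downgrades(rows):
    return run(rows, DOWNGRADE)

def find_unencrypted(rows):
    return run(rows, NO_CIPHER)

if __name__ == "__main__":
    for ts, mcc, mnc, lac, cid, prev, cur in find_downgrades(SAMPLE):
        print(f"t={ts} cell {mcc}-{mnc}-{lac}-{cid}: A5/{prev} -> A5/{cur}")
```

The window function needs SQLite 3.25 or newer.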

