Changing LAC on same CID

[He3556]

The LAC (Location Area Code) describes a set of Cell Towers (with different IDs) like below:

Step 1 of the IMSI-Catcher (picture 1): Masquerade like a real BTS and send with more power than the original, so a cell phone would connect to it. But if the connection is established it is still using the TIMSI (Temporary IMSI).

Step 2 of the IMSI-Catcher (picture 2): One possibility to get the IMSI:

• Change the LAC of the BTS (picture 2), so that the Location Update Procedure is initiated.

If the MSC (Controller of a group of BTS) is also changing with this location update, then the phone would have to send the IMSI. Or if the location update fails it will also send the IMSI.
See Figure 4.1.1.1 [http://www.qtc.jp/3GPP/Specs/23012-520.pdf]

However, the Catcher-Catcher Project gives a yellow or a even a red flag if the LAC is changing, so we really should implement this. It is also quite simple to do, because we have the values LAC and CellID. If the CellID changes the LAC over the time – we can show a yellow flag – if it changes more than once we show a red flag. This happens while the IMSI-Catcher is catching IMSI’s – not when a call is established. So you don’t have to be the victim to detect a fake BTS.

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

[SecUpwN]

Thanks for opening this Issue, @He3556. Makes sense to me and is in line with the Status Icons. But should we really be showing Status Red when it changes more than once? Guess Orange for "HIGH" would be better in this case until we can add additional tests to verify that this particular user is being traced. @E3V3A, your opinion? @xLaMbChOpSx, how far away is this "easy" implementation for you?

[He3556]

yes right, we have orange, so let's use this first.

[E3V3A]

He3556 : Very clean and nice description. Thanks. We probably don't wanna make it "red" immediately (which is why we have that score table) because it could easily change under simple conditions such as:

1. You're moving your phone around (don't be when using AIMSICD)
2. You're just between two or more cell towers or inside a building where you have one on one side of the house and another on the other side.
3. Your phone is connected to a UMTS cell and you just sat down at some place where there is also a GSM cell, and you have set your phone's settings to prefer GSM cells. (or vice versa)

[SecUpwN]

1. You're moving your phone around (don't be when using AIMSICD)

@E3V3A: Rather "Impossible" since I always run AIMSICD while on the move. @He3556 does it, too.

[E3V3A]

Yes, so here is a good place we can actually use signal strength. Because when connected normally, you will have one, and if for some reason another one pops up with a completely new a better signal, with the same LAC/CID that is rather abnormal. So it's use would be a "relative" signal strength, that suddenly changes in time, but not place.

[He3556]

Wouldn't it (signal strength) belong to the statistic detection? Because you need data of the BTS history, so you can tell if the signal is changing in a abnormal way. A changing LAC you can detect immediately, event if you are in a new area and without data from the CellID db.

And than, if both values change (LAC and Signal Strength) you can be quite sure, that there is something going on.

So let's separate the 2 strategies and maybe open a new Issue "Detection 3: Changing Signal Strength"?

[E3V3A]

You're absolutely right!

[He3556]

First "rough" detection flow chart of this issue