Analysis of the Oslo IMSI-Catcher Radio Surveillance Data

Analysis of the Oslo IMSI-Catcher Radio Surveillance Data Torjus Bryne Retterstøl IMSI-Catcher Seminar Simula Research Lab, Aug. 26, 2015


Torjus Bryne Retterstøl

• Education: NTNU M.Sc. / Siv.Ing. Communication Technology, Information Security Specialization

• Job: IT security Consultant at Accenture

Master thesis work in spring 2015 with supervisor: prof. Stig F. Mjølsnes, Dep. of Telematics

«Base Station Security Experiments Using USRP» (June 2015)

– Built an IMSI-catcher and did some experimentation

– Analyzed Aftenposten's investigations


Outline

1. Brief Background

o Cell selection/ reselection

o IMSI-catcher behavior

2. Some Data Analysis Results

o LAC Change

o Provider Anomaly

o Large reselection values


Cell Selection / Reselection

• ”Camp on a cell”: Connected to selected radio cell

• MS mobility requires selection & reselection of cells:

• Selection Criteria:

– Path loss criterion: C1 (Determined by signal strength)

– Camp on the cell with the largest C1 value

• Reselection Criteria:

– Cell reselection criterion: C2, calculated from C1 and values broadcast by the cell

– Continuously monitor up to 6 cells with best signal strength, compute C1 and C2

– Reselect to the cell with largest C2 value (given some criteria)


C2

$C2 = C1 + \text{Cell Reselect Offset (CRO)} - \text{TO} \cdot H(\text{PT} - T)$

Cell Reselect Offset (CRO) = {0,63}

– 2 dBm steps. For example CRO=3 → 6 dBm

– CRO cannot be odd

Temporary Offset (TO) = {0,7}

– 0…6 represent 0 – 60 dBm, 7 represents infinity

– TO cannot be odd, unless infinity

• C difference (C2-C1) cannot be an odd value


IMSI-Catcher Behavior

• Goal: Retrieve IMSIs

• Boost C2 value – force camping on cell

• Broadcast different LAC than other, nearby cells

• Resulting in Location update including TMSI/IMSI

• MS must send a location update when

– Switch on and selects a cell

– Periodic intervals while camping on a cell

– Reselecting to a new location area/cell


Analysis


Cell/Channel LAC Change

• Only LAC changes, all other values static

• LAC changes only for one measurement (seconds)

• RxL does not fluctuate

• Likely same sender

• Observed other days with similar RxL and configuration

• LAC changes to another operator's LAC


Provider Anomaly

• Two Telenor cells appear in the neighbour list of a Network Norway cell

• Not typical IMSI-catcher behavior

• Network Norway and Telenor roaming agreement


Cell 32478 Myntgata

• «Strongest evidence» of IMSI-catcher activity

• LAC not used by any other cell in Oslo

• Abnormally high C2 values

• C difference is an odd number

– Should not be possible
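The three criteria on this slide, applied to measurement records, as an added example that is not code from the slides or the thesis. It generalizes the odd-number check to "C2-C1 is not any value the C2 formula can produce". The record fields, the sample values, the `high_c2` threshold and the treatment of H as a 0/1 step function are assumptions.

```python
from collections import defaultdict

def possible_c_differences():
    """All finite C2 - C1 values the C2 formula allows.
    CRO code 0..63 in steps of 2, TO code 0..6 in steps of 10 (code 7 = infinity
    is skipped); H is assumed to be a step function taking the value 0 or 1."""
    return {2 * cro - 10 * to * h
            for cro in range(64) for to in range(7) for h in (0, 1)}

def flag_cells(measurements, high_c2=80):
    """Map cell id -> list of reasons, using the three criteria from the slide.
    high_c2 is an assumed threshold; the slides give no number."""
    allowed = possible_c_differences()
    cells_per_lac = defaultdict(set)
    for m in measurements:
        cells_per_lac[m["lac"]].add(m["cell"])
    flags = defaultdict(list)
    for m in measurements:
        reasons = []
        diff = m["c2"] - m["c1"]
        if diff not in allowed:  # covers every odd difference
            reasons.append(f"C2-C1={diff} not producible from CRO/TO")
        if m["c2"] >= high_c2:
            reasons.append(f"high C2={m['c2']}")
        if len(cells_per_lac[m["lac"]]) == 1:
            reasons.append(f"LAC {m['lac']} used by no other cell")
        for r in reasons:  # keep each reason once per cell
            if r not in flags[m["cell"]]:
                flags[m["cell"]].append(r)
    return dict(flags)

# Constructed sample records (not values from the Oslo data set).
SAMPLE = [
    {"cell": 1001, "lac": 2101, "c1": 30, "c2": 36},
    {"cell": 1002, "lac": 2101, "c1": 25, "c2": 25},
    {"cell": 1003, "lac": 2101, "c1": 40, "c2": 30},
    {"cell": 9001, "lac": 7777, "c1": 42, "c2": 99},
]

if __name__ == "__main__":
    for cell, reasons in flag_cells(SAMPLE).items():
        print(cell, "; ".join(reasons))
```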


Explanations of Other Anomalies

• Misinterpretations of the data

• Misconfigurations by Norwegian operators


Conclusion

• Delma found anomalies, but did not analyze them

• No clear evidence of IMSI-catchers

• Two suspicious measurements


Thank you

• Full thesis available at

– http://1drv.ms/1Bx5vMq
