
There's been a lot of reporting in the past few years about law enforcement agencies using IMSI catchers (also known as Stingrays after a popular brand of them) to intercept cellular communications.

If I understand correctly, what IMSI catchers do is basically a man-in-the-middle (MITM) attack, by insinuating themselves between cell phones and cell towers.

However, in the context of the Internet, we've known how to defend against MITM attacks for decades (namely, through public-key cryptography).

Why aren't IMSI catchers rendered ineffective by similar defenses employed in cellular networks?

AndreKR
HighCommander4
    Not even public key cryptography as currently used in practice protects against all MitM attacks, particularly when meta-data is the target. It can't protect against malicious BGP announcements side-tracking and re-forwarding traffic, for instance, which is actually quite analogous to how IMSI catchers work. – Xander Mar 15 '16 at 16:13
    Public key crypto *could* be used to protect against evil advertisements, if people would implement secure BGP, but nobody bothers. – Xander Mar 15 '16 at 16:17
  • At first I thought you meant the animal when I read the title in the sidebar. – Keavon Mar 15 '16 at 22:35
  • "The GSM specification [1990] requires the handset to authenticate to the network, but **does *not* require the network to authenticate to the handset**. This well-known security hole is exploited by an IMSI catcher." https://en.wikipedia.org/wiki/IMSI-catcher – Colonel Panic Jul 13 '16 at 10:56
  • @HighCommander4 "in the context of the Internet, we've known how to defend against MITM attacks for decades." You flatter that certificate authorities are a satisfactory solution to prove authenticity. See http://privacy-pc.com/articles/ssl-and-the-future-of-authenticity-2-certificate-authorities.html – Colonel Panic Jul 13 '16 at 14:22
  • “So, certificate authorities was the deal”, and he [Kipp Hickman] said “Oh, that whole authenticity thing… We just threw that in at the end. We were designing SSL to prevent passive attacks for the most part, you know. We heard about this thing – the man-in-the-middle attack – and so we just threw that in at the end”. He’s like “Really, that whole thing with certificates, it was a bit of a hand wave. We didn’t think it was gonna work, we didn’t know”. – Colonel Panic Jul 13 '16 at 14:23

3 Answers


tl;dr - the protocols were developed prior to MITM being perceived as a threat; the deployed infrastructure now serving billions of cell phones worldwide can't easily be changed to add cell tower validation; and governments have no interest in fixing this issue.

Cell phone protocols differ from IP protocols in that they were never a peer-to-peer network of untrusted devices. The original cell phones were analog, with only a small channel of digital data to carry call information. These analog protocols were developed in the 1970s when the micro CPUs had almost no power or storage, and the only security thought was to ensure accurate billing. Also working in the cellular companies' favor, the only equipment authorized to transmit on those frequencies was under full control of the cellular manufacturers; companies like Motorola had a virtual lock on all the equipment on both ends of the call. The protocol they created was such that the cell phones implicitly trust the cell towers for all operational information: signal strength measurements (for optimizing battery life), network IDs (for billing and roaming charges), and encryption requirements (which need to be turned off on a per-jurisdiction basis). The phone responds with its ID in order to register to receive incoming call information, and the phone company authenticates the ID to ensure proper billing. But in all this, the phone never authenticates the tower.

Also, all this metadata is exchanged in cleartext. When digital cellular protocols like GSM arrived, nothing much had changed in the security model. In the 1990s, the main security threat was eavesdroppers, so laws were passed in the US prohibiting listening in on cell calls. Digital voice data was easy to encrypt to protect the privacy of the calls (supposedly a government agency ensured that weak encryption algorithms were selected). Otherwise, the existing cellular protocols continued to work without many security issues (security issues primarily being defined by the cellular companies as "people hacking our systems to make free calls").

Stingrays and other IMSI-catchers violate the cell tower agreements by producing an illegal signal, pretending to be a cell tower. They forge a signal strength response of "excellent", which causes the phone to not switch towers. They identify themselves as various common network IDs, so the phones do not switch away to avoid roaming charges. They control the encryption flag, which will cause a phone to downgrade security either to the least secure algorithm, or disable encryption completely. As far as a MITM goes, they may pass along the phone call data to a legitimate tower, or they may simply send back an error code the user sees as a call failure.

Nowhere in the protocol designs was a thought given to malicious actors transmitting on their licensed frequencies. Illegal use of airwaves has long been a felony, and their original approach was legal: "if someone even tries to spoof a cell phone, we'll have them arrested and locked up for a decade."

But it turns out that not everyone is afraid of committing a crime, least of all police departments armed with warrants and Stingrays. Private researchers have also exploited loopholes in the law, where they transmit cell tower signals legally on unlicensed frequencies (the ISM band). This same band happens to be allocated for cell use in foreign countries, so a quad-band phone in the US will happily receive the faked signals.

John Deters
    This story muddles two distinct origins of mobile phone technology. There's the US analog origin (no IMSI, no SIM) and the global digital origin (GSM, introduced IMSI, SIM, encryption and a raft of other standards). So the first paragraph ("before GSM arrived") is trying to explain pre-GSM technology as if it used GSM technology. – MSalters Mar 15 '16 at 09:06
    Basically the cell companies and cell tech manufacturers are concerned with **their** security, not yours (ours). – Mindwin Remember Monica Mar 15 '16 at 15:32
  • The update incorrectly blames the NSA for the A5/1 weakness, it was GCHQ (British). And it's not the algorithm so much as a key size limitation. – MSalters Mar 15 '16 at 15:41
    `They forge a signal strength response of "excellent", which causes the phone to not switch towers.` This is so, bad. – PyRulez Mar 15 '16 at 17:03
    @PyRulez, it's evil, but absolutely brilliant. They make the IMSI catcher deliver the most appealing signal of all. Because the phone trusts the signal implicitly, it believes it's connected to a magical tower that will conserve battery life. – John Deters Mar 15 '16 at 18:52
    Does LTE fix this? For some reason I thought it did, but I can't remember my sources now.. – Seth Mar 15 '16 at 21:13
  • @Seth: It certainly can't fix it if your phone is not configured for "LTE-only"; otherwise it will happily downgrade to a "higher-signal-quality" 2G-only tower. – R.. GitHub STOP HELPING ICE Mar 15 '16 at 21:24
  • @R.. Of course, but the MITM can't be performed over LTE, correct? – Seth Mar 15 '16 at 21:27
  • @Seth: I'm not sure. I would be very hesitant to say "can't be performed". It's plausible that there are no currently-practical attacks but you should ask someone better-informed than I am to determine if even that is the case. – R.. GitHub STOP HELPING ICE Mar 15 '16 at 21:36
  • @Seth Well, technically, if they steal the phone on the other end, they could perform MITM. – PyRulez Mar 15 '16 at 21:44
  • @JohnDeters: This was a great answer! Any chance you could point to more reading on signal strength? I never realized it was the tower that calculates it; I thought it was the phone... more reading on this would be nice although I'm not sure what exactly I'm looking for either. – user541686 Mar 16 '16 at 07:11
    @Mehrdad, search for the web for "chris paget imsi catcher defcon", where he presented his home-built IMSI catcher. In the talk, he spoke of the field values he needed to spoof in order to get a phone to connect to his fake tower. He mentioned the signal strength received at the tower is sent back to the phone; by spoofing a "good" value he found the trapped phones didn't switch away from his signal. If you can, watch the whole presentation, it was fantastic! – John Deters Mar 16 '16 at 16:13
  • @Seth: It *may* be fixable with LTE-only phones, but current LTE implementations are a security nightmare (there was a talk at 32C3). – Martin Schröder Mar 24 '16 at 21:33

Virtually all modern phone technology is rooted in GSM technology, which has been incrementally updated since (Japan is the main exception left). GSM originated in Europe in the 1980s, when all phone networks were (quasi) state-run. In addition, this was in an age when encryption was still banned for export purposes, so the GSM standard was intentionally designed to be able to run with weak encryption. This allowed the export of GSM to Eastern Europe.

Despite this rather Cold War view, GSM was definitely intended as a global standard, so GSM phones by design believe a network that claims not to support encryption.

Of course, in today's world, an honest phone maker would intentionally ignore such vulnerable networks. The fact that they don't is probably a good indication of how much you should trust your phone vendor. It's fair to say that your phone intentionally connects to a base station that is known to be spoofed. The MITM attack window is by design.

MSalters
    Do you have any references you could link? (Especially for the last paragraph.) – glibdud Mar 15 '16 at 14:53
    @glibdud: The GSM intentional weak cypher is `A5/2`, which is about as safe as ROT-13. The last paragraph is straight logic: since all trustable networks have encryption turned on, any network claiming to have encryption turned off is already untrustworthy. And besides, the global number of networks is about 1000. You shouldn't trust anything the network claims. Ship public keys with the device. If the network claims to be AT&T, use the hardcoded AT&T keys. Real cops use GSM 03.33 anyway to listen in at the carrier network level, they don't need stingrays. – MSalters Mar 15 '16 at 15:12
    I agree with your view on this, it's just that the last paragraph (except for the last sentence) comes off as more editorial than factual. – glibdud Mar 15 '16 at 15:20
    @glibdud: Well, you won't get many vendors to admit on the record that their phones are insecure by design. But note that BlackBerry, who historically did care, used its own encryption channel. Everyone in the business knew that was because network level encryption was _de facto_ absent. – MSalters Mar 15 '16 at 15:33

You can compare the IMSI catcher with an SSL downgrade attack. If you look at how GSM works, it supports different protocols: classic GSM, GPRS, HSDPA, 3G, 4G, ...

Each of these was developed at its own time, and the most basic protocol allowed for optional encryption or was using a "proprietary" encryption protocol that was vulnerable.

Cellphones need to support different protocols, because not all countries have the latest protocol in place. This means your iPhone can still speak basic, vulnerable GSM.

So what these stingrays do is downgrade the connection and force your phone to communicate over a vulnerable version of the protocol.

Lucas Kauffman
    Does that mean that a cell phone user can protect themselves against IMSI catchers by modifying their cell phone's software to refuse to downgrade to insecure protocols (assuming the cell towers in their area support the secure protocols)? – HighCommander4 Mar 15 '16 at 04:51
    Yes, but the usability will be reduced significantly. Also you aren't covering against attacks that may happen behind the base station. – Lucas Kauffman Mar 15 '16 at 05:53
    Why will the usability be reduced, if cell towers support the secure protocols? – HighCommander4 Mar 15 '16 at 07:05
    @HighCommander4 not all areas have 3G or 4G coverage, so disable other protocols and you can't call anymore. – Lucas Kauffman Mar 15 '16 at 08:29
    Is this definitely the case - is it only downgrading to 2G that's vulnerable? – pjc50 Mar 15 '16 at 12:16
  • @pjc50 No. For actual Stingrays, yes, this is the case; later products can spoof 3G and 4G towers though. – draksia Mar 15 '16 at 17:04
  • @Draksia you have some links or examples? I haven't seen it yet and I'm curious to read up on it – Lucas Kauffman Mar 15 '16 at 23:33
  • Sorry, nothing specific, I just know someone that worked on the project. – draksia Mar 15 '16 at 23:42
  • @LucasKauffman I assume spoofing 3G/4G needs carrier cooperation to give them the required keys to spoof the tower. – André Borie Mar 16 '16 at 10:36
  • @LucasKauffman See this article, not confirmation by any means http://arstechnica.com/tech-policy/2014/09/cities-scramble-to-upgrade-stingray-tracking-as-end-of-2g-network-looms/ – draksia Mar 16 '16 at 17:28
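The handset-side defence debated across the answers (refusing a base station that commands no or weak encryption, as John Deters and MSalters describe, and the "LTE-only" / no-downgrade setting discussed under Lucas Kauffman's answer, together with its coverage cost) modelled in Python as an added example. This is not code from any answer on this page; the tower "offers", field names and PLMN ids ("310410", "26201") are constructed sample values.

```python
# Added example, not from any answer on this page: a handset-side policy
# check modelling the defence the comments discuss. Tower offers and the
# PLMN ids ("310410", "26201") are constructed sample values.
from dataclasses import dataclass

# Null and intentionally weak ciphers. A5/0, UEA0 and EEA0 mean "no encryption";
# A5/2 is the GSM export cipher MSalters calls ROT-13 grade. A5/1 is also weak
# (key size limitation, per the comments) but refusing it means no 2G at all.
WEAK_CIPHERS = {"A5/0", "A5/2", "UEA0", "EEA0"}
RAT_RANK = {"2G": 0, "3G": 1, "4G": 2}  # radio access technology, oldest first

@dataclass(frozen=True)
class TowerOffer:
    plmn: str      # network id the base station claims (MCC+MNC)
    rat: str       # "2G", "3G" or "4G"
    cipher: str    # cipher the network commands; a stock GSM phone just obeys
    signal: str    # quality the tower reports back to the phone

@dataclass(frozen=True)
class HandsetPolicy:
    home_plmn: str
    min_rat: str = "2G"         # "4G" models the "LTE-only" setting
    refuse_roaming: bool = False

def evaluate_offer(offer: TowerOffer, policy: HandsetPolicy):
    """Return (accept, reason). Unlike a stock GSM handset, this refuses to
    attach when the tower's own claims match the IMSI-catcher profile."""
    if offer.cipher in WEAK_CIPHERS:
        return False, f"network commands {offer.cipher}: no usable encryption"
    if RAT_RANK[offer.rat] < RAT_RANK[policy.min_rat]:
        return False, f"{offer.rat} is below the {policy.min_rat} minimum"
    if policy.refuse_roaming and offer.plmn != policy.home_plmn:
        return False, f"plmn {offer.plmn} is not the home network"
    return True, "attach"

def usable_towers(offers, policy):
    """How many of the available towers the policy still lets the phone use:
    the coverage cost of refusing to downgrade."""
    return sum(1 for o in offers if evaluate_offer(o, policy)[0])

# Constructed sample: a catcher that forges "excellent" signal and turns
# encryption off, a rural 2G cell, a home LTE cell and a foreign 3G cell.
CATCHER = TowerOffer("310410", "2G", "A5/0", "excellent")
RURAL_2G = TowerOffer("310410", "2G", "A5/1", "fair")
HOME_LTE = TowerOffer("310410", "4G", "EEA2", "good")
FOREIGN_3G = TowerOffer("26201", "3G", "UEA2", "good")
OFFERS = [CATCHER, RURAL_2G, HOME_LTE, FOREIGN_3G]

DEFAULT = HandsetPolicy(home_plmn="310410")
LTE_ONLY = HandsetPolicy(home_plmn="310410", min_rat="4G")
```

With the default policy the catcher is the only offer refused (three of four towers usable); with the LTE-only policy only the home LTE cell remains, which is the usability trade-off the comments describe.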