Over the weekend I stumbled upon this paper: The diverse and variegated reactions of different cellular devices to IMSI catching attacks.

I have no idea how this paper fell under my radar, but I have already tweaked my alerts from Google Scholar and ResearchGate a bit so, hopefully, I don’t miss such a paper again.

This paper presents a very (very!) interesting study of how different mobile handsets behave in the presence of an IMSI catcher, with or without the presence of an extra jammer. Really great paper by Ivan Palama and team at the University of Rome Tor Vergata.

The authors implement an LTE IMSI catcher with srsLTE and with Open Air Interface. My very first LTE IMSI catcher ever was written using openLTE, but ever since 2015 I have done all my work using srsLTE. I never did any work with Open Air Interface, but I would assume that turning it into an IMSI catcher should be as simple as with srsLTE. The IMSI catcher implements a couple of the standard techniques to force an LTE handset to disclose its IMSI in the clear, namely:

  • Service Reject message, with EMM cause code 0b00001001 (“UE identity cannot be derived by the network”)
  • Tracking Area Update Reject, with EMM cause code 0b00001001 (“UE identity cannot be derived by the network”)

In parallel, they implement a derivation of what I used to refer to as “smart jamming” in LTE back in 2014. Interestingly, they have open-sourced their jammer.

The results of the paper can be summarized in Table I:

[Figure: IMSI_catcher_behavior (Table I from the paper)]

Fascinating at the very least. As I was expecting when I started reading the paper, the behavior when facing an IMSI catcher is independent of the mobile operator. However, the results show some quite distinct behavior in Android devices when compared to iOS. For iPhone 8s and beyond, the device is not fooled by the IMSI catcher unless the jammer is applied. And, even with the jammer, the authors observed the devices often downgrading to 3G or GSM instead of disclosing their IMSI (“If we run LTE jammers over non-priority frequencies, often when we start the malicious eNodeB the iPhone automatically downgrades to 3G or even GPRS without providing IMSI to our IMSI Catcher”).

These results are very interesting. Most of the behavior when facing an IMSI catcher would be driven by the cellular modem, and this interesting “resiliency” to IMSI catchers seems to start appearing when Apple started using Intel cellular modems.

The modem used by the iPhone XS (Intel XMM 7560) is also used in the HP Spectre Folio laptops. I would run the same experiments with one of these HP laptops and see what happens. If the behavior is different when compared to the iPhone XS, this could indicate that this is partially (or mostly) related to the OS, with iOS exhibiting some interesting partial resiliency to IMSI catchers. There are some things that could potentially be done from the OS, despite the response to an IMSI catcher happening mostly on the modem. However, it could also be a custom configuration or tweak of the modem’s FW for the Apple phones too.

Although there are interesting techniques to flag eNodeBs that appear to be suspicious (similar to what SnoopSnitch or Crocodile Hunter do, with both approaches being very different, though), simply refusing to disclose the IMSI would be a simple viable approach as well. The likelihood of seeing an EMM cause code 0b00001001 (“UE identity cannot be derived by the network”) in the wild for a legitimate reason is very low. Just refusing to disclose the IMSI and downgrading to 3G instead is a valid approach against a not-too-sophisticated attacker. Arguably, with a few laptops and a few SDRs one can set up a rogue LTE eNodeB, jam LTE, jam 3G, jam GSM and set up a rogue GSM BS. But this is not the standard setup an adversary would have. I am unfamiliar whether an actual commercial IMSI catcher used by, for example, law enforcement, can account for devices refusing to disclose their IMSI on LTE and downgrading to 3G or GSM.
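To make the two messages listed above and the defensive policy of this paragraph concrete, here is an added example of mine (not code from the paper, from srsLTE, or from this blog): a minimal decoder for the leading fields of plain LTE NAS EMM messages, plus a UE-side guard that models “flag a cause #9 reject, and withhold the IMSI afterwards”. Message types and the cause value follow 3GPP TS 24.301; the sample frames are constructed, and the `IdentityDisclosureGuard` class, its action strings and the assumption that the modem exposes downlink NAS frames to such a policy are my own, hypothetical design.

```python
"""
Added example (not from the paper or the blog): decoder for the fixed
leading fields of plain LTE NAS EMM messages, plus a defender-side policy
that flags the IMSI-forcing tricks the post lists (Service Reject /
Tracking Area Update Reject with EMM cause #9, "UE identity cannot be
derived by the network") and withholds the IMSI on a follow-on Identity
Request. Field encoding follows 3GPP TS 24.301; all frames below are
constructed test data, and the guard's actions are a hypothetical design.
"""
from dataclasses import dataclass
from typing import List, Optional

EMM_PD = 0x7                      # protocol discriminator for EMM (TS 24.301 9.2)

# EMM message types (TS 24.301 table 9.8.1)
ATTACH_REJECT = 0x44
TAU_REJECT = 0x4B
SERVICE_REJECT = 0x4E
IDENTITY_REQUEST = 0x55

REJECT_TYPES = {
    ATTACH_REJECT: "Attach Reject",
    TAU_REJECT: "Tracking Area Update Reject",
    SERVICE_REJECT: "Service Reject",
}

# EMM cause #9 (0b00001001): "UE identity cannot be derived by the network".
CAUSE_UE_IDENTITY_NOT_DERIVED = 0x09

# Identity type 2 value meaning "IMSI" in an Identity Request (TS 24.301 9.9.3.17)
IDENTITY_TYPE_IMSI = 0x1


@dataclass
class EmmMessage:
    security_header: int                 # 0 = plain NAS (no integrity protection)
    message_type: int
    emm_cause: Optional[int] = None      # set for reject messages
    identity_type: Optional[int] = None  # set for Identity Request


def parse_emm(frame: bytes) -> EmmMessage:
    """Decode header + first IE of a plain EMM message.

    Byte 0: security header type (high nibble) | protocol discriminator (low nibble)
    Byte 1: message type
    Byte 2: EMM cause (reject messages) or identity type (Identity Request)
    """
    if len(frame) < 2:
        raise ValueError("frame too short for an EMM header")
    if frame[0] & 0x0F != EMM_PD:
        raise ValueError("not an EMM message (PD %#x)" % (frame[0] & 0x0F))
    msg = EmmMessage(security_header=frame[0] >> 4, message_type=frame[1])
    if msg.message_type in REJECT_TYPES:
        if len(frame) < 3:
            raise ValueError("reject message without EMM cause")
        msg.emm_cause = frame[2]
    elif msg.message_type == IDENTITY_REQUEST:
        if len(frame) < 3:
            raise ValueError("Identity Request without identity type")
        msg.identity_type = frame[2] & 0x07   # low 3 bits carry the identity type
    return msg


class IdentityDisclosureGuard:
    """Hypothetical UE-side policy over downlink NAS messages.

    Returns one of:
      "flag"          - unprotected reject with cause #9: log a suspicious-cell event
      "withhold-imsi" - IMSI requested right after such a reject: do not answer with
                        the IMSI; prefer reselecting another cell/RAT instead
      "accept"        - nothing suspicious (e.g. IMSI request on a genuine first attach)
    """

    def __init__(self) -> None:
        self.recent_cause9_reject = False
        self.events: List[str] = []

    def handle(self, frame: bytes) -> str:
        msg = parse_emm(frame)
        # A plain (unprotected) reject with cause #9 is rare from a real network,
        # so treat it as the start of a suspicious sequence rather than obeying it.
        if msg.emm_cause == CAUSE_UE_IDENTITY_NOT_DERIVED and msg.security_header == 0:
            self.recent_cause9_reject = True
            self.events.append("cause9-reject:" + REJECT_TYPES[msg.message_type])
            return "flag"
        if msg.message_type == IDENTITY_REQUEST and msg.identity_type == IDENTITY_TYPE_IMSI:
            if self.recent_cause9_reject:
                self.events.append("imsi-request-after-cause9")
                return "withhold-imsi"
            return "accept"
        self.recent_cause9_reject = False
        return "accept"


if __name__ == "__main__":
    # Constructed frames: Service Reject cause #9, then Identity Request for IMSI.
    guard = IdentityDisclosureGuard()
    for f in (bytes([0x07, 0x4E, 0x09]), bytes([0x07, 0x55, 0x01])):
        print(parse_emm(f), "->", guard.handle(f))
    print(guard.events)
```

The same guard fed a Tracking Area Update Reject (type 0x4B) with cause #9 takes the same path, so both of the techniques listed earlier in the post end up flagged. The policy deliberately does not flag a plain Identity Request on its own, since a genuine first attach without a GUTI legitimately asks for the IMSI; it is the cause #9 reject followed by the identity request that is the tell.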

Regardless, having the OS and/or the modem and/or both refuse to disclose its IMSI and, instead, downgrade, substantially raises the security bar against many IMSI catchers.

Really interesting paper indeed!!!

Ps. I need a new template/style for my blog so I can show figures larger. Any suggestions?