Base Station Testing, IMSI Catching and SS7 Attacks on 3 Operator Networks

Yoan Miche, Dare Abodunrin, Ian Oliver and Silke Holtmanns
Nokia Networks

Objective: Identify...

1. Unusually long network cuts, in 2G and 3G, while connected to a BTS
2. Base stations with unusual LAC/CID/MNC
3. Base stations with unusual power
4. Sudden downgrades to 2G from 3G
5. Deactivation of encryption
6. Unavailability of encryption, especially status changes (A5/3 to A5/1/0)

Overall Protocol

1. Reach one of the selected areas
2. Set phone networks to WCDMA mode only (3G)
3. Start data recording on both Snoopsnitch and AIMSI catcher
4. Run 5x4 tests in Snoopsnitch, several times
5. Walk around the area while running active tests
6. After one “tour” is done, switch all phone networks to 2G mode only
7. Restart the same experiments on 2G, with a similar “tour”

Area Maps and Events Locations

a: Itinerary on Eira on 05/02/2015.
b: Itinerary on Kulosaari on 13/02/2015.
c: Itinerary on Kuusisaari on 20/02/2015.

a: Itinerary on Eira on 03/03/2015.
b: Itinerary on Kulosaari on 03/03/2015.
c: Itinerary on Kuusisaari on 03/03/2015.
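
The indicators in the Objective list, expressed as detection logic over a recorded tour log. This is an added example, not code from the slides, SnoopSnitch or AIMSICD; the Sample record layout, the 20-second cut threshold, the known-cell list and every sample value are assumptions constructed for illustration. Signal power (indicator 3) is not covered.

```python
from dataclasses import dataclass
from typing import Optional

CIPHER_RANK = {"A5/0": 0, "A5/1": 1, "A5/3": 3}  # GSM ciphers from the slides, by strength
MAX_CUT_SECONDS = 20  # assumption: what counts as an "unusually long" cut

@dataclass
class Sample:
    t: int                  # seconds since the start of the tour
    rat: Optional[str]      # "3G", "2G", or None when there is no network
    cell: Optional[tuple]   # (LAC, CID) of the serving cell
    cipher: Optional[str]   # negotiated A5 cipher, None if not reported

def find_events(samples, known_cells, locked_rat):
    """Return (time, kind, detail) tuples for indicators 1, 2, 4, 5 and 6."""
    events, cut_start, prev, last_cipher = [], None, None, None
    for s in samples:
        if s.rat is None:                       # no network: open or extend a cut
            cut_start = s.t if cut_start is None else cut_start
            continue
        if cut_start is not None:               # network is back: close the cut
            if s.t - cut_start >= MAX_CUT_SECONDS:
                events.append((cut_start, "long_cut", f"{s.t - cut_start}s"))
            cut_start = None
        if locked_rat == "3G" and s.rat == "2G" and (prev is None or prev.rat != "2G"):
            events.append((s.t, "downgrade", "3G->2G"))
        if s.cell is not None and s.cell not in known_cells and (prev is None or prev.cell != s.cell):
            events.append((s.t, "unknown_cell", "LAC/CID %s/%s" % s.cell))
        if s.cipher is not None:                # compare with the last cipher seen
            if last_cipher and CIPHER_RANK[s.cipher] < CIPHER_RANK[last_cipher]:
                events.append((s.t, "cipher_downgrade", f"{last_cipher}->{s.cipher}"))
            last_cipher = s.cipher
        prev = s
    if cut_start is not None and samples[-1].t - cut_start >= MAX_CUT_SECONDS:
        events.append((cut_start, "long_cut", f"{samples[-1].t - cut_start}s (log ends)"))
    return events

# Constructed sample log (not measurements from the slides).
KNOWN = {(100, 1111), (100, 2222)}
SAMPLES = [
    Sample(0, "3G", (100, 1111), None),
    Sample(10, None, None, None),
    Sample(40, "3G", (100, 1111), None),    # network back after a 30 s cut
    Sample(50, "2G", (100, 2222), "A5/3"),  # 2G although the phone is locked to 3G
    Sample(60, "2G", (999, 4242), "A5/1"),  # unlisted cell and weaker cipher
    Sample(70, "2G", (999, 4242), "A5/0"),  # encryption deactivated
]
if __name__ == "__main__":
    print(*find_events(SAMPLES, KNOWN, locked_rat="3G"), sep="\n")
```
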

Events @ Eira: Operator1
▶ 2-5sec cuts over UMTS (no network)
▶ 27secs cut over UMTS (no network)
▶ 2mins lost network (switching 3G→2G); connected to one BTS, no network

Events @ Eira: Operator2
▶ Downgrade to 2G for 2min49sec
▶ Lost network for 8min51sec (switching 3G→2G); connected to 2 BTS, varying power

Events @ Eira: Operator3
▶ Nothing to remark

Events @ Kulosaari: Operator1
▶ Multiple cuts on 3G (UMTS); no CID or 29006/422217
▶ Up to 3min cuts; connected to 29006/422217
▶ Lost network for 1min (switching 3G→2G)

Events @ Kulosaari: Operator2
▶ Multiple cuts on 3G; up to 4min13sec
▶ Downgrade to 2G for 40sec

Events @ Kulosaari: Operator3
▶ Lost network for 1min13sec (switching 2G→3G); connected to one BTS, varying power
▶ Connected to unknown BTS for 20sec, varying power

Events @ Kuusisaari: Operator1
▶ Downgrade to 2G for 2min28sec
▶ Multiple LAC changes (might be normal)
▶ Lost 2G network for 1min45sec

Events @ Kuusisaari: Operator2
▶ Nothing to remark

Events @ Kuusisaari: Operator3
▶ Nothing to remark

References and Links
▶ SnoopSnitch: https://opensource.srlabs.de/projects/snoopsnitch
▶ Android IMSI Catcher: https://secupwn.github.io/Android-IMSI-Catcher-Detector/

Contact Information
▶ Web: http://www.nokia.com
▶ Email: [email protected]
▶ Phone: +358 407 088 925

© Nokia Solutions and Networks