therob3000 / android-imsi-catcher-detector

This project forked from cellularprivacy/android-imsi-catcher-detector

Detect and avoid IMSI-Catcher attacks!

Home Page: https://secupwn.github.io/Android-IMSI-Catcher-Detector/

License: GNU General Public License v3.0

android-imsi-catcher-detector's Introduction

Android IMSI-Catcher Detector (AIMSICD)

Android-based project to detect and avoid fake base stations (IMSI-Catchers) in GSM/UMTS networks. Feel free to read the Press Releases about us, spread the word with our Media Material and help us solve current challenges!



Introduction

Both law enforcement agencies and criminals use IMSI-Catchers, which are false mobile towers acting between the target mobile phone(s) and the service provider's real towers. As such, this is considered a Man-in-the-Middle (MITM) attack. The FBI or local police might deploy the device at a protest to obtain a record of everyone who attended with a cell phone. In the USA this technology is known under the name "StingRay", which is even capable of tracking the people who are traveling together with an owner of a targeted phone across the country. Here you can see alleged StingRay tracking devices mounted to the roof of three SUVs. IMSI-Catchers can allow adversaries to intercept your conversations, text messages, and data. Police can also use them to determine your location, or to find out who is in a given geographic area at what time. Identity thieves might sit with an IMSI-Catcher in a parked car in a residential neighborhood, stealing passwords or credit card information from people nearby who make purchases on their phones.

There is more: Powerful, expensive IMSI-Catchers are in use at federal agencies and some police departments. And if you think that IMSI-Catchers are not used in your own town, think twice! If you ever happen to be near a riot or demonstration (hint: leave your phone at home if participating), pay close attention to cars standing along the path of the demonstration - those might be IMSI-Catchers. It is common practice for police to position IMSI-Catchers at the beginning as well as the end of roads where the demonstrating crowd moves, to capture and compare data in order to find out who participated. But most of the time IMSI-Catchers are well hidden and can even be body-worn - therefore you won't even discover these creepy devices. Current technology shrinks them to be as tiny as your phone! So again, if you really have to participate in a riot or demonstration, leave your phones at home or build yourself a signal blocking phone pouch!

YouTube: DEF CON 18 - Practical Cellphone Spying with Kristin Paget

Unfortunately it seems that IMSI-Catchers have become exponentially more popular lately, with an explosion of various "bastards", governments and criminals alike, using them. Anyone can now buy an IMSI-Catcher (or build a cheap one on his own). Sending spam and phishing SMS via fake base stations is already a lucrative underground market, particularly in Russia, China and Brazil (see The Mobile Cybercriminal Underground Market in China). For example in China, 1.530 people got arrested for using this kind of equipment. Just recently, hackers decided to start reverse-engineering the NSA toolset and are releasing tools like TWILIGHTVEGETABLE - an easy to use, boot and pwn toolkit for passive monitoring of GSM communications as well as DRIZZLECHAIR as an extension to that system on a 2TB harddrive with all the tools required to crack A5/1 as well as the rainbow tables. It's just a matter of time until your own neighbor will spy on you with simple self-built tools!

In addition, all IMSI-Catchers can crack A5/1 encryption, which is most commonly used for GSM traffic, on the fly (passively)! A5/3 encryption, which is used for securing 3G and is offered as the new security standard for GSM encryption, remains secure in practice while susceptible to theoretical attacks. Although 3G and 4G offer sufficient protection from eavesdropping, the security measures can be bypassed by IMSI-Catchers forcing a mobile device into 2G mode and downgrading encryption to A5/1 or disabling it.

There are almost no phones on the market which offer an option to check what kind of encryption is used to secure GSM traffic. And although the Issue of not having a convenient display of the Ciphering Indicator has been assigned to Google since 2009, it seems they're getting paid (or are forced) to blatantly ignore it. The only way to protect a mobile device from downgrade attacks is to disable 2G if this option is available. In this case the phone will not be able to receive or make calls in areas without 3G coverage. This is why the original author named "E:V:A" started this project. Let's detect and protect against these threats! Never think you've got "nothing to hide".

Some examples to make you familiar with the most common IMSI-Catcher threats:


Want to know what IMSI-Catchers look like?

They come in uncountable shapes and sizes:

IMSI-Catchers

  • Current IMSI-Catchers can be as tiny as the portable Septier IMSI-Catcher Mini.
  • Below, the smartphone takes up the most space. IMSI-Catchers will get even smaller!

Septier IMSI-Catcher Mini

  • This picture was taken during the riots on Taksim Square in Istanbul:

IMSI-Catcher during the riots on Taksim Square

  • The above example is way too conspicuous and you'll likely never encounter these.
  • Today's IMSI-Catchers can be body-worn or are hidden in GSM Interceptor vehicles:

Inside an IMSI-Catcher vehicle

Search for "GSM Interceptor", "IMSI-Catcher", "StingRay" or a combination thereof.


Goals (please read carefully!)

This project:

  • Detects IMSI-based device location tracking
  • Provides countermeasures against tracking
  • Can provide swarm-wise-decision-based cellular service interruption
  • Can provide secure wifi/wimax alternative data routes through MESH-like networking
  • Detects and prevents remote hidden application installation
  • Detects and prevents remote hidden SMS-based SIM attacks
  • Prevents or spoofs GPS data
  • Does NOT secure any data transmissions
  • Does NOT prevent already installed rogue application from full access
  • Aims to be recommended and added to the Guardian Project's list of secure Apps
  • Aims to be recommended by the SSD Project of the Electronic Frontier Foundation
  • Aims to be recommended by Privacy International (and like-minded organizations)

Other projects (NOT this one):

  • Provide full device encryption
  • Provide secure application sand-boxing
  • Provide secure data transmission
  • Provide firewalls (recommended: AFWall+)

Development Roadmap

In short: We're merely using any possible way to overcome the ridiculous AOS limitations on displaying highly important and relevant network variables and data. One of those is the Ciphering Indicator that has been 3GPP "required" for the last 10-15 years, but which Google and most Network providers choose to ignore. (Since they didn't want to implement better encryption, until very recently.) Another is finding the Timing Advance and various Network (RRC) Timers.

  1. There are several types of silent SMS, most of which are already detectable and there is nothing strange with that. It does need further testing for a greater variety of devices, and to see what would happen on a real IMSI-Catcher.

  2. Sending AT commands to the baseband processor and using the results to detect anomalies is an ongoing challenge because certain basebands do not expose enough usable information. The whole detection process is strongly hardware dependent: some basebands expose everything (MTK) and others (Qualcomm) expose very little, since they have their own protocols (DM/QMI). But the SIM card filesystem does provide useful info. So a combination of AT commands, SIM card readings and also API access to Service Mode (Samsung) menus can provide all that we need and more. But it is a rather technical challenge for our developers to do this, and to collect all support material needed. That's where YOU come into play. Check our open Issues and help us!

  3. OBB support would be crucial, but we're not really proposing this. Very few people would bother going through the pain of finding an appropriate OBB compatible phone, let alone implementing it as a piggy-back to an Android. So unless some OBB developer serves the required Java + binaries to us on a silver platter, this will not be a feature of AIMSICD.

Below structure does NOT mean we will create 3 Apps. It will be "1 App to Rule Them ALL".

Make an empty "shell" App that:
  • a. collects relevant RF related variables using public API calls. (LAC etc)
  • b. puts them in an SQLite database
  • c. catches hidden SMS's
  • d. catches hidden App installations
Make another empty "shell" App (or module) that:
  • e. opens a device local terminal root shell
  • f. uses (e.) to connect to modem AT-Command Processor ATCoP via shared memory interface SHM
  • g. displays results from sent AT commands
  • CRUCIAL to our project: Please help E:V:A develop a Native AT Command Injector!
[Possibly] Make another App that:
  • h. use the OTG (USB-host-mode) interface to use FTDI serial cable to interface with another OsmocomBB compatible phone (using Android host as a GUI host)
  • i. uses the "CatcherCatcher" detector SW on the 2nd phone
  • j. can inject fake 2G GSM location data
  • k. find out how to access L0-L2 data using the ATCoP connection
  • l. use a statistical algorithm on the DB data to detect rogue IMSI-Catchers
  • m. combine all of the above (steps h to l) into a BETA App for testing, add languages
  • n. improve BETA app by adding (many more) IMSI-Catcher counter measures
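
Steps (a), (b) and (l) of the roadmap above, sketched as an added example that is not AIMSICD's own code: cell observations go into SQLite and two consistency checks run over them. The table layout, the function names and both heuristics (a cell ID reported under more than one LAC, and a drop to 2G as described in the Introduction) are assumptions chosen for illustration; the sample rows are constructed.

```python
import sqlite3

# Constructed sample observations, as a phone might log them via public APIs:
# (unix_time, mcc, mnc, lac, cell_id, radio_type, rssi_dbm)
SAMPLE = [
    (1000, 262, 1, 4101, 20481, "UMTS", -85),
    (1060, 262, 1, 4101, 20481, "UMTS", -84),
    (1120, 262, 1, 4101, 20482, "UMTS", -90),
    (1180, 262, 1, 9999, 20481, "GSM", -51),   # known cell ID, new LAC, 2G
    (1240, 262, 1, 4101, 20482, "UMTS", -88),
]

# Hypothetical schema for step (b); not the project's actual database layout.
SCHEMA = """CREATE TABLE cell_obs (
    ts INTEGER, mcc INTEGER, mnc INTEGER, lac INTEGER,
    cid INTEGER, rat TEXT, rssi INTEGER)"""


def load(rows):
    """Create an in-memory database and store the observations."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO cell_obs VALUES (?,?,?,?,?,?,?)", rows)
    return db


def changing_lac(db):
    """Cells (mcc, mnc, cid) that were reported under more than one LAC."""
    return db.execute(
        """SELECT mcc, mnc, cid, COUNT(DISTINCT lac) FROM cell_obs
           GROUP BY mcc, mnc, cid HAVING COUNT(DISTINCT lac) > 1
           ORDER BY cid""").fetchall()


def rat_downgrades(db):
    """Observations where the serving radio type drops from 3G/4G to GSM."""
    rows = db.execute(
        "SELECT ts, rat, lac, cid FROM cell_obs ORDER BY ts").fetchall()
    return [(cur[0], cur[2], cur[3])
            for prev, cur in zip(rows, rows[1:])
            if prev[1] != "GSM" and cur[1] == "GSM"]


def suspicious(db):
    """Downgrade events that land on a cell whose LAC is inconsistent."""
    odd_cells = {cid for _, _, cid, _ in changing_lac(db)}
    return [event for event in rat_downgrades(db) if event[2] in odd_cells]


if __name__ == "__main__":
    print(suspicious(load(SAMPLE)))
```

A hit is an indicator to investigate, not proof: a phone also falls back to 2G in areas without 3G coverage, which is why the sketch only reports a downgrade when it coincides with the LAC inconsistency.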

Disclaimer

For your and our own safety, here's our Disclaimer.


Bug Tracker

Please follow how to correctly submit Issues!


Support

Although this project is fully Open Source, developing AIMSICD is a lot of work and done by enthusiastic people during their free time. If you're a developer yourself, we welcome you with open arms! To keep developers in a great mood and support development, please consider making a fully anonymous donation through sending DarkCoin to our DONATION ADDRESS: XxEJvrYtkTZzvMUjtbZwPY34MyCGHSu4ys

All collected donations will be split into appropriate pieces and directly sent to developers who contribute useful code. The amount of DarkCoins each developer receives will vary with the value of each merged commit. To be perfectly clear: We will NOT reward junk, only awesome stuff. Additionally, donations will be used to support these organizations:

EFF Guardian Project Privacy International

If you are unsure how to donate, visit our WIKI-Page on Anonymous Donations.


License

This project is completely licensed GPL v3+.


Credits & Greetings

Our project would not have been possible without these awesome people. HUGE THANKS!


Get in touch with the core team!

Developer Task
E:V:A Project Initiator
xLaMbChOpSx Code-Monkey
tobykurien Code-Monkey
He3556 Vulnerability Analyzer
Sgt-Obst Graphical Designer
SecUpwN Public Speaker
