Many of you might remember the big news from Aftenposten back in December 2014 about IMSI-catchers being detected in OSLO, and how they spy on everything from the political elite, to business executives to companies doing R&D.
After this episode that caused a lot of commotion in the parliament, money was granted to search and stop said surveillance, and after that things went quiet.
We know the money have been put to good use, and we have no doubt that the Norwegian authorities are doing their best within the limitations of their budgets to hunt down the illegitimate use of IMSI-catchers, but is that enough to really stop IMSI-catchers from being a problem?
First, for those of you who wonder what an IMSI-catcher is and what it does, here is a very short explanation:
An IMSI-catcher is also called a fake base station. This means that it acts and looks like a Telco’s cell tower when you look at it from the outside. However, they are anything but. They are devised to interact with your smartphone in order to track you, see who is where at any give time, but also to do MITM (Man In The Middle) attacks, eavesdropping on your conversations, SMS’s and Internet traffic, but finally – in some instances – to inject malicious code into the lower levels of your smartphone where the code cannot be detected to spy on all the contents on the smartphone and even download it to a server without your knowledge or consent.
In other words, scary stuff ranging in price from less than 100 $ to several hundred thousand $ depending on their capabilities.
Well, we do work in the field of uncovering IMSI-catchers, and we thought it was time now to see whether the situation is different from now from what it was some three years ago.
So, we decided to do a test in one of the areas that were mentioned in the Aftenposten articles, Norway’s financial centre, Aker Brygge and Tjuvholmen.
So, what we did was to go to a number of companies and ask them to allow us to place one of our sensors in their offices over a period of roughly three months. We got a good number of companies volunteering to host our sensors and ended up having fifteen sensors placed in the area during Q4 2017.
The collected material was massive. We actually made over one million measurements. That is a lot of data, and massively more than Aftenposten gathered during their tests, as well in a more confined area.
The reason for collecting such vast amounts of data was to be able to rule out ‘false positives’. A false positive may be a cell from a Telco that behaves out of the ordinary, meaning that it is not working properly. In the test performed by Aftenposten this was an issue since they didn’t collect enough data to determine this. The other reason was to establish how the cellular network looked in a state of normalcy, meaning daily operations. This is an important baseline to establish before starting to look at the deviations.
What then remains is what we scrutinized to see what was lurking in the shadows of our financial centre.
So, did we find anything? Yes, we did.
1.1 SHORT SCANS IN THE TJUVHOLMEN AREA.
We have a lot of data from Tjuvholmen, which is the outer part of this area, and furthest from Oslo overlooking the Oslo fjord. This area is mostly industrial, but also residential with some very upscale and expensive housing complexes.
In this area we found a number of short scans. A short scan is when a mobile transmitter is seen with a very high signal strength for only a few seconds, and then it will disappear. The ones we recorded had cell-ID’s different from any cell-ID’s recorded in this area, and the signal strength (transmission power) was way above what a normal transmitter would use.
We found eight instances of such short scans with high transmission power and unknown ID’s, and the purpose of such scans is to see who is in this area. It is in other words a location scan, either seeing in general who is nearby, or to see in particular if a certain smartphone is in the area, establishing that its owner is also nearby.
We also see that in several cases the IMSI-catchers were operating only a minute or a few minutes apart from each other. This indicates either that there are several IMSI-catchers working in concert, using several devices to triangulate exact positions, or it can be the same IMSI-catcher being reconfigured so that it is less likely to get caught. Our data cannot conclusively determine whether it is one or the other.
A couple of them are also suspicious since they were caught at 2 am. This indicates that they are most likely targeting people living in the residential area of Tjuvholmen. It is a common scenario for IMSI catchers who wants to attack, infect and drain data from smartphones to do so at night, since it takes a while do drain that phone of all it’s data (between 20 and 40 minutes typically). The chances of success are much higher if this is done at a time where the owner is asleep. We would still only see a short scan from our sensors, because the IMSI catcher is devised such that when it finds its intended target, it will lock onto that target and refuse connections to any other device.
Our sensors were not likely targets, so we would only see the short scans and not the connection over time to the intended target. Of course, we cannot prove this without having our sensor software on the actual target phone itself, so at this point it is a likely explanation rather than a fact.
However, there is no doubt that the eight occurrences, each lasting only a few seconds and seen only ONCE during a period of three months were IMSI-catcher attacks.
1.2 Fixed IMSI-CATCHER
Imagine someone placing an IMSI-catcher pretending to be from your Telco to monitor who enters and leaves the financial district by checking your smartphone. The thought is a bit intimidating, isn’t it? Big brother watches you and all that. There’s something Orwellian about it, and for good reason. Well, that is exactly what our data suggests.
Our data suggests that someone has placed an IMSI catcher near the little roundabout where the pedestrian area of Aker Brygge starts. We cannot locate it, but due to the signal strength it has to be in close proximity to this location.
We know this because we see that there is one transmitter that goes on for a few seconds, scans with an extremely high power setting, and then goes quiet for a few minutes or even hours in some cases. Since it is seen daily in short bursts from time to time over a period of months we suspect that it is permanently installed in this area. This is also a scanning IMSI-catcher, and we believe that its intention is to establish exactly who enters and leaves the financial district over time.
We have done a substantial research effort before concluding that this is the case, after all it is a serious thing. We have located all nearby transmitters and checked distances, expected power levels, cell-ID’s and more.
Even after extensive checking we cannot entirely discard the possibility that this is a misbehaving cell.
There are several entry points to this area, and we would like to stress that we have only checked one of them. We have no data from the other entry points to this area, so we won’t speculate whether there are similar installations in those locations.
1.3 THE WHO OF IT
Of course, what everyone wants to know is who owns and operates these devices. There is no doubt that some of what we have found belongs to Norwegian authorities that legally uses them and reports their usage appropriately the way they should.
Norwegian authorities have reported that they have used IMSI-catchers in 107 cases in 2017. We presume that this mean that they have used IMSI-catchers multiple times in each of those 107 cases.
That is a lot. However, given the data collected not only in the Aker Brygge / Tjuvholmen area but also many other places not mentioned here, our data suggests that there is a lot more activity from IMSI-catchers than what the 107 cases mentioned can represent.
Also, we fully recognize that Norwegian authorities does their utmost in order to uncover and stop illegal use of IMSI-catchers in Norway, but we also recognize that it is a nearly impossible task to successfully do so in our long country. We respect their work greatly, and hope that our system for detecting IMSI-catchers may be a good supplement in their endeavour to keep our country and companies safe from espionage.
Rosberg as a company will not and cannot speculate as to who is behind these IMSI-catchers, our task is to uncover IMSI-catcher usage using affordable tools, and not speculate as to who is using them. We provide the facts. It will be up to others to use that information to make sure that the usage of these devices is limited to those Norwegian entities who are legally allowed to use them.