University researchers craft protocol to defeat IMSI-catchers


Timing is everything.

US researchers have discovered that the presence of “rogue base stations” – more formally known as IMSI catchers – can be revealed by synchronising the clocks of a legitimate base station and the mobile device.


One of the most notorious IMSI catchers is offered by Cellebrite, which in Australia has been used for everything from criminal investigations to checking on Centrelink recipients’ relationship status.

In a preprint published at arXiv, Santosh Ganji and PR Kumar of Texas A&M University lay out a protocol they call REVEAL.

“The REVEAL protocol creates a sequence of challenge packets where the transmission times of the packets, their durations, and their frequencies, are chosen to create conflicts at the MiM, and make it impossible for the MiM to function,” they write.

The protocol is based on the clock synchronisation that is intrinsic to mobile networks and is used to schedule communications between the mobile and the base station.

IMSI catchers can operate in one of three modes: half duplex, in which the IMSI catcher only handles traffic in one direction at a time; full duplex, in which it can forward messages while listening, but only in one direction; and double full duplex, in which the “thing in the middle” both listens for and forwards packets in both directions at the same time.

The researchers said half duplex IMSI catchers are the easiest to detect: “Packets passing through a half-duplex node are delayed at least by the length of the packet”.

Long packets introduce long delays not present without the IMSI catcher, and during those delays, the receiver of the message will experience the silence as a period of poor signal-to-noise ratio and low received power, which are easy to detect.

If the IMSI catcher is configured in full duplex mode, packets are forwarded as they arrive, but only in one direction at a time. 

Under REVEAL, the mobile and the base station coordinate to send packets to each other at the same time.

If a full duplex IMSI catcher is present, it will have to drop packets in one direction (for later retransmission).

“By checking if they have received each other’s packets, the base station and mobile can detect the failure of the MiM to forward both packets”, the paper states.

A double full duplex IMSI catcher is more difficult to detect, the paper explained: “The time-driven conflicts that the REVEAL protocol uses to expose half and full duplex MiMs cannot detect a double full duplex MiM.”

However, in double full duplex mode, the IMSI catcher has to carry out spectrum channel sensing to find available spectrum for both the uplink and the downlink.

Mobiles hop around frequencies depending on the state of a link; because of that, the MiM has to keep up with changing frequencies, and while that happens, the IMSI catcher introduces some packet loss into the link.

That packet loss is detected using the REVEAL protocol.
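As an added illustration (not code from the paper or from iTnews), the following simulation models the timing conflict described above: the base station and the mobile transmit challenge packets at the same instant and then check what arrived and when. The MiM behaviours are simplified assumptions: a half-duplex relay must receive a whole packet before forwarding it and cannot receive while busy, a one-direction full-duplex relay drops the overlapping opposite-direction packet, and propagation delay is ignored.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str        # "BS" (base station) or "UE" (mobile)
    dst: str
    t_send: float   # scheduled start of transmission, seconds
    duration: float # air time of the packet, seconds

def relay(mode: str, pkts: list[Packet]) -> dict[str, Optional[float]]:
    """Constructed MiM model. Returns, per sender, the time its packet has
    fully arrived at the destination, or None if the MiM dropped it."""
    out: dict[str, Optional[float]] = {p.src: None for p in pkts}
    if mode == "none":                         # direct link, no MiM present
        for p in pkts:
            out[p.src] = p.t_send + p.duration
        return out
    busy_until, first = 0.0, None
    for p in sorted(pkts, key=lambda p: p.t_send):
        overlaps = first is not None and p.t_send < first.t_send + first.duration
        if mode == "half":
            # Store-and-forward: the packet is delayed by its own length,
            # and nothing can be received while the node is busy.
            if p.t_send < busy_until:
                continue                       # dropped
            out[p.src] = p.t_send + 2 * p.duration
            busy_until = out[p.src]
        elif mode == "full":
            # Forwards while listening, but in one direction only: the
            # simultaneous opposite-direction packet is lost.
            if overlaps:
                continue                       # dropped
            out[p.src] = p.t_send + p.duration
        else:                                  # "double": both directions at once
            out[p.src] = p.t_send + p.duration
        first = first or p
    return out

def reveal_challenge(mode: str, t0: float = 0.0, duration: float = 0.01,
                     tolerance: float = 0.001) -> dict:
    """Both sides send at t0 and expect the peer's packet by t0 + duration."""
    pkts = [Packet("BS", "UE", t0, duration), Packet("UE", "BS", t0, duration)]
    arrivals = relay(mode, pkts)
    deadline = t0 + duration + tolerance
    missing = [s for s, t in arrivals.items() if t is None]
    late = [s for s, t in arrivals.items() if t is not None and t > deadline]
    # A double full duplex MiM passes this timing check, as the paper notes.
    return {"mim_detected": bool(missing or late), "missing": missing, "late": late}
```

Run `reveal_challenge("half")`, `reveal_challenge("full")` and `reveal_challenge("double")` to see which modes the timing conflict alone exposes.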

Copyright © iTnews.com.au . All rights reserved.