Would the approach be able to detect an AdaptOver/LTrack style attack?
LTrack is one of the stealthiest IMSI catchers I'm aware of, because it's almost entirely passive, and the victim never actually connects to the attacker. Radio Sentinel can detect AdaptOver style attacks that use empty paging requests for the DoS and downgrade attacks.
We are working on further improving Radio Sentinel to also detect suspicious "Attach Reject" and "Identity Request" messages used by LTrack. We're also adding methods to detect connected messages without a MAC, and repeated overshadowing messages, as described in the Detection section of the AdaptOver paper. Unfortunately LTrack was published just after we released the initial version of Radio Sentinel so it wasn't added, but we're continuing to improve it.
One big downside to the AdaptOver/LTrack style attacks is they require a signal at least 3dbm stronger than the real tower, which is not always feasible when dealing with noisy environments. This is a downside compared to traditional IMSI catchers that the victim directly connects to. In the AdaptOver paper they mention that even if the victim is 1km from the real tower, the attacker cannot be farther than 70m from the victim.
I‘m interested to see if Radio Sentinel could/will detect the new improved version! Would you be willing to provide us with a test version/device?
The only changes to the kernel required for our Radio Sentinel app are DIAG_CHAR=y when building.
Can you explain, how an IMSI catcher works on a protocol level?
1. Active interception. The IMSI catcher is actively transmitting data to the victim device and forcing it to connect, appearing to be a normal cell tower. These are the most common and can usually get a very accurate location. Because 4G and earlier don't require the tower to authenticate to the device, only the device to the tower, there really isn't any vulnerability required to do this. They use different tricks to entice the victim to connect or update its location ( e.g: falsely inflating it's signal strength, appearing to be the only tower in a location, increasing the frequency of location updates ) . Some of these techniques are mentioned in the "Warnings" section of another article describing our Radio Sentinel app: https://armadillophone.com/blog/radio-sentinel
2. Passive interception. The IMSI catcher doesn't transmit any data, or transmits very little data. It's able to gather data and location from the victim using unencrypted data sent over the control plane. These generally aren't able to extract as much data, or as accurately as active interception, but they're much harder to detect. Usually they aren't able to extract the device's IMSI for example. However, there was a recent paper describing a passive IMSI catcher that was both extremely hard to detect and great at tracking victims: https://www.usenix.org/system/files/sec22summer_kotuliak.pdf
If you'd like a more technical description about the techniques described I'd be happy to jump into that too.
