IMSI catchers, devices that masquerade as cell phone towers and surreptitously grab identifying information from passing mobile phones, are an established part of surveillance. Law enforcement agencies around the world use the technology, and sometimes criminals deploy IMSI catchers too.
In response, plenty of developers have made Android apps that attempt to warn a user if their phone is connecting to an IMSI catcher. But new research claims that the most popular of these apps may not be all that effective.
"Currently available ICD [IMSI catcher detector] apps on the markets can be easily defeated by simple circumvention techniques and have limited technical capabilities due to no access to underlying hardware of the mobile phones," Ravishankar Borgaonkar, one of the researchers, told Motherboard in an email. "Hence be aware that ICD apps are not silver bullets to rely on due to these fundamental limitations."
Borgaonkar and Andrew Martin from the Department of Computer Science at University of Oxford, as well as Shinjo Park, Altaf Shaik, and Jean-Pierre Seifert from TU Berlin and Telekom Innovation Laboratories, looked at five different IMSI catcher detection apps. These included SnoopSnitch, Cell Spy Catcher, and GSM Spy Finder, all of which have been downloaded between 100,000 and 500,000 times each, according to Google Play Store figures. The researchers will present the work at the USENIX Workshop on Offensive Technologies on Tuesday.
The group made their own IMSI catcher framework, called White-Stingray, which can carry out attacks on 2G and 3G networks. (The name of the framework is a play on Stingray, a particularly popular brand of IMSI catcher.) The idea was to mirror similar capabilities of commercial IMSI catchers, by referencing catalogues and patent information, and see how well the detector apps stood up. However, Borgaonkar said he was not sure if all of the circumvention techniques the group deployed are available in devices on the market.
"Our results show that all tested five ICD apps have little protection against common attacking techniques," the research paper reads. As Borgaonkar mentioned, much of this is because these apps typically only have limited access to a host phone's capabilities; meaning that for more effective countermeasures, developers may need additional support from mobile operators themselves.
"I agree with the conclusion 'no app is perfect,'" Luca Melette, one of the researchers linked to the popular SnoopSnitch app, told Motherboard in an email. "Unfortunately receiving no funding and very little support from the community the app has not the highest priority." One of the other apps, Darshak, was actually Borgaonkar's own project.
As for the future, researchers are running a project called 5G-Ensure, which aims to address the problem of IMSI catchers on 5G networks.
"Hopefully in 5G, it will be more and more difficult to run these IMSI catchers at least," Borgaonkar told Motherboard.