Conversation
@jiska First, thanks for the nice talk at 37c3. I don't have an iPhone, but catching IMSI catchers is cool. OTOH it is also too late -- by the time you analyze your logs, the IMSI catcher already has your position logged.

Early GSM phones (like the Nokia 5110) had service menus with capabilities such as 'lock to specific cell tower' which could be used to prevent that -- just lock your phone to "known good" cells. Have you seen similar functionality in modern modems?

@pavel that would require patching CommCenter/rild if not even the baseband firmware. On iOS that means jailbroken (insecure) phones, on Android that might work with custom ROMs.

IMHO location tracking is not that severe. An RBS could take over the whole communication like SMS, Internet, etc. or be the entry point for RCE in the baseband firmware.


@pavel
Limiting cells to known good ones might not be feasible for protesters, journalists, etc. in practice.

Also, attackers could use the same "good" cell ID for an RBS. The phone would then attempt to connect to it, especially if it has a stronger signal. Indicators of compromise here would be the signal strength and, if the attacker does not collaborate with telcos, a failed authentication attempt. Both are used as detection criteria by CellGuard.

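As an added example (not CellGuard's code and not posted by anyone in this thread), here is a small Python check that applies the two indicators named above to modem observations: a cell that announces a known-good ID but arrives much stronger than that cell normally does, and a cell on which network authentication failed. The observation record layout, the per-cell baseline table, the constructed sample data and the 20 dB threshold are all assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass
class CellObservation:
    """One cell the modem camped on or measured (constructed format, an assumption)."""
    cell_id: str       # e.g. "MCC-MNC-LAC-CID" as logged by the modem
    rsrp_dbm: float    # measured signal strength in dBm (higher is stronger)
    auth_ok: bool      # whether network authentication completed successfully

# Assumed baseline: typical signal strength previously seen for each known-good cell.
# In practice this would be built up from the user's own history of observations.
BASELINE_DBM = {
    "262-01-1234-5678": -95.0,
    "262-01-1234-5679": -88.0,
}

# Constructed sample observations (not real log data).
SAMPLE_OBSERVATIONS = [
    CellObservation("262-01-1234-5678", -94.0, True),   # known cell, normal strength
    CellObservation("262-01-1234-5678", -60.0, True),   # known ID, 35 dB stronger than usual
    CellObservation("262-01-1234-5679", -90.0, False),  # known cell, authentication failed
    CellObservation("262-01-1234-9999", -70.0, True),   # no baseline for this cell
]

def indicators_for(obs, baseline, strength_delta_db=20.0):
    """Return the list of indicators that fire for a single observation.

    A cell ID without a baseline entry is not by itself suspicious (the user may
    simply have moved), so only the strength comparison is skipped for it.
    """
    reasons = []
    expected = baseline.get(obs.cell_id)
    if expected is not None and obs.rsrp_dbm - expected > strength_delta_db:
        reasons.append(
            f"signal {obs.rsrp_dbm - expected:.0f} dB stronger than baseline for this cell"
        )
    if not obs.auth_ok:
        reasons.append("network authentication failed")
    return reasons

def scan(observations, baseline, strength_delta_db=20.0):
    """Return [(cell_id, reasons)] for every observation with at least one indicator."""
    flagged = []
    for obs in observations:
        reasons = indicators_for(obs, baseline, strength_delta_db)
        if reasons:
            flagged.append((obs.cell_id, reasons))
    return flagged

if __name__ == "__main__":
    for cell_id, reasons in scan(SAMPLE_OBSERVATIONS, BASELINE_DBM):
        print(cell_id, "->", "; ".join(reasons))
```

Neither indicator is conclusive on its own: a legitimate cell can look stronger after a site upgrade, and authentication can fail for mundane reasons, so such a tool would report these as signals to review rather than as proof of an RBS.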
@jiska Dunno. Location tracking is easy to do on a mass scale, while you are defending against targeted attacks. The location tracking data are collected, and they'll probably find their way into bad hands sooner or later. I'd prefer not to be part of that database. Anyway, if you ever find a phone that can lock on to a given BTS, I'll be very interested :-).