CellularPrivacy / Android-IMSI-Catcher-Detector

AIMSICD • Fight IMSI-Catcher, StingRay and silent SMS!
https://cellularprivacy.github.io/Android-IMSI-Catcher-Detector/
GNU General Public License v3.0
4.75k stars 948 forks source link

Detection 3: Changing Signal Strength #97

Open E3V3A opened 10 years ago

E3V3A commented 10 years ago

A rapid change in signal strength when phone is not rapidly moving or "accelerating" and when the currently connected technology (LAC/CID/channel etc) remains the same, would indicate an abnormal and suspicious behavior.

However, a changing signal strength is a very bad indicator all by itself, at least for any phone not laying perfectly still, with people around staying perfectly still, which is a very unlikely scenario. Just waving your hand in front of your phone laying on a table can easily change the received signal strength.

Thus signal signal strength will not be used alone, but in combination with other variables.

Device dependence.

Unfortunately signal strengths is device dependent and thus pretty useless, apart showing your signal bars. In order to make any use of this, a relative signal strength may be more appropriate, where relative changes of several dBm would be more interesting.

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

rtreffer commented 10 years ago

Another idea for this: Celltower report.

If you can get a full celltower report a single highly volatile dbm (while other dbm measurements are stable) would indicate a "mobile" tower.

SecUpwN commented 10 years ago

Thanks for chiming in, @rtreffer. This sounds interesting, how to get a full celltower report? Any code or projects you can recommend us to be reviewing or people to talk to about this?

rtreffer commented 10 years ago

@SecUpwN See getNeighboringCellInfo() and getAllCellInfo ().

This won't work on all phones. The result should be the same as a celltower report (strength of all cells around you).

If you poll that data you'll be able to find cells that move differently than most others. If you participate in a demonstration an IMSI-Catcher might have a stable dbm count while all other cells should be more unstable (or move out of sight).

AlexHarrowell commented 10 years ago

Needs careful sensing of device movement, which may mean lots of GPS polling.

rtreffer commented 10 years ago

@AlexHarrowell Not really. Detailed tower information is a working substitude for GPS. I've written https://github.com/rtreffer/LocalGSMLocationProvider which does exactly that (although I'll have to write a more battery friendly version). But yeah, the celltower report is a battery hog.

SecUpwN commented 10 years ago

Nice GitHub, @rtreffer - following you now! So you are basically saying that your LocalGSMLocationProvider does exactly provide the query of the full cell tower report? Not wanting to push you or anything, but could you have a look at our codebase, please? Would love to receive your pull request for this, I'm sure @E3V3A can provide some more insights if this approach is useful or not.

E3V3A commented 10 years ago

@rtreffer Can you post an example output from getNeighboringCellInfo() and getAllCellInfo ()? I doubt this will work an API <19. It doesn't provide any info on my API 17...

rtreffer commented 10 years ago

Sorry for the noise, it is used by Android-IMSI-Catcher-Detector, at least for the Neighboring Cells fragment. This won't work as implemented though, as the call to getNeighboringCells() may return an empty result (although it works well on my Nexus 4 after some time).

I've created a pull request that calls the getNeighboringCells more aggresively. Note that Samsung devices are known to ignore the call.

The pull request makes it possible to see neighboring cells directly after bootup (after a short lag).

PS: The layout is somehow b0rked on my N4?

E3V3A commented 10 years ago

@rtreffer Great I just checked and commented on your pull request. The neighboring cells is a different issue from this (signal strength). So I opened a new issue #100 and copied your post above to there. Also if you have a layout problem, please open a separate issue for that.

He3556 commented 10 years ago

This is a first simple draft to start implementing this issue.

detection issue signal strength 3 2

SecUpwN commented 10 years ago

@He3556, that's an awesome draft! Voting to include it in the General Overview.

E3V3A commented 10 years ago

At least for me the Tower Collector app work well presenting the Signal Strengths. And according to several sources, the getNeighboringCells() call doesn't work on most Samsung devices. In addition, on those Smasungs it is possible that not all SignalStrength functions work either. There are 5+1 of them:

SignalStrength
CellSignalStrength
CellSignalStrengthCdma
CellSignalStrengthGsm
CellSignalStrengthLte
CellSignalStrengthWcdma (API 18)
jh2910 commented 10 years ago

@He3556 , I'm confused.... I guess since Signal Strength changes a lot because of many variables, @E3V3A wants to get Signal Strength with other elements.. And I guess you made a draft to solve this question.. Ultimately it seems that we need to get Detection Table from the draft. But I have a question... What is the reason for detecting strange signal strength values and getting dbm difference to av. Signal Strength + absolute value on Signal Strength Table and Positive detection Table? And What is the reason for getting average deviation?? Could you explain a little bit? Thank you.

E3V3A commented 10 years ago

Hi @jh2910, and welcome to our discussion. The answer to your question is: "Why Shouldn't we?" I would be quite worried if I was sitting at my local spy hangout with a signal of 5 and suddenly my signal goes to 10 from the "same" BTS. The signal strength detection feature is really a show-stopper for portable IMSI-catchers, as they can do nothing about it, apart trying to measure RSSI at every possible location of an area to be under surveillance, or already be there since some time before. In fact, setting your phone to prefer weaker or average cells, over stronger ones, would be a great advantage for detection.

SecUpwN commented 10 years ago

Thank you for explaining this a little bit better, @E3V3A. I am aiming at putting clarifications like yours about detection methods into our General Overview. In fact, please don't hesitate to edit that file!

In fact, setting your phone to prefer weaker or average cells, over stronger ones, would be a great advantage for detection.

Oh, I would love our App to be able to set the preferred signal strength values! Awesome feature!

Ueland commented 9 years ago

What is the current status of this? Is the draft still being considered, is it under implementation or is it "up for grabs" to implement?

E3V3A commented 9 years ago

@Ueland If there's nothing written here in the last 10+ days its definitely up for grabs!

Ueland commented 9 years ago

Aight, i will sit down and code it then do a PR when i got something to show you guys, then i will let you guys check and see if it is as wanted or not. The first thing i have noticed is that we should decide what time period a and b is.

I will use 10 and 30 seconds during development for easier debugging, bit i have no strong options on what it should be afterwards

E3V3A commented 9 years ago

I have just asked @He3556 (who made the flowchart) to further clarify the purpose of T_A and T_B. I suspect that T_A was intended to loop the test, but that should be done from the main detection "looper" (whatever its called and wherever that one is?). And that perhaps T_B is some kind of settling time for DB updates to finish or something. (So basically I have no clear idea.)

He3556 commented 9 years ago

sorry for my delay. A is the time between the single measurements of signal strength. In this time the array gets filled up (loop at the left side while B is not finished). B is the time when the array is full and calculation (functions in the green box) takes place. I hope i could help you.

And like i wrote under "Development Status" > "prepared working package": Detection of changing Signal Strength: Besides implementation, this needs lot’s of reasearch and testing, if this is a possible way for detection and how it works on different phones (meassurement of signal strength)

E3V3A commented 9 years ago

So do you see this as a parallel thread to main detection loop then? Because, if not, it will block all other detections while running? (Perhaps I'm just missing something how these things are usually done in Java.)

He3556 commented 9 years ago

We could also implement it inside the loop. Counting the loops (A) before calculation (B) takes place. But then we will have a big rate of measurements. This would be better if we have to detect a short peak in the signal (see the red flash in the diagram) But for the calculation of average values (green box) it is not really necessary. And it will consume more computing power. So a thread for measurements (green box) would be better and the detection (red flash) we could place inside the loop. What does @Ueland and @tobykurien think about that approach?

Ueland commented 9 years ago

The CellTracker has a listener that triggers when signal strength change is detected, my suggestion is to let that class send the new signal to a SignalMonitor class that takes it in, but only stores it for later processing if last received signal strength was >=T_A seconds ago. The same function will also process all saved signal entries when appropriate time T_B has gone by. (The SignalMonitor should also only save signal changes received while the device is not moving, but that will also require a T_C, time without movement before saving signal measurements)

E3V3A commented 9 years ago

Yep, the movement thing has to be handled correctly. Many measurements are useless when device is moving, so in general we should have a no-movement requirement when doing an accurate scan. For movements we can only hope to collect some of the items on the Detection List (# 230).

He3556 commented 9 years ago

yes sounds good. we already check movement when we get the current location. Maybe we can interact with that function?

Ueland commented 9 years ago

I have started writing some code for this feature here: https://github.com/Ueland/Android-IMSI-Catcher-Detector/blob/SignalStrengthMonitor/app/src/main/java/com/SecUpwN/AIMSICD/utils/SignalStrengthMonitor.java

This will let CellTracker send new signals each time they change, but it will decide for it self if it want to use them based on last data recieved and device movement status.

He3556 commented 9 years ago

wow, that was quick. And everything is well commented. Can't find anything missing. Now we just need to compare the average value and the current signal strength, so the boolean "isMysterious" can result in "true". Or did i miss anything?

tobykurien commented 9 years ago

FYI, The AccelerometerMonitor is a movement sensor - I added that specifically to save battery power by not doing GPS requests when the device isn't moving. I am sure it can be repurposed here.

Ueland commented 9 years ago

@He3556 Correct, it is just pretty much skeleton code now, not sure how much i can get done with it before the week end though.

@tobykurien Hopefully :) Use the accelerometer if present, fall back to GPS if not.

Ueland commented 9 years ago

I have gone a bit off from the original draft after i started coding and looking into it, i will (for now) save the cell signal data in DB then calculate the average strength when needed (then cache it)

I have also noticed that i always get 99DB as the signal strength from the CellTracker, while RF Signal Tracker gives more expected results. Gotta check that out.

SecUpwN commented 9 years ago

Thanks for digging deeper into this and polishing up our code, @Ueland!

Ueland commented 9 years ago

Should i push my changes when ready straight into this repository or do you want me to keep it in a pull request for now? :)

Ueland commented 9 years ago

The cell signal strength monitor now works for me, and is ready to be pushed into the repo if wanted. Now we only need to figure out how/where/what we are going to use it ;)

SecUpwN commented 9 years ago

@Ueland, please stay with pull requests until @tobykurien has reviewed some more of your commits. I know your code is always awesome, but I'd like to have at least one professional coder have a look at it before merging directly. Once @E3V3A and @tobykurien allow you to always push directly, you are very welcome to do so. Please make sure you describe pull requests and merges thoroughly and add good code comments (I know you do). After you've pushed your latest changes I will bump the version and make a plan on which Issues to fix next. I cannot thank you enough for keeping such fast pace. :+1:

Ueland commented 9 years ago

Aight, no problem :)

He3556 commented 9 years ago

@Ueland thank's a lot! I know you are also a professional coder but it is good when somebody else take a look. Is there any output to the log?

As the LAC detetection is happening in the AIMSICDDBAdapter.java - maybe we can put all the detections in a extra class?

Let me know what you think about it @Ueland and @tobykurien ?

Ueland commented 9 years ago

Agreed :) And yes, loads of log data tagged with SignalStrengthMonitor, both informal and debugging levels.

SecUpwN commented 9 years ago

@Ueland, will #243 completely fix this Issue or is there something else missing afterwards?

Ueland commented 9 years ago

@SecUpwN: As @E3V3A mentions, "Thus signal signal strength will not be used alone, but in combination with other variables.", so i would say that this issue is not fixed until we actually have it in use somewhere.

E3V3A commented 9 years ago

Yes, we have to first check how it logs the signal strength, then we have to give it a score to add to the final detection status.

E3V3A commented 9 years ago

I just want to add some new OCID info from here.

GSM     RSSI in dBm in the range of [-51 to -113] or ASU in the range of [0 to 31]
UMTS    RSCP in dBm in the range of [-25 to -121] or ASU in the range of [-5 to 91]
LTE     RSRP in dBm in the range of [-45 to -137] or ASU in the range of [0 to 95]
CDMA    RSSI in dBm in the range of [-75 to -100] or ASU in the range of [1 to 16]

RSSI = Received Signal Strength Indication
RSCP = Received Signal Code Power
RSRP = Reference Signal Recieved Power
RSRQ = Reference Signal Received Quality (N x RSRP / RSSI)

[1] http://en.wikipedia.org/wiki/Received_signal_strength_indication [2] http://en.wikipedia.org/wiki/Received_signal_code_power [3] http://www.sharetechnote.com/html/Handbook_LTE_RSRP.html [4] http://s4gru.com/index.php?/blog/1/entry-308-rssi-vs-rsrp-a-brief-lte-signal-strength-primer/ [5] http://www.laroccasolutions.com/training/78-rsrp-and-rsrq-measurement-in-lte

But I don't suggest to do anything about this, right now. Just keep in mind that this SS business is not so trivial when considering different RAT, especially if phone get downgraded from 3/4G to 2G, or connects to a different BTS. So if we compare SS values, we have to compare them for the same RAT, which make the use of the EventLog and DBi_measure::rx_level tables crucial.

amolanil1234 commented 6 years ago

@E3V3A from the previous comment is this Implemented ? How do we get RSCP ? I think getting RSCP is more precise ans RSSI for the signal strength will also consider noise in the path.

amolanil1234 commented 6 years ago

3GPP TS 27.007 REL10 Section 8.69 will surely help in this regards. Can we extend android.telephony.CellSignalStrengthWcdma() based on this ?

milmarll commented 3 years ago

Some project in which to immerse myself to measure the intensity of the cellular signal, I was looking for NetMonster that is the ideal in github but it is not available in its repository. Does anyone know of any?