
Solution Proposition

In document + Cellular Attacks (Page 77-81)

SITCH Overview

Now, let's consider how these methods come together in SITCH. SITCH uses an SDR device for tracking the observed power of GSM channels. The SDR USB dongle used in development is the RTL-SDR-based NESDR XTR from NooElec. The open-source software tool used to operate the SDR dongle and process the signal is called Kalibrate.

Kalibrate typically is used for determining the frequency offset for an SDR device. This is necessary because the tuner components in software-defined radios are notorious for drifting high or low, sometimes just because of a variation in ambient temperature. I'm not using Kalibrate for determining frequency offset here, though.

Kalibrate produces a number representing the power of the signal for each channel it detects. For the remainder of this article, I refer to this channel as ARFCN, which stands for Absolute Radio Frequency Channel Number. Within each ARFCN, there is a frequency correction channel. This is what GSM radios use to calibrate themselves. Think of a musician using a tuning fork as a reference pitch for tuning a horn. The Frequency Correction Channel (FCCH) is what Kalibrate uses to produce a list of ARFCNs.

The SDR approach takes around seven minutes to scan an entire GSM band, and it can positively detect when a femtocell goes live nearby. Femtocells are the range-extender devices that your cell-phone provider will sell you if you have bad reception indoors. Although these devices often are legitimate, they haven't proven invulnerable. Live hacking of a femtocell has been demonstrated (https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/august/femtocell-presentation-slides-videos-and-app), and it's just as effective as an evil BTS at capturing communications traffic.

For a more subjective reading, SITCH interrogates a GSM radio to determine the BTSes it prefers to associate with, which takes into account more than just signal strength.

The use of a GSM radio can get results in seconds, which is far better than waiting the seven minutes required for the SDR scan, and with more detailed information than you get using Kalibrate. Where SITCH's SDR approach is lacking is in producing information you can use to identify a specific provider's network, like the Mobile Country Code (MCC) and Mobile Network Code (MNC), which are used to identify a specific cellular network service provider. The information provided by the GSM radio goes even further by providing MCC and MNC along with Location Area Code (LAC) and CellID (CID), and when these network identifiers are combined (MCC, MNC, LAC, CID), you get the Cell Global ID (CGI). You never should see the same CGI in two different locations.

The actual detection process happens in two stages. The first part occurs within the SITCH sensor itself. The information gathered is compared against two data feeds. One feed is derived from the FCC license database, which tells what frequencies are licensed to each provider and the geo-location of the tower permitted to operate on that frequency. The second data feed is the OpenCellID database (http://opencellid.org). This is a crowd-sourced feed of observed BTSes. Using these two feeds with the information you collect, you can determine the following:

• Is the observed ARFCN licensed to operate in this area? (ARFCN comes from both SDR and GSM radio observations.)

• Is the observation of this CGI in this area corroborated by the OpenCellID feed? (Comparing GSM findings and OpenCellID database.)

• Has there been a change in preferred BTS? (Tracking the GSM radio's preferred BTS.)

FEATURE: Cellular Man-in-the-Middle Detection with SITCH


• Has an ARFCN been observed over the site threshold I set? (Able to set a per-sensor ARFCN power threshold.)
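The four sensor-side questions above can be expressed as a small set of checks. This is an added example, not code from SITCH or from the article; the feed contents, coordinates, thresholds, alert names and function names are constructed assumptions.

```python
from math import asin, cos, radians, sin, sqrt

# Constructed sample feeds; not real FCC or OpenCellID records.
LICENSED_ARFCNS = {128, 181, 237}     # stand-in for the FCC-derived feed
OPENCELLID = {                        # CGI -> (lat, lon) of crowd-sourced sighting
    "310:410:4021:30117": (37.7793, -122.4193),
    "310:260:5100:22001": (47.6062, -122.3321),
}
SENSOR_POS = (37.7749, -122.4194)     # hypothetical sensor location
MAX_CGI_KM = 20.0                     # assumed corroboration radius
POWER_THRESHOLD = 1_000_000.0         # assumed per-sensor ARFCN power threshold

def km_between(a, b):
    """Haversine distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def check_sdr_scan(arfcn, power):
    """Checks for one SDR (Kalibrate-style) reading: licensing and power threshold."""
    alerts = []
    if arfcn not in LICENSED_ARFCNS:
        alerts.append("arfcn_not_licensed")
    if power > POWER_THRESHOLD:
        alerts.append("arfcn_over_threshold")
    return alerts

def check_gsm_cell(cell, previous_cgi):
    """Checks for the GSM radio's preferred BTS; returns (cgi, alerts)."""
    cgi = "{mcc}:{mnc}:{lac}:{cid}".format(**cell)   # MCC, MNC, LAC, CID combined
    alerts = []
    if cell["arfcn"] not in LICENSED_ARFCNS:
        alerts.append("arfcn_not_licensed")
    seen_at = OPENCELLID.get(cgi)
    # A CGI that is unknown, or known only far from this sensor, is uncorroborated.
    if seen_at is None or km_between(seen_at, SENSOR_POS) > MAX_CGI_KM:
        alerts.append("cgi_not_corroborated")
    if previous_cgi is not None and cgi != previous_cgi:
        alerts.append("preferred_bts_changed")
    return cgi, alerts

if __name__ == "__main__":
    home = {"mcc": 310, "mnc": 410, "lac": 4021, "cid": 30117, "arfcn": 181}
    rogue = {"mcc": 310, "mnc": 410, "lac": 9999, "cid": 1, "arfcn": 514}
    cgi, alerts = check_gsm_cell(home, None)
    print(cgi, alerts)
    print(check_gsm_cell(rogue, cgi))
    print(check_sdr_scan(514, 2_500_000.0))
```

The distance test is what turns "you never should see the same CGI in two different locations" into an alert: a CGI that OpenCellID places far from the sensor is treated the same as one it has never seen.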

In addition to tracking cellular network information, functionality recently has been added to detect GPS spoofing (http://www.rtl-sdr.com/spoofing-gps-locations-with-low-cost-tx-sdrs), using GeoIP and a GPS dongle.

GPS spoofing has a great potential for mischief, especially if used to defeat geolocation-based phone unlocking, like Google's Trusted Places (http://www.androidcentral.com/how-add-trusted-place-android-lollipop).

The second method of detection happens in the service side of SITCH. I'm using a time-series database to track measurements over time, and I can use this to find anomalies. This is especially useful for tracking ARFCN power as reported by Kalibrate.

SITCH System Details

SITCH was designed so that once you have the back-end services set up, it is as simple as plugging components into a Raspberry Pi, imaging and installing an SD card, and providing power and connectivity to the device. Device updates are managed by a service called Resin.io, so ideally, you never have to touch the device again, except to decommission it. No more SD card re-imaging to update the software -- it's all delivered automatically to all of your sensors within minutes of building the new version of the software.

All the telemetry information flows up to the service (which you host with your favorite cloud provider). Alerts generated by the system are delivered through Slack, and you optionally can forward the collected information to the log aggregation or SIEM system of your choice, provided there's a Logstash output plugin that will facilitate the information delivery for you.

The service side of the SITCH system is composed of a few components. Resin.io is used for managing the device software and runtime variables. Elasticsearch, Logstash, Kibana (ELK) stack is used for aggregation and storage. Graphite and InfluxDB are interchangeable in the SITCH service. However, testing uncovered the hazard of using Graphite/Whisper, which allocates files for the entire lifecycle of a metric as soon as it's first observed, in an environment where the metric namespace can rapidly expand. Slack is used for alerting. Vault (https://www.vaultproject.io) is used for the secure distribution of certificates and keys to sensors.


Although it sounds like a lot to manage, much of this has been containerized and automated to get you up and running rapidly.

The SITCH sensor itself is based on the Raspberry Pi platform. SDR functionality is provided by a USB RTL-SDR device (http://www.nooelec.com/store/sdr/sdr-receivers/nesdr-xtr-rtlu-e.html). The GSM modem used in testing is a SIM, but the AT command set used for interacting with the modem is general enough that many GSM modems will work.

Figure 1. One code push to Resin causes all sensors to update, hands-free.

Figure 2. Kalibrate Scan Results Viewed in Elasticsearch
