Changing LAC on same CID
Created by: He3556
The LAC (Location Area Code) identifies a group of cell towers (each with its own Cell ID), as in the picture below:
Step 1 of the IMSI-Catcher (picture 1): it masquerades as a real BTS and transmits with more power than the genuine one, so that a cell phone connects to it. But once the connection is established, the phone still identifies itself only with its TMSI (Temporary IMSI).
Step 2 of the IMSI-Catcher (picture 2): One possibility to get the IMSI:
- Change the LAC of the BTS (picture 2), so that the Location Update Procedure is initiated.
If the MSC (the controller of a group of BTSs) also changes with this location update, the phone has to send its IMSI; the same happens if the location update fails. See Figure 4.1.1.1 in 3GPP TS 23.012 [http://www.qtc.jp/3GPP/Specs/23012-520.pdf].
However, the Catcher-Catcher project raises a yellow or even a red flag if the LAC changes, so we really should implement this. It is also quite simple to do, because we already have the values LAC and Cell ID. If a Cell ID changes its LAC over time, we can show a yellow flag; if it changes more than once, we show a red flag. This happens while the IMSI-Catcher is collecting IMSIs, not when a call is established, so you don't have to be the victim to detect a fake BTS.
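The heuristic described above, written out as an added example (this is not code from the issue or from the project itself). It keeps, for each cell seen, the sequence of LACs that cell has announced and derives the flag colour from the number of changes: one change is yellow, more than one is red. The observation record, the class and function names, and the MCC/MNC/LAC/CID values in the sample are assumptions made for illustration.

```python
"""Detect LAC changes on the same Cell ID, as proposed in the issue above.

Added example, not part of the issue or of the project's own code. The
observation format, the function names and the sample values below are
assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Flag levels from the issue: first LAC change on a Cell ID = yellow,
# more than one change = red.
FLAG_NONE = "none"
FLAG_YELLOW = "yellow"
FLAG_RED = "red"


@dataclass(frozen=True)
class CellObservation:
    """One reading of the serving cell (field names are assumptions)."""
    ts: int    # seconds since an arbitrary epoch
    mcc: int   # Mobile Country Code
    mnc: int   # Mobile Network Code
    lac: int   # Location Area Code
    cid: int   # Cell ID


class LacChangeDetector:
    """Keeps, per (MCC, MNC, CID), the sequence of LACs the cell was seen with.

    A Cell ID is only unique within one operator's network, so MCC and MNC
    are part of the key; otherwise two operators' cells that happen to share
    a CID would look like a LAC change.
    """

    def __init__(self):
        self._lac_runs = defaultdict(list)   # key -> [lac, lac, ...], one entry per run
        self.events = []                     # (ts, key, old_lac, new_lac) per change

    def observe(self, obs):
        key = (obs.mcc, obs.mnc, obs.cid)
        runs = self._lac_runs[key]
        if not runs:
            runs.append(obs.lac)             # first time this cell is seen
        elif runs[-1] != obs.lac:
            self.events.append((obs.ts, key, runs[-1], obs.lac))
            runs.append(obs.lac)             # LAC changed for the same Cell ID
        return self.flag_for(key)

    def change_count(self, key):
        runs = self._lac_runs.get(key, [])
        return max(0, len(runs) - 1)

    def flag_for(self, key):
        changes = self.change_count(key)
        if changes == 0:
            return FLAG_NONE
        if changes == 1:
            return FLAG_YELLOW
        return FLAG_RED

    def flags(self):
        return {key: self.flag_for(key) for key in self._lac_runs}


# Constructed sample: cell 12345 is first seen with LAC 4711, then the same
# Cell ID is seen announcing LAC 9999, then LAC 4711 again. Cell 22222 is stable.
SAMPLE_OBSERVATIONS = [
    CellObservation(ts=0,   mcc=262, mnc=1, lac=4711, cid=12345),
    CellObservation(ts=30,  mcc=262, mnc=1, lac=4711, cid=12345),
    CellObservation(ts=60,  mcc=262, mnc=1, lac=4711, cid=22222),
    CellObservation(ts=90,  mcc=262, mnc=1, lac=9999, cid=12345),  # first change -> yellow
    CellObservation(ts=120, mcc=262, mnc=1, lac=4711, cid=12345),  # second change -> red
    CellObservation(ts=150, mcc=262, mnc=1, lac=4711, cid=22222),
]


def run_detector(observations):
    """Feed observations in order; return {key: flag} for every cell seen."""
    det = LacChangeDetector()
    for obs in observations:
        det.observe(obs)
    return det.flags()


if __name__ == "__main__":
    det = LacChangeDetector()
    for obs in SAMPLE_OBSERVATIONS:
        flag = det.observe(obs)
        print(f"t={obs.ts:>4} cid={obs.cid} lac={obs.lac} -> {flag}")
    for ts, key, old, new in det.events:
        print(f"LAC change at t={ts} for cell {key}: {old} -> {new}")
```

Two points worth keeping in mind when turning this into a real check. Operators do occasionally renumber location areas, which is why a single change only earns a yellow flag, and the per-cell history has to be persisted (the project's cell database would be the natural place) so that a change is still noticed after the app restarts. The check also only covers the case where the fake BTS reuses a known Cell ID; a cell that appears with a never-seen CID does not trigger it and needs a separate heuristic.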