Detection 2: Abnormal TMSI changes #93

Open
E3V3A opened this issue Jul 20, 2014 · 11 comments

Comments


E3V3A commented Jul 20, 2014

Under normal circumstances, the TMSI is saved to the SIM card and only changes occasionally (upon request) and when the modem is booted up in a different network environment. Most likely due to the BTS ..blah blah not finding your last TMSI in the VLR. However, this also occurs when a fake BTS is trying to force a location update. Thus if your TMSI suddenly changes you're more likely to be tracked by an IMSI-Catcher.

How to find the TMSI?

We can find TMSI by using either:

  1. The SIM Application Toolkit (SAT) AOS API for reading SIM card files
  2. The AT command for looking at AT files
  3. Looking at and using the modem debug output/interface.
  4. The ServiceMode app (if using a Samsung and some others)

Here's some code:
http://www.devlper.com/2009/07/reading-imsi-tmsi-iccid-mnc-mcc-and-lac-using-simreadrecord-api/

Difficulty: Some other parameters need to be monitored as well, to avoid false positives.

Relevant Documents:

  1. 3GPP ETSI 100-929


@SecUpwN SecUpwN changed the title Detection: Abnormal TMSI changes Detection 2: Abnormal TMSI changes Jul 20, 2014

andr3jx commented Jul 20, 2014

Here is described how to obtain TMSI and Kc using AT commands:
http://ferrancasanovas.wordpress.com/2014/01/28/get-kc-key-and-tmsi-number/
http://domonkos.tomcsanyi.net/?p=369


E3V3A commented Jul 30, 2014

@andr3jx Those don't work on my device, see latest post on XDA.


Ueland commented Dec 20, 2014

We could do the same here as discussed about the neighboring cells issue, simply do a try/catch for each known method until we get a working result back.


E3V3A commented Dec 20, 2014

Yes, I was thinking about this the other day. Since this is a more general problem we face, I suggest we build a Device Type Selector "module", to determine what device we are dealing with and select the most suitable (or available) mechanism. I've already produced a simple flow chart for this, and will hopefully upload it soon.


ga900 commented Aug 1, 2015

Forget detecting a catcher by TMSI change. In my country the TMSI is changed on one network at the beginning of any phone activity (call, SMS or even location update), on a second network at the end of a call. For other networks I will have to look at my notes... Suspicious behaviour is if a network that uses TMSI asks for access authorization with IMSI and IMEI on LAC change (and gives you a reject, e.g. forbidden LAC, afterwards).


E3V3A commented Aug 1, 2015

Hi @ga900 and welcome! Thanks for the useful comment. What country is that? It would be nice to list how various operators change the TMSI and the time between changes. Perhaps we should test for the TMSI NOT changing then?


ga900 commented Aug 1, 2015

Thanks for the welcome. For some personal reasons I would prefer not to name the country, but the TMSI change interval depends on phone activity. Test for an IMSI/IMEI (authorization) request on location update.


E3V3A commented Aug 1, 2015

> Test for an IMSI/IMEI (authorization) request on location update.

Unfortunately we don't have access to this info from API and we still don't have raw /dev/diag qmi data access.


ga900 commented Aug 1, 2015

That is a problem... as a catcher does not have a connection to the HLR, the only way to identify the phone/SIM card is asking for the IMSI/IMEI.
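The heuristic from the opening post, refined by ga900's point that TMSI reallocation on its own is routine while an IMSI/IMEI identity request on a LAC change (optionally followed by a reject) is the stronger signal, as an added example in Python. This is not the project's code; the `Observation` records are constructed test data and the field names are assumptions, since the thread notes the app cannot yet read identity requests from the Android API.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Observation:
    """One snapshot taken after a location update or call (constructed, not modem output)."""
    lac: int                          # Location Area Code the phone is camped in
    tmsi: Optional[int]               # None if the network fell back to IMSI/IMEI identification
    identity_requested: bool = False  # network sent an Identity Request for IMSI or IMEI
    lu_rejected: bool = False         # the location update was answered with a reject


def score_observations(obs: List[Observation]) -> List[Tuple[int, str]]:
    """Return (index, reason) alerts by comparing each observation with the previous one."""
    alerts: List[Tuple[int, str]] = []
    prev: Optional[Observation] = None
    for i, o in enumerate(obs):
        if prev is not None:
            tmsi_changed = o.tmsi != prev.tmsi
            lac_changed = o.lac != prev.lac
            # A TMSI change while staying in the same LAC is only a weak indicator:
            # operators reallocate the TMSI on ordinary activity (calls, SMS).
            if tmsi_changed and not lac_changed and not o.identity_requested:
                alerts.append((i, "weak: TMSI reallocated without LAC change"))
            # Strong indicator: the network asks for IMSI/IMEI during a location update
            # caused by a LAC change, which a catcher without HLR access must do.
            if lac_changed and o.identity_requested:
                reason = "strong: IMSI/IMEI requested on LAC change"
                if o.lu_rejected:
                    reason += " followed by LU reject"
                alerts.append((i, reason))
        prev = o
    return alerts


# Constructed sample trace: routine reallocation, a normal LAC change, then a suspicious one.
SAMPLE = [
    Observation(lac=1001, tmsi=0x1A2B3C4D),
    Observation(lac=1001, tmsi=0x1A2B3C4E),                # reallocated after a call
    Observation(lac=2002, tmsi=0x55667788),                # normal handover, no identity request
    Observation(lac=3003, tmsi=None, identity_requested=True, lu_rejected=True),
]

if __name__ == "__main__":
    for index, reason in score_observations(SAMPLE):
        print(f"observation {index}: {reason}")
```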

Mahmoudshakra commented

Hi E3V3A,
can you help me to get my TMSI? I tried to get it by "obtain TMSI and Kc using AT commands:
http://ferrancasanovas.wordpress.com/2014/01/28/get-kc-key-and-tmsi-number/
http://domonkos.tomcsanyi.net/?p=369" with no gain.


SecUpwN commented Jan 19, 2016

Good evening @Mahmoudshakra, E3V3A has left our project. Please do not contact him. Since our app is still in ALPHA development mode, you may not be able to issue the correct AT command through the AT Command Interface, but feel invited to try your luck. Maybe @ga900 can help you a bit here.
