Friday, April 3, 2015

AIMSICD vs SnoopSnitch & WebRTC Affects Mobile Users Too

The best security practices in the world may not protect your cellular communications, as it turns out. Even if you are running the most secure operating system in the world on your device, chances are your phone can still be used to spy on you, possibly even if the device is powered off. That's because of the baseband processor, which has its own small OS that is invisible, closed-source, insecure, and likely outdated.

The baseband is what controls the phone's radio functions, and hence all communications. The GPS, microphone, camera, and sensors are hardwired to it, and not much is known about how these chipsets work. However, over the last couple of years, significant progress has been made in reverse engineering them. The Android applications AIMSICD and SnoopSnitch are both capable of interacting with the baseband processors on a limited scale.

I have long been a fan of the AIMSICD project, despite limitations and the alpha development status. Recently, I discovered SnoopSnitch, which is another IMSI catcher detecting app. It currently only supports Qualcomm-based phones, and requires a rooted phone to function. I am pretty impressed with it, because as far as I know, it is the only application that is capable of determining what kind of (if any) encryption is being used on your mobile network. It also claimed to detect an IMSI-catcher attack that AIMSICD did not detect. Of course, it is hard to confirm these events; this is a science that, as of now, is not well understood.

When comparing the two, AIMSICD has more features and is more portable, although some of these features are still in development. SnoopSnitch works great if you have a rooted phone with a Qualcomm processor, while AIMSICD does not require root or any specific baseband chip. What it boils down to is it's a shame that the developers of both are not able to combine their efforts to give us one awesome app. SnoopSnitch was developed by Security Research Labs, and apparently they were not interested in working with AIMSICD. Still, it's a great app for rooted Qualcomm users. They also offer 'active testing', which determines network information by sending and receiving a few calls and texts to their servers. Interestingly, it was during one of those tests on the train home from Boston that I got an IMSI attack alert.

Oh, one other thing. When I reported that Android devices are not affected by the WebRTC vulnerability, that was incorrect. Apparently, unknown factors can cause IP leaks at times. Edit: This problem can be patched the same way that Firefox can be patched on a desktop computer. Navigate to about:config and toggle media.peerconnection.enabled to false.
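To check whether a browser still hands local addresses to web pages after the change, here is an added example (not from the original post or from either project). The function names and the sample candidate lines are constructed for illustration, and it assumes Firefox stops exposing RTCPeerConnection to pages once media.peerconnection.enabled is false.

```javascript
// Added example: classify the addresses a browser puts in WebRTC ICE candidates.
// SAMPLE is constructed (private and documentation ranges), not captured data.
const SAMPLE = [
  'candidate:0 1 UDP 2122252543 192.168.1.23 54321 typ host',
  'candidate:1 1 UDP 2122187007 10.8.0.6 54322 typ host',
  'candidate:2 1 UDP 1686052863 203.0.113.7 40000 typ srflx raddr 192.168.1.23 rport 54321',
  'candidate:3 1 UDP 2122252543 3f1c2a9e-0000-4000-8000-aaaaaaaaaaaa.local 50000 typ host',
];

// RFC 1918 and link-local IPv4, plus IPv6 unique-local (fc00::/7) and link-local (fe80::/10).
function isLocalAddress(ip) {
  if (ip.includes(':')) return /^(f[cd][0-9a-f]{2}|fe[89ab][0-9a-f]):/i.test(ip);
  const o = ip.split('.').map(Number);
  if (o.length !== 4 || o.some(n => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  return o[0] === 10 || (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) || (o[0] === 169 && o[1] === 254);
}

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/i.exec(line.trim());
  return m ? { address: m[5], port: Number(m[6]), type: m[7] } : null;
}

// Bucket each candidate address: raw local IP (a leak), public IP, or mDNS-obfuscated name.
function classify(lines) {
  const report = { local: [], public: [], obfuscated: [] };
  for (const c of lines.map(parseCandidate)) {
    if (!c) continue; // skip anything that is not a candidate line
    const bucket = c.address.endsWith('.local') ? 'obfuscated'
      : isLocalAddress(c.address) ? 'local' : 'public';
    if (!report[bucket].includes(c.address)) report[bucket].push(c.address);
  }
  return report;
}

// Browser only: gather this browser's own host candidates (no STUN server is contacted).
// Resolves to null when the page cannot see RTCPeerConnection at all.
async function selfCheck(waitMs = 2000) {
  if (typeof RTCPeerConnection === 'undefined') return null;
  const pc = new RTCPeerConnection({ iceServers: [] });
  const lines = [];
  pc.onicecandidate = e => { if (e.candidate) lines.push(e.candidate.candidate); };
  pc.createDataChannel('probe');
  await pc.setLocalDescription(await pc.createOffer());
  await new Promise(resolve => setTimeout(resolve, waitMs));
  pc.close();
  return classify(lines);
}
```

In the browser console, run `selfCheck().then(console.log)`; a result of `null` or an empty `local` list means no raw local address was exposed to the page.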


AIMSICD: A proof-of-concept app that helps identify mobile network attacks.


It gives detailed information about the base stations in your area, a feature SnoopSnitch lacks.


However, SnoopSnitch is unique in its ability to determine which cipher, if any, is being used on your mobile network.


Sample AIMSICD map snapshot, showing base stations relative to location.


SnoopSnitch seems to work well on Qualcomm phones, and picked up at least one event AIMSICD did not.

From ipleak.net, connected to a VPN (openvpn) and still leaking local IP addresses.
