SITCH: Inexpensive Coordinated GSM Anomaly Detection

Today's "interesting use case" is coming to you fresh from DEF CON 24, which just finished last weekend. If you haven't heard about it yet, DEF CON is the biggest annual hacker convention, which hosts a large number of computer security specialists and researchers, lawyers, students, hackers, and federal government employees. People often present their computer security related developments there, both software and hardware projects.

Ashmastaflash, a user, presented his project, which tries to answer the question:

In the last few years it has become easier and far less expensive to intercept and record cell phone conversations, so can we easily and inexpensively detect the presence of Man-in-the-Middle (MITM)-capable [GSM] devices?

He has built SITCH, which stands for Situational Information from Telemetry and Correlated Heuristics. It uses single-board or small computers (such as Raspberry Pi, Intel NUC, Odroid C1+ or XU4), together with a software-defined radio (SDR) and a GSM modem for signal detection.

SITCH hardware inventory

The image above illustrates the amount of hardware Ashmastaflash accumulated during the development process.

The software setup of the MkII version is outlined below. It uses both sensors, and includes data feeds within its "enricher" setup to perform the actual detection and intelligence.


MkII can perform quite fine-grained anomaly detection, being able to sense

  • GSM signal being over threshold,
  • signal strength being outside forecast based on time series,
  • unknown base station,
  • primary base station change, and
  • when the tower should be out of range but it isn't.

These allow it to tip the user off about a possible femtocell or other GSM network anomalies. And all in a ~$150 package: the MkII version was designed to run on Raspberry Pi 2, with NooElec NESDR (E4000) SDR and FONA 808 GSM peripheral devices. comes in the picture for device and firmware management. One can imagine having a number of such counter-surveillance devices around the facility or multiple facilities, and use to quickly bring up new devices, deploy changes to the detection software, or monitor the health of the devices (online/offline status, etc).
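As an added example (not SITCH's code and not from the presentation), the five checks listed above can be expressed as a per-scan detector run over constructed readings. The field names, thresholds, tower coordinates, and the mean-and-deviation band standing in for the time-series forecast are all assumptions.

```python
# Added illustration, not SITCH code; field names and thresholds are assumptions.
from math import asin, cos, radians, sin, sqrt
from statistics import mean, stdev

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 6371.0 * 2 * asin(sqrt(h))

def check_scan(scan, state, known_towers, sensor_pos,
               max_dbm=-50.0, max_km=35.0, z_limit=3.0):
    """Return alert names for one scan; `state` carries history between scans."""
    alerts = []
    cell, rssi = scan["cell"], scan["rssi_dbm"]
    if rssi > max_dbm:                                  # signal over threshold
        alerts.append("signal_over_threshold")
    history = state.setdefault("rssi", {}).setdefault(cell, [])
    if len(history) >= 5:                               # naive forecast: mean +/- z*sigma
        spread = max(stdev(history), 1.0)               # floor avoids a zero-width band
        if abs(rssi - mean(history)) > z_limit * spread:
            alerts.append("signal_outside_forecast")
    history.append(rssi)
    tower_pos = known_towers.get(cell)
    if tower_pos is None:                               # not in the tower feed
        alerts.append("unknown_base_station")
    elif km_between(sensor_pos, tower_pos) > max_km:    # heard, but listed far away
        alerts.append("tower_should_be_out_of_range")
    if scan["serving"]:                                 # cell the modem is camped on
        if state.get("primary") not in (None, cell):
            alerts.append("primary_base_station_change")
        state["primary"] = cell
    return alerts

# Constructed sample data: test-network cell IDs (MCC 001), made-up readings.
TOWERS = {"001-01-100-501": (37.7749, -122.4194), "001-01-200-777": (40.7128, -74.0060)}
SENSOR = (37.7793, -122.4193)
SCANS = ([{"cell": "001-01-100-501", "rssi_dbm": r, "serving": True}
          for r in (-80, -81, -79, -80, -82, -80, -45)] +
         [{"cell": "001-01-100-999", "rssi_dbm": -60, "serving": True},
          {"cell": "001-01-200-777", "rssi_dbm": -85, "serving": False}])

def run_demo():
    state = {}
    return [check_scan(s, state, TOWERS, SENSOR) for s in SCANS]

if __name__ == "__main__":
    for scan, alerts in zip(SCANS, run_demo()):
        print(scan["cell"], scan["rssi_dbm"], alerts)
```

The anomalous reading is appended to the history like any other, so a sustained change gradually becomes the new baseline; a deployment would decide whether flagged readings should be excluded from the forecast.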

SITCH deployment pipeline

For future work, he notes that if gnuradio and GR-GSM can be optimized for ARM, GR-GSM's scanner can be used in place of the current GSM modem. That would allow an SDR-only setup, with its improved flexibility for RF monitoring without specialized radio hardware.

Of course, there's a lot more to SITCH than this. If you're interested, check out the whole presentation or the detailed writeup in the SITCH whitepaper, and see the website and the source code on GitHub!

And also, follow Ashmastaflash on Twitter. :)

We love hearing about what do make with! Feel free to drop us a line any time at or chat with us on Gitter.
