On Tue, Mar 28, 2017 at 12:27 AM, Tomcsányi, Domonkos <domi@tomcsanyi.net> wrote:

Hi Gerard

2017. márc. 28. dátummal, 9:10 időpontban Gerard Pinto <gerardfly9@gmail.com> írta:
> 2) I have been trying something different with OsmocomBB, osmo-sim-auth and Tor lately - I would like to hear your views on the same.
> Attack Model: Geo-Location Anonymous calling in GSM.
>
> Description:
> 1. The attacker uses OsmocomBB phone to make a call using a sim card service. (No sim card present in the phone).
> 2. For this, I have taken the SIM card outside OsmocomBB and re-written all SIM API's in osmo-sim-auth (which is the sim card service).
> 3. This sim card service is deployed over Tor network, so no one can actually know the location of the SIM card service.
> 4, The osmocombb connects to the network and uses this sim card service for authentication etc.
> 5. The whole setup of calling etc is initiated by the sim card service, which is itself behind Tor.
>
> 6. Now, This SIM card service can be used my multiple phones, so now you are not exactly going to track the phone since if I use the SIM card service to another phone (cell area) the DB entry in VLR has changed which says the location has changed.
> 7. My experiments worked well on a LIVE network, understanding the delay in Tor the network, still, the BTS was accepting RES response challenge from the SIM card service behind Tor - I still have to calculate the exact max acceptable delay in sending RES back to BTS to confirm this!

This is a very interesting idea, I like it! I wanted to mention the SAP protocol that is available in OsmocomBB's mobile app via a Unix domain socket since some time now. It might be even easier to use it for your idea. I used it via an external card reader and softSIM to provide a SIM card for OsmocomBB.

Cheers,

Domi