Another indicator of IMSI catcher activity (compare public IP with announced IP ranges)

[MatejKovacic]

There is an app, called Wiretap Detector that compares your public IP with the announced IP ranges of the mobile operator (of course, you should not be using VPN).

It is using ip.guide service.

With wget, you can get:

• ASN organization: wget -qO- ip.guide | grep -E 'organization' | sed -E 's/.*"([^"]+)".*/\1/'
• country: wget -qO- ip.guide | grep -E 'country' | sed -E 's/.*"([^"]+)".*/\1/'
• your public IP address: wget -qO- ip.guide | grep -E 'ip' | sed -E 's/.*"([^"]+)".*/\1/'
• ASN number of your network: wget -qO- ip.guide | grep -oP '"asn":\s*\K\d+'

Storing and comparing those data when there is some suspicious network change/activity, would be useful.

[MatejKovacic]

Actually, TP-Link devices have wget, which do not support HTTPS.

So, Go app would be a solution:

package main

import (
	"io"
	"net/http"
	"os"
)

func main() {
	// URL to fetch IP information
	url := "https://ip.guide"

	// Create a new HTTP GET request
	req, err := http.NewRequest("GET", url, nil)
	if err != nil {
		panic(err)
	}

	// Set the User-Agent header to mimic a browser request
	req.Header.Set("User-Agent", "curl/7.64.1")

	// Send the request using the default HTTP client
	client := &http.Client{}
	resp, err := client.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()

	// Check if the response status code is OK (200)
	if resp.StatusCode != http.StatusOK {
		panic("Failed to fetch IP information: " + resp.Status)
	}

	// Copy the response body to stdout
	_, err = io.Copy(os.Stdout, resp.Body)
	if err != nil {
		panic(err)
	}
}

Cross compile for ARM32:

GOOS=linux GOARCH=arm GOARM=7 go build -o ip_guide_arm32 ip_guide.go

It should return you a JSON with IP and network data:

{
  "ip": "xx.xx.xx.xx",
  "network": {
    "cidr": "xx.xx.xx.0/19",
    "hosts": {
      "start": "xx.xx.xx.1",
      "end": "xx.xx.xx.254"
    },
    "autonomous_system": {
      "asn": xxxxx,
      "name": "xxx d.o.o.",
      "organization": "xxx d.o.o.",
      "country": "SI",
      "rir": "RIPE NCC"
    }
  },
  "location": null

[cooperq]

I think this is a daemon we could integrate into rayhunter if we wrote it in Rust. My question is how up to date is the ip.guide service and is this likely to give us false positives? I would want to give it lots of thought and testing before integrating it into rayhunter since we very much want to avoid false positives.

[cooperq]

Also definitely would want to write this in rust for consistency across the project.

[MatejKovacic]

I guess ther eshould not be too much false positives. I believe that mobile networks are pretty much stable, i.e. ASN numbers, IP ranges and BGP data do not change very frequently.

But I agree, we need a lot of testing. This indicator could be introduced, but should have very low weight at the beginning (until tested enough). What do you think?

[cooperq]

hmm but wouldnt' this trigger if someone was connected to say a femto-cell? Perhaps not but I woudl want to test it.

The other concern I have is that this requires an active sim to connect to ip.guide service so we would need to make sure we don't run this heuristic on devices that don't have an active subscription. Other than that I'm fine with this and would welcome a PR for a heuristic with a low warning level for now.