Visualizing Seaglass IMSI Catcher Detection Scans

Background

The Seaglass project is an initiative to collect information about the cellular network in a particular region with the goal of identifying anomalies that might be due to the deployment of so-called IMSI catcher devices.

Also known as Stingrays, these devices are a known surveillance tool employed by criminals and spies and by governments without sufficient public oversight.

IMSI catchers work by tricking cell phones in their vicinity into connecting to them instead of to legitimate cellular towers. The Stingray then receives the unique IMSI number of the phone, which can be easily associated with the identity of its owner. Thus, operators can learn who has visited a particular location where such a device is deployed.

A premise of the Seaglass project is that the use of IMSI catcher devices can be identified by finding anomalies in the configuration of cellular towers. Even though Stingrays aim to mimic the behavior of legitimate cells, they are often misconfigured both on purpose and by mistake. For instance, some IMSI catchers might try to convince cell phones to connect to them by claiming that they are broadcasting at a higher power. At other times, their operators might not know how to properly match the complicated behavior of the GSM protocol that cell phones use.

Instructions

  1. To populate the map, select a field from the drop-down and a value of interest by clicking on the corresponding bar.
  2. Each point on the map represents a single measurement from a particular cell and unique cells are identified by different colors.
  3. Clicking on a point of interest filters the measurements so that only those from that particular cell are shown.
  4. The slider selects which days to show measurements for.

Click on a bar to visualize all measurements from all cells with the selected field and value.

More details about this visualization

This interactive visualization allows for exploratory analysis of data collected by Seaglass sensors that passively record the GSM packets that cells are broadcasting. First, users can select the GSM packet field they are interested in and see a distribution of values that this field took on over the entire course of data collection. The y-axis plots the number of cells that have been recorded as broadcasting the corresponding value on the x-axis at least once (so there is some intentional double-counting).

Next, users can click on any outliers that they notice - values that only a few cells broadcast - in order to explore further. When they do that, the map further down visualizes all measurements of cells that took on that value. Each dot now represents a unique scan that received a GSM packet with that field set to the selected value.

Users can also use the slider to go through the different days on which data was collected. This merging of temporal and spatial information allows anybody looking at the data to quickly look for anomalies in when and where measurements with that field value were picked up. For instance, an IMSI catcher might show up only for a day in a particular spot and then disappear - behavior that a regular cell tower would not exhibit.

Finally, if users are interested in only a single cell, they can click on the map to display only the measurements from that cell. They can go back by clicking the "Visualize all cells" button, which resets the visualization to their original selection of field and value.
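The same exploration can be done offline on exported measurements. The sketch below is an added example, not code from the Seaglass project: it builds the per-value cell counts behind the bar chart (including the intentional double-counting), picks out the outlier values, and then applies the day filter to find cells that were only seen briefly. The field name, cell ids, sample scans and the `max_cells`/`max_days` thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample scans (not Seaglass data). Each tuple is one measurement:
# (cell id, collection day, GSM field name, value broadcast in that field).
# "example_field" and the cell ids are hypothetical placeholders.
SCANS = [
    ("cell-A", 1, "example_field", 5), ("cell-A", 2, "example_field", 5),
    ("cell-A", 3, "example_field", 5),
    ("cell-B", 1, "example_field", 5), ("cell-B", 2, "example_field", 7),
    ("cell-B", 3, "example_field", 5),
    ("cell-C", 1, "example_field", 7), ("cell-C", 2, "example_field", 7),
    ("cell-C", 3, "example_field", 7),
    ("cell-D", 2, "example_field", 31),
]

def cells_per_value(scans, field):
    """Bar chart data: value -> set of cells that broadcast it at least once."""
    cells = defaultdict(set)
    for cell, _day, name, value in scans:
        if name == field:
            cells[value].add(cell)
    return dict(cells)

def rare_values(hist, max_cells=1):
    """Values broadcast by at most max_cells distinct cells (the outlier bars)."""
    return sorted(v for v, cells in hist.items() if len(cells) <= max_cells)

def days_seen(scans, cell):
    """All collection days on which any measurement from this cell was recorded."""
    return {day for c, day, _name, _value in scans if c == cell}

def short_lived_cells(scans, field, value, max_days=1):
    """Cells that broadcast the value and appear on at most max_days days."""
    hist = cells_per_value(scans, field)
    return sorted(c for c in hist.get(value, set())
                  if len(days_seen(scans, c)) <= max_days)

if __name__ == "__main__":
    hist = cells_per_value(SCANS, "example_field")
    for value in sorted(hist):
        print(value, len(hist[value]), sorted(hist[value]))
    for value in rare_values(hist):
        print("outlier", value, short_lived_cells(SCANS, "example_field", value))
```

A cell flagged this way is a lead for closer inspection on the map, not a confirmed IMSI catcher; a sensor that only passed a legitimate tower once will produce the same pattern.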