Conversation

@qvidal01
Summary

This PR adds a new analyzer that tracks cell tower identities and detects suspicious changes that could indicate IMSI catcher deployment.

What it does

  • Extracts cell identity from SIB1 (System Information Block Type 1) messages:
    • E-UTRA Cell Global Identifier (28-bit cell ID)
    • Tracking Area Code (16-bit TAC)
    • PLMN (Mobile Country Code + Mobile Network Code)
  • Builds a baseline of known cells during the first 100 packets
  • Alerts when new/unknown cells appear after baseline period
  • Detects rapid cell changes (>10 changes in 50 packets), which could indicate a mobile IMSI catcher

Detection Capabilities

  • New cell detection: Low severity alert when a previously unseen cell appears
  • Rapid cell change detection: Medium severity alert when cells change suspiciously fast (potential mobile stingray in a vehicle)

Configuration

Enabled by default via config.toml:

[analyzers]
cell_fingerprint = true

Testing

  • Includes 2 unit tests for the analyzer
  • All existing tests pass

Future Enhancement Ideas (noted in code comments)

  • Compare against a known-good cell database
  • Track signal strength patterns
  • Correlate with GPS location (if available)

Test plan

  • All 21 tests pass including new analyzer tests
  • Manual testing on RC400L device (cross-compilation needed)

🤖 Generated with Claude Code

This analyzer tracks cell tower identities from SIB1 messages and alerts when:
1. A new cell appears after the baseline learning period (100 packets)
2. Cells are changing too rapidly (potential mobile IMSI catcher)

The analyzer extracts:
- E-UTRA Cell Global Identifier (28-bit cell ID)
- Tracking Area Code (16-bit TAC)
- PLMN (Mobile Country Code + Mobile Network Code)

Features:
- Baseline learning period to avoid false positives on startup
- Rapid cell change detection (>10 changes in 50 packets triggers alert)
- Low severity for new cells, Medium severity for rapid changes
- Configurable via `cell_fingerprint = true` in config.toml

This helps detect:
- Newly deployed IMSI catchers/stingrays
- Mobile IMSI catchers (rapid cell changes as vehicle moves)
- Suspicious cell tower infrastructure changes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
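As an added illustration of the two checks described in the PR text above (this is not code from the PR, whose diff is not shown on this page), the following stand-alone Rust sketch implements the stated thresholds: a 100-packet baseline, a Low alert on a cell first seen after the baseline, and a Medium alert when more than 10 serving-cell changes occur within the last 50 SIB1s. It assumes SIB1 has already been decoded into PLMN/TAC/cellIdentity fields; the names `CellFingerprintAnalyzer`, `observe`, `run` and `sample_capture` are hypothetical, and the sample capture is constructed, not real. The split of the 28-bit cellIdentity into a 20-bit eNodeB ID and an 8-bit sector follows 3GPP TS 36.413 and gives one handle on the neighbouring-cell question raised later in the thread: sectors of the same site share the eNodeB ID.

```rust
use std::collections::{HashSet, VecDeque};

/// Cell identity fields carried in an LTE SIB1 (cellAccessRelatedInfo).
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub struct CellId {
    pub mcc: u16,
    pub mnc: u16,
    pub tac: u16,
    /// 28-bit cellIdentity: upper 20 bits are the eNodeB ID, low 8 bits the sector.
    pub cell_identity: u32,
}

impl CellId {
    pub fn new(mcc: u16, mnc: u16, tac: u16, cell_identity: u32) -> Self {
        assert!(cell_identity < (1 << 28), "cellIdentity is a 28-bit field");
        CellId { mcc, mnc, tac, cell_identity }
    }
    /// eNodeB ID (20 bits): sectors of one site share it, so a "new" cell with a
    /// known eNodeB ID is more likely a neighbouring sector than a new transmitter.
    pub fn enb_id(&self) -> u32 { self.cell_identity >> 8 }
    /// Sector / local cell ID (8 bits).
    pub fn sector(&self) -> u8 { (self.cell_identity & 0xff) as u8 }
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Severity { Low, Medium }

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Alert {
    /// A cell not seen during the baseline period appeared.
    NewCell { cell: CellId, severity: Severity },
    /// More than `change_threshold` serving-cell changes inside the last `window` SIB1s.
    RapidCellChange { changes: usize, window: usize, severity: Severity },
}

pub struct CellFingerprintAnalyzer {
    baseline_packets: usize,
    window: usize,
    change_threshold: usize,
    packets_seen: usize,
    known: HashSet<CellId>,
    current: Option<CellId>,
    /// One flag per SIB1 in the sliding window: did the serving cell change on it?
    changes: VecDeque<bool>,
    /// Suppresses repeated rapid-change alerts while the count stays over threshold.
    rapid_active: bool,
}

impl CellFingerprintAnalyzer {
    pub fn new(baseline_packets: usize, window: usize, change_threshold: usize) -> Self {
        CellFingerprintAnalyzer {
            baseline_packets, window, change_threshold, packets_seen: 0,
            known: HashSet::new(), current: None,
            changes: VecDeque::with_capacity(window + 1), rapid_active: false,
        }
    }
    /// Thresholds as stated in the PR description: 100-packet baseline, >10 changes in 50.
    pub fn with_pr_defaults() -> Self { Self::new(100, 50, 10) }
    pub fn in_baseline(&self) -> bool { self.packets_seen < self.baseline_packets }

    /// Feed one decoded SIB1; returns zero or more alerts raised by this packet.
    pub fn observe(&mut self, cell: CellId) -> Vec<Alert> {
        let learning = self.in_baseline();
        self.packets_seen += 1;
        let mut alerts = Vec::new();
        // New-cell check: insert() is true only the first time this cell is seen.
        if self.known.insert(cell) && !learning {
            alerts.push(Alert::NewCell { cell, severity: Severity::Low });
        }
        // Rapid-change check over a sliding window of the last `window` SIB1s.
        let changed = self.current.map_or(false, |c| c != cell);
        self.current = Some(cell);
        self.changes.push_back(changed);
        if self.changes.len() > self.window { self.changes.pop_front(); }
        let n = self.changes.iter().filter(|&&c| c).count();
        let over = n > self.change_threshold;
        if over && !self.rapid_active && !learning {
            alerts.push(Alert::RapidCellChange { changes: n, window: self.window, severity: Severity::Medium });
        }
        self.rapid_active = over && !learning;
        alerts
    }

    /// Run a whole capture; returns (packet index, alert) pairs.
    pub fn run(&mut self, cells: &[CellId]) -> Vec<(usize, Alert)> {
        let mut out = Vec::new();
        for (i, &c) in cells.iter().enumerate() {
            out.extend(self.observe(c).into_iter().map(|a| (i, a)));
        }
        out
    }
}

/// Constructed sample capture (not real data): a stable home site during the baseline,
/// then an unknown eNodeB appears and the phone ping-pongs between it and home.
pub fn sample_capture() -> Vec<CellId> {
    let home_a = CellId::new(310, 410, 0x1234, 0x00ABCD01);
    let home_b = CellId::new(310, 410, 0x1234, 0x00ABCD02); // second sector, same eNodeB
    let stranger = CellId::new(310, 410, 0x1234, 0x00FFFF01); // unknown eNodeB
    let mut cap: Vec<CellId> = Vec::new();
    cap.extend(std::iter::repeat(home_a).take(60));
    cap.extend(std::iter::repeat(home_b).take(40)); // one change at packet 60, still learning
    cap.push(home_a);   // packet 100: back to a known cell, no alert
    cap.push(stranger); // packet 101: never-seen cell -> Low alert
    for i in 0..20 {    // packets 102..121: ping-pong -> Medium alert once the window exceeds 10 changes
        cap.push(if i % 2 == 0 { home_a } else { stranger });
    }
    cap
}

fn main() {
    let mut analyzer = CellFingerprintAnalyzer::with_pr_defaults();
    for (i, alert) in analyzer.run(&sample_capture()) {
        println!("packet {i}: {alert:?}");
    }
}
```

On the sample capture this raises exactly two alerts: the Low new-cell alert at packet 101 and a single Medium rapid-change alert at packet 109, when the 50-packet window first holds 11 changes; the `rapid_active` flag keeps the analyzer from re-alerting on every subsequent packet while the count stays high. Note what the sketch does not do, which is exactly what the reviewers ask about: a normal handover between two sectors of the same eNodeB, or walking past a site boundary, counts as a change just like a ping-pong to an unknown transmitter, so the threshold alone does not separate the two cases.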
@untitaker
Collaborator

@qvidal01 did you manually test that this does not generate false positives?

@qvidal01
Author

I haven't run into an actual stingray, so I've just been seeing if I can get a baseline for my area first with existing towers and then waiting to see if I get a different alert.

@untitaker
Collaborator

untitaker commented Dec 28, 2025

What I'm asking is whether you ensured this does not turn the line red even when no stingray is present.

@eabase

eabase commented Jan 4, 2026

Caution

Although this is important and very useful, this is also problematic as it's AI-generated and possibly not understood by the author.

@qvidal01
Many questions arise.

  • What data do you use for known "good" BTS cells?
  • How did you decide from above what is good vs bad? (specific criteria needed)
  • Why do you think only the first 100 packets are enough to build the baseline?
  • How long is your baseline "period", and what's the logic to determine it?
  • "Detects rapid cell changes (>10 changes in 50 packets)"
    Is this realistic? How does it compare to a real-life scenario without an IC?
  • How does this reconcile with neighboring cells?
