Phones automatically connect to any unencrypted BTS? This is really insane. I thought service providers provisioned the SIM card with whitelisted and authenticated providers, or only tunnelled their traffic securely through foreign networks. This is way too easy. Are there apps to detect such things?
EDIT: found 2 apps claiming to be able to detect this.
Newer systems using 3GPP-type authentication (LTE, and I think UMTS) require mutual authentication between the SIM and the network (details in [1] section 6.3). If the network doesn't provide a satisfactory AUTN, the mobile can't proceed with connecting to the network because later steps in the connection procedure need some keys derived from the authentication procedure.
I think in older GSM-derived systems, the SIM just computed an authenticator based on a nonce provided by the network.
I know for sure that CDMA (IS-95 and 2000) and later AMPS systems supported one-way authentication or not, as selected by the network.
I've heard rumors that attackers have to force a protocol downgrade to something without mutual authentication by jamming the legitimate signal. The other options for the attack would seem to include:
- obtaining the secret key value (or a set of authentication vectors) from the legitimate network.
- obtaining K from SIM manufacturers, which has happened [2].
- exploiting implementation defects in SIMs or mobiles.
Either of these seems more difficult to obtain than the actual locations that the attackers claim to want.
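As an added illustration of the AUTN check this reply refers to (example code, not from the post or from 3GPP): the USIM only accepts a network whose AUTN carries a MAC computed under the shared key K and a fresh sequence number, so a cell that does not hold K fails the check. The MILENAGE f1/f5 functions are stood in for by HMAC-SHA256 truncations; that substitution and the network_challenge/ue_verify names are assumptions made for this example.

```python
import hmac
import hashlib
import secrets

# Assumption (example code): real f1/f5 are MILENAGE (AES-based); HMAC-SHA256
# truncations stand in here, keeping the AUTN layout (SQN xor AK || AMF || MAC).
def f1(k: bytes, rand: bytes, sqn: bytes, amf: bytes) -> bytes:
    """Network authentication code MAC-A (64 bits)."""
    return hmac.new(k, rand + sqn + amf, hashlib.sha256).digest()[:8]

def f5(k: bytes, rand: bytes) -> bytes:
    """Anonymity key AK (48 bits) that conceals SQN on the air interface."""
    return hmac.new(k, b"f5" + rand, hashlib.sha256).digest()[:6]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def network_challenge(k: bytes, sqn: int, amf: bytes = b"\x80\x00"):
    """HSS/AuC side: build the (RAND, AUTN) pair for the Authentication Request."""
    rand = secrets.token_bytes(16)
    sqn_b = sqn.to_bytes(6, "big")
    autn = xor(sqn_b, f5(k, rand)) + amf + f1(k, rand, sqn_b, amf)
    return rand, autn

def ue_verify(k: bytes, rand: bytes, autn: bytes, last_sqn: int) -> str:
    """USIM side: accept the network only if AUTN proves knowledge of K and is fresh."""
    sqn_b = xor(autn[:6], f5(k, rand))          # unmask SQN with AK
    amf, mac = autn[6:8], autn[8:16]
    xmac = f1(k, rand, sqn_b, amf)              # recompute expected MAC
    if not hmac.compare_digest(xmac, mac):
        return "MAC failure"                    # sender does not hold K
    if int.from_bytes(sqn_b, "big") <= last_sqn:
        return "Synchronisation failure"        # stale or replayed vector
    return "accepted"

if __name__ == "__main__":
    k = secrets.token_bytes(16)                 # constructed subscriber key
    rand, autn = network_challenge(k, sqn=42)
    print(ue_verify(k, rand, autn, last_sqn=41))          # accepted
    rand, autn = network_challenge(secrets.token_bytes(16), sqn=999)
    print(ue_verify(k, rand, autn, last_sqn=41))          # MAC failure
```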
I now also read about "femtocells", used among others by Verizon (which devices have been hacked), that customers use to extend signal coverage. It is an interesting topic overall. I think I will dive more into it...
It's moderately interesting how these work; they basically check if you're connecting to a "new" tower.
Another app is called aimsicd, I use it personally. Not paranoid, but there's no reason not to use it really. No noticeable drain on battery, and it would be interesting to know if it ever did throw anything.
https://play.google.com/store/apps/details?id=com.skibapps.c...
https://play.google.com/store/apps/details?id=de.srlabs.snoo...