Thread level and score calculation - He3556/SDR-Detector GitHub Wiki
Thread Level, Score calculation
| NO. | description | score |
|---|---|---|
| 1.1 | Signal differ more than x% (default 20) | +50 |
| 1.2 | A new channel (ARFCN) is in use | +50 |
| 2.1 | LAC changed | +25 |
| 2.2 | LAC changed 2 times (each time) | +25 |
| 2.3 | Changed CID, MNC or MCC (same/used ARFCN) | +25 |
| 3.1 | Paging Counter, (tracking a IMSI) | +25 |
Details 1.1: The fake BTS had to raise its signal strength, so the mobiles would try to connect to the fake station. Signal Strength can differ over a (longer) period of time. Important to notice are quick changes. Details 1.2: A fake BTS could send on the same Channel (ARFCN of the original BTS) with a higher Signal Strength or it can use a free ARFCN and send with a common signal level.
Details 2.1: The “Changing LAC” is a common method to obtain the IMSIs from the surrounding actors. When a phone enters another LAC (Local Area Code) a procedure called “Location Update Request” is triggered. This informs the network of the actual LAC (if a incoming call or SMS occurs to a later time). Usually the TMSI (a temporary IMSI) is send to the network for data protection reasons. But there is a fall-back mechanism that let the mobile send its IMSI. This function is used by a fake BTS to catch IMSIs and to identify SIM cards (users) in this area. Details 2.3: A fake BTS does not need to use an existing CID or LAC – only the MNC and MCC must fit to a certain provider (for example, provider of the target person). If an amateur is using a fake BTS or the device is wrong configured, this can be detected easily.
Details 3.1: If one IMSI is being paged to many times. The counter shows the maximal page events per IMSI. This value is configured in the backend of the cell network and varies to other providers.