The Radio Sentinel app is our new solution, a combination of several offline heuristic detection methods designed to minimize false positives. It can detect not only IMSI catchers but also binary SMS, silent SMS and some SS7 attacks. You can read more in our followup article: https://armadillophone.com/blog/radio-sentinel
LTrack is one of the stealthiest IMSI catchers I'm aware of, because it's almost entirely passive, and the victim never actually connects to the attacker. Radio Sentinel can detect AdaptOver style attacks that use empty paging requests for the DoS and downgrade attacks.
We are working on further improving Radio Sentinel to also detect suspicious "Attach Reject" and "Identity Request" messages used by LTrack. We're also adding methods to detect connected messages without a MAC, and repeated overshadowing messages, as described in the Detection section of the AdaptOver paper. Unfortunately LTrack was published just after we released the initial version of Radio Sentinel so it wasn't added, but we're continuing to improve it.
One big downside to the AdaptOver/LTrack style attacks is they require a signal at least 3dbm stronger than the real tower, which is not always feasible when dealing with noisy environments. This is a downside compared to traditional IMSI catchers that the victim directly connects to. In the AdaptOver paper they mention that even if the victim is 1km from the real tower, the attacker cannot be farther than 70m from the victim.
There's a wide variety of attack methods, however most usually fall into one 1 of 2 types:
1. Active interception. The IMSI catcher is actively transmitting data to the victim device and forcing it to connect, appearing to be a normal cell tower. These are the most common and can usually get a very accurate location. Because 4G and earlier don't require the tower to authenticate to the device, only the device to the tower, there really isn't any vulnerability required to do this. They use different tricks to entice the victim to connect or update its location ( e.g: falsely inflating it's signal strength, appearing to be the only tower in a location, increasing the frequency of location updates ) . Some of these techniques are mentioned in the "Warnings" section of another article describing our Radio Sentinel app: https://armadillophone.com/blog/radio-sentinel
2. Passive interception. The IMSI catcher doesn't transmit any data, or transmits very little data. It's able to gather data and location from the victim using unencrypted data sent over the control plane. These generally aren't able to extract as much data, or as accurately as active interception, but they're much harder to detect. Usually they aren't able to extract the device's IMSI for example. However, there was a recent paper describing a passive IMSI catcher that was both extremely hard to detect and great at tracking victims: https://www.usenix.org/system/files/sec22summer_kotuliak.pdf
If you'd like a more technical description about the techniques described I'd be happy to jump into that too.
I fail to see how this is a major improvement over OMEMO? OMEMO is also an asynchronous multi-party chat algorithm, except it's already widely adopted by clients on several different platforms (Android, iOS, Windows, Mac) and has also received a significant amount of attention from security researchers.
OMEMO's cryptographic security has already been audited as well: https://conversations.im/omemo/audit.pdf . I should know as we (Pacific Research Alliance) funded the audit of OMEMO ;) . Auditing merely the protocol seems a little problematic, it's quite rare for vulnerabilities to be in an encryption protocol itself and much more common for it to be in the implementation. There doesn't seem to be any application which actually implements this library right now, let alone a network capable of supporting it. In OMEMO's case we also audited the OMEMO implementation in Conversations where it was originally conceived.
The only difference I can tell from their website is "Room consistency: Group chat participants are confident that they are in the same room". This seems like a pretty niche area to be concerned about, and in practice can be solved by a properly secured network. Although I am no cryptographer I believe OMEMO may offer the same quality as well, because all the messages must be encrypted for each participant, so at worst you could fake an identical room with identical participants, which doesn't really seem like a valid security problem.
While I love to see new research and further development into this area, it seems this is a little late to the party.
The technical details page says this works by running a VPN and intercepting all the traffic. Therefore it seems it would only work on unencrypted traffic.
This makes the following claim seem inaccurate:
> Our system is accurate, identifying 98.2% of leaks for the vast majority of flows in our dataset
There is no way <2% of the web and application traffic is encrypted. Bypassing all detection would be as easy as going to the HTTPS version of a website.
This also seems like it would pose a significant security risk as the servers would be a very juicy target to hack (holding all their customer's personal information and passwords) as well as ability for the staff themselves to surveil their users.