SigN: SIMBox Activity Detection Through Latency Anomalies at the Cellular Edge

TL;DR

SigN is a new method that detects SIMBox fraud in cellular networks by analyzing latency anomalies during device attachment, effectively identifying malicious devices with high accuracy and robustness.

Contribution

Introduces SigN, a novel latency-based detection technique for SIMBox devices at the cellular edge, addressing limitations of existing methods and enhancing practical deployment.

Findings

SIMBox devices cause significantly higher attachment latencies.

Latency during authentication can be up to 23 times higher for SIMBox.

The method is effective in both indoor and outdoor environments.

Abstract

Despite their widespread adoption, cellular networks face growing vulnerabilities due to their inherent complexity and the integration of advanced technologies. One of the major threats in this landscape is Voice over IP (VoIP) to GSM gateways, known as SIMBox devices. These devices use multiple SIM cards to route VoIP traffic through cellular networks, enabling international bypass fraud with losses of up to $3.11 billion annually. Beyond financial impact, SIMBox activity degrades network performance, threatens national security, and facilitates eavesdropping on communications. Existing detection methods for SIMBox activity are hindered by evolving fraud techniques and implementation complexities, limiting their practical adoption in operator networks.This paper addresses the limitations of current detection methods by introducing SigN , a novel approach to identifying SIMBox activity at the cellular edge. The proposed method focuses on detecting remote SIM card association, a technique used by SIMBox appliances to mimic human mobility patterns. The method detects latency anomalies between SIMBox and standard devices by analyzing cellular signaling during network attachment. Extensive indoor and outdoor experiments demonstrate that SIMBox devices generate significantly higher attachment latencies, particularly during the authentication phase, where latency is up to 23 times greater than that of standard devices. We attribute part of this overhead to immutable factors such as LTE authentication standards and Internet-based communication protocols. Therefore, our approach offers a robust, scalable, and practical solution to mitigate SIMBox activity risks at the network edge.