SigN: SIMBox Activity Detection Through Latency Anomalies at the Cellular Edge
Anne Josiane Kouam, Aline Carneiro Viana, Philippe Martins, Cedric Adjih, Alain Tchana
TL;DR
This work addresses SIMBox-based international bypass fraud and its QoS/security impacts by proposing SigN, an edge-based detector that leverages latency anomalies in the LTE network attachment to identify decoupled SIMBox devices. The approach is grounded in a latency model where SIMBox decoupling introduces additional IP-path interactions during authentication, yielding a measurable gap (up to $23\times$ in minimum latency) between decoupled and coupled devices. Through a controlled, indoor/outdoor testbed with 12 smartphones and 7 SIMBox appliances, the authors show that authentication latency distribution robustly separates SIMBox-decoupled from coupled devices, even under varying transport protocols and network conditions; they also quantify the contributions from standard LTE procedures and Internet vagaries. SigN is presented as a practical, privacy-preserving solution that can be deployed at the cellular edge to monitor latency distributions online, enabling operators to detect and mitigate SIMBox activity without excessive computational overhead. The authors release their datasets and code to support reproducibility and future validation, highlighting substantial potential impact for operators seeking scalable edge defenses against SIMBox fraud.
Abstract
Despite their widespread adoption, cellular networks face growing vulnerabilities due to their inherent complexity and the integration of advanced technologies. One of the major threats in this landscape is Voice over IP (VoIP) to GSM gateways, known as SIMBox devices. These devices use multiple SIM cards to route VoIP traffic through cellular networks, enabling international bypass fraud with losses of up to $3.11 billion annually. Beyond financial impact, SIMBox activity degrades network performance, threatens national security, and facilitates eavesdropping on communications. Existing detection methods for SIMBox activity are hindered by evolving fraud techniques and implementation complexities, limiting their practical adoption in operator networks.This paper addresses the limitations of current detection methods by introducing SigN , a novel approach to identifying SIMBox activity at the cellular edge. The proposed method focuses on detecting remote SIM card association, a technique used by SIMBox appliances to mimic human mobility patterns. The method detects latency anomalies between SIMBox and standard devices by analyzing cellular signaling during network attachment. Extensive indoor and outdoor experiments demonstrate that SIMBox devices generate significantly higher attachment latencies, particularly during the authentication phase, where latency is up to 23 times greater than that of standard devices. We attribute part of this overhead to immutable factors such as LTE authentication standards and Internet-based communication protocols. Therefore, our approach offers a robust, scalable, and practical solution to mitigate SIMBox activity risks at the network edge.