IMSI Catchers and Mobile Security: What You Need to Know
In our increasingly connected world, where our smartphones are central to our daily lives, privacy concerns have never been more relevant.
While we’re aware of various surveillance methods, from security cameras to data collection practices, there’s one technology that often flies under the radar: International Mobile Subscriber Identity (IMSI) catchers.
These devices mimic cell phone towers, tricking our phones into revealing sensitive information.
By understanding how they work, the data they collect, and the potential risks they pose, we can take informed steps to protect our privacy.
In this article, we’ll shed light on how IMSI catchers work, the types of information they can collect, and how criminals use them. We’ll also discuss steps you can take to protect yourself.
What Is an IMSI Catcher?
As mentioned above, an IMSI catcher is a sophisticated surveillance device that mimics a cell phone tower, tricking nearby phones into connecting to it instead of a legitimate tower. It can then intercept data and track the location of those phones.
IMSI catchers go by many names, including “cell-site simulator,” “dirt boxes,” “rogue base stations,” and “fake cell towers.” They are also known as “Stingrays”.
The name Stingray comes from the brand name of a specific commercial model of IMSI catcher made by the Florida-based Harris Corporation (now L3Harris). This briefcase-sized device can be operated from a vehicle while plugged into the cigarette lighter.

Image Credit: Help Net Security
Although IMSI catchers have been around since the 1990s, their use has recently come under scrutiny. In the United States, law enforcement agencies have extensively deployed these devices to track suspects in drug and other criminal investigations.
However, their use has extended beyond criminal investigations: these devices have also been used to surveil Black Lives Matter protesters and activists opposing the Dakota Access pipeline.
If this technology can be used against protesters, it’s not out of the realm of possibility that these devices could fall into the hands of hackers seeking to steal personal information or conduct other malicious activities.
How Do IMSI Catchers Work?
For obvious reasons, government agencies and the companies that manufacture these devices are notoriously tight-lipped about their technical details.
As a result, most of the information available to the public comes from academic research and the efforts of ethical hackers attempting to reverse-engineer their functionality.
The exact methods used by more advanced cell site simulators (CSS for short) aren't public, but the key principles are well understood, and we'll discuss them in more detail below.
The core concept
Classic IMSI catchers operate in a relatively straightforward way. Their primary goal is to collect a specific piece of data: the International Mobile Subscriber Identity (IMSI). This is a unique number of up to 15 digits stored on every SIM card that identifies the subscriber to the mobile network. The first three digits are the Mobile Country Code (MCC), the next two or three are the Mobile Network Code (MNC) of the operator, and the remaining digits identify the subscriber within that operator.
The IMSI is written to the SIM when it is issued and identifies the subscriber on GSM, UMTS and LTE networks alike (5G replaces the over-the-air IMSI with an encrypted form, the SUCI, which is one reason catching is harder on 5G standalone networks). It is not the phone number: the phone number (MSISDN) can be ported to a different SIM card, while the IMSI stays with the SIM it was written to.
Here’s a breakdown of how they work:
- Mimicry: IMSI catchers exploit the way 2G (GSM) phones choose a cell. A phone camps on the strongest cell that advertises its operator's network code, and GSM gives it no way to check that the cell is genuine: only the phone authenticates to the network, never the other way round.
- Initial connection: When the phone sees the stronger signal, it reselects to the fake cell and starts a location update with it, exactly as it would with any new cell of its own network.
- Encryption negotiation: The cell site simulator asks the phone which encryption algorithms it supports (its "classmark"), then either ignores the answer or orders no encryption at all. We'll discuss this in more detail below. Without encryption, everything the phone sends over that connection can be read directly.
- "Catch": The fake tower then sends an Identity Request asking for the IMSI. The phone answers because a real network is allowed to ask for the IMSI whenever it has no record of the phone's temporary identity (TMSI), and the phone has no way to tell a fake request from a real one.
- Release: Once the IMSI is captured, the IMSI catcher rejects or drops the connection, and the phone falls back to the real network. The catcher then moves on to the next unsuspecting device, continuously gathering IMSIs from the surrounding area.
This is how the most basic IMSI catchers work — they collect IMSIs during the connection procedure, abort it, and move on to their next target.
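As an added illustration of the procedure above (example code written for this article, not software from any IMSI catcher or handset), the following Python models the exchange between a phone and a rogue base station. The cell names, PLMN code, IMSI and TMSI values are constructed, and the messages are simplified versions of the GSM 04.08 procedures named in the comments; there is no radio layer, no timer and no real cause code. It also splits the IMSI into its country, network and subscriber parts as described earlier.

```python
"""Simulated GSM identity catch: a phone, a real cell and a rogue cell.
Constructed example: message names follow GSM 04.08, but the exchange is a
simplification with no radio layer, timers or real cause codes."""
from dataclasses import dataclass, field
from typing import Optional


def split_imsi(imsi: str, mnc_len: int = 3) -> dict:
    """Split an IMSI into MCC / MNC / MSIN.

    An IMSI has at most 15 digits. The MNC is 2 or 3 digits depending on the
    country (3 in the US), which the caller has to know from the MCC.
    """
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15 or mnc_len not in (2, 3):
        raise ValueError("malformed IMSI")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


@dataclass
class Cell:
    name: str
    plmn: str        # MCC+MNC advertised on the broadcast channel
    rx_dbm: float    # signal level the phone measures for this cell


@dataclass
class Phone:
    imsi: str
    mnc_len: int = 3
    tmsi: Optional[str] = None   # temporary identity issued by the real network
    log: list = field(default_factory=list)

    def home_plmn(self) -> str:
        p = split_imsi(self.imsi, self.mnc_len)
        return p["mcc"] + p["mnc"]

    def select_cell(self, cells: list) -> Cell:
        # GSM cell selection: the strongest cell advertising the home PLMN.
        # Nothing in 2G lets the phone check that the cell is genuine.
        mine = [c for c in cells if c.plmn == self.home_plmn()]
        return max(mine, key=lambda c: c.rx_dbm)

    def location_update(self) -> dict:
        # The phone identifies itself by TMSI when it has one, IMSI otherwise.
        ident = {"tmsi": self.tmsi} if self.tmsi else {"imsi": self.imsi}
        return {"type": "LOCATION UPDATING REQUEST", **ident}

    def handle(self, cell: Cell, msg: dict) -> Optional[dict]:
        self.log.append((cell.name, msg["type"]))
        if msg["type"] == "IDENTITY REQUEST" and msg.get("identity") == "IMSI":
            # GSM 04.08: the phone must answer an IDENTITY REQUEST, and the
            # request arrives before any authentication or ciphering.
            return {"type": "IDENTITY RESPONSE", "imsi": self.imsi}
        return None


class RogueBTS:
    """Overpowers the real cell, asks each phone for its IMSI, then drops it."""

    def __init__(self, cell: Cell):
        self.cell = cell
        self.caught: list = []

    def serve(self, phone: Phone) -> None:
        req = phone.location_update()
        if "imsi" in req:
            # No TMSI on the phone: the IMSI arrives without asking.
            self.caught.append(req["imsi"])
        else:
            # The fake network has no TMSI->IMSI table, so it asks outright.
            resp = phone.handle(self.cell, {"type": "IDENTITY REQUEST", "identity": "IMSI"})
            self.caught.append(resp["imsi"])
        # Abort the procedure so the phone returns to the real network.
        phone.handle(self.cell, {"type": "CHANNEL RELEASE"})


def run_catch() -> tuple:
    """One phone, two cells on the same PLMN; the rogue cell is stronger."""
    real = Cell("real-bts", plmn="310260", rx_dbm=-85.0)
    rogue = Cell("rogue-bts", plmn="310260", rx_dbm=-60.0)
    phone = Phone(imsi="310260123456789", tmsi="0xA1B2C3D4")  # constructed values
    catcher = RogueBTS(rogue)
    if phone.select_cell([real, rogue]) is rogue:
        catcher.serve(phone)
    return catcher.caught, phone.log


if __name__ == "__main__":
    print(run_catch())
```

The point to notice is in `Phone.handle`: the phone hands over its IMSI to whoever asks, because the identity request is part of normal GSM signalling and is processed before any authentication. A phone that has no TMSI at all (first power-on, new SIM) doesn't even need to be asked.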
From here, more sophisticated attacks can be launched. Below, we’ll discuss four different types of attacks and how they are executed.
How Do Criminals Use IMSI Catchers?
#1 Intercepting communication
An IMSI catcher can be used to intercept the phone conversations and text messages of target mobile devices when they are sent over the air without encryption, or with encryption weak enough to break.
The general consensus is that this is only practical on a 2G (GSM) network, because GSM allows a network to run without encryption at all, and where the common A5/1 cipher is used it can be broken with precomputed tables in close to real time.
Key Point: 3G and 4G phones have much stricter security, most importantly mutual authentication: the phone checks that the network knows the secret key on its SIM before it will talk to it. An attacker therefore can't simply impersonate a 3G or 4G network and needs the more complex techniques discussed later to get a phone onto an IMSI catcher.
To execute this type of attack, the cell site simulator (CSS) must be able to situate itself between the phone and the legitimate cell tower. This is known as a “Man-in-the-middle” (MiTM) attack.
There are two steps:
- Spoofing authentication: The CSS needs to convince the network that it's actually the targeted mobile phone, which it does by relaying the network's authentication challenge to the real phone.
- Downgrading encryption: The CSS needs to make sure the traffic it relays ends up unencrypted, or encrypted with a cipher it can break, because it never learns the session key.
We’ll discuss these steps in more detail below:
Spoofing authentication
- At this point, the CSS has already obtained the target phone's IMSI (we discussed this above), and the phone is camped on the CSS's fake cell.
- The CSS connects to the legitimate cell tower as if it were a phone and starts a location update. Phones do this periodically throughout the day so that the network knows where to route calls and messages.
- The network asks the CSS to identify itself with an ID request. Here, the CSS steps in and answers with the stolen IMSI.
- Next, the network sends a random challenge (RAND) that can only be answered with the secret key (Ki) stored on the target's SIM card. The CSS can't compute the answer itself, so it forwards the challenge over its fake cell to the target phone; the phone's SIM computes the response (SRES) and returns it to the CSS, which passes it on to the network.
- The network accepts the response and authenticates the connection. Note what the CSS did not get: the session key (Kc) derived from Ki during this exchange exists only on the SIM and in the network, which is why the next step is needed.
Downgrading encryption
GSM networks use one of a family of encryption algorithms (basically, methods for scrambling data) to protect your calls and messages from eavesdropping over the air.
These algorithms have names like A5/1, A5/2 and A5/3. A5/0 means no encryption at all: your communication is sent in plain text, like a postcard anyone can read.
Which algorithm is used is chosen by the network from the list the phone reports in its classmark. Because the CSS sits in the middle, it can rewrite that list and tell the real network that the phone supports no encryption at all.
If the network tolerates that, it falls back to A5/0, meaning no encryption, and the attacker can read everything the target sends and receives. On its own leg towards the phone, the CSS simply orders A5/0 itself.
If the network insists on A5/1 rather than falling back, the CSS still has a path: A5/1 uses a 64-bit session key and has public weaknesses, and its keystream can be recovered with precomputed tables in close to real time.
Key Point: The good news is that many GSM networks now support the stronger A5/3 algorithm, and A5/2 was withdrawn from handsets and networks after practical attacks were published. A5/3 has academic attacks but no known practical over-the-air attack, so an operator that refuses A5/0 and prefers A5/3 closes this route. Whether your operator does so isn't something the phone shows you: the "ciphering indicator" that the GSM standard specifies is disabled on most SIM cards.
At this point, the CSS has completed the MiTM attack and can read the plain text messages being sent between the phone and the network.
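To make the negotiation concrete, here is an added Python example (not taken from any product or from the original article) of how the network picks a cipher from the capability list it is given, and what changes when a relaying CSS edits that list before forwarding it. The policy objects stand in for operator configuration and are assumptions; the sets of supported algorithms are constructed.

```python
"""GSM cipher-mode negotiation with a man-in-the-middle cell site simulator
that rewrites the phone's capability report. Constructed example; the policy
objects stand in for operator configuration and are made up."""
from dataclasses import dataclass
from typing import Optional

# Ciphers a phone can announce in its classmark. A5/0 is "no cipher" and is
# never announced; the network falls back to it only if policy allows.
ALL_CIPHERS = frozenset({"A5/3", "A5/1", "A5/2"})
# Outcomes an attacker can read: no cipher, or ciphers with practical attacks.
BREAKABLE = {"A5/0", "A5/1", "A5/2"}


@dataclass(frozen=True)
class NetworkPolicy:
    preference: tuple          # algorithms in the operator's preferred order
    allow_unencrypted: bool    # may the network fall back to A5/0?


LENIENT = NetworkPolicy(preference=("A5/3", "A5/1"), allow_unencrypted=True)
STRICT = NetworkPolicy(preference=("A5/3", "A5/1"), allow_unencrypted=False)


def choose_cipher(ms_supported: set, policy: NetworkPolicy) -> Optional[str]:
    """What the network announces in CIPHERING MODE COMMAND, or None if it
    refuses the connection because nothing acceptable is supported."""
    for alg in policy.preference:
        if alg in ms_supported:
            return alg
    return "A5/0" if policy.allow_unencrypted else None


def honest_session(phone_supports: set, policy: NetworkPolicy) -> Optional[str]:
    """Negotiation with no attacker in the path."""
    return choose_cipher(phone_supports, policy)


def mitm_session(phone_supports: set, policy: NetworkPolicy,
                 strip: frozenset = ALL_CIPHERS) -> dict:
    """Cipher outcome on both legs of a relayed connection.

    Towards the phone the CSS is the network and simply orders A5/0.
    Towards the real network the CSS is the phone and forwards a classmark
    with the ciphers in `strip` removed (by default all of them).
    """
    forwarded_classmark = set(phone_supports) - set(strip)
    network_leg = choose_cipher(forwarded_classmark, policy)
    return {
        "phone_leg": "A5/0",
        "network_leg": network_leg,
        "refused": network_leg is None,
        "intercepted": network_leg in BREAKABLE,
    }
```

The strict policy shows why the operator side matters: a network that refuses A5/0 turns the full downgrade into a refused connection, but an attacker who strips only the A5/3 bit still gets A5/1, which is breakable. The phone sees none of this, since the ciphering indicator is disabled on most SIMs.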
You are probably wondering if this attack can be made on other networks besides GSM. Theoretically, the answer is yes. And it’s the second type of attack that an IMSI catcher can be used to execute.
#2 Service downgrading
Even if your phone normally uses newer 3G, 4G (LTE) or 5G networks, which have stronger security, attackers can trick it into using the older and more vulnerable 2G (GSM) network.
Here's how a network downgrade attack could work:
- Initial connection: When a phone connects to a fake LTE cell (IMSI catcher), it sends a message to update the network on its location, called a Tracking Area Update (TAU) Request.
- Rejection message: The IMSI catcher sends back a TAU Reject carrying a specific error code, EMM cause #7, "EPS services not allowed".
- Forced downgrade: The phone is required to act on this code: it deletes the temporary identity and tracking-area information it holds for the real network and treats its SIM as invalid for LTE (EPS) services.
- Search for older networks: The phone then starts searching for 3G or GSM networks to connect to.
- Stuck on older networks: Until the phone is switched off and on again, or the SIM is removed and reinserted, it won't try LTE again.
The weakness here is that the reject arrives before any authentication, so the fake cell never has to prove it is the network. Newer releases of the LTE specification add handling that stops a phone from acting on a single unauthenticated reject, but whether a given handset implements it depends on its baseband firmware.
Even without the downgrade, LTE does not hide the IMSI from a fake cell. Security researcher Roger Piqueras Jover showed that, as in GSM, LTE authentication happens only after the phone has identified itself, and a phone that holds no valid temporary identity for the network it sees will send its IMSI in the clear.
Expert Insight: Denial of Service (DoS) attack
A criminal could leverage the process we discussed to launch a Denial of Service (DoS) attack simply by changing the rejection code to EMM cause #8, "EPS services and non-EPS services not allowed". The phone then treats its SIM as invalid for both LTE and the older networks, so it won't attempt any cellular connection until it's rebooted or the SIM is reinserted.
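The downgrade and denial-of-service variants above, as an added example in Python (illustrative code written for this article, not from any handset or baseband). The state machine follows the outline of the behaviour in 3GPP TS 24.301: timers are omitted, and the counter limit of three unprotected rejects used for the "mitigated" phone is an assumption, since the exact limit is implementation specific.

```python
"""UE handling of TAU REJECT with EMM cause #7 and #8, as a small state
machine. Constructed example: the states follow 3GPP TS 24.301 in outline,
but timers are omitted and the reject counter limit is an assumption."""
from dataclasses import dataclass, field
from typing import Optional

EPS_SERVICES_NOT_ALLOWED = 7               # "EPS services not allowed"
EPS_AND_NON_EPS_NOT_ALLOWED = 8            # "EPS services and non-EPS services not allowed"


@dataclass
class UE:
    guti: Optional[str] = "guti-from-real-network"   # temporary identity
    tai_list: list = field(default_factory=lambda: ["tai-1"])
    usim_valid_eps: bool = True        # allowed to use LTE
    usim_valid_non_eps: bool = True    # allowed to use 2G/3G for voice/SMS
    reject_limit: int = 1              # 1 = legacy: act on the first unprotected reject
    unprotected_rejects: int = 0

    def rat_search_order(self) -> list:
        """Which radio technologies the UE will still try to camp on."""
        order = []
        if self.usim_valid_eps:
            order.append("LTE")
        if self.usim_valid_non_eps:
            order += ["UMTS", "GSM"]
        return order

    def handle_tau_reject(self, cause: int, integrity_protected: bool) -> str:
        if cause not in (EPS_SERVICES_NOT_ALLOWED, EPS_AND_NON_EPS_NOT_ALLOWED):
            return "other cause: retry later"
        if not integrity_protected:
            # Mitigation in newer specification releases: count unprotected
            # rejects and act only once the limit is reached. With
            # reject_limit == 1 this is the legacy behaviour.
            self.unprotected_rejects += 1
            if self.unprotected_rejects < self.reject_limit:
                return "unprotected reject not acted on yet"
        # Act on the reject: forget the real network and mark the USIM invalid.
        self.guti, self.tai_list = None, []
        self.usim_valid_eps = False
        if cause == EPS_AND_NON_EPS_NOT_ALLOWED:
            self.usim_valid_non_eps = False
        return "USIM invalid for " + ("EPS" if cause == 7 else "EPS and non-EPS services")

    def power_cycle(self) -> None:
        """Switching off and on (or reinserting the USIM) clears the state."""
        self.usim_valid_eps = self.usim_valid_non_eps = True
        self.unprotected_rejects = 0


def rogue_enb_rejects(ue: UE, cause: int, attempts: int = 1) -> list:
    """A rogue eNB shares no NAS security context with the UE, so every reject
    it sends is unprotected; repeating it wears down a counter-based UE."""
    return [ue.handle_tau_reject(cause, integrity_protected=False) for _ in range(attempts)]
```

Run `rogue_enb_rejects(UE(), 7)` and the phone's search order drops to 2G/3G; with cause 8 it becomes empty until `power_cycle()`. A UE constructed with `reject_limit=3` survives the first two unprotected rejects, which is the whole point of the counter.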
#3 Location tracking attacks
IMSI catchers can also be used to track a target phone’s location, determining if it’s present in a specific area or even pinpointing the exact cell tower it’s connected to.
Let’s explore two methods used for this purpose:
1️⃣ Basic location area test
This method determines if a target phone is within a broader geographic area known as a Location Area (LA) in GSM, or a Tracking Area in LTE. Here's how it works:
- Trigger paging: The attacker initiates several calls (or sends messages) to the target phone, hanging up before the user notices. Each one makes the network send paging messages to every cell in the phone's last known LA, because the network doesn't know which cell an idle phone is in.
- Monitor and match: The attacker simultaneously records the paging messages, which carry the temporary identifier of the paged phone (the TMSI in GSM, the S-TMSI in LTE) rather than its IMSI. Since they know when they triggered the calls, they look for the identifier that shows up right after every trigger.
- Confirm presence: If one identifier appears after each trigger, the attacker has both learned the target's TMSI and confirmed that the phone is within that LA.
While this method confirms presence in a general area, there are limitations: the radius of an LA can be quite large (potentially several kilometers), and the TMSI can change when the network reallocates it, which forces the attacker to repeat the matching.
2️⃣ Smart paging test (Pinpointing the cell tower)
This more precise method narrows down the target phone's location to the specific cell tower it's connected to, typically within a two-kilometer radius. Here's how it works:
- Send data messages: Instead of calls, the attacker sends low-priority traffic (e.g. messages that produce no notification, or pings). This triggers "smart paging", where the network first pages only through the last cell the phone used before widening the search.
- Cell-by-cell search: The attacker moves between cells, sending messages and monitoring the paging messages for the target's TMSI.
- Identify cell tower: When the attacker detects the TMSI in a specific cell’s paging messages, they’ve successfully identified the tower the target phone is connected to, thus pinpointing its location.
It’s important to note that this method requires either multiple IMSI catchers in different cells or someone who can physically move between cells while conducting the test.
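Both paging tests, as an added example (not from the original article or any real tool): the script correlates the times at which the attacker triggered calls with the identities it overheard on the paging channel. The paging log, its line format, the trigger times and the two-second window are all constructed; in a real capture the identity would be a TMSI (GSM) or S-TMSI (LTE) read with an SDR and a decoder.

```python
"""Paging correlation: recover a target's temporary identity and cell from
paging traffic. Constructed example: the paging log and trigger times below
are made up, and the line format is an invented capture format."""
from typing import Iterable

# Constructed paging capture. Each line is one paging record overheard on the
# paging channel: time in seconds, cell the page was seen in, paged identity.
SAMPLE_LOG = """\
t=10.2 cell=A tmsi=0x11111111
t=10.9 cell=A tmsi=0xDEADBEEF
t=11.5 cell=A tmsi=0x22222222
t=30.4 cell=A tmsi=0xDEADBEEF
t=30.6 cell=A tmsi=0x33333333
t=31.0 cell=A tmsi=0x11111111
t=50.1 cell=B tmsi=0x44444444
t=50.7 cell=A tmsi=0xDEADBEEF
t=51.3 cell=A tmsi=0x66666666
t=70.0 cell=A tmsi=0x55555555
"""

# Times at which the attacker placed a silent call to the target (constructed).
TRIGGERS = [10.0, 30.0, 50.0]
WINDOW = 2.0   # seconds after a trigger within which the page is expected


def parse_paging_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        fields = dict(item.split("=", 1) for item in line.split())
        records.append({"t": float(fields["t"]), "cell": fields["cell"], "tmsi": fields["tmsi"]})
    return records


def paged_in_window(records: list, start: float, window: float) -> set:
    return {r["tmsi"] for r in records if start <= r["t"] <= start + window}


def identify_tmsi(records: list, triggers: Iterable[float], window: float) -> set:
    """Intersect the identities paged after each trigger. Background paging
    shrinks the candidate set with every extra trigger; the target's identity
    is the one that survives all of them."""
    candidates = None
    for t in triggers:
        seen = paged_in_window(records, t, window)
        candidates = seen if candidates is None else candidates & seen
    return candidates or set()


def locate_cell(records: list, triggers: Iterable[float], window: float, tmsi: str) -> set:
    """Smart-paging variant: with per-cell capture, the cell in which the
    target's identity is paged right after a trigger is the cell it last used."""
    return {r["cell"] for r in records for t in triggers
            if r["tmsi"] == tmsi and t <= r["t"] <= t + window}
```

With the first two triggers alone, two identities survive (`0xDEADBEEF` and a bystander who happened to be paged both times); the third trigger removes the bystander. That is why the attack needs several silent calls, and why a TMSI reallocation between triggers makes the intersection come up empty.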
3️⃣ Active location tracking
Criminals or law enforcement can also use cell-site simulators to track the active location of a target device, with the phone itself doing the measuring.
Here is how it works, assuming a cellular device is already connected to a simulated network operator:
- The attacker sends an RRC Connection Reconfiguration message to the phone. Normally the network uses this to adjust the radio connection and to ask for measurements it needs for handover decisions, but the attacker has a different purpose.
- Embedded within the message are the IDs and connection details of several nearby cell towers (not necessarily the attacker's).
- The phone, following standard protocol, responds with a Measurement Report containing the signal strength it receives from each of the listed towers.
- The attacker converts each signal strength into an estimated distance from that tower and combines the distances to calculate the phone's position through trilateration.
Key Point: Phones that support the "locationInfo-r10" field may even include their GPS coordinates in the Measurement Report, making trilateration unnecessary. The phone accepts these messages because some basebands process measurement requests from a cell they have not yet authenticated, so a fake cell that can't complete authentication can still send them.
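The trilateration step, as an added Python example written for this article (not from any IMSI catcher). It converts each reported signal strength to a distance with a log-distance path-loss model whose parameters are assumptions, solves the resulting least-squares problem for three or more cells, and short-circuits when the report already carries a locationInfo position. The cell coordinates and the report are constructed; a real Measurement Report is an ASN.1 structure, not a dict.

```python
"""Position estimate from an LTE Measurement Report. Constructed example:
the cell coordinates, the RSRP values and the path-loss parameters are made
up, and the report is a dict rather than the ASN.1 structure a phone sends."""
import math

# Log-distance path-loss model: rsrp = P0 - 10 * n * log10(d / 1 m).
# P0 and n are assumptions; in practice they are fitted per environment.
P0_DBM = -30.0
PATH_LOSS_EXPONENT = 3.0

# Where the cells named in the measurement configuration are (metres, constructed).
CELL_SITES = {"cell-1": (0.0, 0.0), "cell-2": (1000.0, 0.0), "cell-3": (0.0, 800.0)}


def rsrp_to_distance(rsrp_dbm: float) -> float:
    return 10 ** ((P0_DBM - rsrp_dbm) / (10 * PATH_LOSS_EXPONENT))


def distance_to_rsrp(d_m: float) -> float:
    return P0_DBM - 10 * PATH_LOSS_EXPONENT * math.log10(d_m)


def trilaterate(anchors: list, distances: list) -> tuple:
    """Least-squares position from three or more anchors.

    Subtracting the first range equation from the others linearises the
    problem; the 2x2 normal equations are then solved directly.
    """
    if len(anchors) < 3 or len(anchors) != len(distances):
        raise ValueError("need at least three anchors with distances")
    (x1, y1), d1 = anchors[0], distances[0]
    rows = []
    for (xi, yi), di in zip(anchors[1:], distances[1:]):
        a, b = 2 * (xi - x1), 2 * (yi - y1)
        c = d1 ** 2 - di ** 2 + xi ** 2 + yi ** 2 - x1 ** 2 - y1 ** 2
        rows.append((a, b, c))
    saa = sum(a * a for a, _, _ in rows)
    sab = sum(a * b for a, b, _ in rows)
    sbb = sum(b * b for _, b, _ in rows)
    sac = sum(a * c for a, _, c in rows)
    sbc = sum(b * c for _, b, c in rows)
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        raise ValueError("anchors are collinear; no unique solution")
    return ((sac * sbb - sab * sbc) / det, (saa * sbc - sab * sac) / det)


def locate_from_report(report: dict) -> tuple:
    """report = {"locationInfo": (x, y)} or {"measResults": {cell: rsrp_dbm}}."""
    if "locationInfo" in report:
        # locationInfo-r10: the phone volunteered its own fix; nothing to compute.
        return tuple(report["locationInfo"])
    cells = list(report["measResults"])
    anchors = [CELL_SITES[c] for c in cells]
    dists = [rsrp_to_distance(report["measResults"][c]) for c in cells]
    return trilaterate(anchors, dists)


def synthetic_report(true_xy: tuple) -> dict:
    """Build the report a phone at true_xy would send under the model above."""
    return {"measResults": {c: distance_to_rsrp(math.dist(true_xy, p))
                            for c, p in CELL_SITES.items()}}
```

The synthetic report recovers the position exactly because it was generated with the same model; real RSRP values carry shadowing and multipath errors of several dB, which the exponent turns into position errors of hundreds of metres. More cells in the report reduce that error, which is one reason the attacker lists several neighbours.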
#4 Malware attacks
While primarily known for surveillance and tracking, IMSI catchers can also be used to infect phones with malware.
While not all IMSI catchers have this capability, those used by military and intelligence agencies often possess the advanced functionality to infect targeted phones.
There are two primary ways that the malware could be delivered:
1️⃣ Malicious websites
Because the IMSI catcher sits on the phone's data path, it can redirect an unencrypted web request to a website rigged with an exploit. If the browser has a vulnerability, the malware can be installed without the user's knowledge. This only works on connections that aren't protected by HTTPS, or where the attacker also has a way around it.
2️⃣ Direct injection
More sophisticated IMSI catchers can inject malware directly into the phone’s baseband (the part responsible for cellular communication).
This is harder to detect and can turn the phone into a listening device for spying on conversations.
In 2019, Amnesty International reported that two Moroccan activists may have had spyware installed on their phones through network injection attacks, with tools allegedly created by the NSO Group.
Is It Possible to Detect IMSI Catchers?
Identifying IMSI catchers while using your smartphone is difficult. Here are some potential indicators to look out for:
- Slow cellular connections: Slowdowns are common for ordinary reasons, but an unexplained drop to 2G-like speeds in a place that usually has good coverage is worth noticing, because it may mean your phone has been pulled onto a 2G cell.
- Unexpected network downgrades: A sudden change in your status bar from a faster network (like LTE or 4G) to a slower 2G network might signal an IMSI catcher forcing a downgrade. However, some advanced IMSI catchers can operate on 4G, making this less reliable.
IMSI Catcher detection applications
Several Android apps, such as AIMSICD (Android IMSI-Catcher Detector, whose development has since stopped), try to identify IMSI catchers from what the phone can see of the network. The most capable ones need a "rooted" phone, because the details they rely on (the cipher in use, identity requests, reject causes) are only visible through the baseband's diagnostic interface; SnoopSnitch, for example, needs root and a Qualcomm baseband.
We highly recommend that you do not root your device, as this could make it more vulnerable to other cyberattacks.
Other detection apps include SnoopSnitch, SecurCube, ComSec, and Cell Spy Catcher. Research has shown their reliability varies: a 2017 academic evaluation (the "White-Stingray" study) built a test IMSI catcher and found ways past every app it tested, mostly by avoiding the crude behaviours (unknown cell IDs, missing neighbour lists, forced downgrades) that the apps look for.
Hardware-based solutions
Businesses or government agencies often employ dedicated hardware solutions for IMSI catcher detection.
These systems continuously monitor nearby cell tower signals and compare them against a database to identify anomalies.
When an IMSI catcher is detected, these systems raise an alert for the protected area so that the people in it can stop using cellular voice and data until it's cleared.
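The indicators listed in this section, as an added example of the detection logic (written for this article; not the code of any of the apps or products named here). It runs a handful of rules over a constructed log of cell observations of the kind a rooted phone can read from the baseband, compares each cell against a baseline of previously seen cells, and counts how many indicators fire at the same time. The baseline, log lines, line format and thresholds are all made up.

```python
"""Rule-based IMSI-catcher indicators over a log of cell observations, the
kind of data detection apps read from a baseband diagnostic interface.
Constructed example: the baseline, log lines, line format and thresholds are
all made up."""

# Cells seen during normal use, keyed (mcc, mnc, area code, cell id).
# A hardware detector keeps the same kind of database, only much larger.
BASELINE = {
    ("310", "260", 4101, 10002),   # LTE, tracking area 4101
    ("310", "260", 4101, 10003),
    ("310", "260", 732, 4451),     # GSM, location area 732
}

# Constructed observation log: one serving-cell sample or signalling event per line.
SAMPLE_LOG = """\
t=0 rat=LTE mcc=310 mnc=260 area=4101 cid=10002 rssi=-81 neighbors=5
t=60 rat=LTE mcc=310 mnc=260 area=4101 cid=10003 rssi=-84 neighbors=4
t=120 rat=GSM mcc=310 mnc=260 area=732 cid=9999 rssi=-55 neighbors=0 cipher=A5/0
t=125 event=IDENTITY_REQUEST identity=IMSI
t=300 rat=LTE mcc=310 mnc=260 area=4101 cid=10002 rssi=-83 neighbors=5
"""

INT_FIELDS = ("t", "area", "cid", "rssi", "neighbors")


def parse_line(line: str) -> dict:
    rec = dict(item.split("=", 1) for item in line.split())
    for k in INT_FIELDS:
        if k in rec:
            rec[k] = int(rec[k])
    return rec


def detect(log_text: str, baseline: set, strong_lte_dbm: int = -95) -> list:
    """Return (time, rule) pairs for every indicator that fires."""
    alerts = []
    prev = None
    for line in log_text.splitlines():
        rec = parse_line(line)
        t = rec["t"]
        if "event" in rec:
            # A genuine network pages by TMSI and asks for the IMSI only when
            # it has lost the mapping; a catcher asks every phone every time.
            if rec["event"] == "IDENTITY_REQUEST" and rec.get("identity") == "IMSI":
                alerts.append((t, "imsi_request"))
            continue
        key = (rec["mcc"], rec["mnc"], rec["area"], rec["cid"])
        if key not in baseline:
            alerts.append((t, "unknown_cell"))
        if rec["neighbors"] == 0:
            # Rogue cells often advertise no neighbours so the phone stays put.
            alerts.append((t, "no_neighbours"))
        if rec["rat"] == "GSM" and rec.get("cipher") == "A5/0":
            alerts.append((t, "unencrypted_gsm"))
        if prev and prev["rat"] == "LTE" and rec["rat"] == "GSM" and prev["rssi"] > strong_lte_dbm:
            # Falling to 2G while LTE was strong is the downgrade signature.
            alerts.append((t, "rat_downgrade"))
        prev = rec
    return alerts


def score_by_time(alerts: list) -> dict:
    """Count indicators per timestamp: several firing together is the signal;
    any one of them alone is routine."""
    counts = {}
    for t, _ in alerts:
        counts[t] = counts.get(t, 0) + 1
    return counts
```

Each rule on its own is noisy: operators add cells, a network legitimately asks for the IMSI after a SIM swap or a core-network reset, and rural areas have genuine 2G-only coverage. That is why the apps' reliability varies, and a catcher built to avoid the crude behaviours (unknown cell ID, empty neighbour list, A5/0) doesn't trip these rules at all.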
How to Protect Yourself From IMSI Catchers
While completely eliminating the risk of IMSI catchers is difficult, you can take steps to minimize their impact and protect your privacy:
- Turn off 2G: Recent Android versions have an "Allow 2G" toggle in the mobile network settings for each SIM, and iPhones disable 2G as part of Lockdown Mode. With 2G off, the downgrade attacks described above have nothing to fall back to, at the cost of coverage in places that only have 2G.
- Use a VPN: A VPN encrypts your internet traffic between your phone and the VPN server, so even on an intercepted 2G connection your browsing and app data can't be read. It does nothing for ordinary calls and SMS, which travel over the cellular network rather than the internet, and it can't hide your IMSI or your location.
- Keep your phone updated: Regular updates bring operating system and baseband patches for known weaknesses exploited by IMSI catchers, such as acting on an unauthenticated reject message.
- Be aware of your surroundings: In high-risk situations like protests or sensitive locations, assume that cellular voice and SMS may be intercepted and use end-to-end encrypted messaging and calling apps instead; their content stays unreadable even over an intercepted link.
- Put your phone in airplane mode: When not in use, switch your phone to airplane mode to prevent it from connecting to any cell towers, including IMSI catchers.
Final Thoughts
IMSI catchers pose a significant threat to mobile privacy and security.
While they are often associated with law enforcement and surveillance agencies, criminals can also exploit this technology for illicit purposes.
Understanding how IMSI catchers work and the risks they pose is crucial for protecting yourself and your data.

Cover image credit: Seth Anderson, CC BY 2.0, via Wikimedia Commons