Protecting High-Level Personnel from IMSI Catchers | 2020-02-21

In September 2019, Israel was credited with placing the IMSI catchers discovered in Washington two years earlier, shedding light on the proliferation of these types of spying devices. Once used solely by law enforcement as a way to locate the international mobile subscriber identity (IMSI) associated with a criminal suspect’s SIM card for investigative purposes, almost anyone can now acquire or build an IMSI catcher to intercept a target’s communications. With such low barriers to entry, it’s no longer just the bad guys who have to worry about these devices.

How IMSI catchers work

At the basic level an IMSI catcher – also known as a cell site simulator, fake cell tower, fake base station, StingRay or dirtbox, to name a few of its many descriptors – consists of two main parts: a radio interface for sending and receiving radio waves and a network backend for simulating a cellular core network. Today, anyone with a software defined radio (SDR) and a computing device running an open source base station program (such as OpenBTS) can effectively operate an IMSI catcher.

An IMSI catcher is designed to mimic a real cell tower to trick one or more smartphones (or other cellular-enabled devices) in a given area into connecting to it. In the 2G (GSM) era, this was simple enough because phones were designed to connect to the tower with the highest signal strength, and because base stations weren’t required to verify their identity to phones. Accordingly, the IMSI catcher simply had to emit (or appear to emit) a much stronger signal than the cell towers around it. But in the 4G (LTE) era, phones are designed to stay connected to their current cell tower if the signal strength is above a certain threshold and to connect to neighboring cell towers only if the connection is lost. Current IMSI catchers overcome this by masquerading as a neighboring tower or by operating on a higher priority frequency. Some IMSI catchers even jam the 4G/3G frequencies with white noise to eliminate real cell towers as connection options.

IMSI catchers usually try to force communication over 2G, as the 2G protocol suffers from a number of security flaws that make spying easier. First, encryption is not always required. And when it is used, many of the main cryptographic algorithms (like A5/1) can be broken in real time.

Once connected to a target smartphone, the IMSI catcher essentially performs a man-in-the-middle (MITM) attack by placing itself between the target’s smartphone and their cellular network to remove the phone from the real network and clone the target’s identity. In a 2G environment, the IMSI catcher simply uses the IMSI stolen from the smartphone to fulfill the identity request from the cellular network and then uses the target device to complete a challenge requiring the SIM secret key.

How criminals use IMSI Catchers

From there, the IMSI catcher gives threat actors several options depending on the device’s capabilities and the cellular protocol being used.

  • Location Tracking: An IMSI catcher can force a targeted smartphone to respond with either its exact location via GPS or the signal strength of the phone’s neighboring cell towers, enabling trilateration based on the known locations of those towers. With a target’s location known, a threat actor can learn details about them—their exact location within a large office complex or places they frequent, for example—or simply track them throughout their coverage area.
  • Data Retrieval: An IMSI catcher may also capture metadata, including information about calls made (phone numbers, caller ID, call duration, etc.), as well as the content of unencrypted phone calls and text messages and certain types of data usage (such as websites visited).
  • Data Manipulation: Some IMSI catchers even allow operators to forward calls and text messages, edit messages, and spoof the user’s identity in calls and text messages.
  • Spyware Delivery: Some higher-end IMSI catchers advertise the ability to deliver spyware to the target device. Such spyware can be used to ping the target’s location without the need for an IMSI catcher and also secretly capture images and audio through the device’s cameras and microphones.

For obvious reasons, we don’t have many details about how criminals and foreign intelligence agencies use IMSI catchers against businesses and governments, but a few cases shed light on their spying potential. In 2015, two criminals in South Africa used an IMSI catcher to manipulate and blackmail people in powerful positions. And in the case of the IMSI catchers placed near the White House, it is likely that Israeli intelligence was able to wiretap the phone calls of President Trump or some of his top advisers. In both cases, targeted spying was used to gather valuable information that could be used for personal or national gain.

Discovery options

At this point, there is no surefire way for a smartphone user to know if their device is connected to an IMSI catcher, much less prevent connections to one. Warning signs include a slow cellular connection and a network-type change in the status bar (from LTE to 2G, for example), but slow connections also occur for unaffected users, and some IMSI catchers can work in 4G.

There are IMSI catcher detection apps available, though only for Android, and they require rooting the device – a security hole in itself – to access the cellular network messages exposed by the smartphone’s baseband diagnostic interface. And unfortunately, detection is a mixed bag. Because cellular deployments vary widely between countries and carriers, and because relatively little is known for sure about how IMSI catchers work, there is no definitive list of heuristics that can be applied. Therefore, each IMSI catcher detection application has its own set of indicators of IMSI catcher operation, such as unexpected identity requests and removal of cellular data encryption. False positives are common because test equipment, temporary equipment (for large events) and tower restarts often trigger warnings to users.

There are more reliable hardware options for detecting IMSI catchers that make sense when protecting multiple smartphone users at a single site, such as a corporate headquarters or military base. Typically, such a setup includes a fixed, embedded system containing sensor hardware and a cellular modem to continuously monitor the broadcast signals of surrounding base stations, along with a database into which data is uploaded for analysis. When an IMSI catcher is detected, alerts can be sent to all smartphone users in the organization.
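The two preceding paragraphs describe the kind of indicators a detection app or a fixed site monitor works from (unexpected identity requests, encryption being removed, a previously unseen cell, a forced drop to 2G) and the benign events that cause false positives (tower restarts that change the location/tracking area). The following added example, written for this page and not code from any of the apps or products mentioned, scores a constructed stream of cell observations against a constructed baseline database of known cells. The record layout, the weights, the threshold and the cell identifiers are all assumptions made for illustration; a real monitor would populate the baseline from weeks of observed broadcast data and tune the weights to its site.

```python
"""Score cell observations from a site monitor for fake-base-station indicators."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class CellObservation:
    ts: int                 # seconds since the sensor started (constructed)
    rat: str                # radio access technology: "LTE" or "GSM"
    mcc_mnc: str            # operator code; "001-01" is the reserved test-network code
    area: int               # LAC (GSM) or TAC (LTE) broadcast by the cell
    cell_id: int
    rx_dbm: int             # received signal level at the sensor
    cipher: Optional[str]   # GSM cipher negotiated ("A5/0", "A5/1", "A5/3"); None on LTE
    identity_request: bool  # network asked the phone for its permanent identity (IMSI)
    lte_neighbors: int      # LTE cells still visible to the sensor at that moment

# Constructed baseline: cells seen at the site over time -> typical signal level (dBm)
KNOWN_CELLS = {
    ("001-01", 1001, 50010): -75,   # LTE
    ("001-01", 1001, 50011): -82,   # LTE
    ("001-01", 2001, 60020): -70,   # GSM
}

# Assumed weights; a tower restart that only changes the area code scores nothing
WEIGHTS = {
    "unknown_cell": 2,
    "abnormal_signal": 1,
    "no_encryption": 3,
    "weak_cipher": 1,
    "downgrade_with_lte_visible": 3,
    "unexpected_identity_request": 2,
    "area_change_only": 0,
}
ALERT_THRESHOLD = 5

def score_observation(obs, prev, known=KNOWN_CELLS):
    """Return (score, indicators) for one observation given the previous one."""
    indicators = []
    key = (obs.mcc_mnc, obs.area, obs.cell_id)
    if key not in known:
        # Same cell id already known under another area code: consistent with a
        # tower restart or re-planning, the classic false-positive source
        same_cell_other_area = any(
            k[0] == obs.mcc_mnc and k[2] == obs.cell_id for k in known)
        if same_cell_other_area:
            indicators.append("area_change_only")
        else:
            indicators.append("unknown_cell")
            # A brand-new cell that is far louder than anything in the baseline
            if obs.rx_dbm > max(known.values()) + 10:
                indicators.append("abnormal_signal")
    if obs.rat == "GSM":
        if obs.cipher in (None, "A5/0"):
            indicators.append("no_encryption")
        elif obs.cipher in ("A5/1", "A5/2"):
            indicators.append("weak_cipher")
        # Dropping to 2G while LTE cells are still visible is not how a phone
        # normally loses coverage
        if prev is not None and prev.rat == "LTE" and obs.lte_neighbors > 0:
            indicators.append("downgrade_with_lte_visible")
    # A first registration on an operator legitimately asks for the IMSI; a repeat
    # request while already on the same operator is the suspicious case
    if obs.identity_request and prev is not None and prev.mcc_mnc == obs.mcc_mnc:
        indicators.append("unexpected_identity_request")
    return sum(WEIGHTS[i] for i in indicators), indicators

def scan(observations, known=KNOWN_CELLS, threshold=ALERT_THRESHOLD):
    """Walk the stream in order and return (ts, score, indicators) for alerts."""
    alerts, prev = [], None
    for obs in observations:
        score, indicators = score_observation(obs, prev, known)
        if score >= threshold:
            alerts.append((obs.ts, score, indicators))
        prev = obs
    return alerts

# Constructed sample: normal LTE, a benign area-code change on a known cell,
# then a loud unknown GSM cell with no encryption asking for the IMSI
SAMPLE_OBSERVATIONS = [
    CellObservation(0,   "LTE", "001-01", 1001, 50010, -76, None,   False, 2),
    CellObservation(60,  "LTE", "001-01", 1002, 50010, -77, None,   False, 2),
    CellObservation(120, "GSM", "001-01", 7777, 99999, -52, "A5/0", True,  2),
    CellObservation(180, "GSM", "001-01", 2001, 60020, -71, "A5/1", False, 2),
]

if __name__ == "__main__":
    for ts, score, indicators in scan(SAMPLE_OBSERVATIONS):
        print(f"t={ts}s score={score} indicators={indicators}")
```

Only the third observation crosses the threshold; the area-code change on the known cell scores zero, and the weak A5/1 cipher on a known GSM cell scores too low on its own, which is the point of weighting indicators rather than alerting on any single one.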

5G tackles IMSI Catchers

Given that IMSI catchers exploit flaws inherent in cellular networks and are difficult to detect, there has been a push by 3GPP, the organization responsible for defining the 5G protocol, to remove IMSI catchers’ ability to operate against devices using that standard. Critically, 5G is designed so that the IMSI (or other so-called persistent subscriber identifier) is never revealed in the clear when a mobile device establishes a connection. Instead, 5G uses only a temporary paging identifier that must be refreshed after each use.

While this is a giant leap forward for privacy on cellular networks, there are a few caveats that mean IMSI catchers will be around for a while.

  • Bugs: As is common with new protocols, security researchers are finding numerous bugs in 5G, including a flaw in the Authentication and Key Agreement (AKA) protocol. Although these are being quickly resolved, it is important to remember that no standard is perfect and that manufacturers of commercial IMSI catchers will no doubt exploit these flaws to develop 5G-specific models.
  • Poor Operator Implementation: Although the 5G protocol is relatively secure, it is still up to operators to implement it correctly. We’ve already seen some carriers’ irregular early 5G launches configured in a way that would allow IMSI catchers to change the specified device category number during the connection process and therefore work as usual.
  • Downgrade Attacks: While 2G has been largely abandoned by carriers in the United States, it is still common around the world, meaning that most phones are designed to work on a 2G network. Therefore, downgrade attacks to 2G will be possible for the foreseeable future, even in non-2G environments.

Mitigation steps

While the fight against IMSI catchers is largely out of our control, there are still a few steps you (and any high-level targets in your organization) can take to reduce personal and organizational risk:

  • If your smartphone allows it, turn off 2G support. This greatly reduces the capabilities of IMSI catchers.
  • When traveling through bottlenecks (such as airports and border crossings) where there is a higher chance of IMSI capture, turn off your smartphone or use an RF shielding device such as a Faraday bag. Neither option completely eliminates RF emissions, but either can significantly reduce them.
  • Use communication applications that include end-to-end encryption, ensuring that captured content cannot be easily deciphered by threats.

Perhaps most importantly, simply realizing that your cellular connections can’t be trusted can help you think twice about the information you share over your cellular network. Your security posture will be better for it.