Hacking 101 : IMSI Catchers

Well, of all the techniques that is used in surveillance, one of the methods that can be literally used by anyone to spy a persons mobile is by using a device known as a IMSI-Catcher.

IMSI catcher uses a hole in GSM technology to literally spy on a person or a group of people, identify to whom they are making the calls literally without the knowledge of the person. What’s more shocking is that these devices can be made in less than 100$ and can be literally used by anyone to spy on anyone. However implementations have been made to advanced 3G and LTE standards to prevent spying by home made IMSI catchers, but still devices are present in the market that can spy in a person in 3G or LTE networks.

IMSI stands for International Mobile Subscriber Identity. It is used to identify you in a cellular network. It is a 64-bit information that is present in your sim card that contains the details like your identification number and your service provider. IMSI is used to authenticate you into a cellular network.

In a wireless network, you constantly need to be connected with the cellphone tower. Your cell phone transmits your IMSI information to the base station and the base station responds back establishing a connection between you and the base station. This is where the IMSI catcher comes in. The IMSI catcher acts as a middle man. It spoofs itself as it is the base station and catches the IMSI information that is being transmitted. A simple home made IMSI catcher can identify your location but however it’s pretty hard to hear your conversations.

Advanced IMSI catchers on the other hand, establishes the connection between you and itself and relays the data to the tower. Just like a middle man attack. It is the base station that establishes the method of encryption between the user and the station. This flaw makes IMSI catcher to force the user to transmit the data un-encrypted this would be able to record your calls.This flaw however was rectified in UMTS (3G) networks, but to provide wide coverage, UMTS allows inter-operation with GSM, thus GSM base stations are allowed to connect to UMTS ones. This falls as a drawback and increases the possibility of a middle man attack.

Methods have been developed to identify IMSI catchers, by monitoring the signal strength continuously, presence of IMSI catchers in the vicinity could be identified and android applications has been developed for this cause. But the implementation of these applications by the manufacturers is yet to be seen.

DISCLAIMER:

The links are provided for educational purposes only and not for hacking. Using IMSI catchers without a warrant is crime in many countries.

IMSI catcher with python and some hardware (https://github.com/Oros42/IMSI-catcher)

IMSI detector application (https://github.com/CellularPrivacy/Android-IMSI-Catcher-Detector) (OpenSource)