IMSI-catcher

An international mobile subscriber identity-catcher, or IMSI-catcher, is a telephone eavesdropping device used for intercepting mobile phone traffic and tracking location data of mobile phone users. [1] Essentially a "fake" mobile tower acting between the target mobile phone and the service provider's real towers, it is considered a man-in-the-middle (MITM) attack. The 3G wireless standard offers some risk mitigation due to mutual authentication required from both the handset and the network. [2] However, sophisticated attacks may be able to downgrade 3G and LTE to non-LTE network services which do not require mutual authentication. [3]

IMSI-catchers are used in a number of countries by law enforcement and intelligence agencies, but their use has raised significant civil liberty and privacy concerns and is strictly regulated in some countries, for example under the German Strafprozessordnung (StPO / Code of Criminal Procedure). [1] [4] In some countries phone traffic is not encrypted at all (or only very weakly), which makes an IMSI-catcher unnecessary for interception.

Overview

A virtual base transceiver station (VBTS) [5] is a device for identifying the temporary mobile subscriber identity (TMSI) and the international mobile subscriber identity (IMSI) of a nearby GSM mobile phone and for intercepting its calls; some are advanced enough to also detect the international mobile equipment identity (IMEI). It was patented [5] and first commercialized by Rohde & Schwarz in 2003. The device can be viewed as simply a modified cell tower with a malicious operator, and on 4 January 2012 the Court of Appeal of England and Wales held that the patent is invalid for obviousness. [6]

IMSI-catchers are often deployed by court order without a search warrant, since law enforcement prefers the lower judicial standard of a pen register and trap-and-trace order. [7] They can also be used in search and rescue operations for missing persons. [8] Police departments have been reluctant to reveal their use of these programs and their contracts with vendors such as Harris Corporation, the maker of the Stingray and Kingfish phone tracker devices. [9]

In the UK, the first public body to admit using IMSI catchers was the Scottish Prison Service, [10] though it is likely that the Metropolitan Police Service has been using IMSI catchers since 2011 or before. [11]

Body-worn IMSI-catchers that target nearby mobile phones are being advertised to law enforcement agencies in the US. [12]

The GSM specification requires the handset to authenticate to the network, but does not require the network to authenticate to the handset. This well-known security hole is exploited by an IMSI catcher. [13] The IMSI catcher masquerades as a base station and logs the IMSI numbers of all the mobile stations in the area, as they attempt to attach to the IMSI-catcher. [14] It allows forcing the mobile phone connected to it to use no call encryption (A5/0 mode) or to use easily breakable encryption (A5/1 or A5/2 mode), making the call data easy to intercept and convert to audio.

The 3G wireless standard mitigates this risk and strengthens the protocol because mutual authentication is required from both the handset and the network, which removes the false base station attack of GSM. [2] Some sophisticated attacks against 3G and LTE may be able to downgrade the connection to non-LTE network services that do not require mutual authentication. [3]

Functionalities

Identifying an IMSI

Every mobile phone has the requirement to optimize its reception. If there is more than one base station of the subscribed network operator accessible, it will always choose the one with the strongest signal. An IMSI-catcher masquerades as a base station and causes every mobile phone of the simulated network operator within a defined radius to log in. With the help of a special identity request, it is able to force the transmission of the IMSI. [15]

Tapping a mobile phone

The IMSI-catcher subjects the phones in its vicinity to a man-in-the-middle attack, appearing to them as the preferred base station in terms of signal strength. With the help of a SIM, it simultaneously logs into the GSM network as a mobile station. Since the encryption mode is chosen by the base station, the IMSI-catcher can induce the mobile station to use no encryption at all. Hence it receives the mobile station's traffic in plain text and can itself encrypt that traffic before passing it on to the real base station.

A targeted mobile phone is sent signals such that the user cannot tell the device apart from the authentic infrastructure of the cell service provider. [16] This means that the device is able to retrieve the same data that a normal cell tower receives from mobile phones once they register. [16]

There is only an indirect connection from mobile station via IMSI-catcher to the GSM network. For this reason, incoming phone calls cannot generally be patched through to the mobile station by the GSM network, although more modern versions of these devices have their own mobile patch-through solutions in order to provide this functionality.

Passive IMSI detection

The difference between a passive IMSI-catcher and an active IMSI-catcher is that an active IMSI-catcher intercepts the data in transit, such as voice, text, mail and web traffic, between the endpoint and the cell tower.

Active IMSI-catchers generally also intercept all conversations and data traffic within a large range and are therefore also called rogue cell towers. They send a signal with a plethora of commands to the endpoints, which respond by establishing a connection, and then route all conversations and data traffic between the endpoints and the actual cell tower for as long as the attacker wishes.

A passive IMSI-catcher, on the other hand, only detects the IMSI, TMSI or IMEI of an endpoint. Once the IMSI, TMSI or IMEI is detected, the endpoint is immediately released. The passive IMSI-catcher sends out a signal with only one specific command to the endpoints, which respond to it and share their identifiers with the passive IMSI-catcher. The vendors of passive IMSI-catchers take privacy more into account.

Universal Mobile Telecommunications System (UMTS)

False base station attacks are prevented by a combination of key freshness and integrity protection of signaling data, not by authenticating the serving network. [17]

To provide a high network coverage, the UMTS standard allows for inter-operation with GSM. Therefore, not only UMTS but also GSM base stations are connected to the UMTS service network. This fallback is a security disadvantage and allows a new possibility of a man-in-the-middle attack. [18]

Tell-tales and difficulties

The assignment of an IMSI catcher has a number of difficulties:

  1. It must be ensured that the mobile phone of the observed person is in standby mode and that the correct network operator has been determined. Otherwise there is no reason for the mobile station to log into the simulated base station.
  2. Depending on the signal strength of the IMSI-catcher, numerous IMSIs can be located. The problem is to find out the right one.
  3. All mobile phones in the area covered by the catcher have no access to the network. Incoming and outgoing calls cannot be patched through for these subscribers. Only the observed person has an indirect connection.
  4. There are some disclosing factors. In most cases, the operation cannot be recognized immediately by the subscriber, but a few mobile phones show a small symbol on the display, e.g. an exclamation point, if encryption is not used. This "Ciphering Indication Feature" can, however, be suppressed by the network provider by setting the OFM bit in EF_AD on the SIM card. Since network access is handled with the SIM/USIM of the IMSI-catcher, the receiver cannot see the number of the calling party. Of course, this also implies that the tapped calls are not listed in the itemized bill.
  5. Deployment near the real base station can be difficult, due to the high signal level of the original base station.
  6. As most mobile phones prefer the faster modes of communication such as 4G or 3G, downgrading to 2G can require blocking frequency ranges for 4G and 3G. [19]

Detection and counter-measures

Some preliminary research has been done on detecting and frustrating IMSI-catchers. One such project is based on the Osmocom open source mobile station software. This is a special type of mobile phone firmware that can be used to detect and fingerprint certain network characteristics of IMSI-catchers and warn the user that such a device is operating in their area. But this firmware/software-based detection is limited to a select few outdated GSM mobile phones (e.g. Motorola) that are no longer available on the open market. The main obstacle is the closed-source nature of the major mobile phone producers' basebands.

The application Android IMSI-Catcher Detector (AIMSICD) is being developed to detect and circumvent IMSI-catchers such as the StingRay and silent SMS. [20] Technology for a stationary network of IMSI-catcher detectors has also been developed. [13] Several apps listed on the Google Play Store as IMSI catcher detector apps, including SnoopSnitch, Cell Spy Catcher and GSM Spy Finder, have between 100,000 and 500,000 downloads each. However, these apps are limited in that they do not have access to the phone's underlying hardware and may offer only minimal protection. [21]
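The tell-tales named on this page (a cell not in the local baseline, the A5/0, A5/1 or A5/2 ciphering modes chosen by the catcher, an unusually strong signal, and a forced fall-back to 2G) can be turned into a simple record-level check. The following is an added example, not code from the article or from any of the detector apps it names; it assumes the baseband exposes serving-cell observations (the very access the page says most apps lack), uses a constructed baseline and capture, and treats the -50 dBm threshold and the cipher-name strings as assumptions.

```python
"""Heuristic IMSI-catcher tell-tale checks over serving-cell observation records (added example)."""
from dataclasses import dataclass
from typing import List, Set, Tuple

# GSM ciphering modes the page names as absent or breakable; any other reported mode is treated as acceptable.
WEAK_CIPHERS = {"A5/0": "no ciphering", "A5/1": "breakable ciphering", "A5/2": "breakable ciphering"}


@dataclass(frozen=True)
class CellObservation:
    ts: int          # seconds since the start of the capture
    rat: str         # radio access technology: "2G", "3G" or "4G"
    mcc: str         # mobile country code of the serving PLMN
    mnc: str         # mobile network code of the serving PLMN
    lac: int         # location area code announced by the cell
    cell_id: int     # cell identity announced by the cell
    rssi_dbm: int    # received signal strength
    cipher: str      # ciphering mode reported by the baseband ("" if unknown)


def analyse(observations: List[CellObservation],
            known_cells: Set[Tuple[str, str, int, int]],
            strong_dbm: int = -50) -> List[Tuple[int, str, str]]:
    """Return (timestamp, indicator, detail) tuples for every tell-tale found in the record stream."""
    findings: List[Tuple[int, str, str]] = []
    prev = None
    for obs in observations:
        key = (obs.mcc, obs.mnc, obs.lac, obs.cell_id)
        # A cell never seen in the baseline for this location is the first thing to look at.
        if key not in known_cells:
            findings.append((obs.ts, "unknown-cell", f"LAC {obs.lac} cell {obs.cell_id} not in baseline"))
        # The base station picks the ciphering mode, so no or weak ciphering is what a catcher would choose.
        if obs.cipher in WEAK_CIPHERS:
            findings.append((obs.ts, "weak-cipher", f"{obs.cipher}: {WEAK_CIPHERS[obs.cipher]}"))
        # The catcher must be the strongest cell; a near-saturated RSSI is suspicious (threshold is an assumption).
        if obs.rssi_dbm >= strong_dbm:
            findings.append((obs.ts, "strong-signal", f"{obs.rssi_dbm} dBm"))
        # Being pushed from 3G/4G down to 2G is the downgrade the page describes.
        if prev is not None and obs.rat == "2G" and prev.rat != "2G":
            findings.append((obs.ts, "rat-downgrade", f"{prev.rat} -> {obs.rat}"))
        prev = obs
    return findings


def score(findings: List[Tuple[int, str, str]]) -> int:
    """Number of distinct indicator types; several different tell-tales together outweigh one repeated."""
    return len({indicator for _, indicator, _ in findings})


# Constructed sample: three legitimate cells seen over time at this location, then a capture in which a
# new 2G cell with no ciphering and a very strong signal appears after the phone was on 4G and 3G.
KNOWN_CELLS = {("001", "01", 1001, 20001), ("001", "01", 1001, 20002), ("001", "01", 1001, 20003)}
SAMPLE = [
    CellObservation(0, "4G", "001", "01", 1001, 20001, -85, "EEA2"),
    CellObservation(30, "4G", "001", "01", 1001, 20002, -88, "EEA2"),
    CellObservation(60, "3G", "001", "01", 1001, 20003, -90, "UEA1"),
    CellObservation(90, "2G", "001", "01", 7777, 65000, -45, "A5/0"),  # every tell-tale at once
]

if __name__ == "__main__":
    for ts, indicator, detail in analyse(SAMPLE, KNOWN_CELLS):
        print(f"t={ts:>3}s  {indicator:<14} {detail}")
    print("distinct indicators:", score(analyse(SAMPLE, KNOWN_CELLS)))
```

Any single indicator is noisy on its own (a new legitimate cell, a phone held next to a femtocell), which is why the score counts distinct indicator types rather than raw hits.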

Footnotes

  1. "Police's growing arsenal of technology watches criminals and citizens". Star Tribune. Retrieved 30 April 2017.
  2. "Analysis of UMTS (3G) Authentication and Key Agreement Protocol (AKA) for LTE (4G) Network" (PDF). Retrieved 30 April 2017.
  3. Shaik, Altaf; Borgaonkar, Ravishankar; Asokan, N.; Niemi, Valtteri; Seifert, Jean-Pierre (2015). "Practical attacks against privacy and availability in 4G/LTE mobile communication systems". arXiv:1510.07563v1 [cs.CR].
  4. "Section 100i - IMSI-Catcher" (PDF), The German Code of Criminal Procedure, 2014, pp. 43–44.
  5. EP 1051053, Frick, Joachim & Bott, Rainer, "Verfahren zum Identifizieren des Benutzers eines Mobiltelefons oder zum Mithören der abgehenden Gespräche (Method for identifying a mobile phone user or for eavesdropping on outgoing calls)", issued 2003-07-09.
  6. MMI Research Ltd v Cellxion Ltd & Ors [2012] EWCA Civ 7 (24 January 2012), Court of Appeal judgment invalidating Rohde & Schwarz patent.
  7. Farivar, Cyrus (13 April 2015). "County prosecutor says it has no idea when stingrays were used, so man sues". Ars Technica. Retrieved 12 March 2016.
  8. "Wingsuit-Flieger stürzt in den Tod". Blick (in German). 10 July 2015. Retrieved 11 July 2015.
  9. "Police's growing arsenal of technology watches criminals and citizens". Star Tribune. Retrieved 30 April 2017.
  10. "Prisoners outwit £1.2m mobile phone blocking trial in Scots jails". 25 May 2016.
  11. Corfield, Gareth (27 February 2017). "New prison law will let mobile networks deploy IMSI catchers". The Register. Retrieved 27 February 2017.
  12. "The body-worn 'IMSI catcher' for all your covert phone snooping needs". Ars Technica. 1 September 2013.
  13. "Digitale Selbstverteidigung mit dem IMSI-Catcher-Catcher". c't (in German). 27 August 2014.
  14. "The Spyware That Enables Mobile-Phone Snooping". Bloomberg View. 27 November 2013.
  15. Rolón, Darío Nicolás (22 December 2017). "Intercepción de metadatos de comunicaciones por teléfonos móviles. El IMSI-Catcher y su regulación en el ordenamiento procesal penal alemán". Revista de Estudios de la Justicia (27): 61–79. Retrieved 4 January 2018.
  16. Jeong, Ha-Myoung (28 February 2019). "The U.S. Supreme Court's Recent Decision About Historical Cell Site Location Information: Carpenter v. U.S." IT & Law Review. 18: 95–120. doi:10.37877/itnlaw.2019.02.18.4. ISSN 1975-8766. S2CID 230381898.
  17. Mitchell, Chris; Pagliusi, Paulo (2004). "Is Entity Authentication Necessary?". Security Protocols, Springer LNCS 2845, pp. 20–29.
  18. Meyer, Ulrike; Wetzel, Susanne (1 October 2004). "A Man-in-the-Middle Attack on UMTS. ACM workshop on Wireless security, 2004" (PDF). Retrieved 12 March 2016.
  19. van Rijsbergen, Kenneth. "The effectiveness of a homemade IMSI catcher build with YateBTS and a BladeRF" (PDF), pp. 8–9. Retrieved 7 July 2017.
  20. "Android IMSI-Catcher Detector (AIMSICD) Wiki, Development status". GitHub. 9 December 2015. Retrieved 10 October 2016. In alpha stage in October 2016.
  21. "IMSI Catcher Detection Apps Might Not Be All That Good, Research Suggests". Motherboard. 14 August 2017. Retrieved 14 August 2017.
