In September 2019, Israel was blamed for IMSI catchers found in Washington, DC, two years earlier, illuminating the spread of these spying devices. Once used only by law enforcement as a way to obtain the international mobile subscriber identity (IMSI) associated with a suspect's SIM card for the purposes of an investigation, an IMSI catcher can now be acquired or built by almost anyone to intercept a target's communications. With such low barriers to entry, it's not just the bad guys who have to worry about these devices.
How IMSI Catchers work
At the basic level, an IMSI catcher – also known as a cell site simulator, fake cell tower, rogue base station, StingRay or dirtbox, to name just a few of its many names – consists of two main parts: a radio interface for sending and receiving radio signals, and a network backend that simulates a cellular core network. Today, anyone with a software-defined radio (SDR) and a computing device running an open-source base station program (such as OpenBTS) can operate an effective IMSI catcher.
The IMSI catcher is designed to mimic a real cell tower in order to lure one or more smartphones (or other devices with an active cellular connection) in an area into connecting to it. In the 2G (GSM) era this was simple enough, since phones were designed to connect to the tower with the highest signal strength, and base stations were not required to authenticate themselves to phones. Accordingly, the IMSI catcher simply had to emit (or appear to emit) a much stronger signal than the cell towers around it. In the 4G (LTE) era, however, phones are designed to stay with their current cell tower as long as its signal strength is above a certain threshold, and to connect to neighboring cell towers only if the connection is lost. Current IMSI catchers overcome this by disguising themselves as an adjacent tower or by operating on a higher-priority frequency. Some IMSI catchers even jam the 4G/3G frequencies with white noise to eliminate the real cell towers as connectivity options.
IMSI catchers usually try to force communication over 2G, because the 2G protocol suffers from a number of security weaknesses that facilitate eavesdropping. First, encryption is not always required. And even when it is used, several of the basic cryptographic algorithms (such as A5/1) can be broken in real time.
Once a target smartphone has connected, the IMSI catcher essentially performs a man-in-the-middle (MITM) attack: positioned between the target's smartphone and its cellular network, it removes the phone from the real network and clones the target's identity. In a 2G environment, the catcher simply uses the IMSI obtained from the smartphone to answer the cellular network's identity request, and then relays the network's challenge to the target device, since only the SIM card holds the secret key needed to answer it.
How criminals use IMSI Catchers
Once connected, an IMSI catcher gives threat actors several options, depending on the capabilities of the device and the cellular protocol in use.
- Location tracking: The IMSI catcher can force the target smartphone to report either its exact location via GPS or the signal strengths of the phone's neighboring cell towers, which allows trilateration based on the known locations of those towers. Knowing the target's location, the threat actor can learn specifics about them – their exact location within a large office complex or the places they frequently visit, for example – or simply track them throughout the coverage area.
- Data retrieval: The IMSI catcher can also capture metadata, including information about calls made (phone numbers, caller ID, call duration, etc.), as well as the content of unencrypted phone calls and text messages, and some kinds of data usage (such as websites visited).
- Data interception: Some IMSI catchers even allow operators to divert calls and text messages, edit messages, and spoof the user's identity in calls and texts.
- Spyware delivery: Some higher-end IMSI catchers advertise the ability to deliver spyware to the target device. Such spyware can be used to ping the target's location without the need for an IMSI catcher, and also to covertly capture images and audio through the device's cameras and microphones.
For obvious reasons, we don't have much detail on how criminals and foreign intelligence services use IMSI catchers against businesses and governments, but a few cases shed light on their potential for espionage. In 2015, two criminals in South Africa used an IMSI catcher to manipulate and blackmail people in powerful positions. And in the case of the IMSI catchers stationed near the White House, Israeli intelligence probably succeeded in eavesdropping on phone calls made by President Trump or some of his top advisers. In both cases, targeted espionage was used to gather valuable information that could be exploited for personal or national gain.
At this point, there is no sure way for a smartphone user to know whether their device is connected to an IMSI catcher, much less to prevent such connections. Anecdotal signs include a slow cellular connection and a change in the status bar (for example, from LTE to 2G), but slow connections also happen to unaffected users, and some IMSI catchers can operate on 4G.
There are IMSI catcher detection apps, available only for Android, but they require the device to be rooted – a security risk in itself – to access the cellular messages exposed by the diagnostic interface of the smartphone's baseband. And unfortunately, detection is a mixed bag. Because cellular standards vary widely between countries and carriers, and since relatively little is known about how IMSI catchers work, there is no definitive list of heuristics that can be applied. Each IMSI catcher detection app therefore has its own set of indicators of IMSI catcher activity, such as unexpected identity requests and the removal of encryption from the cellular connection. False positives are common, as test equipment, temporary cells (for major events) and tower restarts all tend to trigger warnings for users.
There are more reliable hardware options for detecting IMSI catchers, which make sense when protecting many smartphone users at a single site, such as a corporate headquarters or a military base. Typically, such a setup consists of a fixed, embedded system comprising sensor hardware and a cellular modem that continuously monitors the signals transmitted by the surrounding base stations, along with a database to which the data is uploaded for analysis. When an IMSI catcher is detected, alerts can then be sent to all smartphone users in the organization.
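As an added illustration of the detection heuristics just described (unexpected identity requests, encryption removal, 2G downgrade, unfamiliar cells) and of the site-level sensor approach, the following Python scores a constructed log of cell observations and raises an alert only when several indicators coincide, which damps the false positives that tower restarts and temporary cells produce. This is example code written for this article, not code from the original piece or any detection product; the record format, thresholds and cell identifiers are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Hypothetical per-cell record, as a baseband diagnostic interface or a site sensor might log it.
@dataclass
class CellObservation:
    cell_id: str           # cell identity broadcast by the base station
    rat: str               # radio access technology: "LTE", "UMTS" or "GSM"
    rssi_dbm: int          # received signal strength in dBm
    cipher: str            # negotiated cipher, e.g. "EEA2", "A5/3", "A5/1", "A5/0"
    identity_request: str  # identity the network asked for: "", "TMSI" or "IMSI"

@dataclass
class Detector:
    known_cells: Set[str] = field(default_factory=set)  # cells seen on earlier scans
    prev: Optional[CellObservation] = None              # previous observation

    def indicators(self, obs: CellObservation) -> List[str]:
        """Return the indicators from the article that this observation trips."""
        hits = []
        if obs.identity_request == "IMSI":
            hits.append("unexpected IMSI identity request")
        if obs.rat == "GSM" and obs.cipher == "A5/0":
            hits.append("encryption removed from 2G connection")
        if (self.prev is not None and self.prev.rat == "LTE"
                and obs.rat == "GSM" and self.prev.rssi_dbm > -90):
            hits.append("downgrade to 2G despite usable LTE signal")
        if obs.cell_id not in self.known_cells and obs.rssi_dbm > -60:
            hits.append("unknown cell with unusually strong signal")
        self.known_cells.add(obs.cell_id)
        self.prev = obs
        return hits

def analyze(observations, known_cells, min_indicators=2):
    """Alert only when several indicators coincide; a lone one (tower restart, fresh SIM) is not escalated."""
    det = Detector(known_cells=set(known_cells))
    alerts = []
    for i, obs in enumerate(observations):
        hits = det.indicators(obs)
        if len(hits) >= min_indicators:
            alerts.append((i, hits))  # (observation index, indicators tripped)
    return alerts

# Constructed sample (assumed values): normal LTE attach, a tower restart, then a rogue 2G cell.
KNOWN = {"310-410-0001", "310-410-0002"}
SAMPLE = [
    CellObservation("310-410-0001", "LTE", -75, "EEA2", "TMSI"),
    CellObservation("310-410-0002", "LTE", -80, "EEA2", "IMSI"),  # one indicator only
    CellObservation("310-410-9999", "GSM", -45, "A5/0", "IMSI"),  # four indicators
]
```

Running `analyze(SAMPLE, KNOWN)` flags only the third observation; lowering `min_indicators` to 1 also flags the restart, showing the trade-off the article describes.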
5G takes on IMSI Catchers
Given that IMSI catchers exploit weaknesses inherent in cellular networks and are difficult to detect, 3GPP, the organization responsible for defining the 5G protocol, has made a point of eliminating the possibility of IMSI catchers working against this standard. Crucially, 5G is designed so that the IMSI (or other so-called permanent subscription identifier) is never revealed in the clear when a mobile device establishes a connection. Instead, 5G uses only a temporary paging identifier, which must be refreshed after each use.
While this is a huge step forward for privacy in cellular networks, there are a few caveats that mean IMSI catchers will be around for a while yet.
- Bugs: As usual with new protocols, security researchers have found dozens of bugs in 5G, including a flaw in the Authentication and Key Agreement (AKA) protocol. Although these are being addressed quickly, it is important to remember that no standard is perfect, and manufacturers of commercial IMSI catchers will no doubt use such shortcomings to develop 5G-specific models.
- Poor carrier implementations: Although the 5G protocol is relatively secure, it still depends on operators to implement it properly. We have already seen some carriers botch early 5G rollouts in a way that would allow IMSI catchers to get at the device identifier during the connection process and therefore operate as usual.
- Downgrade attacks: Although 2G has largely been retired by operators in the United States, it is still widespread around the world, which means that most phones are still designed to work on a 2G network. Downgrade attacks to 2G will therefore remain possible for the foreseeable future, even in an environment where 2G is no longer offered.
Although the fight against IMSI catchers is largely beyond our control, there are still a few steps that you (and any high-value targets in your organization) can take to mitigate personal and organizational risk:
- If your smartphone allows it, turn off 2G support. This significantly reduces the capabilities of IMSI catchers.
- When passing through choke points (such as airports and border crossings) where there is a greater chance of encountering an IMSI catcher, turn off your smartphone or use an RF shielding device, such as a Faraday bag. Neither option completely eliminates RF emissions, but both can minimize them.
- Use communication apps that include end-to-end encryption, ensuring that captured content cannot be easily decrypted by threat actors.
Perhaps most importantly, simply recognizing that your cellular connection cannot be trusted can help you think twice about the information you share over it. Your security posture will be better for it.
This article was originally published in Security Magazine.