IMSI Catcher

An IMSI catcher is an electronic device that tracks and intercepts mobile phone communications.

IMSI catchers are also called Stingrays (after a widely sold commercial model), rogue cell towers, fake cell towers, rogue base stations, cell-site simulators, cell-site emulators, or drop boxes. IMSI stands for International Mobile Subscriber Identity; the IMSI is the permanent identifier stored on a SIM card that uniquely identifies a subscriber to a network operator (the handset itself is identified separately by its IMEI). An IMSI catcher works by mimicking a legitimate cell tower and convincing nearby phones to connect to it. Once a phone connects, the catcher can ask it for its IMSI, which lets the operator identify and track that phone; more capable catchers go on to intercept the text messages, calls, and data traffic of targeted phones.

Are IMSI Catchers legal?

While IMSI catchers are legitimate law enforcement tools in some countries, civil libertarians have voiced serious concerns about the privacy risks and have called for more transparency and safeguards. Criminals and hackers use IMSI catchers to spy on individuals or steal their data. State actors, allegedly including Russia and China, have also been reported to use the technique, raising concerns about the use of these devices on US soil.

How IMSI Catchers Work

Active IMSI catchers operate as a man-in-the-middle (MitM): toward the genuine base station they behave like the target phone, and toward the target phone they behave like a genuine base station. The defining capability, from which they take their name, is determining the IMSIs of nearby phones. Using the IMSI, they can then single out a particular subscriber's traffic on the network for interception and analysis.

Because the 2G (GSM) protocol has security flaws that make spying easier, IMSI catchers frequently try to force communication over 2G. GSM authentication is one-way: the network verifies the phone, but the phone never verifies the network, so a phone will accept any base station that speaks the protocol. Encryption is also optional and chosen by the network, which may select A5/0 (no encryption) without the phone being able to refuse; where encryption is used, the common A5/1 cipher can be broken in near real time with precomputed tables.

More capable IMSI catchers can intercept text messages and listen in on phone calls. They may also capture data such as dialed phone numbers, web pages browsed, and other unencrypted traffic. IMSI catchers are frequently equipped with jamming capability (to block the 3G and 4G bands so that phones fall back to 2G) and other denial-of-service features. Some IMSI catchers may also be able to retrieve content such as images and SMS messages from the target phone.

A Technical Overview of an IMSI Catcher Attack

A basic IMSI catcher simply records nearby IMSIs and does not interact with the target phones in any significant way beyond that. It records the IMSIs by pretending to be a base station and then releases the phones.

GSM phones are designed to camp on the base station with the strongest received signal, so an IMSI catcher transmitting at high power nearby gets selected. When the phone initiates a connection to that base station, it reports its encryption capabilities (its classmark, which the base station can also explicitly request), and a genuine network uses this to pick a cipher. If the base station is an IMSI catcher rather than a cell tower, it can ignore the capabilities altogether or select no encryption (A5/0), and the phone has no way to refuse.

The next step in the connection handshake is for the base station to send an Identity Request. A genuine network normally addresses a phone by a temporary identity (TMSI) that it assigned earlier and only asks for the permanent IMSI when it cannot resolve that TMSI; an IMSI catcher asks every phone, because the IMSI stored on the phone's SIM card is exactly what it is after, and the phone cannot decline. After receiving the IMSI, the IMSI catcher releases the phone back to the genuine network, for example by rejecting the location update so that the phone looks for another cell.

From here, many more sophisticated attacks can be launched, but that is how the most basic IMSI catchers work: they collect IMSIs during the connection procedure, abort it, and move on to the next target. Phones on more recent generations (e.g., 4G/LTE) are more careful about not connecting to any random base station that merely has a strong signal, so an attacker needs more complex techniques to make such a phone connect to an IMSI catcher.
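The exchange described above, as an added example that is not part of the original article and not real baseband or network code: a small model of the GSM location-update handshake, with one phone walked through a legitimate network (which resolves the TMSI itself and picks the strongest shared cipher) and then through a basic IMSI catcher (which always sends an Identity Request, never enables ciphering, and rejects the update to release the phone). Message names follow the GSM procedure; the subscriber identity, the TMSI allocation scheme, the reject cause text and the cipher preference order are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Cipher preference a modern network would apply; A5/0 means "no encryption".
# Constructed ordering for the example.
CIPHER_PREFERENCE = ("A5/3", "A5/1", "A5/0")


@dataclass
class Phone:
    """A GSM mobile station: a SIM holding an IMSI and, after a successful
    attach, a network-assigned temporary identity (TMSI)."""
    imsi: str
    tmsi: Optional[str]
    supported_ciphers: Tuple[str, ...] = ("A5/3", "A5/1")
    log: List[str] = field(default_factory=list)

    def location_updating_request(self) -> dict:
        # The phone identifies with its TMSI when it has one; the IMSI only goes
        # over the air in clear when no TMSI exists or the network asks for it.
        identity = ("TMSI", self.tmsi) if self.tmsi else ("IMSI", self.imsi)
        return {"msg": "LOCATION_UPDATING_REQUEST", "identity": identity,
                "classmark": self.supported_ciphers}

    def handle(self, msg: dict) -> Optional[dict]:
        kind = msg["msg"]
        if kind == "IDENTITY_REQUEST":
            # GSM never authenticates the network to the phone, and the phone
            # cannot refuse an Identity Request: it answers with the SIM's IMSI.
            self.log.append("IMSI sent in clear")
            return {"msg": "IDENTITY_RESPONSE", "imsi": self.imsi}
        if kind == "CIPHER_MODE_COMMAND":
            self.log.append("cipher " + msg["algorithm"])
            return {"msg": "CIPHER_MODE_COMPLETE"}
        if kind == "LOCATION_UPDATING_ACCEPT":
            self.tmsi = msg.get("new_tmsi", self.tmsi)
            self.log.append("attached")
            return None
        if kind == "LOCATION_UPDATING_REJECT":
            # The phone leaves this cell and reselects another; to the user it
            # looks like a brief loss of service.
            self.log.append("rejected (%s)" % msg["cause"])
            return None
        raise ValueError("unexpected message " + kind)


class LegitimateNetwork:
    """Base station plus VLR of a real operator: resolves a known TMSI locally
    and only falls back to an Identity Request when it cannot."""

    def __init__(self, vlr: Dict[str, str]):
        self.vlr = vlr                      # TMSI -> IMSI, as the VLR holds it
        self.transcript: List[str] = []

    def serve(self, phone: Phone) -> str:
        req = phone.location_updating_request()
        self.transcript.append(req["msg"])
        id_type, id_value = req["identity"]
        if id_type == "TMSI" and id_value in self.vlr:
            imsi = self.vlr[id_value]
        else:
            self.transcript.append("IDENTITY_REQUEST")
            imsi = phone.handle({"msg": "IDENTITY_REQUEST", "type": "IMSI"})["imsi"]
        # (authentication challenge/response left out of the model)
        alg = next(a for a in CIPHER_PREFERENCE if a in req["classmark"] or a == "A5/0")
        self.transcript.append("CIPHER_MODE_COMMAND " + alg)
        phone.handle({"msg": "CIPHER_MODE_COMMAND", "algorithm": alg})
        new_tmsi = "T-" + imsi[-4:]         # constructed TMSI allocation
        self.vlr[new_tmsi] = imsi
        self.transcript.append("LOCATION_UPDATING_ACCEPT")
        phone.handle({"msg": "LOCATION_UPDATING_ACCEPT", "new_tmsi": new_tmsi})
        return alg


class ImsiCatcher:
    """A basic collect-and-release IMSI catcher: asks every phone for its IMSI
    however it identified itself, enables no ciphering, then pushes it away."""

    def __init__(self):
        self.captured: List[str] = []
        self.transcript: List[str] = []

    def serve(self, phone: Phone) -> str:
        req = phone.location_updating_request()
        self.transcript.append(req["msg"])
        # No VLR to resolve the TMSI, and the permanent identity is the goal.
        self.transcript.append("IDENTITY_REQUEST")
        imsi = phone.handle({"msg": "IDENTITY_REQUEST", "type": "IMSI"})["imsi"]
        self.captured.append(imsi)
        # Abort the procedure so the phone reattaches to the genuine network.
        self.transcript.append("LOCATION_UPDATING_REJECT")
        phone.handle({"msg": "LOCATION_UPDATING_REJECT",
                      "cause": "location area not allowed"})  # illustrative cause
        return imsi


def demo() -> dict:
    """Run one constructed subscriber through both networks; return what each side saw."""
    vlr = {"T-1234": "310260123456789"}
    phone = Phone(imsi="310260123456789", tmsi="T-1234")
    real = LegitimateNetwork(vlr)
    real.serve(phone)
    catcher = ImsiCatcher()
    catcher.serve(phone)
    return {"real": real.transcript, "catcher": catcher.transcript,
            "captured": catcher.captured, "phone_log": phone.log}


if __name__ == "__main__":
    for side, seen in demo().items():
        print(side, seen)
```

The transcript contrast is the whole point: the genuine network never needs to ask for the IMSI of a phone it already knows, while the catcher's session consists of nothing but an Identity Request followed by a reject, and the phone's own log shows it was never given a cipher.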

GSM communication interception

IMSI catchers target GSM networks for communication interception because GSM traffic is not always encrypted, and where it is, the older encryption algorithms are broken or can be compromised in real time.

To intercept communications, the IMSI catcher must position itself between the phone and the genuine tower, the classic man-in-the-middle (MitM) attack. Executing it requires the IMSI catcher to convince the network that it is the targeted mobile phone, which it can do by relaying the network's authentication challenge to the real phone and forwarding the phone's response, and to disable or break any encryption that would otherwise be enabled.

LTE IMSI catcher connection techniques

It’s also possible for an IMSI catcher to circumvent LTE and other mobile protocol safeguards that are designed to stop phones from connecting to any base station with enough power.

In GSM, phones continually scan for a tower with a stronger signal and reselect to it. In LTE, by contrast, once the serving cell's signal is above a configured threshold the phone stops measuring other cells on the same frequency to save power. An IMSI catcher can exploit this by masquerading as a cell already in the serving cell's neighbour list (same frequency, same physical cell identity, and so on) and transmitting at higher power; once the phone does measure, the stronger impostor wins and the phone switches over.

Another approach relies on the fact that LTE carrier frequencies are assigned priorities (this is referred to as "absolute priority-based cell reselection"). If a phone sees a suitable cell on a higher-priority frequency than the one it is camped on, it reselects to it as soon as that cell clears a minimum quality threshold, even when the serving cell is stronger. These priorities are broadcast in the clear by every base station in its system information, so an attacker can extract the unencrypted configuration messages from base stations to discover the higher-priority frequencies used in the given area.

Using these techniques, an attacker can force even an LTE phone onto their IMSI catcher, at which point the same identity collection, downgrade, and interception attacks become available.
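The two reselection behaviours above, as an added example rather than anything from the original article: a simplified model of a UE's idle-mode reselection decision (after the rules in 3GPP TS 36.304, with timers and per-cell offsets left out), fed with the kind of parameters an eNodeB broadcasts unencrypted in SIB3/SIB5. It shows why a loud rogue cell on the serving frequency gets nowhere while the serving cell is strong, but a much weaker rogue cell on a higher-priority frequency is taken immediately. All frequencies, priorities, thresholds and signal levels are constructed; the `rogue` flag exists only to read off the outcome, since the phone itself cannot tell.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Cell:
    pci: int              # physical cell identity
    earfcn: int           # carrier frequency number
    rsrp_dbm: float       # reference signal power as measured by the phone
    rogue: bool = False   # annotation for the reader only


@dataclass
class SibConfig:
    """Reselection parameters a real eNodeB broadcasts in clear (SIB3/SIB5).
    Values used below are constructed for the example."""
    s_intra_search_dbm: float       # above this serving RSRP, same-frequency neighbours are not measured
    freq_priority: Dict[int, int]   # earfcn -> cellReselectionPriority (higher = preferred)
    thresh_x_high_dbm: float        # minimum RSRP a higher-priority cell must reach
    q_hyst_db: float                # hysteresis in favour of the serving cell


def highest_priority_frequencies(sib: SibConfig, serving_earfcn: int) -> List[int]:
    """What an attacker reads out of decoded SIBs: frequencies that outrank the
    serving one, i.e. the best carriers on which to put a rogue cell."""
    serving_prio = sib.freq_priority[serving_earfcn]
    return sorted((f for f, p in sib.freq_priority.items() if p > serving_prio),
                  key=lambda f: -sib.freq_priority[f])


def reselect(serving: Cell, neighbours: List[Cell], sib: SibConfig) -> Cell:
    """Return the cell the phone camps on after one reselection evaluation."""
    serving_prio = sib.freq_priority[serving.earfcn]
    # Rule 1: a cell on a higher-priority frequency is taken as soon as it clears
    # thresh_x_high, no matter how strong the serving cell is.
    higher = [c for c in neighbours
              if sib.freq_priority.get(c.earfcn, -1) > serving_prio
              and c.rsrp_dbm > sib.thresh_x_high_dbm]
    if higher:
        return max(higher, key=lambda c: c.rsrp_dbm)
    # Rule 2: on the serving frequency the phone does not even measure while the
    # serving cell is above s-IntraSearch ...
    if serving.rsrp_dbm > sib.s_intra_search_dbm:
        return serving
    # ... and once it does, it ranks by RSRP with q-Hyst protecting the serving cell.
    best, best_rank = serving, serving.rsrp_dbm + sib.q_hyst_db
    for c in neighbours:
        if c.earfcn == serving.earfcn and c.rsrp_dbm > best_rank:
            best, best_rank = c, c.rsrp_dbm
    return best


# Constructed broadcast configuration: 1800 MHz band carrier at priority 5,
# 2600 MHz band carrier at priority 7.
SIB = SibConfig(s_intra_search_dbm=-95.0,
                freq_priority={1800: 5, 2600: 7},
                thresh_x_high_dbm=-110.0,
                q_hyst_db=2.0)


def scenarios() -> Dict[str, bool]:
    """Whether the phone ends up on the rogue cell in each situation."""
    strong_serving = Cell(pci=101, earfcn=1800, rsrp_dbm=-80.0)
    weak_serving = Cell(pci=101, earfcn=1800, rsrp_dbm=-100.0)
    # Rogue impersonating neighbour PCI 102 on the serving frequency, very loud.
    rogue_same = Cell(pci=102, earfcn=1800, rsrp_dbm=-60.0, rogue=True)
    # Rogue on the higher-priority frequency learned from SIB5, much weaker.
    rogue_prio = Cell(pci=250, earfcn=2600, rsrp_dbm=-100.0, rogue=True)
    return {
        "same_freq_strong_serving": reselect(strong_serving, [rogue_same], SIB).rogue,
        "same_freq_weak_serving": reselect(weak_serving, [rogue_same], SIB).rogue,
        "higher_priority_strong_serving": reselect(strong_serving, [rogue_prio], SIB).rogue,
    }


if __name__ == "__main__":
    print("rogue should use EARFCN(s):", highest_priority_frequencies(SIB, 1800))
    for name, on_rogue in scenarios().items():
        print(name, "-> on rogue cell" if on_rogue else "-> stayed on genuine cell")
```

The third scenario is the one that matters in practice: the rogue cell is 20 dB weaker than the genuine one, yet the priority rule hands the phone over, which is why reading the priorities out of the broadcast SIBs is the attacker's first step.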

Location tracking attacks

Often when the dangers of IMSI catchers are discussed, the focus is on communication interception. In practice, however, the consequences of real-time location tracking are often more severe. There are generally two types of location tracking an IMSI catcher can perform. Presence testing checks whether a particular phone is present in or absent from a cell tower's location area. Fine-grained location determines the position of a phone, either by trilateration from signal measurements against multiple towers or by forcing the device to report its exact GPS coordinates.

Denial of Service and Downgrading

Cell network denial-of-service and protocol downgrade attacks are also possible. Downgrade attacks force the target phone onto a less secure protocol (for example from LTE down to 2G), from which a more invasive attack can be launched.

For a more detailed technical overview of how IMSI catchers compromise mobile devices, please visit the EFF.

How do hackers use IMSI catchers?

An IMSI catcher therefore gives a threat actor several options, depending on the device's capabilities and the cellular protocol in use.

Location tracking. An IMSI catcher can force a targeted smartphone to report its location, either from GPS or from the signal strength of the cell towers around it, which allows trilateration from those towers' known positions. Once a threat actor knows where a target is, they can learn more about them, such as their exact location within a large office complex or the sites they frequent, or simply track them across the coverage area.

Data interception. Some IMSI catchers allow operators to reroute calls and texts, alter communications, and impersonate a user in calls and texts.

Spyware delivery. Some of the more expensive IMSI catchers claim to be able to deliver spyware to the target device. Once installed, spyware can report the target's position without any further need for an IMSI catcher and discreetly gather images and audio through the device's cameras and microphones.

Data extraction. An IMSI catcher may also gather call and text metadata (phone numbers, caller IDs, call durations), the content of unencrypted phone conversations and text messages, and some data-usage information (such as websites visited).

Detecting an IMSI Catcher

There is no guaranteed way for a smartphone user to know whether their device is connected to an IMSI catcher, much less to prevent such connections. A slow cellular connection and a change of the network indicator in the status bar (for example, from LTE to 2G) are possible signs, but slow connections also happen to unaffected users, and some IMSI catchers operate directly on 4G.

IMSI catcher detection applications (such as the open-source Android IMSI-Catcher Detector, AIMSICD) are only available for Android, and they require rooting the device, which itself weakens its security, in order to read cellular signalling through the baseband's diagnostic interface. Popular IMSI catcher detection software includes SnoopSnitch, SecurCube, ComSec, Cell Spy Catcher, and Darshak (in addition to AIMSICD). These apps work heuristically, flagging signs such as unknown cell identities, unencrypted connections, and unexpected downgrades, so they produce both false positives and false negatives.

More reliable hardware options exist for identifying IMSI catchers, which makes sense for protecting many smartphone users in a single location, such as a corporate headquarters or a military post. A typical configuration is a fixed, embedded sensor with a cellular modem that continuously monitors the broadcast signals of nearby base stations and uploads its observations to a database for analysis; a base station that appears without a matching entry in the list of known cells, or that broadcasts unusual parameters, is flagged. When an IMSI catcher is detected, alerts can be sent to all smartphone users in the organization.
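The kind of heuristic logic the app-based and sensor-based detectors above rely on, written out as an added example (it is not code from any of the named products): a small analyser run over a constructed log of the serving-cell observations a detection app reads from the modem. It flags a cell identity missing from a known-cell database, a connection with a null cipher, an Identity Request for the IMSI after the phone was already attached, and a fall from strong LTE coverage straight to GSM, then scores how many heuristics fire at once. The cell database, the observation log and the "strong LTE" threshold are all constructed.

```python
from typing import List, NamedTuple, Optional, Set, Tuple


class CellObs(NamedTuple):
    """One attach/camp event as a detection app would read it from the baseband."""
    t: int                # seconds since monitoring started
    rat: str              # "LTE", "UMTS" or "GSM"
    plmn: str             # MCC+MNC of the advertised operator
    area: int             # LAC (GSM/UMTS) or TAC (LTE)
    cell_id: int
    signal_dbm: float     # received signal strength
    cipher: str           # negotiated cipher; A5/0, UEA0 and EEA0 mean none
    imsi_requested: bool  # the network sent an Identity Request for the IMSI


NULL_CIPHERS = {"A5/0", "UEA0", "EEA0"}
STRONG_LTE_DBM = -90.0   # assumed threshold: above this, LTE has no reason to drop to GSM

# Constructed known-cell set for one operator, as a crowd-sourced cell database
# would supply it: (plmn, area, cell_id).
KNOWN_CELLS: Set[Tuple[str, int, int]] = {
    ("310260", 4101, 2031),
    ("310260", 4101, 2032),
    ("310260", 4102, 2040),
}

# Constructed observation log: a normal LTE session, then a sudden drop to an
# unknown, unencrypted GSM cell that asks for the IMSI, then back to LTE.
SAMPLE_LOG: List[CellObs] = [
    CellObs(0,   "LTE", "310260", 4101, 2031, -78.0, "EEA2", False),
    CellObs(60,  "LTE", "310260", 4101, 2032, -82.0, "EEA2", False),
    CellObs(120, "GSM", "310260", 777,  9999, -55.0, "A5/0", True),
    CellObs(180, "LTE", "310260", 4101, 2031, -79.0, "EEA2", False),
]


def analyze(log: List[CellObs], known_cells: Set[Tuple[str, int, int]]) -> List[Tuple[int, str]]:
    """Return (timestamp, reason) alerts for every observation that trips a heuristic."""
    alerts: List[Tuple[int, str]] = []
    prev: Optional[CellObs] = None
    for obs in log:
        key = (obs.plmn, obs.area, obs.cell_id)
        if key not in known_cells:
            alerts.append((obs.t, "unknown cell %s/%d/%d on %s"
                           % (obs.plmn, obs.area, obs.cell_id, obs.rat)))
        if obs.cipher in NULL_CIPHERS:
            alerts.append((obs.t, "connection without encryption (%s)" % obs.cipher))
        # A network that already assigned a temporary identity rarely asks for
        # the permanent IMSI again; an IMSI catcher always does.
        if obs.imsi_requested and prev is not None and prev.plmn == obs.plmn:
            alerts.append((obs.t, "IMSI requested although phone was already attached"))
        if (prev is not None and prev.rat == "LTE" and obs.rat == "GSM"
                and prev.signal_dbm > STRONG_LTE_DBM):
            alerts.append((obs.t, "downgrade LTE->GSM while LTE signal was strong"))
        prev = obs
    return alerts


def max_suspicion(alerts: List[Tuple[int, str]]) -> Tuple[int, int]:
    """(timestamp, count) for the moment with the most heuristics firing.
    One rule alone is weak evidence (new towers do get built); several at
    once on the same event is worth an alarm."""
    counts = {}
    for t, _ in alerts:
        counts[t] = counts.get(t, 0) + 1
    if not counts:
        return (-1, 0)
    t = max(counts, key=lambda k: counts[k])
    return (t, counts[t])


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG, KNOWN_CELLS)
    for t, reason in found:
        print("t=%ds %s" % (t, reason))
    print("strongest signal:", max_suspicion(found))
```

The scoring step is what keeps this usable: any single heuristic has benign explanations (a newly commissioned cell, an operator that still runs A5/0 in places, a legitimate IMSI request after a VLR restart), so the detectors described above alarm on the coincidence of several, not on one.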

Protecting Yourself Against IMSI Catchers

Use a VPN. A VPN encrypts your IP data traffic between the phone and the VPN server, so even if an IMSI catcher intercepts the cellular link it sees only encrypted packets. Note the limits: a VPN does not protect calls or SMS carried over the cellular signalling channels, and it does not hide the IMSI or prevent location tracking.

Keep your phone software updated. Updates fix vulnerabilities in the baseband and operating system that some IMSI catchers exploit, and recent Android versions add a setting to disable 2G at the modem level, which removes the easiest downgrade target.

Be mindful of your surroundings. IMSI catchers are known to be deployed around high-risk gatherings such as protests and political rallies, and nothing visible distinguishes a catcher from a genuine tower, so treat cellular connectivity in such settings as untrusted. Below are additional tips on warding off IMSI catchers:

Switch your phone into airplane mode when not in use. Airplane mode prevents your phone from connecting to any cell tower, including IMSI catchers. Also consider a Faraday bag or cage: a metal-lined enclosure that blocks radio waves will shield your phone from IMSI catchers while it is inside.

Be cautious about sharing sensitive data like your location or travel plans on your phone. Doing so could compromise your privacy.
