
IMSI Catchers

by on November 20, 2013


What is an IMSI?

A unique International Mobile Subscriber Identity (IMSI) is issued to every user of the GSM/UMTS/LTE system.

Composition of IMSI

An IMSI is composed of three parts:

  1. Mobile Country Code (MCC), consisting of 3 digits. The MCC uniquely identifies the country of domicile of the mobile subscriber.
  2. National Mobile Subscriber Identity (NMSI):
    • Mobile Network Code (MNC), consisting of 2 or 3 digits for GSM/UMTS applications. The MNC identifies the home PLMN of the mobile subscriber. The length of the MNC (two or three digits) depends on the value of the MCC. A mixture of two- and three-digit MNC codes within a single MCC area is not recommended and is outside the scope of this specification.
    • Mobile Subscriber Identification Number (MSIN), identifying the mobile subscriber within a PLMN.

Example IMSI:

234150999999999

  • MCC = 234 (UK)
  • MNC = 15 (O2 UK)
  • MSIN = 0999999999

For a full list of MCCs and MNCs visit: http://en.wikipedia.org/wiki/Mobile_country_code

The National Mobile Subscriber Identity (NMSI) consists of the Mobile Network Code and the Mobile Subscriber Identification Number.
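The split described above, as an added example in Python (not code from the original post). Because the MNC length depends on the MCC, the parser takes it from a small lookup table or an explicit argument; the table entries and the second sample IMSI are constructed assumptions, not an authoritative list.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed MNC lengths for a few MCCs (illustrative subset, not a full table).
# 234 with a 2-digit MNC matches the page's example; the rest are assumptions.
MNC_LENGTH_BY_MCC = {"234": 2, "262": 2, "302": 3, "310": 3}


@dataclass(frozen=True)
class Imsi:
    mcc: str   # Mobile Country Code, always 3 digits
    mnc: str   # Mobile Network Code, 2 or 3 digits
    msin: str  # Mobile Subscriber Identification Number

    @property
    def nmsi(self) -> str:
        """National Mobile Subscriber Identity: MNC followed by MSIN."""
        return self.mnc + self.msin


def parse_imsi(imsi: str, mnc_length: Optional[int] = None) -> Imsi:
    """Split an IMSI string into MCC, MNC and MSIN.

    The MNC length cannot be read from the digits themselves, so it is
    taken from mnc_length or looked up by MCC; unknown MCCs are rejected
    rather than guessed.
    """
    if not (imsi.isascii() and imsi.isdigit()):
        raise ValueError("IMSI must contain ASCII digits only")
    if len(imsi) > 15:
        raise ValueError("IMSI is at most 15 digits")
    mcc = imsi[:3]
    if mnc_length is None:
        mnc_length = MNC_LENGTH_BY_MCC.get(mcc)
        if mnc_length is None:
            raise ValueError(f"MNC length for MCC {mcc!r} is not known")
    if mnc_length not in (2, 3):
        raise ValueError("MNC length must be 2 or 3")
    if len(imsi) <= 3 + mnc_length:
        raise ValueError("IMSI is too short to contain an MSIN")
    return Imsi(mcc, imsi[3:3 + mnc_length], imsi[3 + mnc_length:])


if __name__ == "__main__":
    # The page's example IMSI, then a constructed one with a 3-digit MNC.
    for sample in ("234150999999999", "310410123456789"):
        print(sample, "->", parse_imsi(sample))
```

Splitting an IMSI with the wrong MNC length silently shifts a digit between the MNC and the MSIN, which is why the parser refuses to guess for an MCC it has no length for.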

In order to support the subscriber identity confidentiality service, the VLRs, SGSNs and MME may allocate Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers. The VLR, SGSN and MME must be capable of correlating an allocated TMSI with the IMSI of the MS (Mobile Subscriber or your physical phone ;)) to which it is allocated.

VLRs, SGSNs, MME and more will be covered later….

IMSI Catcher

An IMSI catcher is essentially a false mobile tower acting between the target mobile phone(s) and the service provider's real towers. As such, it is considered a Man-in-the-Middle (MiTM) attack. It is an eavesdropping device used for interception and tracking of cellular phones, and it is usually undetectable to the users of those phones.

With the recent wave of femtocell technology available to the general public, hackers are turning these useful devices into devious wire-tapping machines.

How?

The GSM specification requires the handset to authenticate to the network, but does not require the network to authenticate to the handset. This well-known security hole can be exploited by an IMSI catcher.

The IMSI catcher masquerades as a base station and logs the IMSI numbers of all the mobile stations in the area as they attempt to attach to it. It can also force a connected mobile phone to use no call encryption (i.e., it is forced into A5/0 mode), making the call data easy to intercept and convert to audio.

IMSI catchers are used in some countries by law enforcement and intelligence agencies, but because of civil liberty and privacy concerns, their use is illegal in others. Some countries do not even have encrypted phone data traffic (or have very weak encryption), rendering an IMSI catcher unnecessary.

2 Comments
  1. For all of you that are sick of all this BS and want to do something about it, here’s a great project you should check out: The “Android-IMSI-Catcher-Detector (AIMSICD)”. It is an Android open-source based project to detect and (hopefully one day) avoid fake base stations (IMSI-Catchers) or other base-stations (mobile antennas) with poor/no encryption. This project aims to warn users if the ciphering is turned off and also enables several other protection-mechanisms. Since it is under constant development, we constantly search for testers and security-enthusiastic developers with balls. Don’t be shy, feel free to contribute, in any way you can on GitHub: https://github.com/SecUpwN/Android-IMSI-Catcher-Detector
