An IMSI catcher – also known as a cell-site simulator, fake cell tower, rogue base station, StingRay or dirtbox, to name a few of its many descriptors – is a portable device designed to mimic a real cell tower in order to capture cellular data (like locations and call/text metadata) from a connected smartphone. The device does this in part by “catching” the phone’s international mobile subscriber identity (IMSI).
At a basic level, an IMSI catcher consists of two main parts: a radio frontend for sending and receiving radio waves and a network backend for simulating a cellular core network. Today, anyone with a software-defined radio (SDR) and a computing device running an open-source base station program (like OpenBTS) can effectively operate an IMSI catcher.
An IMSI catcher uses different tricks to force a connection, depending on the cellular protocol in use. With 4G (LTE), phones are designed to maintain a connection with their current cell tower if the signal strength is above a certain threshold and to connect to neighboring cell towers if a connection is lost. IMSI catchers overcome this by masquerading as a neighboring tower or by operating at a higher-priority frequency. Some IMSI catchers even jam the 3G/4G frequencies with white noise to eliminate real cell towers as connection options.
The use of IMSIs has been deprecated in the 5G protocol, replaced with a subscription permanent identifier (SUPI) that is never disclosed in the clear when a mobile device is establishing a connection. However, because most recent phone models are designed to also operate in 3G and 4G networks, IMSI catchers can downgrade service to an earlier protocol.
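The following Python example is added here and is not part of the original article. It applies the behaviors described above to a constructed log of serving-cell observations, flagging a cell change when at least two signals coincide: a step down to an older protocol, leaving a cell whose signal was still strong, and a cell absent from a known baseline. The record fields, the -95 dBm threshold and the baseline set are assumptions, and the result is a heuristic rather than proof of an IMSI catcher.

```python
from dataclasses import dataclass

# Protocol generations ranked oldest to newest, used to spot a step down.
RAT_RANK = {"2G": 2, "3G": 3, "4G": 4, "5G": 5}
# Assumed threshold (dBm): at or above this the serving cell is strong
# enough that a phone would normally stay on it. Illustrative value only.
STRONG_DBM = -95

@dataclass
class Obs:              # hypothetical record layout
    t: int              # seconds since start of capture
    rat: str            # "2G" / "3G" / "4G" / "5G"
    cell_id: str        # serving-cell identifier
    dbm: int            # serving-cell signal strength

def flag_suspicious(observations, known_cells):
    """Return (time, cell_id, reasons) for serving-cell changes that show
    at least two of the signals described in the text."""
    findings = []
    for prev, cur in zip(observations, observations[1:]):
        if cur.cell_id == prev.cell_id:
            continue                      # no cell change, nothing to judge
        reasons = []
        if RAT_RANK[cur.rat] < RAT_RANK[prev.rat]:
            reasons.append("downgrade")
        if prev.dbm >= STRONG_DBM:
            reasons.append("left-strong-cell")
        if cur.cell_id not in known_cells:
            reasons.append("unknown-cell")
        # Each signal alone is common in normal operation; require two.
        if len(reasons) >= 2:
            findings.append((cur.t, cur.cell_id, reasons))
    return findings

# Constructed sample data, not captured from a real device.
KNOWN = {"cell-A", "cell-B", "cell-C"}    # assumed baseline for this location
SAMPLE = [
    Obs(0,   "4G", "cell-A", -80),
    Obs(30,  "4G", "cell-B", -85),    # ordinary handover to a known neighbor
    Obs(60,  "4G", "cell-B", -118),   # signal fades
    Obs(90,  "3G", "cell-C", -90),    # fallback after weak signal: one signal only
    Obs(120, "4G", "cell-A", -78),    # back on 4G
    Obs(150, "2G", "cell-X", -55),    # strong 4G abandoned for unknown 2G cell
]

if __name__ == "__main__":
    for t, cell, reasons in flag_suspicious(SAMPLE, KNOWN):
        print(f"t={t}s cell={cell} reasons={','.join(reasons)}")
```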
Once connected to a targeted smartphone, an IMSI catcher is essentially performing a man-in-the-middle (MITM) attack: it situates itself between the target’s smartphone and their cellular network, both to remove the phone from the real network and to clone the target’s identity.
The capabilities of an IMSI catcher vary by model and by the cellular protocol being used. Key risks to users include the following.
There isn’t a surefire way for a smartphone user to tell if their device is connected to an IMSI catcher, much less prevent connections with IMSI catchers. We recommend using Vault™ – our two-in-one RF shielding and audio masking device – to evade IMSI catchers when on the go, especially in areas where IMSI catchers are likely to appear, including airports, border crossings and foreign hotel zones. And we recommend using SafeCase™ – our smartphone-coupled security device – to deny audio and video capture in the event that one’s phone has been undetectably compromised.