Advanced Mobile Threats 101: IMSI catcher
An IMSI catcher – also known as a cell-site simulator, fake cell tower, rogue base station, StingRay or dirtbox, to name a few of its many descriptors – is a portable device designed to mimic a real cell tower in order to capture cellular data (like locations and call/text metadata) from a connected smartphone. The device does this in part by “catching” the phone’s international mobile subscriber identity (IMSI).
At a basic level, an IMSI catcher consists of two main parts: a radio frontend for sending and receiving radio waves and a network backend for simulating a cellular core network. Today, anyone with a software-defined radio (SDR) and a computing device running an open-source base station program (like OpenBTS) can effectively operate an IMSI catcher.
How does an IMSI catcher work?
An IMSI catcher uses different tricks to force a connection based on the given cellular protocol. With 4G (LTE), phones are designed to maintain a connection with their current cell tower if the signal strength is above a certain threshold and to connect to neighboring cell towers if a connection is lost. IMSI catchers overcome this by masquerading as a neighboring tower or by operating at a higher-priority frequency. Some IMSI catchers even jam the 3G/4G frequencies with white noise to eliminate real cell towers as connection options.
The use of IMSIs has been deprecated in the 5G protocol, replaced with a subscription permanent identifier (SUPI) that is never disclosed in the clear when a mobile device is establishing a connection. However, because most recent phone models are designed to also operate in 3G and 4G networks, IMSI catchers can downgrade service to an earlier protocol.
Once connected to a targeted smartphone, an IMSI catcher is essentially performing a man-in-the-middle (MITM) attack, situating itself between the target’s smartphone and their cellular network in order to both remove the phone from the real network and to clone the target’s identity.
What are the key risks of connecting to an IMSI catcher?
The capabilities of an IMSI catcher vary by model and by the cellular protocol being used. Key risks to users include the following.
Location tracking: An IMSI catcher can force a targeted smartphone to respond either with its precise location via GPS or with the signal strengths of the phone’s neighboring cell towers, enabling trilateration based on the known locations of these towers. With a target’s location known, a threat actor can figure out specifics about them – their exact location within a large office complex or places they frequent, for example – or simply just track them throughout the coverage area.
Data extraction: An IMSI catcher can also capture metadata, including information about calls made (phone numbers, caller identities, call durations, etc.), as well as the content of unencrypted phone calls and text messages and certain types of data usage (like websites visited).
Data interception: Certain IMSI catchers even allow operators to divert calls and text messages, edit messages and spoof a user’s identity in calls and texts.
Spyware delivery: Some higher-end IMSI catchers advertise the ability to deliver spyware to the target device. Such spyware can be used to ping the target’s location without the need for an IMSI catcher and also secretly capture images and audio through the device’s cameras and microphones.
How can Privoro help you protect yourself from IMSI catchers?
There isn’t a surefire way for a smartphone user to tell if their device is connected to an IMSI catcher, much less prevent connections with IMSI catchers. We recommend using Vault – our two-in-one RF shielding and audio masking device – to evade IMSI catchers when on the go, especially in areas where IMSI catchers are likely to appear, including airports, border crossings and foreign hotel zones. And we recommend using SafeCase – our smartphone-coupled security device – to deny audio and video capture in the event that one’s phone has been undetectably compromised.