An IMSI-catcher (International Mobile Subscriber Identity) is a telephony eavesdropping device used for intercepting mobile phone traffic and tracking movement of mobile phone users. Essentially a "fake" mobile tower acting between the target mobile phone(s) and the service provider's real towers, it is considered a man-in-the-middle (MITM) attack, and can be detected using tools like SnoopSnitch. IMSI-catchers are used in some countries by law enforcement and intelligence agencies, but based upon civil liberty and privacy concerns, their use is illegal in others. Some countries do not even have encrypted phone data traffic (or very weak encryption), thus rendering an IMSI-catcher unnecessary.
A virtual base transceiver station (VBTS) is a device for identifying the International Mobile Subscriber Identity (IMSI) of a nearby GSM mobile phone and intercepting its calls. It was patented and first commercialized by Rohde & Schwarz in 2003, although it would be hard to maintain such a patent, since in reality it is just a modified cell tower with a malicious operator. On 24 January 2012, the Court of Appeal of England and Wales held that the patent is invalid for obviousness.
The GSM specification requires the handset to authenticate to the network, but does not require the network to authenticate to the handset. This well-known security hole is exploited by an IMSI catcher. The IMSI catcher masquerades as a base station and logs the IMSI numbers of all the mobile stations in the area, as they attempt to attach to the IMSI-catcher. It allows forcing the mobile phone connected to it to use no call encryption (A5/0 mode) or to use easily breakable encryption (A5/1 or A5/2 mode), making the call data easy to intercept and convert to audio.
Body-worn IMSI-catchers that target nearby mobile phones are being advertised to law enforcement agencies in the US.
Identifying an IMSI
Every mobile phone has the requirement to optimize the reception. If there is more than one base station of the subscribed network operator accessible, it will always choose the one with the strongest signal. An IMSI-catcher masquerades as a base station and causes every mobile phone of the simulated network operator within a defined radius to log in. With the help of a special identity request, it is able to force the transmission of the IMSI.
Tapping a mobile phone
The IMSI-catcher subjects the phones in its vicinity to a man-in-the-middle attack, acting to them as a preferred base station in terms of signal strength. With the help of a SIM, it simultaneously logs into the GSM network as a mobile station. Since the encryption mode is chosen by the base station, the IMSI-catcher can induce the mobile station to use no encryption at all. Hence it can encrypt the plain text traffic from the mobile station and pass it to the base station.
There is only an indirect connection from mobile station via IMSI-catcher to the GSM network. For this reason, incoming phone calls cannot generally be patched through to the mobile station by the GSM network, although more modern versions of these devices have their own mobile patch-through solutions in order to provide this functionality.
Universal Mobile Telecommunications System (UMTS)
False base station attacks are prevented by a combination of key freshness and integrity protection of signaling data, not by authenticating the serving network.
To provide a high network coverage, the UMTS standard allows for inter-operation with GSM. Therefore, not only UMTS but also GSM base stations are connected to the UMTS service network. This fallback is a security disadvantage and allows a new possibility of a man-in-the-middle attack.
Disclosing facts and difficulties
The assignment of an IMSI catcher has a number of difficulties:
- It must be ensured that the mobile phone of the observed person is in standby mode and the correct network operator is found out. Otherwise, for the mobile station, there is no need to log into the simulated base station.
- Depending on the signal strength of the IMSI-catcher, numerous IMSIs can be located. The problem is to find out the right one.
- All mobile phones in the catchment area have no access to the network. Incoming and outgoing calls cannot be patched through for these subscribers. Only the observed person has an indirect connection.
- There are some disclosing factors. In most cases, the operation cannot be recognized immediately by the subscriber. But there are a few mobile phones that show a small symbol on the display, e.g. an exclamation point, if encryption is not used. This "Ciphering Indication Feature" can be suppressed by the network provider, however, by setting the OFM bit in EFAD on the SIM card. Since the network access is handled with the SIM/USIM of the IMSI-catcher, the receiver cannot see the number of the calling party. Of course, this also implies that the tapped calls are not listed in the itemized bill.
- The assignment near the base station can be difficult, due to the high signal level of the original base station.
Detection and counter-measures
Some preliminary research has been done in trying to detect and frustrate IMSI-catchers. One such project is through the Osmocom open source Mobile Station software. This is a special type of mobile phone firmware that can be used to detect and fingerprint certain network characteristics of IMSI-catchers, and warn the user that there is such a device operating in their area. But this firmware/software-based detection is strongly limited to a select few, outdated GSM mobile phones (i.e. Motorola) that are no longer available on the open market. The main problem is the closed-source nature of the major mobile phone producers.
The application Android IMSI-Catcher Detector (AIMSICD) is being developed to detect and circumvent IMSI-catchers. Technology for a stationary network of IMSI-catcher detectors has also been developed.
- SnoopSnitch is an Android app that collects and analyzes mobile radio data to make you aware of your mobile network security and to warn you about threats like fake base stations (IMSI-catchers), user-tracking and over-the-air updates. With SnoopSnitch you can use the data collected in the GSM Security Map at gsmmap.org and contribute your own data to GSM Map., SnoopSnitch Wiki.
- EP 1051053, Frick, Joachim & Rainer Bott, "Verfahren zum Identifizieren des Benutzers eines Mobiltelefons oder zum Mithören der abgehenden Gespräche [Method for identifying a mobile phone user or for eavesdropping on outgoing calls]", issued 2003-07-09
- MMI Research Ltd v Cellxion Ltd & Ors  EWCA Civ 7 (24 January 2012), Court of Appeal judgment invalidating Rohde & Schwarz patent.
- "Digitale Selbstverteidigung mit dem IMSI-Catcher-Catcher" (in German). c't Magazin. 27 August 2014.
- "The Spyware That Enables Mobile-Phone Snooping". Bloomberg View. 27 November 2013.
- "The body-worn "IMSI catcher" for all your covert phone snooping needs". Ars Technica. 1 September 2013.
- Chris Mitchell, Paulo Pagliusi: Is Entity Authentication Necessary?, in Security Protocols, Springer LNCS 2845,pages 20-29, 2004
- Ulrike Meyer and Susanne Wetzel: A Man-in-the-Middle Attack on UMTS. ACM workshop on Wireless security, 2004
- "Android IMSI-Catcher Detector (AIMSICD)". Retrieved 31 July 2014.
- Ashkan Soltani and Craig Timberg, "Tech Firm Tries to Pull Back Curtain on Surveillance Efforts in Washington," Washington Post, Sept. 17, 2014.
- Barrett, Devlin (13 November 2014). "Americans’ Cellphones Targeted in Secret U.S. Spy Program". Wall Street Journal. Retrieved 14 November 2014.
- Mobile Phone Networks: a tale of tracking, spoofing and owning mobile phones
- IMSI-catcher Seminar paper and presentation
- Mini IMSI and IMEI catcher
- The OsmocomBB project
- MicroNet: Proximus LLC GSM IMSI and IMEI dual band catcher
- MicroNet-U: Proximus LLC UMTS catcher
- iParanoid: IMSI Catcher Intrusion Detection System presentation