IMSI-catcher
An IMSI catcher is an eavesdropping device used to intercept cellular phones, and it is usually undetectable to mobile phone users. Such a virtual base transceiver station (VBTS) is a device for identifying the International Mobile Subscriber Identity (IMSI) of a nearby GSM mobile phone and intercepting its calls. It was patented and first commercialized by Rohde & Schwarz.

The GSM specification requires the handset to authenticate to the network, but does not require the network to authenticate to the handset. This well-known security hole can be exploited by an IMSI catcher.

The IMSI catcher masquerades as a base station and logs the IMSI numbers of all the mobile stations in the area as they attempt to attach to the IMSI-catcher. It can force a mobile phone connected to it to use no call encryption (i.e., the phone is forced into A5/0 mode), making the call data easy to intercept and convert to audio.

IMSI catchers are used in some countries by law enforcement and intelligence agencies, but based upon civil liberty and privacy concerns, their use is illegal in others. Some countries do not even have encrypted phone data traffic (or have very weak encryption), rendering an IMSI catcher pointless.

Identifying an IMSI

Every mobile phone is required to optimize its reception. If more than one base station of the subscribed network operator is accessible, it will always choose the one with the strongest signal. An IMSI-catcher masquerades as a base station and causes every mobile phone of the simulated network operator within a defined radius to log in. With the help of a special identity request, it is able to force the transmission of the IMSI.

Tapping a mobile phone

The IMSI catcher subjects the phones in its vicinity to a man-in-the-middle attack, appearing to them as the preferred base station in terms of signal strength. With the help of a SIM, it simultaneously logs into the GSM network as a mobile station. Since the encryption mode is chosen by the base station, the IMSI-catcher can induce the mobile station to use no encryption at all. Hence, it can encrypt the plain text traffic from the mobile station and pass it to the base station.

There is only an indirect connection from the mobile station via the IMSI-catcher to the GSM network. For this reason, incoming phone calls cannot be patched through to the mobile station by the GSM network.

UMTS

Since UMTS employs mutual authentication, a man-in-the-middle attack as on GSM is not successful. But, to provide high network coverage, the UMTS standard allows for inter-operation with GSM. Therefore, not only UMTS but also GSM base stations are connected to the UMTS service network. This fallback is a security disadvantage and opens a new possibility for a man-in-the-middle attack. For further information see .

Disclosing facts and difficulties

The deployment of an IMSI catcher has a number of difficulties:
  1. It must be ensured that the mobile phone of the observed person is in standby mode and that the correct network operator has been identified. Otherwise, the mobile station has no need to log into the simulated base station.
  2. Depending on the signal strength of the IMSI-catcher, numerous IMSIs can be located. The problem is finding the right one.
  3. All mobile phones in the catchment area have no access to the network. Incoming and outgoing calls cannot be patched through for these subscribers. Only the observed person has an indirect connection.
  4. There are some disclosing factors. In most cases, the operation cannot be recognized immediately by the subscriber. But there are a few mobile phones that show a small symbol on the display, e.g. an exclamation point, if encryption is not used. This "Ciphering Indication Feature" can be suppressed by the network provider, however, by setting the OFM bit in EFAD on the SIM card. Since the network access is handled with the SIM/USIM of the IMSI-catcher, the receiver cannot see the number of the calling party. Of course, this also implies that the tapped calls are not listed in the itemized bill.
  5. Deployment near the base station can be difficult, due to the high signal level of the original base station.
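
The behaviours this article describes (a forced A5/0 mode, an IMSI identity request, fallback from UMTS to GSM, and an unfamiliar cell that suddenly has the strongest signal) can be combined into a handset-side check. The following is an added example, not part of the original article: the event records, field names, weights and threshold are constructed assumptions and do not correspond to the output of any real baseband or tool.

```python
from dataclasses import dataclass

# Illustrative weights (an assumption): each behaviour also occurs on honest
# networks, so only a combination of indicators is flagged.
WEIGHTS = {"a5/0": 3, "imsi-request": 2, "umts-to-gsm": 1, "new-strongest-cell": 1}

@dataclass
class CellEvent:
    t: int             # seconds since capture start
    cell_id: str       # constructed identifier
    rat: str           # "UMTS" or "GSM"
    rssi_dbm: int      # received signal strength
    cipher: str        # negotiated cipher, e.g. "A5/0", "A5/1", "UEA1"
    identity_req: str  # "IMSI", "TMSI", or "" if none was sent

def indicators(ev, prev, known_cells, jump_db=15):
    """Indicators for one event, relative to the previously serving cell."""
    found = []
    if ev.rat == "GSM" and ev.cipher == "A5/0":
        found.append("a5/0")                 # encryption switched off
    if ev.identity_req == "IMSI":
        found.append("imsi-request")         # forced IMSI transmission
    if prev is not None and prev.rat == "UMTS" and ev.rat == "GSM":
        found.append("umts-to-gsm")          # loses mutual authentication
    if (prev is not None and ev.cell_id not in known_cells
            and ev.rssi_dbm - prev.rssi_dbm >= jump_db):
        found.append("new-strongest-cell")   # unfamiliar cell wins on signal
    return found

def suspicious_cells(events, known_cells, threshold=4):
    """Map cell_id -> sorted indicators for cells whose summed weight >= threshold."""
    seen, prev = {}, None
    for ev in sorted(events, key=lambda e: e.t):
        seen.setdefault(ev.cell_id, set()).update(indicators(ev, prev, known_cells))
        prev = ev
    return {cell: sorted(hits) for cell, hits in seen.items()
            if sum(WEIGHTS[h] for h in hits) >= threshold}

# Constructed sample capture, not real network data.
SAMPLE = [
    CellEvent(0, "cell-A", "UMTS", -95, "UEA1", ""),
    CellEvent(60, "cell-B", "GSM", -97, "A5/1", "TMSI"),   # ordinary fallback
    CellEvent(120, "cell-A", "UMTS", -94, "UEA1", ""),
    CellEvent(180, "cell-X", "GSM", -60, "A5/0", "IMSI"),  # catcher-like attach
    CellEvent(185, "cell-X", "GSM", -60, "A5/0", ""),
]

if __name__ == "__main__":
    for cell, hits in suspicious_cells(SAMPLE, {"cell-A", "cell-B"}).items():
        print(cell, hits)
```

The ordinary fallback to the known GSM cell scores below the threshold, while the unknown cell that combines all four behaviours is reported.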

Products

  • Meganet
    • VME Interceptor

  • NeoSoft
    • NS-17-1
    • NS-17-2

  • Shoghi Communications
    • SCL-5020
    • SCL-5020SE

The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.
 