Protecting High-Level Personnel from IMSI Catchers

In September 2019, attribution was given to Israel for the IMSI catchers discovered in Washington, D.C. two years earlier, shining light on the prevalence of these types of spying devices. Once used solely by law enforcement as a way of finding the international mobile subscriber identity (IMSI) linked to a criminal suspect’s SIM card for investigative purposes, now just about anyone can acquire or build an IMSI catcher to intercept a target’s communications. With such low barriers to entry, it’s no longer just the bad guys who need to be worried about these devices.

How IMSI Catchers Work

At a basic level, an IMSI catcher – also known as a cell-site simulator, fake cell tower, rogue base station, StingRay or dirtbox, to name a few of its many descriptors – consists of two main parts: a radio frontend for sending and receiving radio waves and a network backend for simulating a cellular core network. Today, anyone with a software-defined radio (SDR) and a computing device running an open-source base station program (like OpenBTS) can effectively operate an IMSI catcher.

An IMSI catcher is designed to mimic a real cell tower in order to trick one or more smartphones (or other cellular-enabled devices) within a given area into connecting to it. In the 2G (GSM) era, this was simple enough, since phones were designed to connect to the tower with the highest signal strength and since base stations were not required to verify their identities to phones. Accordingly, an IMSI catcher needed to just broadcast (or appear to broadcast) a much stronger signal than the cell towers around it. But in the 4G (LTE) era, phones are designed to maintain a connection with their current cell tower if the signal strength is above a certain threshold and to connect to neighboring cell towers if a connection is lost. Current IMSI catchers overcome this by masquerading as a neighboring tower or by operating at a higher-priority frequency. Some IMSI catchers even jam the 4G/3G frequencies with white noise to eliminate real cell towers as connection options.

IMSI catchers will usually try to force communication over 2G, since the 2G protocol suffers from a number of security holes that make spying easier. For one, encryption isn’t always required. And if it is, many of the underlying cryptographic algorithms (like A5/1) can be broken in real time.

Once connected to a targeted smartphone, an IMSI catcher is essentially performing a man-in-the-middle (MITM) attack, situating itself between the target’s smartphone and their cellular network in order to both remove the phone from the real network and to clone the target’s identity. In a 2G environment, the IMSI catcher simply uses the IMSI stolen from the smartphone to fulfill the identity request from the cell network and then uses the target device to complete a challenge requiring the SIM card’s secret key.

How Criminals are Using IMSI Catchers

From there, an IMSI catcher gives threat actors several options, depending on the capabilities of the device and the cellular protocol being used.

• Location tracking: An IMSI catcher can force a targeted smartphone to respond either with its precise location via GPS or with the signal strengths of the phone’s neighboring cell towers, enabling trilateration based on the known locations of these towers. With a target’s location known, a threat actor can figure out specifics about them – their exact location within a large office complex or places they frequent, for example – or simply just track them throughout the coverage area.
• Data extraction: An IMSI catcher can also capture metadata, including information about calls made (phone numbers, caller identities, call durations, etc.), as well as the content of unencrypted phone calls and text messages and certain types of data usage (like websites visited).
• Data interception: Certain IMSI catchers even allow operators to divert calls and text messages, edit messages and spoof a user’s identity in calls and texts.
• Spyware delivery: Some higher-end IMSI catchers advertise the ability deliver spyware to the target device. Such spyware can be used to ping the target’s location without the need for an IMSI catcher and also secretly capture images and audio through the device’s cameras and microphones.

For obvious reasons, we don’t have many specifics about how criminals and foreign intelligence services are using IMSI catchers against businesses and governments, but a couple of cases shed light on their potential for spying. In 2015, two criminals in South Africa used an IMSI catcher to manipulate and blackmail people in powerful positions. And in the case of the IMSI catchers placed near the White House, it’s likely that Israeli intelligence was able to eavesdrop on the phone calls made by President Trump or some of his top advisers. In both of these cases, targeted spying was used to gather valuable information that could be leveraged for personal or national gain.

Detection Options

At this point, there’s no surefire way for a smartphone user to tell if their device is connected to an IMSI catcher, much less prevent connections with IMSI catchers. Tells include a slow cellular connection and a change in band in the status bar (from LTE to 2G, for example), but slow connections happen to unaffected users and some IMSI catchers can operate in 4G.

There are IMSI catcher detection apps available for Android only, but they require rooting of the device – itself a security hole – in order to access the cellular network messages available from the diagnostic interface of the smartphone baseband. And unfortunately, detection is a mixed bag. Because cellular standards vary wildly between countries and carriers and because relatively little is known for certain about how IMSI catchers work, there’s isn’t a definitive list of heuristics that can be applied. Therefore, each IMSI catcher detection app has its own set of indicators of IMSI catcher operation, such as unexpected identity requests and removal of encryption from the cellular connection. False positives are common, as testing equipment, temporary equipment (for large events) and tower restarts tend to trigger user alerts.

There are more reliable hardware options available for detecting IMSI catchers, which make sense when protecting multiple smartphone users in a single site, like a corporate headquarters or military base. Typically, such a setup involves a fixed, embedded system containing sensor hardware and a cellular modem for continuously monitoring the broadcast signals of the surrounding base stations, along with a database to which data is uploaded for analysis. When an IMSI catcher is detected, alerts can then be sent to all of an organization’s smartphone users.

5G Takes on IMSI Catchers

Given that IMSI catchers exploit flaws inherent in cellular networks and are difficult to detect, there’s been a push by 3GPP, the organization responsible for specifying the 5G protocol, to eliminate the possibility of IMSI catchers from devices using this standard. Critically, 5G has been designed so that the IMSI (or another so-called Subscription Permanent Identifier) is never disclosed in the clear when a mobile device is establishing a connection. Instead, 5G uses only a temporary paging identifier that must be refreshed after each use.

While this is a huge leap forward for privacy on cellular networks, there are a few caveats that mean that IMSI catchers will stick around awhile.

• Bugs: As is common with new protocols, security researchers are finding scores of bugs in 5G, including a flaw in the Authentication and Key Agreement (AKA) protocol. While these are being swiftly addressed, it’s important to remember that no standard is perfect and that makers of commercial IMSI catchers will no doubt be leveraging these flaws to develop 5G-specific models.
• Poor carrier implementation: Even though the 5G protocol is relatively secure, it’s still up to the carriers to implement correctly. We’ve already seen some carriers bungle early 5G rollouts in a way that would allow IMSI catchers to modify a device’s stated category number during the connection process and therefore operate as usual.
• Downgrade attacks: While 2G has largely been deprecated by carriers in the United States, it’s still prevalent throughout the world, meaning that most phones are designed to operate in a 2G network. Therefore, downgrade attacks to 2G will be possible for the foreseeable future, even in non-2G environments.

Mitigation Steps

Even though the fight against IMSI catchers is largely out of our control, there are still a few steps that you (and any high-profile targets within your organization) can take to mitigate personal and organizational risk:

• If your smartphone allows it, turn off 2G support. Doing so greatly reduces the capabilities of IMSI catchers.
• When traveling through chokepoints (like airports and border crossings) where there’s a greater chance of IMSI catchers, turn off your smartphone or use an RF-shielding device, such as a Faraday bag. Neither option completely reduces RF emissions but can minimize them greatly.
• Use communication apps featuring end-to-end encryption, ensuring that captured content cannot be easily deciphered by threat actors.

Perhaps most importantly, simply recognizing that your cellular connections can’t be trusted may help you think twice about the information you share via your cell network. Your security posture will be better off for it.

This article was originally published in Security Magazine.