International Mobile Subscriber Identity (IMSI) catchers are basically spoofed cell towers. There are many different types of IMSI catchers, everything from a home built $1000 unit to a professional grade one which can cost substantially more. The NSA has their own “version” of a GSM IMSI catcher which is called CANDYGRAM. I talked about CANDYGRAM in my article NSA’s Version of a GSM IMSI Catcher CANDYGRAM.
International Mobile Subscriber Identity (IMSI) Catchers
As I said above IMSI catchers are basically spoofed cell towers. These spoofed cell towers simply go between you and your handset and the service provider’s real towers. There are several different reasons this type of attack works. Primarily because of the way GSM and other standards like it work, your handset will always camp over to the tower that has the strongest signal therefore an attacker who has an IMSI catcher about 100 feet away from you is going to get priority over your provider’s cell tower which is about 2 miles away. Secondly because GSM lacks tower authentication therefore your handset authenticates to your provider’s cell tower (or in this case an attacker with an IMSI catcher) and nothing else happens, the cell tower does not have to authenticate back. IMSI catchers also take advantage of other security holes in GSM, such as the fact that the base station is the one who gets to choose all of the settings, which creates many different problems for the end user if they are targeted by an attacker. One of the worse things an attacker can define at their base station (IMSI catcher) is they can set your handset to A5/0 mode (plain text) which is essentially forcing your handset to use no encryption. This makes it extremely easy for not only the attacker who is operating the IMSI catcher but anyone within range to capture your phone calls, read SMS text messages, and monitor IP traffic. An attacker could also define at their IMSI catcher whether or not to use frequency-hopping or do something malicious like updating the Subscriber Identity Module (SIM) card in your handset. There are a lot of other things an attacker could do to your handset when you connect to their IMSI catcher. There needs to be a point of exit for the IMSI catcher so when a target phone connects to the IMSI catcher it can route out all of the phone calls, SMS text messages, and IP traffic. This is done with the use of a backhaul which can be just about any type of connection to the internet. Once the backhaul connection is established there are still configurations that need to be done to allow inbound traffic such as inbound calls and SMS text messages. If the backhaul connects directly to the internet (this is usually referred to as an IP backhaul) the IMSI catcher will need to use Voice over IP (VoIP) to allow inbound and outbound calls to be made through the internet. IMSI catchers only work on 2G digital cellular networks because the newer standards like 3G UMTS standards and 4G LTE Advanced standards implement the use of stronger authentication and cryptography. However there are still many tactics that an attacker can do like jamming all of the bands your handset supports and therefore forcing your handset to connect using 2G to their IMSI catcher. There is also the issue with NSA’s CANDYGRAM, which might work on newer standards. IMSI catchers have been around almost as long as GSM has been. Just about anyone can setup an IMSI catcher because all you really need is a laptop running Debian Linux, OpenBTS, and Asterisk and an RF antenna. You can usually find all of the equipment required for $1000 or less although you won’t get some of the other more “advanced” features you would with a professional grade one.
Then vs now
Since GSM is about 30 years old there have been some improvements. With regards to this article and GSM, IMSI catchers only work on 2G digital cellular networks. 2G is the replacement for the old analog network 1G. There have been several improvements in 2G such as 2.5G (General Packet Radio Service or GPRS) and 2.75G (Enhanced Data Rates for GSM Evolution or EDGE); these were mainly introduced for enhanced speeds. When people talk about GSM they are a lot of times referring to 2G, this is mainly because GSM was originally developed by the European Telecommunications Standards Institute (ETSI) to describe protocols for 2G digital cellular networks. Today 2G networks are still used in many parts of the world ;however, providers such as AT&T have made announcements that 2G GSM technology in the United States is in the process of being shut down. This process will be complete by the end of 2016. The shutdown is having a big impact on the electronic security industry. This is because there are a lot of 2G GSM radios which are being used for alarm signal communication to Central Station dispatch centers. GSM has evolved a lot over the years, primarily because organizational partners like 3rd Generation Partnership Project (3GPP) came in and developed third generation (3G) Universal Mobile Telecommunications System (UMTS) standards and fourth generation (4G) LTE Advanced standards. Unlike 2G, the new standards are not a part of the ETSI GSM standard (which I think is where some confusion about GSM comes in).
IMSI Catchers in Today’s World
In today’s world I don’t think that IMSI catchers are nearly as popular as they were years ago. This is mainly because today law enforcement and government agencies can just go to the service providers and from there they can reveal any information they need. With that said it does not mean that they are not used by third party hackers. I am sure that third party hackers would much rather use their own IMSI catcher to get access to your phone calls, SMS text messages, and IP data than hack into your provider’s base station.
Thank you all for taking the time to read this post and as always God bless!