IMSI Catching
IMSI catchers are rogue base stations that trick mobile devices into connecting to them, allowing attackers to capture International Mobile Subscriber Identity (IMSI) numbers and intercept communications.
Technical Overview
IMSI catchers exploit the trust model in 2G and 3G networks, where devices automatically connect to the strongest signal without proper authentication. The IMSI catcher broadcasts as a legitimate cell tower with higher signal strength, forcing nearby devices to connect and reveal their IMSI during the authentication process.
- Subscriber identification and tracking
- Call and SMS interception
- Location tracking in real-time
- Man-in-the-middle attacks
- Denial of service to targeted devices
- Passive IMSI collection without user awareness
- Active call/SMS interception through rogue base station
- Continuous location tracking via cell tower triangulation
- Forced downgrade to 2G for easier exploitation
- Silent SMS for location queries
1. Deploy software-defined radio (SDR) or commercial IMSI catcher
2. Configure device to broadcast as legitimate cell tower
3. Set higher signal strength than legitimate towers
4. Wait for devices to connect automatically
5. Capture IMSI during authentication handshake
6. Optionally relay traffic to legitimate network for stealth
- Use IMSI catcher detection apps (SnoopSnitch, Android IMSI-Catcher Detector)
- Enable LTE-only mode to prevent 2G downgrade
- Monitor for unusual network behavior and signal anomalies
- Use encrypted communication apps (Signal, WhatsApp)
- Implement network-level IMSI catcher detection systems
- Deploy SUPI/SUCI protection in 5G networks
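The monitoring item above can be made concrete with a small detector over serving-cell observations. This is an added example, not code from the page or from any of the named detection apps; the record fields, thresholds and sample capture are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class CellObs:
    t: int          # seconds since start of capture
    rat: str        # radio access technology: "2G", "3G" or "LTE"
    cell_id: int    # serving cell identifier
    rssi_dbm: int   # serving-cell signal strength

# Assumed thresholds; tune them against a survey of the local network.
RSSI_MARGIN_DB = 15   # how much stronger than the baseline counts as anomalous
BASELINE_MIN = 3      # distinct known cells needed before judging new ones

def detect_anomalies(observations):
    """Return (time, cell_id, reason) for suspicious serving-cell changes."""
    alerts = []
    known = {}   # cell_id -> signal readings seen so far
    prev = None
    for obs in observations:
        reasons = []
        # Heuristic 1: serving cell drops from 3G/LTE to 2G (possible forced downgrade).
        if prev and prev.rat in ("3G", "LTE") and obs.rat == "2G":
            reasons.append("downgrade_to_2g")
        # Heuristic 2: never-seen cell far stronger than the known towers.
        if obs.cell_id not in known and len(known) >= BASELINE_MIN:
            baseline = median(max(v) for v in known.values())
            if obs.rssi_dbm - baseline >= RSSI_MARGIN_DB:
                reasons.append("new_cell_stronger_than_baseline")
        alerts.extend((obs.t, obs.cell_id, r) for r in reasons)
        known.setdefault(obs.cell_id, []).append(obs.rssi_dbm)
        prev = obs
    return alerts

# Constructed sample capture: three familiar LTE cells, then an unknown strong 2G cell.
SAMPLE = [
    CellObs(0, "LTE", 1001, -95),
    CellObs(60, "LTE", 1002, -92),
    CellObs(120, "LTE", 1003, -98),
    CellObs(180, "LTE", 1001, -94),
    CellObs(240, "2G", 9999, -60),
    CellObs(300, "LTE", 1002, -93),
]

if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE):
        print(alert)
```

Both heuristics also fire on legitimate events, such as 2G fallback in poor coverage or a newly commissioned site, so alerts are leads to correlate with other evidence rather than proof of a rogue base station.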
- Law enforcement use of Stingray devices for surveillance
- Journalist tracking during political events
- Corporate espionage at trade shows and conferences
- Border surveillance and immigration enforcement
- Protest monitoring by government agencies
Related Attacks
A5/1 is the encryption algorithm used in 2G GSM networks. Due to its weak 64-bit key and known vulnerabilities, it can be broken in real-time to decrypt voice calls and SMS messages.
Fake Base Transceiver Station (BTS) attacks involve deploying rogue cell towers that impersonate legitimate network infrastructure to intercept communications and perform man-in-the-middle attacks.
SMS interception attacks allow attackers to capture, read, and potentially modify text messages sent between mobile devices, compromising the confidentiality and integrity of SMS communications.