Intercepting the phone calls and tracking the online activity of suspected criminals and terrorists is the everyday business of surveillance agencies such as the NSA, FBI and CIA. These organizations have the authority to require mobile carriers to hand over subscriber data and to run intercepts through the carrier's own network. An individual attacker (a black hat) has no such access, so instead he uses an IMSI catcher to get between the phone and the network.
What is the IMSI number?
IMSI stands for International Mobile Subscriber Identity. It uniquely identifies a subscriber whose phone carries a SIM (Subscriber Identity Module) card, and the phone sends it to the network whenever the network asks the phone to identify itself. An IMSI is usually 15 digits but can be shorter: the first three digits are the Mobile Country Code (MCC), the next two or three are the Mobile Network Code (MNC) of the operator, and the remaining digits are the subscriber number (MSIN). It is provisioned on the SIM and used on GSM, UMTS and LTE networks alike. The network uses the IMSI to look up the subscriber's record in the HLR (Home Location Register) or VLR (Visitor Location Register).
Note: IMEI number corresponds to mobile device while IMSI number corresponds to SIM card.
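The IMSI layout described above, as a small parser. This is an added example and not code from the original article; it assumes the standard MCC (3 digits) + MNC (2 or 3 digits) + MSIN split, and the table of MCCs that use 3-digit MNCs is a constructed stand-in for the full ITU-T E.212 registry. It also shows the one thing any tool that logs IMSIs should do: mask the subscriber part before writing it down.

```python
"""Parse and redact an IMSI.

Added example; this is not code from the original article. It assumes the
standard IMSI layout: MCC (3 digits) + MNC (2 or 3 digits) + MSIN (rest),
at most 15 digits in total. Whether an MNC is 2 or 3 digits depends on the
MCC; THREE_DIGIT_MNC_MCCS below is a small constructed table, not the full
ITU-T E.212 registry.
"""
from dataclasses import dataclass

# Constructed lookup: MCCs assumed to use 3-digit MNCs (e.g. North America).
# Every other MCC is assumed to use 2-digit MNCs. Replace with a full table
# before relying on this in production.
THREE_DIGIT_MNC_MCCS = {"302", "310", "311", "312", "313", "314", "315", "316"}


@dataclass(frozen=True)
class Imsi:
    mcc: str   # Mobile Country Code
    mnc: str   # Mobile Network Code (operator)
    msin: str  # Mobile Subscriber Identification Number

    def __str__(self) -> str:
        return self.mcc + self.mnc + self.msin


def parse_imsi(raw: str) -> Imsi:
    """Split an IMSI string into MCC/MNC/MSIN, rejecting malformed input."""
    digits = raw.strip()
    if not digits.isdigit():
        raise ValueError("IMSI must contain only decimal digits")
    # Shorter than 15 digits is legal; longer is not. 3 (MCC) + 2 (MNC) + 1 (MSIN)
    # is the smallest split that still has a subscriber part.
    if not 6 <= len(digits) <= 15:
        raise ValueError("IMSI length must be between 6 and 15 digits")
    mcc = digits[:3]
    mnc_len = 3 if mcc in THREE_DIGIT_MNC_MCCS else 2
    mnc = digits[3:3 + mnc_len]
    msin = digits[3 + mnc_len:]
    if len(mnc) != mnc_len or not msin:
        raise ValueError("IMSI too short for its MCC/MNC split")
    return Imsi(mcc, mnc, msin)


def redact_imsi(raw: str) -> str:
    """Keep the operator part for analysis, mask the subscriber part.

    The MSIN is the part that identifies a person; logs from cell monitoring
    tools should not carry it in the clear.
    """
    imsi = parse_imsi(raw)
    return imsi.mcc + imsi.mnc + "*" * len(imsi.msin)


if __name__ == "__main__":
    # Constructed sample IMSIs, not real subscribers.
    for sample in ("310260123456789", "262011234567890"):
        print(sample, "->", parse_imsi(sample), "redacted:", redact_imsi(sample))
```

The MCC/MNC prefix is enough to tell which operator a cell claims to belong to, which is all a detection tool needs; the MSIN is what makes the number personal.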
What is an IMSI catcher?
An IMSI catcher is a hardware device that intercepts cell phone traffic and helps track the location of a mobile phone user. It acts as a fake cell tower, sitting between the target phone and the real service provider's tower, so it is essentially a man-in-the-middle (MITM) attack on the radio link. When a phone connects to the fake tower, the user unknowingly communicates with the attacker, who now sees the identifiers the phone sends (its IMSI and IMEI) and, on an unprotected network, the traffic that follows. An IMSI catcher looks like this…
Working mechanism of IMSI catcher
In normal cellular communication, a mobile device camps on the tower whose signal it receives most strongly, which is usually but not always the nearest one. The phone requests services from that tower, and the tower receives the requests and responds to them.
During an attack, the IMSI catcher is placed between the phone and the genuine tower. As said earlier, it acts as a fake tower, and it is positioned close to the target phone so that the phone selects it instead of the real one. This works because
1) the IMSI catcher transmits at a higher signal strength than the phone receives from the real tower (it is the received power, not the frequency, that drives cell selection), and
2) it sits in the vicinity of the phone, between the phone and the real tower, so it is the strongest cell the phone can see.
As soon as the phone connects to the IMSI catcher, the catcher provides the same services a real tower provides, or relays them to the real network. The victim notices nothing, while the attacker learns the phone's identifiers and, on 2G, can switch encryption off (the network chooses the cipher and a 2G phone accepts A5/0, meaning none) and read the calls and text messages passing through it.
Who uses IMSI catcher?
Surveillance agencies have agreements with cellular providers about disclosing a suspect's cellular records. Police departments also use IMSI catchers directly to keep an eye on suspicious activity. Unauthorized people (mainly black-hat hackers) use these devices to invade the privacy of users.
Are IMSI catchers legal?
Different countries have different laws and regulations on IMSI catchers. In most jurisdictions, using or trading one without authorization is illegal unless you are law enforcement. Whatever your reason for using one, invading someone's privacy is unethical and, practically everywhere, illegal.
Feasibility & Limitations of IMSI catchers
The good news is that full interception works only on the GSM (2G) standard, not on UMTS (3G) or LTE (4G). Be precise about what "does not work" means, though: a rogue 3G or 4G base station can still send an identity request before authentication, and the phone answers with its IMSI in the clear, so catching the identity and tracking the phone by it still works. What 3G and 4G prevent is the rogue station completing the connection and intercepting calls and messages. And nowadays most people have moved from 2G to 3G and 4G.
2G does not implement mutual authentication: the network challenges the phone, but the phone never verifies the network, so it will talk to any tower that claims to be its operator. 3G and 4G fix this with mutual authentication (AKA): the challenge carries an authentication token that the USIM checks with its secret key before it proceeds, and a fake tower that does not know that key cannot produce a valid token.
However, downgrade attacks can push a 3G/4G phone down to 2G, where the attack works. This does not require the operator's cooperation or any internal operator parameters: jamming the 3G/4G bands, or a rogue LTE cell that rejects the phone's attach and redirects it to a 2G frequency, is enough to make the phone fall back. The practical defence is on the phone side: many modern phones can be set to "LTE only" or to disable 2G entirely, and then they will not fall back.
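The difference between the 2G and the 3G/4G exchange described above, modelled end to end. This is an added example, not code from the original article; HMAC-SHA256 stands in for the real GSM A3/A8 and 3GPP MILENAGE functions, and the IMSI and keys are constructed, so only the shape of the protocol is faithful. It shows three things: both a fake 2G and a fake 3G/4G tower obtain the IMSI from the identity request, the fake 2G tower completes the attach without ever knowing the SIM key and then selects no encryption, and the fake 3G/4G tower is rejected because it cannot forge the AUTN token.

```python
"""Toy model of why a fake base station succeeds against GSM (2G) but not
against UMTS/LTE authentication.

Added example, not code from the original article. HMAC-SHA256 stands in
for the real GSM A3/A8 and 3GPP MILENAGE functions, so only the shape of the
exchange is faithful: the point is who authenticates whom, not the cipher.
"""
import hashlib
import hmac
import os


def toy_sres(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for GSM A3: 32-bit response from the SIM secret Ki and RAND."""
    return hmac.new(ki, b"SRES" + rand, hashlib.sha256).digest()[:4]


def toy_mac(k: bytes, rand: bytes, sqn: int) -> bytes:
    """Stand-in for 3GPP AKA f1: the MAC inside AUTN that proves the network
    knows the subscriber key K and the current sequence number."""
    msg = b"MAC" + rand + sqn.to_bytes(6, "big")
    return hmac.new(k, msg, hashlib.sha256).digest()[:8]


class GsmSim:
    """2G SIM: answers any challenge and has no way to verify who is asking."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self.ki = imsi, ki

    def identity_response(self) -> str:
        return self.imsi  # sent in the clear, before any authentication

    def run_gsm_algorithm(self, rand: bytes) -> bytes:
        return toy_sres(self.ki, rand)


class Usim:
    """3G/4G USIM: only answers a challenge that carries a valid AUTN."""

    def __init__(self, imsi: str, k: bytes):
        self.imsi, self.k, self.last_sqn = imsi, k, -1

    def identity_response(self) -> str:
        return self.imsi  # still in the clear on 3G/4G when the network asks

    def run_aka(self, rand: bytes, sqn: int, mac: bytes):
        """Return RES on success, None on MAC failure or sequence-number replay."""
        if not hmac.compare_digest(toy_mac(self.k, rand, sqn), mac):
            return None  # network failed to authenticate itself
        if sqn <= self.last_sqn:
            return None  # replayed authentication vector
        self.last_sqn = sqn
        return hmac.new(self.k, b"RES" + rand, hashlib.sha256).digest()[:8]


def rogue_gsm_attach(sim: GsmSim) -> dict:
    """Fake 2G tower. It does not know Ki, so it cannot check SRES, but it
    does not need to: it accepts whatever comes back, then chooses the
    cipher, and A5/0 means no encryption at all."""
    imsi = sim.identity_response()
    rand = os.urandom(16)
    sres = sim.run_gsm_algorithm(rand)  # the SIM answers; nothing verified it
    return {"imsi": imsi, "attached": sres is not None, "cipher": "A5/0"}


def rogue_umts_attach(usim: Usim) -> dict:
    """Fake 3G/4G tower. It still learns the IMSI from the identity request,
    but without K it cannot forge the AUTN MAC, so the USIM refuses."""
    imsi = usim.identity_response()
    rand, forged_mac = os.urandom(16), os.urandom(8)
    res = usim.run_aka(rand, sqn=1, mac=forged_mac)
    return {"imsi": imsi, "attached": res is not None}


def genuine_umts_attach(usim: Usim, k: bytes, sqn: int) -> bool:
    """Real network that shares K with the USIM, for comparison."""
    rand = os.urandom(16)
    return usim.run_aka(rand, sqn, toy_mac(k, rand, sqn)) is not None


if __name__ == "__main__":
    ki = k = bytes(range(16))  # constructed keys, not real SIM secrets
    print("2G rogue:", rogue_gsm_attach(GsmSim("262011234567890", ki)))
    usim = Usim("262011234567890", k)
    print("3G/4G rogue:", rogue_umts_attach(usim))
    print("3G/4G genuine:", genuine_umts_attach(usim, k, sqn=1))
```

Note that the sequence-number check in the USIM is what stops a catcher from replaying an authentication vector it recorded earlier from the real network; without it, knowing K would not be necessary for a replay.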
How can I detect an IMSI catcher?
Many applications claim to alert users when a possible IMSI catcher is detected in the surroundings. I have listed below some popular ones:
These applications rely on heuristics (unfamiliar cells, unexpected location-area changes, sudden downgrades to 2G, ciphering turned off) and have their limitations: they can miss a catcher and can raise false alarms, so they do not provide complete protection.
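The kind of heuristics such detection apps run, applied to a log of cell observations. This is an added example; it is not code from the original article nor from any of the apps it refers to. The rules are the generic checks these tools rely on, and the baseline, the signal-strength threshold and the captured log are constructed for illustration. Requiring two rules to fire before alerting is a design choice that keeps a single new legitimate cell from tripping the alarm.

```python
"""Heuristic IMSI-catcher detection over a log of cell observations.

Added example, not code from the original article and not from any of the
apps it refers to. The rules are the generic checks such tools rely on; the
baseline, the threshold and the log are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

CellKey = Tuple[str, str, int, int]  # (mcc, mnc, lac, cid)


@dataclass(frozen=True)
class CellObservation:
    t: int                      # seconds since the start of the capture
    rat: str                    # radio access technology: "GSM", "UMTS" or "LTE"
    mcc: str
    mnc: str
    lac: int                    # location / tracking area code
    cid: int                    # cell identity
    rssi_dbm: int               # received signal strength
    cipher: Optional[str]       # GSM cipher in use ("A5/0" = none); None if unknown
    neighbors: Tuple[int, ...]  # neighbour cell identities the cell advertises


# Constructed baseline: cells previously seen at this location.
KNOWN_CELLS: Set[CellKey] = {
    ("262", "01", 1010, 40001),  # LTE
    ("262", "01", 1010, 40002),  # LTE
    ("262", "01", 2020, 30001),  # GSM, legitimate
}
STRONG_SIGNAL_DBM = -60  # a catcher next to the phone is unusually loud (assumed threshold)


def score(obs: CellObservation, prev: Optional[CellObservation], known: Set[CellKey]) -> List[str]:
    """Return the list of rules this observation trips."""
    reasons = []
    if (obs.mcc, obs.mnc, obs.lac, obs.cid) not in known:
        reasons.append("cell not in baseline")
    known_lacs = {lac for (mcc, mnc, lac, _) in known if (mcc, mnc) == (obs.mcc, obs.mnc)}
    if obs.lac not in known_lacs:
        reasons.append("unexpected LAC for this operator")
    if prev is not None and prev.rat != "GSM" and obs.rat == "GSM" and obs.rssi_dbm >= STRONG_SIGNAL_DBM:
        reasons.append("downgrade to 2G with strong signal")
    if obs.rat == "GSM" and obs.cipher == "A5/0":
        reasons.append("ciphering disabled")
    if not obs.neighbors:
        reasons.append("empty neighbour list")  # keeps the phone from reselecting away
    return reasons


def analyze(log: List[CellObservation], known: Set[CellKey] = KNOWN_CELLS) -> List[Tuple[int, List[str]]]:
    """Return (timestamp, reasons) for each observation that trips two or more rules.

    One rule alone is too noisy: a newly installed legitimate cell also fails
    the baseline check.
    """
    alerts, prev = [], None
    for obs in log:
        reasons = score(obs, prev, known)
        if len(reasons) >= 2:
            alerts.append((obs.t, reasons))
        prev = obs
    return alerts


# Constructed capture: normal LTE, a legitimate GSM cell, a suspicious GSM cell,
# then a new but legitimate-looking LTE cell.
SAMPLE_LOG = [
    CellObservation(0, "LTE", "262", "01", 1010, 40001, -85, None, (40002,)),
    CellObservation(30, "GSM", "262", "01", 2020, 30001, -90, "A5/1", (30002, 30003)),
    CellObservation(60, "LTE", "262", "01", 1010, 40002, -88, None, (40001,)),
    CellObservation(90, "GSM", "262", "01", 7777, 30001, -45, "A5/0", ()),
    CellObservation(120, "LTE", "262", "01", 1010, 40003, -87, None, (40001, 40002)),
    CellObservation(150, "LTE", "262", "01", 1010, 40001, -85, None, (40002,)),
]

if __name__ == "__main__":
    for t, reasons in analyze(SAMPLE_LOG):
        print(f"t={t}s: possible IMSI catcher: {', '.join(reasons)}")
```

On a real phone the observations would come from the baseband via the platform's telephony API, and the cipher indicator in particular is often not exposed, which is one reason such apps cannot promise complete coverage.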
How can I protect myself from these attacks?
If you are using a 2G device, upgrade it to 3G or preferably 4G; this reduces the risk considerably. On a modern phone, disable 2G or select "LTE only" where the settings allow it, so that the phone cannot be downgraded to 2G. Beyond that, there is little the phone itself can do, because the attack takes place on the network side: use end-to-end encrypted calling and messaging so that whatever an interceptor captures is unreadable, and use the detection apps mentioned above to spot one.