In September 2019, Israel was identified as the party behind the IMSI catchers discovered in Washington, D.C. three years earlier, illustrating how common this kind of eavesdropping equipment has become. Once used only by law enforcement to locate the international mobile subscriber identity (IMSI) associated with a criminal suspect’s SIM card for investigation purposes, an IMSI catcher may now be purchased or built by almost anyone to intercept a target’s communications. With such a low barrier to entry, these devices are no longer a concern only for criminals.
This paper looks at several aspects of IMSI catchers (Stingrays) to reveal the true dangers they pose.
What is IMSI and how does it work?
GSM attacks fall into three categories: cracking GSM encryption, passive GSM interception, and active GSM interception. IMSI catchers belong to the last category: they act as a transceiver (transmitting and receiving at the same time) and actively interfere with the communications between mobile phones and base stations.
IMSI catchers deploy a “man-in-the-middle” [MITM] attack, presenting a fake mobile phone to the genuine base station and a fake base station to the real mobile phone at the same time. IMSI catchers can determine the IMSI numbers of nearby mobile phones, which is the trademark capability from which they get their name. Using the IMSI, they can then pick out the target’s traffic on the network and select it for interception and analysis.
The brand name “StingRay” has become a common generic term for IMSI catchers. Particularly among law enforcement agencies, they are also called “cell site simulators” or “cell site emulators”, fake cell towers, rogue base stations, StingRays or dirtboxes. Because the 2G protocol has many security flaws that make spying easier, IMSI catchers will frequently try to force communication over 2G. For one thing, encryption is optional in 2G; and where it is used, many of the underlying ciphers (such as A5/1) can be broken in real time.
IMSI catchers with more advanced capabilities can intercept texts and listen in on phone calls. They may also be able to intercept data transmissions, such as phone numbers dialled, web pages browsed, and other data. IMSI catchers are frequently equipped with jamming technology (to force 3G and 4G phones down to 2G) and other denial-of-service features. Some IMSI catchers may be able to retrieve items such as images and SMS from the target phone.
IMSI Catchers: How Do Criminals Use Them?
An IMSI catcher therefore gives threat actors a number of options, depending on the device’s capabilities and the cellular protocol in use.
- Location Tracking: An IMSI catcher can force a targeted smartphone to respond with its specific location using GPS or the signal intensities of the phone’s adjacent cell towers, allowing trilateration based on these towers’ known locations. When a threat actor knows where a target is, he or she can learn more about them, such as their exact location within a large office complex or the sites they frequent, or just track them across the coverage area.
- Data interception: Some IMSI catchers allow operators to reroute calls and texts, alter communications, and impersonate a user’s identity in calls and texts.
- Spyware delivery: Some of the more expensive IMSI catchers claim to be able to transmit spyware to the target device. Without the use of an IMSI catcher, such spyware can ping the target’s position and discreetly gather images and sounds through the device’s cameras and microphones.
- Data extraction: An IMSI catcher may also gather metadata such as phone numbers, caller IDs, call durations, and the content of unencrypted phone conversations and text messages, as well as some forms of data consumption (like websites visited).
Options for Detection
At present there is no guaranteed way for a smartphone user to know whether their device is connected to an IMSI catcher, much less to block such connections. Slow cellular connections and a change of band in the status bar (for example, from LTE to 2G) are indicators, but slow connections also happen to unaffected users, and certain IMSI catchers can operate in 4G.
IMSI catcher detection applications are only available for Android, and they require rooting the device – which itself weakens the device’s security – in order to access the cellular network communications exposed through the smartphone baseband’s diagnostic interface. More reliable hardware options exist for identifying IMSI catchers, which make sense for protecting many smartphone users in a single location, such as a business headquarters or a military post.
A typical arrangement includes a fixed, embedded system with sensor hardware and a cellular modem for continually monitoring the broadcast signals of nearby base stations, as well as a database to which data can be uploaded for analysis. When an IMSI catcher is found, alarms can be sent to all smartphone users in the organisation.
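As an added illustration of the monitoring arrangement described above (example code written for this page, not Efani’s product or any real sensor’s logic), the following heuristic check runs over constructed cell observations and flags a cell for the indicators this section names: absence from the site’s baseline database, a 2G cell with encryption disabled, an abnormally strong signal, and a 2G cell offered while LTE is available. The baseline, identifiers and thresholds are assumed sample values.

```python
from dataclasses import dataclass

@dataclass
class CellObservation:
    plmn: str        # MCC-MNC the cell claims to belong to
    lac: int         # location area code it broadcasts
    cell_id: int
    rat: str         # "LTE", "UMTS" or "GSM"
    rssi_dbm: int    # received signal strength
    cipher: str = "" # GSM only; "A5/0" means no encryption

# Constructed baseline of cells the site monitor has previously recorded:
# (plmn, lac, cell_id) -> RAT. All identifiers are made-up sample values.
BASELINE = {
    ("310-260", 7001, 41001): "LTE",
    ("310-260", 7001, 41002): "LTE",
    ("310-260", 7001, 3301): "GSM",
}

def sample_observations():
    """Constructed scan: three known cells plus one suspicious 2G cell."""
    return [
        CellObservation("310-260", 7001, 41001, "LTE", -85),
        CellObservation("310-260", 7001, 41002, "LTE", -90),
        CellObservation("310-260", 7001, 3301, "GSM", -95, "A5/1"),
        CellObservation("310-260", 7099, 65000, "GSM", -55, "A5/0"),
    ]

def analyse(observations, baseline=BASELINE, power_margin_db=20):
    """Return (cell_id, reason) pairs for cells matching rogue-cell heuristics."""
    findings = []
    known_rssi = [o.rssi_dbm for o in observations
                  if (o.plmn, o.lac, o.cell_id) in baseline]
    strongest_known = max(known_rssi, default=-120)
    lte_available = any(o.rat == "LTE" for o in observations)
    baseline_lacs = {lac for (_, lac, _) in baseline}
    for o in observations:
        reasons = []
        if (o.plmn, o.lac, o.cell_id) not in baseline:
            reasons.append("cell not in baseline")
        if o.lac not in baseline_lacs:
            reasons.append("unexpected LAC (forces a location update)")
        if o.rat == "GSM" and o.cipher == "A5/0":
            reasons.append("2G with encryption disabled")
        if o.rssi_dbm > strongest_known + power_margin_db:
            reasons.append("signal far stronger than known cells")
        if reasons and o.rat == "GSM" and lte_available:
            reasons.append("2G cell while LTE is available (downgrade)")
        findings.extend((o.cell_id, r) for r in reasons)
    return findings
```

Calling `analyse(sample_observations())` reports five findings, all against the constructed cell 65000, and none against the three baseline cells; a real deployment would feed the findings to the organisation-wide alert described above.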
Upgrade to Efani’s Black Seal Protection
While this appears to be a catastrophic situation, there is one option that can safeguard you from all of these threats: the EFANI Black Seal Protection. EFANI uses many levels of security and privacy to encrypt your voice, SMS, and text messages, as well as a cloud-based solution to detect, protect, and warn users in real time when an intrusion attempt is made.
At the network level, Efani’s Black Seal Protection delivers a unique military-grade capability for detecting IMSI Catchers and preventing Man in the Middle Attacks. The key strength of this solution is its ease of use. It is designed for cutting-edge protection on the SIM-card level and mass-deployment in large enterprises.
Installing the EFANI encrypted SIM card into your smartphone and answering a few questions to activate is all it takes. The user experience is unchanged, but security, privacy, and peace of mind have been added.
Perhaps most crucially, simply acknowledging that your cellular connections are unreliable may cause you to reconsider the information you exchange through them. Your security posture will benefit as a result.
In a nutshell
Communication interception, denial of service, and even location tracking are all common MITM threats. The symptoms of such attacks are not always visible, with the exception of denial of service when all communications are cut off. Otherwise, unless someone were actively looking for intercepted communications or double-checking every page they visited to make sure they were not being redirected to an attacker-controlled domain, they might not even be aware that they were being tracked.