
Building a Passive IMSI Catcher - signa11
https://harrisonsand.com/imsi-catcher/
======
crankylinuxuser
This is one facet of what my talk is going to be about:
[https://ccc2019cfp.busyconf.com/activities/5c3a57314808fac10...](https://ccc2019cfp.busyconf.com/activities/5c3a57314808fac1050000b2)

I was accepted for a presentation "SigInt for the Masses; Building and Using a
Signals Intelligence Platform for Less than $150"

I already have the device built, and so does someone else on the west coast!

My repo is here, which includes 3d printables (that I designed and printed),
Bill of Materials, and bash standup scripts from current Raspbian.
[https://gitlab.com/crankylinuxuser/siginttablet](https://gitlab.com/crankylinuxuser/siginttablet)

What does it look like?
[https://imgur.com/a/rImW7av](https://imgur.com/a/rImW7av)

With the nrf mousejack / gr-nordic:
[https://twitter.com/CrankyLinuxUser/status/11188788307463086...](https://twitter.com/CrankyLinuxUser/status/1118878830746308609)

If you look through my scripts, I compile both gr-gsm and gr-lte, along with
[https://github.com/Oros42/IMSI-catcher.git](https://github.com/Oros42/IMSI-catcher.git) as referenced in the project. The signals I can work
with/attack/listen are as follows:

    
    
         tx: 100KHz-1.5GHz
         rx: 20MHz-1.7GHz
         duplex: 802.11abgn
         duplex: nRF24LU1 (nearly all non-BT wireless keyboards and mice)

------
gregsadetsky
LinkNYC [0] kiosks have two security cameras (one above each ad display on
both sides). Would it be somehow, or very, paranoid to imagine that these
kiosks are also capturing IMSIs using a method similar to the one described
above?

If you join the wi-fi network that any kiosk advertises, you will definitely
“re-attach” when you encounter a new kiosk (so some MAC related tracking is
possible).

But... do municipal CCTV setups usually go beyond video only and attempt to
track people using various methods around bluetooth/MAC/IMSI?

Is it probable? Improbable? We’ll only know in N years when someone leaks
about it..? Has it already been done?

[0] -
[https://en.m.wikipedia.org/wiki/LinkNYC](https://en.m.wikipedia.org/wiki/LinkNYC)

~~~
StudentStuff
Sounds quite regressive, some states like Oregon have made such setups
(filming public rights of way with a fixed camera) illegal.

~~~
voxadam
Interesting, does that mean outward facing security cameras with a view of
public roads or sidewalks are prohibited in Oregon?

~~~
StudentStuff
Yes, filming the public right of way is illegal.

------
saagarjha
If the author lurks here: you’ve blacked out the IMSI number in the
screenshots but left the ASCII in the clear.

------
punnerud
Anyone got this to work on 4G? This example only works for 2G, the last time I did
the same. 3G will be turned off during 2019 to make room for 5G, that's why I
only ask for 4G.

~~~
g_p
Just as a point of interest around 4G/LTE, it's worth noting that (many/most)
LTE networks don't support calling natively over LTE. At least not for a lot
of the handsets in the hands of their customers. Unless your handset
implements the all-IP Voice-over-LTE spec (which was an after-thought to
original 4G), all calls are handled by the circuit-switched fallback (CSFB)
process, where calls go over the legacy 2G or 3G networks.

Since many networks don't actually have VoLTE fully implemented and working
yet (and many popular Android handsets have quirks/bugs/issues around it,
coupled with MNOs trying to "pitch" VoLTE as an exclusive feature when you buy
the handset direct on their own MNO-modified firmware), a 2G catcher should
still work in many scenarios. If 3G is switched off, that (ironically) means
that many people's calls will end up going over original 2G networks, where
the handset doesn't authenticate the network at all! 3G handsets at least do a
mutual authentication of the network.

If you want to look at a real LTE catcher, take a look at this paper [1].
Worth noting this is not passive however, and requires transmitting in
licensed spectrum, which defeats the point of this passive one.

[1]
[https://arxiv.org/pdf/1702.04434.pdf](https://arxiv.org/pdf/1702.04434.pdf)
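
The authentication asymmetry g_p describes (a 2G handset checks nothing about the network it attaches to, a 3G USIM rejects a network that cannot present a valid AUTN) is shown below as an added example; it is not code from the article or from this thread. The SIM-side algorithms (A3/A8 in GSM, Milenage f1/f5 in UMTS) are operator secrets, so HMAC-SHA256 stands in for them here, and the key `K`, the sequence numbers and all function names are constructed for the example.

```python
import hmac
import hashlib
import os

# Constructed subscriber key (Ki in GSM, K in UMTS), known only to the SIM and
# the home network. Any other network is "rogue" for the purposes below.
K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def _f(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Stand-in for the SIM's secret algorithms (A3/A8, Milenage f1..f5).
    HMAC-SHA256 is an assumption so this runs stand-alone; no operator uses it."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


# --- GSM (2G): the handset proves itself, the network proves nothing ----------
def gsm_handset_answer(ki: bytes, rand: bytes) -> bytes:
    """SIM computes SRES = A3(Ki, RAND) (32 bits). Nothing in the exchange lets
    the SIM tell a real BTS from a rogue one, so it answers every RAND."""
    return _f(ki, b"A3", rand)[:4]


def gsm_handset_accepts(ki: bytes, rand: bytes) -> bool:
    """What the 2G handset verifies about the network before attaching: nothing."""
    gsm_handset_answer(ki, rand)
    return True


# --- UMTS (3G) AKA: the network must present AUTN computed from K -------------
def umts_network_challenge(k: bytes, sqn: int, amf: bytes = b"\x80\x00"):
    """Network/HLR side: RAND plus AUTN = (SQN xor AK) || AMF || MAC."""
    rand = os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")                 # 48-bit sequence number
    mac = _f(k, b"f1", rand, sqn_b, amf)[:8]       # 64-bit MAC over RAND,SQN,AMF
    ak = _f(k, b"f5", rand)[:6]                    # anonymity key hides SQN
    autn = bytes(a ^ b for a, b in zip(sqn_b, ak)) + amf + mac
    return rand, autn


def umts_handset_accepts(k: bytes, rand: bytes, autn: bytes, last_sqn: int) -> bool:
    """USIM side: recompute the MAC from K and reject a sender who cannot."""
    conc, amf, mac = autn[:6], autn[6:8], autn[8:16]
    ak = _f(k, b"f5", rand)[:6]
    sqn = int.from_bytes(bytes(a ^ b for a, b in zip(conc, ak)), "big")
    xmac = _f(k, b"f1", rand, sqn.to_bytes(6, "big"), amf)[:8]
    if not hmac.compare_digest(xmac, mac):
        return False        # MAC failure: the network does not know K (rogue)
    if sqn <= last_sqn:
        return False        # replayed challenge (real USIMs use a window check)
    return True


def rogue_network_attach(protocol: str) -> bool:
    """Does a network that does NOT know K get the handset to accept it?"""
    fake_k = os.urandom(16)                        # rogue operator's guess at K
    if protocol == "gsm":
        return gsm_handset_accepts(K, os.urandom(16))
    rand, autn = umts_network_challenge(fake_k, sqn=42)
    return umts_handset_accepts(K, rand, autn, last_sqn=0)


if __name__ == "__main__":
    print("2G rogue BTS accepted by handset:", rogue_network_attach("gsm"))
    print("3G rogue NodeB accepted by USIM:", rogue_network_attach("umts"))
```

The same asymmetry is why a downgrade to 2G (whether by a jammer, an active catcher or simply a 3G shutdown that leaves only GSM for CSFB calls) matters: the USIM's `umts_handset_accepts` check never runs on a GSM attach, and `gsm_handset_accepts` has nothing to check.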

~~~
viraptor
2G is being turned off though. For example Australia killed it in 2018
[https://www.vodafone.com.au/red-wire/goodbye-to-2g](https://www.vodafone.com.au/red-wire/goodbye-to-2g) so it's only 3G/4G
availability.

~~~
keithnz
3G is going to be turned off very soon in Australia also

------
orev
Something I’ve always thought about, to the point of almost trying to make one myself,
is that this kind of thing would be a great addition to home security systems.
If you ever had an incident, you’d be able to see what devices were around at
the time, giving you a solid list of leads on who to investigate from there.

------
anfractuosity
Very interesting. I didn't realise the IMSI number was ever sent in the clear.

------
pibefision
How do you associate the IMSI with any other type of data?

~~~
jstanley
The same way you associate any data point with any other.

For example, set up your IMSI catcher next to a numberplate reader. If you
repeatedly see a particular IMSI at the same time as a particular numberplate,
then there's a fair chance that that phone travels with that car, and
therefore that it likely belongs to the driver of the car.

This is easily automated on a large scale, and if anything gets easier as the
scale gets larger as you get more data points.
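
The co-occurrence join jstanley sketches, as an added example (not code from the article or from anyone in this thread): two sighting logs are matched by time window and each (IMSI, plate) pair is scored by how consistently the two appear together. The sightings, the 30-second window and the `min_co` threshold are constructed assumptions; real input would be the catcher's log and the plate reader's log.

```python
from bisect import bisect_left, bisect_right
from collections import Counter

WINDOW_S = 30   # sightings within 30 s of each other count as "together" (assumption)

# Constructed sample logs: (unix_time, identifier).
IMSI_SIGHTINGS = [
    (1000, "imsi-A"), (1005, "imsi-B"),
    (4000, "imsi-A"), (4020, "imsi-C"),
    (7000, "imsi-A"),
    (9000, "imsi-B"),
]
PLATE_SIGHTINGS = [
    (1010, "ABC123"), (1012, "XYZ999"),
    (4010, "ABC123"),
    (7005, "ABC123"),
    (9100, "XYZ999"),   # 100 s after imsi-B: outside the window, not a match
]


def correlate(imsi_log, plate_log, window=WINDOW_S):
    """Return Counter{(imsi, plate): co_sightings} for pairs seen within `window` s.

    The plate log is sorted once so each IMSI sighting costs a binary search
    rather than a scan; this is what keeps the join cheap at scale."""
    plates = sorted(plate_log)
    times = [t for t, _ in plates]
    pairs = Counter()
    for t, imsi in imsi_log:
        lo = bisect_left(times, t - window)
        hi = bisect_right(times, t + window)
        for _, plate in plates[lo:hi]:
            pairs[(imsi, plate)] += 1
    return pairs


def rank(imsi_log, plate_log, window=WINDOW_S, min_co=2):
    """Score pairs by co-sightings relative to how often each side appears.

    score = co / max(n_imsi, n_plate): 1.0 means that every time either
    identifier was seen, the other was there too. Pairs seen together fewer
    than `min_co` times are dropped, since one coincidence proves nothing;
    two phones that passed the same plate once (imsi-B/XYZ999) fall out."""
    n_imsi = Counter(i for _, i in imsi_log)
    n_plate = Counter(p for _, p in plate_log)
    co = correlate(imsi_log, plate_log, window)
    scored = [
        ((imsi, plate), c / max(n_imsi[imsi], n_plate[plate]), c)
        for (imsi, plate), c in co.items()
        if c >= min_co
    ]
    return sorted(scored, key=lambda x: (-x[1], -x[2]))


if __name__ == "__main__":
    for pair, score, c in rank(IMSI_SIGHTINGS, PLATE_SIGHTINGS):
        print(f"{pair[0]} <-> {pair[1]}: {c} co-sightings, score {score:.2f}")
```

With the constructed logs only imsi-A/ABC123 survives the threshold (three co-sightings out of three appearances each, score 1.0); the single overlaps at t=1000..1012 are exactly the false leads the threshold is there to discard.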

~~~
firethief
Numberplates are the tip of the constantly-broadcast data iceberg. Most phones
are constantly announcing the ESSIDs of their known WiFi hotspots, and WiFi
hotspot map data is readily available. It's like shouting out a map of home,
workplace, favorite cafes...
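
What a phone discloses in a directed probe request, as an added example (not code from the article or from this thread): a minimal 802.11 probe-request builder and parser that pulls the SSID element out of each frame and tallies network names per source MAC. A wildcard probe (empty SSID) discloses nothing, which is the distinction the replies below turn on. The MACs, SSIDs and sample frames are constructed; the frame layout (frame control, three addresses, tagged parameters with element ID 0 for the SSID) follows the 802.11 management frame format.

```python
import struct

MGMT_TYPE = 0
PROBE_REQ_SUBTYPE = 4
SSID_ELEMENT_ID = 0


def build_probe_request(src_mac: str, ssid: str, seq: int = 0) -> bytes:
    """Construct an 802.11 probe request (FCS omitted). Empty ssid = wildcard."""
    fc = struct.pack("<H", (PROBE_REQ_SUBTYPE << 4) | (MGMT_TYPE << 2))
    bcast = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex(src_mac.replace(":", ""))
    # addr1 = destination (broadcast), addr2 = transmitter, addr3 = BSSID
    hdr = fc + struct.pack("<H", 0) + bcast + src + bcast + struct.pack("<H", seq << 4)
    body = bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid.encode()
    body += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])   # supported rates 1/2/5.5/11 Mb/s
    return hdr + body


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_probe_request(frame: bytes):
    """Return (src_mac, ssid) for a probe request, None for any other frame.
    ssid is "" for a wildcard probe, i.e. nothing was disclosed."""
    if len(frame) < 24:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != MGMT_TYPE or subtype != PROBE_REQ_SUBTYPE:
        return None
    src = _mac(frame[10:16])
    pos, ssid = 24, ""
    while pos + 2 <= len(frame):               # walk the tagged parameters
        eid, elen = frame[pos], frame[pos + 1]
        val = frame[pos + 2: pos + 2 + elen]
        if len(val) < elen:
            break                              # truncated element: stop, don't over-read
        if eid == SSID_ELEMENT_ID:
            ssid = val.decode("utf-8", errors="replace")
            break
        pos += 2 + elen
    return src, ssid


def harvest(frames):
    """Map each probing MAC to the set of network names it has disclosed."""
    seen = {}
    for f in frames:
        parsed = parse_probe_request(f)
        if parsed is None:
            continue
        src, ssid = parsed
        names = seen.setdefault(src, set())
        if ssid:
            names.add(ssid)
    return seen


# Constructed sample capture: one phone probing for two remembered networks,
# one sending only a wildcard probe, and a beacon (subtype 8) that is skipped.
SAMPLE = [
    build_probe_request("02:11:22:33:44:55", "HomeNet-2G"),
    build_probe_request("02:11:22:33:44:55", "CoffeeShopWiFi", seq=1),
    build_probe_request("02:aa:bb:cc:dd:ee", ""),
    bytes([0x80, 0x00]) + b"\x00" * 22,
]

if __name__ == "__main__":
    for mac, names in harvest(SAMPLE).items():
        print(mac, sorted(names) or "(wildcard only: nothing disclosed)")
```

Each disclosed name is a lookup key into a public hotspot map, which is the step that turns a list of SSIDs into the "map of home, workplace, favourite cafes" above; the wildcard-only MAC yields nothing to look up.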

~~~
londons_explore
I don't think any modern phones do this for anything but 'hidden' networks.

Am I wrong?

~~~
borumpilot
Yes, you are wrong, unfortunately.

