
Build a do-it-yourself IMSI Catcher for about $20 - mises
https://motherboard.vice.com/en_us/article/gy7qm9/how-i-made-imsi-catcher-cheap-amazon-github
======
jstanley
Here are the limitations:

1.) It seems to listen to messages from the cell towers rather than listening
directly to phones. This means you are likely to catch IMSIs from a very wide
area (i.e., every phone that connects to the cell tower you're listening to),
which means you don't get much information about "who was in the local
vicinity". This probably also means you can't tell the phone's signal
strength, as the received signal strength is that of the tower not the phone
(unless the tower modulates its transmit power based on how poor the phone's
signal is?).

2.) It can only listen to one frequency at a time. This means you need N
RTL-SDRs if you want to listen to phones connecting to N cell towers. (But the
RTL-SDR does have about 3MHz bandwidth, so in theory it should be possible to
listen to multiple cell towers simultaneously).

3.) It can only see IMSIs when a phone first connects. I don't think the IMSI
is sent when making a call or transferring data.

4.) It only works on GSM, i.e. 2G. Hardly anyone uses that these days. (I don't
know if a similar passive approach would work on 3G and 4G, it may be that
only software is required in order to support more than 2G).

The benefits of this approach compared to other things I've seen are that it
is totally passive, so even a savvy target is unlikely to be able to detect
that his IMSI has been caught, and it is extremely cheap to carry out.

~~~
droopybuns
>> 4.) It only works on GSM, i.e. 2G. Hardly anyone uses that these days. (I
don't know if a similar passive approach would work on 3G and 4G, it may be
that only software is required in order to support more than 2G).

Do you have some data that supports this claim? I haven't gone sniffing
recently, but I believe T-Mobile is still wed to 2G for the foreseeable
future, and internationally, 2G is still in a lot of countries. I believe one
northern European telco is going to decommission their UMTS network and
support both LTE & GPRS.

~~~
conradev
AT&T discontinued GSM nationwide:
[https://about.att.com/innovationblog/2g_sunset](https://about.att.com/innovationblog/2g_sunset)

T-Mobile is keeping it running until at least 2020:
[https://www.t-mobile.com/news/att-2g-iot-lifeline](https://www.t-mobile.com/news/att-2g-iot-lifeline)

edit: Wikipedia has a pretty solid list:
[https://en.wikipedia.org/wiki/2G#Past_2G_networks](https://en.wikipedia.org/wiki/2G#Past_2G_networks)

------
rusk
I’m pretty sure modern networks allocate temporary anonymised IMSIs (TIMSI) to
eschew just this kind of attack ...

EDIT yes [http://www.gsm-security.net/faq/timsi-temporary-imsi-gsm.shtml](http://www.gsm-security.net/faq/timsi-temporary-imsi-gsm.shtml)

~~~
syn0byte
Just slightly complicates it. All you need is for them to be in range of your
catcher when they renegotiate a new TIMSI, which is done periodically. If
you're targeting a specific person that's as simple as deploying a catcher
within range of their home and/or office and chances are good you will get
most if not all TIMSI negotiations.

Like trying to stop MITM attacks on the internet by randomizing MAC addresses
between sessions. IMSIs are printed on a sticker stuck to the phone. How secret
can it really be?

Even if TIMSI worked well, there are other techniques:
[https://arxiv.org/pdf/1607.05171.pdf](https://arxiv.org/pdf/1607.05171.pdf)

~~~
self
> IMSI are printed on a sticker stuck to the phone.

My phones have the IMEI number written on them, not the IMSI numbers. I'll
have to take the SIM out to see if it has the IMSI written on it somewhere.

~~~
omribahumi
What’s written on the SIM card is called ICCID. For some carriers, you can
convert from IMSI to ICCID and vice versa, because they chose this convention.

------
blacksmith_tb
Odd that they say "Note that the IMSI-catcher would still need to have Ubuntu
on the Pi, which it is not traditionally designed for" - I mean, I see the
README wants you to add a PPA for gr-gsm[1], but that shouldn't be a problem
on stock Raspbian (or another Debian-based distro).

1: [https://github.com/Oros42/IMSI-catcher#setup](https://github.com/Oros42/IMSI-catcher#setup)

~~~
applecrazy
I don’t think many people outside of the tech industry know that Ubuntu is a
Debian-based operating system.

Edit: Changed Debian-based to Debian-derived

------
gabrielblack
Tested now. It works just fine, with the proper antenna. RTL-SDR is a
_receiver_, with this toy you can only sniff some non-encrypted data exchange
between the phones and the cell towers, for example IMSI numbers (as its name
explains). You can't do MITM attacks or intercept anything.

~~~
rsync
"Tested now. It works just fine, with the proper antenna."

Yes, but this is a GSM only implementation, using gr-gsm, correct? They
aren't doing anything like Tracking Area Update Request for LTE[1], correct?

[1] [https://hackaday.com/2017/05/30/lte-imsi-catcher/](https://hackaday.com/2017/05/30/lte-imsi-catcher/)

~~~
gbon
Besides the software compatibility with protocols different from GSM (2G)
there is a serious hardware problem: RTL-SDR dongles can't operate above 1.4
GHz. This limit is for the better models (i.e. those with better shielding).
In my experience the cheap models like the one mentioned in the article have
problems above 1 GHz. I'm telling you because GSM supports ~900 MHz and ~1800
MHz frequencies and, as I tested, only the traffic around 900 MHz is visible.
So, even in the 2G domain, you can't see everything.

~~~
squarefoot
Some SDR devices can go higher than 1800MHz, the HackRF One for example
receives and transmits from 1 MHz to 6GHz and has been used to decode some GSM
and LTE traffic.

[https://sdr-x.github.io/Whole-20MHz-config-LTE-signal-is-decoded-by-HACKRF-19.2Msps-with-ASN1-SIB-parsed/](https://sdr-x.github.io/Whole-20MHz-config-LTE-signal-is-decoded-by-HACKRF-19.2Msps-with-ASN1-SIB-parsed/)

[https://greatscottgadgets.com/hackrf/](https://greatscottgadgets.com/hackrf/)

Way different price though still interesting.

------
tgsovlerkhgsel
This is a "device to catch IMSIs", but the thing commonly called an IMSI
catcher is much more than that - those are entire fake cells that MitM the
traffic and can actually intercept calls. This device can't do that, making
the title highly misleading.

------
zebrafish
I'm not super familiar with how cellular networks operate, but isn't there a
way to authenticate the session with the tower so that the IMSI doesn't get
transmitted to a snooping party? If we do it with laptops and wifi APs, can't
we also do it with phones?

Finger print scanners and facial recognition are prevalent on phones these
days, would that be a solution to circumvent this vulnerability?

~~~
Nokinside
* GSM (2g) does not have authentication at all.

* 3G has no integrity protection. Downgrade attacks from 3G->2G work. Also, it's the base station that decides if authentication and encryption is done. Fake base stations can still be used to track location, intercept calls and data.

* LTE/4G has mutual authentication and mandatory integrity protection. In theory you can't get IMEI if the message has no integrity but the protocols are not perfect.

LTE/4G can still be intercepted by using jammers, DoS attacks or exploiting
weaknesses in the protocols and implementations to force a downgrade. Some
messages in the protocols still go unencrypted and without authentication.
It's for example possible to edit voice domain preference or send "LTE
services not allowed" messages or edit the list of supported protocols to
force downgrade.

Practical attacks against privacy and availability in 4G/LTE mobile
communication systems
[https://arxiv.org/pdf/1510.07563v1.pdf](https://arxiv.org/pdf/1510.07563v1.pdf)

~~~
droopybuns
GSM does not have _meaningful_ tower auth. It does have UE authentication.

~~~
dfox
To clarify: GSM is essentially the first cellular protocol that does meaningful
user authentication; on the other hand there is no way for the user to
explicitly authenticate the network. In the usual operating mode the session is
implicitly bidirectionally authenticated by the fact that both UE and network
have to be able to derive the same Kc, but nothing prevents the network from
just ignoring the authentication response from the UE and continuing in
plaintext mode.
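
A simulation of the exchange dfox describes, added here as an example (it is not code from the article or from the Oros42/IMSI-catcher project). The SIM's A3/A8 is replaced by an HMAC stand-in, and the message names and the `Phone`/`GenuineNetwork`/`RogueBTS` classes are this example's own assumptions, not GSM stack APIs. The point it shows: a genuine network holds Ki via the AuC, so it can reject a wrong SRES and derive the same Kc as the phone; a rogue base station holds no Ki, cannot check SRES, does not need to, and can simply order A5/0 (no ciphering), and the phone has no step in which the network proves anything to it.

```python
"""Toy GSM attach: RAND/SRES challenge, Kc derivation, cipher mode decision.
Added example; A3/A8 is an HMAC stand-in (assumption), not COMP128."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple


def a3a8(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for the SIM's A3/A8: 16-byte RAND -> 4-byte SRES, 8-byte Kc."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


@dataclass
class Phone:
    imsi: str
    ki: bytes          # held only by the SIM and the home AuC
    kc: bytes = b""
    cipher: str = ""   # what the network told us to use


class GenuineNetwork:
    """Has the AuC's Ki table, so it can verify SRES and derive Kc itself."""

    def __init__(self, auc: Dict[str, bytes]):
        self.auc = auc
        self.pending: Dict[str, Tuple[bytes, bytes]] = {}
        self.kc: Dict[str, bytes] = {}

    def authentication_request(self, imsi: str) -> bytes:
        rand = os.urandom(16)
        # The AuC produces the triplet (RAND, SRES, Kc) from the subscriber's Ki.
        sres, kc = a3a8(self.auc[imsi], rand)
        self.pending[imsi] = (sres, kc)
        return rand

    def authentication_response(self, imsi: str, sres: bytes) -> str:
        expected, kc = self.pending.pop(imsi)
        if not hmac.compare_digest(expected, sres):
            return "REJECT"            # UE authentication: a wrong Ki fails here
        self.kc[imsi] = kc
        return "A5/1"                  # Cipher Mode Command: encrypt with Kc


class RogueBTS:
    """Fake cell: no Ki, so it cannot compute SRES. It challenges anyway (or
    could skip the challenge entirely), ignores the answer, and orders A5/0."""

    def __init__(self) -> None:
        self.captured: List[str] = []

    def authentication_request(self, imsi: str) -> bytes:
        self.captured.append(imsi)     # the identity is what it wanted
        return os.urandom(16)

    def authentication_response(self, imsi: str, sres: bytes) -> str:
        return "A5/0"                  # no ciphering; the UE has no say


def attach(phone: Phone, network) -> Phone:
    """UE side of a Location Update: answer the challenge, obey the cipher mode.
    Note there is no step in which the UE checks that the network knows Ki."""
    rand = network.authentication_request(phone.imsi)
    sres, kc = a3a8(phone.ki, rand)
    phone.kc = kc
    phone.cipher = network.authentication_response(phone.imsi, sres)
    return phone


if __name__ == "__main__":
    ki = os.urandom(16)                # constructed subscriber key
    home = GenuineNetwork({"262011234567890": ki})
    p = attach(Phone("262011234567890", ki), home)
    print("genuine:", p.cipher, "shared Kc" if home.kc[p.imsi] == p.kc else "Kc mismatch")
    rogue = RogueBTS()
    p = attach(Phone("262011234567890", ki), rogue)
    print("rogue:", p.cipher, "captured", rogue.captured)
```

The genuine path rejects a phone whose SIM holds a different Ki; the rogue path accepts anyone and turns ciphering off, which is the asymmetry the comments above are describing.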

------
criddell
Other than just being a fun project, is there anything that you could do with
the data you collect?

~~~
Max-20
Can't you also track and read messages, mobile data and calls that are sent
and received from the mobile device?

An IMSI catcher is nothing but a 'fake' cell phone tower for a phone.

~~~
runjake
No, because those messages are encrypted.

Likely with a semi-busted protocol, depending on whether we're talking
GSM/CDMA/LTE/etc, but a pain to attack, regardless.

~~~
welder
They are sometimes encrypted but setting up a cell tower proxy (femtocell)
lets you disable encryption to connected devices and then you can read any
texts sent/received through your femtocell. Watch the defcon/blackhat
presentations showing this. First one I remember watching was maybe 10 years
ago.

------
exabrial
Sigh, yet another reason companies should stop doing "2FA" over text. Please
support TOTP or U2F. I cringe Apple doesn't support either.

~~~
dogma1138
1) This doesn’t allow anyone to read anything, it only allows you to inspect
phone identifiers which today are random anyhow.

2) Your security needs only to be as strong as your likely adversary. OTP over
SMS is fine for most use cases. In any case this isn't an argument against it;
networks with piss-poor controls over SS7, which could allow you to reroute
calls and texts to another number, or networks that allow you to access
voicemail without a password if you spoof the origin number, are.

Yes, SMS based 2FA isn't going to be resilient against a state actor, but that
shouldn't be the adversary you protect yourself against; if it is, you've
already lost.

In nearly all other cases it’s fine, attacks against it aren’t scalable and
extremely hard to pull off outside of purely academic exercises and the
benefits from the added security are considerable when compared to the use of
only passwords or pre-generated auth codes.

~~~
jwr
SMS-based 2FA is a joke not just because of SS7 attacks, but mostly because
most (if not all) phones are set to display SMS messages on the lock screen.

So go grab somebody's phone and enjoy access to anything that uses SMS-based
2FA, because those messages are going to be shown even if you are unable to
unlock the phone. Far from "academic exercises" or "state-level actors", I'd
say.

~~~
tgsovlerkhgsel
Grabbing phones off people doesn't scale, and is reasonably hard to pull off
since you need to first map from the online identity to the exact physical
location, then actually physically get there yourself.

Much easier to just social engineer the provider into giving you a replacement
SIM.

~~~
dogma1138
Grabbing phones off people also means it doesn't matter if they display
messages or not: if you have the SIM you don't need their device.

This isn't any different than stealing someone's YubiKey; it's game over.

Also, at least in the U.K. it's pretty hard to get a replacement SIM through
social engineering; you either need an ID in store or they send it to your
billing address only, with signed post.

In either case the previous SIM would be disabled on the spot, which would
likely mean that the owner would notice and block it before this can be
leveraged for an attack, and this is also less scalable than stealing phones
since it's actually more involved in most cases.

------
knorker
Don't you also need to crack the encryption? Yes, it's pretty fast, but it
does drive up the cost at least 10x. I'm not saying that's a lot, but it's no
$20.

See
[https://www.youtube.com/watch?v=3dridHDUHJQ&list=PLRovDyowOn...](https://www.youtube.com/watch?v=3dridHDUHJQ&list=PLRovDyowOn5F_TFotx0n8A79ToZYD2lOv)

~~~
tonyarkles
Not to sniff the IMSI/TMSI, just to decrypt the rest of the traffic. There are
some parts of the signalling protocol that happen in the clear.

~~~
knorker
Are you sure? TMSI I agree is plaintext, but not IMSI, right?

TMSI is not as "temp" as the name implies, but that doesn't make it an _IMSI_
catcher.
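
The distinction knorker and tonyarkles are drawing, and jstanley's point 3 above about only seeing an IMSI when the phone first connects, both come down to one field: the Mobile Identity information element (3GPP TS 24.008, 10.5.1.4), which carries either an IMSI/IMEI as packed BCD digits or a TMSI as four raw bytes, and which appears in the clear in downlink paging requests. The parser below is an added example, not code from the article or from the Oros42/IMSI-catcher project (which hands these frames to gr-gsm and Wireshark instead). The paging request layout follows TS 44.018 9.1.22 as I read it (L2 pseudo length, RR protocol discriminator 0x06, message type 0x21, page mode octet, a mandatory LV Mobile Identity, an optional Mobile Identity 2 behind IEI 0x17, then 0x2B padding to 23 octets); the sample IMSI, TMSI and frame are constructed for the example.

```python
"""Decode the Mobile Identity IE and a Paging Request Type 1 block.
Added example; sample identities and frame below are constructed."""
from typing import List, NamedTuple, Optional

IDENTITY_TYPES = {0: "none", 1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}


class MobileIdentity(NamedTuple):
    kind: str
    value: str   # decimal digits, or 8 hex digits for a TMSI


def decode_mobile_identity(ie: bytes) -> MobileIdentity:
    """ie = length octet followed by the identity octets (TS 24.008 10.5.1.4)."""
    if not ie or len(ie) != 1 + ie[0] or ie[0] == 0:
        raise ValueError("truncated or empty Mobile Identity IE")
    body = ie[1:]
    first = body[0]
    kind = IDENTITY_TYPES.get(first & 0x07)      # bits 1-3: type of identity
    odd = bool(first & 0x08)                      # bit 4: odd number of digits
    if kind is None:
        raise ValueError("reserved identity type")
    if kind == "TMSI":
        if len(body) != 5 or (first >> 4) != 0xF:
            raise ValueError("malformed TMSI")
        return MobileIdentity(kind, f"{int.from_bytes(body[1:], 'big'):08x}")
    if kind == "none":
        return MobileIdentity(kind, "")
    digits = [first >> 4]                         # bits 5-8: first BCD digit
    for octet in body[1:]:                        # low nibble first, then high
        digits.append(octet & 0x0F)
        digits.append(octet >> 4)
    if not odd:
        if digits.pop() != 0xF:                   # even count: high nibble is filler
            raise ValueError("expected 0xF filler")
    if any(d > 9 for d in digits):
        raise ValueError("non-BCD digit in identity")
    return MobileIdentity(kind, "".join(str(d) for d in digits))


def encode_mobile_identity(kind: str, value: str) -> bytes:
    """Inverse of decode_mobile_identity; used here to build the sample frame."""
    type_id = {v: k for k, v in IDENTITY_TYPES.items()}[kind]
    if kind == "TMSI":
        return bytes([5, 0xF0 | type_id]) + int(value, 16).to_bytes(4, "big")
    digits = [int(c) for c in value]
    odd = len(digits) % 2 == 1
    first = (digits[0] << 4) | (0x08 if odd else 0) | type_id
    rest = digits[1:] + ([] if odd else [0xF])
    body = bytes([first]) + bytes(rest[i] | (rest[i + 1] << 4) for i in range(0, len(rest), 2))
    return bytes([len(body)]) + body


def build_paging_request_type1(mi1: bytes, mi2: Optional[bytes] = None) -> bytes:
    """One 23-octet CCCH block carrying a Paging Request Type 1 (constructed)."""
    l3 = bytes([0x06, 0x21, 0x00]) + mi1          # RR, Paging Request Type 1, page mode
    if mi2 is not None:
        l3 += bytes([0x17]) + mi2                 # optional Mobile Identity 2 (TLV)
    if len(l3) > 22:
        raise ValueError("does not fit one CCCH block")
    frame = bytes([(len(l3) << 2) | 0x01]) + l3   # L2 pseudo length octet
    return frame + bytes([0x2B]) * (23 - len(frame))


def parse_paging_request_type1(frame: bytes) -> List[MobileIdentity]:
    """Return every identity the network is paging in this block."""
    if len(frame) < 4 or frame[0] & 0x03 != 0x01:
        raise ValueError("bad L2 pseudo length octet")
    l3 = frame[1:1 + (frame[0] >> 2)]
    if len(l3) != frame[0] >> 2 or l3[0] & 0x0F != 0x06 or l3[1] != 0x21:
        raise ValueError("not an RR Paging Request Type 1")
    identities = []
    pos = 3
    n = l3[pos]                                   # Mobile Identity 1, mandatory LV
    identities.append(decode_mobile_identity(l3[pos:pos + 1 + n]))
    pos += 1 + n
    if pos + 1 < len(l3) and l3[pos] == 0x17:     # Mobile Identity 2, optional TLV
        n = l3[pos + 1]
        identities.append(decode_mobile_identity(l3[pos + 1:pos + 2 + n]))
    return identities


if __name__ == "__main__":
    frame = build_paging_request_type1(
        encode_mobile_identity("TMSI", "12345678"),          # constructed
        encode_mobile_identity("IMSI", "262011234567890"))    # constructed
    for ident in parse_paging_request_type1(frame):
        print(ident.kind, ident.value)
```

Running it prints one TMSI and one IMSI from the same block. The type bits, not the length, tell you which you have: a TMSI decodes to an opaque 32-bit value that is only meaningful to the network that assigned it, whereas an IMSI decodes straight to MCC/MNC/MSIN, which is why a passive listener only learns who is present when the network pages by IMSI or a phone identifies itself with it.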

------
vvanders
Doesn't this run afoul of the legal issue of monitoring the cell bands, or
does that only apply to text/voice?

------
notreally99
This isn’t actually an IMSI catcher - it is just passively looking at C0

~~~
anonu
What is C0?

