From LTrack:
>We propose a new type of IMSI Catcher, named IMSI Extractor. Our IMSI Extractor does not rely on fake base stations but instead uses a combination of low-power surgical message overshadowing and uplink/downlink sniffing. Even if our catcher injects a message, it does so in line with LTE protocol specification, making it hard to detect with existing IMSI Catcher detection techniques. We discuss the techniques that would be needed to detect this attack. We successfully tested our IMSI Extractor on 17 smartphones connecting to an industry-grade eNodeB.
Do they need the keys to the LTE network to perform this attack or is the encryption / protocol vulnerable to attackers without this info?
It doesn't need any keys, since the protocol itself is vulnerable to this. The Identity Request message that is sent is unauthenticated, but the phone replies with the IMSI nonetheless.
Note that this is just one part of the attack, the attack also includes fully passive localization of phones.
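A detection-side illustration of the point made in the answer above, added here as an example and not taken from the LTrack paper or any detector app: the EMM Identity Request is a plain, unauthenticated NAS message, so a device-side monitor that sees the NAS exchange can at least flag when an IMSI request arrives in a position where the spec would not normally put one. The code assumes a hypothetical NAS log already parsed into `NasMsg` records (direction, EMM message type, security header, identity type); the message type and IE values are the ones from 3GPP TS 24.301 / TS 24.008, the sample traces are constructed, and the two heuristics are illustrative, not a complete detector.

```python
from dataclasses import dataclass
from typing import List, Optional

# EMM message type codes, 3GPP TS 24.301 table 9.8.1
ATTACH_REQUEST = 0x41
ATTACH_ACCEPT = 0x42
IDENTITY_REQUEST = 0x55
IDENTITY_RESPONSE = 0x56
SECURITY_MODE_COMMAND = 0x5D
SECURITY_MODE_COMPLETE = 0x5E

# Identity type 2 IE values, 3GPP TS 24.008 10.5.5.9
ID_TYPE_IMSI = 1
ID_TYPE_IMEI = 3
ID_TYPE_GUTI = 6

# NAS security header type, 3GPP TS 24.301 9.3.1
SH_PLAIN = 0
SH_INTEGRITY = 1
SH_INTEGRITY_CIPHERED = 2
SH_INTEGRITY_NEW_CTX = 3
SH_INTEGRITY_CIPHERED_NEW_CTX = 4


@dataclass
class NasMsg:
    """One NAS message as a hypothetical device-side logger would record it."""
    direction: str                  # "DL" (network -> UE) or "UL" (UE -> network)
    msg_type: int                   # EMM message type code
    sec_hdr: int = SH_PLAIN         # security header type of the outer NAS PDU
    id_type: Optional[int] = None   # identity type IE, for Identity Request/Response


@dataclass
class Finding:
    index: int      # position of the suspicious message in the log
    reason: str


def audit_nas_log(msgs: List[NasMsg]) -> List[Finding]:
    """Flag IMSI Identity Requests that fall outside the normal attach pattern.

    Rule 1: once Security Mode Command has activated a NAS security context,
            downlink NAS messages should be integrity protected; a plain
            IMSI request after that point is suspicious.
    Rule 2: a legitimate attach needs the IMSI at most once; repeated plain
            IMSI requests in one session are suspicious.
    """
    findings: List[Finding] = []
    secured = False         # NAS security context activated in this session
    imsi_requests = 0       # plain IMSI requests seen so far
    for i, m in enumerate(msgs):
        if m.direction != "DL":
            continue
        if m.msg_type == SECURITY_MODE_COMMAND:
            secured = True
        elif m.msg_type == IDENTITY_REQUEST and m.id_type == ID_TYPE_IMSI:
            imsi_requests += 1
            if secured and m.sec_hdr == SH_PLAIN:
                findings.append(Finding(i, "plain IMSI Identity Request after NAS security was activated"))
            elif imsi_requests > 1:
                findings.append(Finding(i, "repeated IMSI Identity Request within one session"))
    return findings


def imsi_disclosures(msgs: List[NasMsg]) -> int:
    """Count how many times the IMSI left the device in an unprotected Identity Response."""
    return sum(1 for m in msgs
               if m.direction == "UL" and m.msg_type == IDENTITY_RESPONSE
               and m.id_type == ID_TYPE_IMSI and m.sec_hdr == SH_PLAIN)


# Constructed trace: a first attach where the MME cannot resolve the GUTI and
# legitimately asks for the IMSI once before activating security.
NORMAL_ATTACH = [
    NasMsg("UL", ATTACH_REQUEST, SH_PLAIN, ID_TYPE_GUTI),
    NasMsg("DL", IDENTITY_REQUEST, SH_PLAIN, ID_TYPE_IMSI),
    NasMsg("UL", IDENTITY_RESPONSE, SH_PLAIN, ID_TYPE_IMSI),
    NasMsg("DL", SECURITY_MODE_COMMAND, SH_INTEGRITY_NEW_CTX),
    NasMsg("UL", SECURITY_MODE_COMPLETE, SH_INTEGRITY_CIPHERED_NEW_CTX),
    NasMsg("DL", ATTACH_ACCEPT, SH_INTEGRITY_CIPHERED),
]

# Constructed trace: same attach, then a plain IMSI request arrives after
# security is up and the device answers it anyway (the behaviour the thread
# describes). Rule 1 fires on index 6.
LATE_PLAIN_REQUEST = NORMAL_ATTACH + [
    NasMsg("DL", IDENTITY_REQUEST, SH_PLAIN, ID_TYPE_IMSI),
    NasMsg("UL", IDENTITY_RESPONSE, SH_PLAIN, ID_TYPE_IMSI),
]

# Constructed trace: two plain IMSI requests before any security context,
# which a legitimate attach does not need. Rule 2 fires on index 3.
REPEATED_REQUEST = [
    NasMsg("UL", ATTACH_REQUEST, SH_PLAIN, ID_TYPE_GUTI),
    NasMsg("DL", IDENTITY_REQUEST, SH_PLAIN, ID_TYPE_IMSI),
    NasMsg("UL", IDENTITY_RESPONSE, SH_PLAIN, ID_TYPE_IMSI),
    NasMsg("DL", IDENTITY_REQUEST, SH_PLAIN, ID_TYPE_IMSI),
    NasMsg("UL", IDENTITY_RESPONSE, SH_PLAIN, ID_TYPE_IMSI),
]

if __name__ == "__main__":
    for name, trace in [("normal", NORMAL_ATTACH), ("late", LATE_PLAIN_REQUEST), ("repeated", REPEATED_REQUEST)]:
        print(name, imsi_disclosures(trace), audit_nas_log(trace))
```

The limits of this are exactly what the quoted abstract points at: a request injected at the spot where a first attach would legitimately carry one (before security activation, once) is indistinguishable at the NAS layer from the network's own request, so a monitor like this only catches requests that are out of place, and anything better has to come from the radio layer (the overshadowing itself) or from the network side.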