1.) It seems to listen to messages from the cell towers rather than listening directly to phones. This means you are likely to catch IMSIs from a very wide area (i.e., every phone that connects to the cell tower you're listening to), which means you don't get much information about "who was in the local vicinity". This probably also means you can't tell the phone's signal strength, as the received signal strength is that of the tower not the phone (unless the tower modulates its transmit power based on how poor the phone's signal is?).
2.) It can only listen to one frequency at a time. This means you need N RTL-SDRs if you want to listen to phones connecting to N cell towers. (But the RTL-SDR does have about 3 MHz bandwidth, so in theory it should be possible to listen to multiple cell towers simultaneously).
3.) It can only see IMSIs when a phone first connects. I don't think the IMSI is sent when making a call or transferring data.
4.) It only works on GSM, i.e. 2G. Hardly anyone uses that these days. (I don't know if a similar passive approach would work on 3G and 4G, it may be that only software is required in order to support more than 2G).
The benefits of this approach compared to other things I've seen are that it is totally passive, so even a savvy target is unlikely to be able to detect that his IMSI has been caught, and it is extremely cheap to carry out.
>> 4.) It only works on GSM, i.e. 2G. Hardly anyone uses that these days. (I don't know if a similar passive approach would work on 3G and 4G, it may be that only software is required in order to support more than 2G).
Do you have some data that supports this claim? I haven't gone sniffing recently, but I believe T-Mobile is still wed to 2G for the foreseeable future, and internationally, 2G is still in a lot of countries. I believe one northern European telco is going to decommission their UMTS network and support both LTE & GPRS.
Only that I don't know anyone who is happy if their phone ever connects over 2G.
By "hardly anyone uses that", I meant end users, not phone companies. I am happy to agree that 2G infrastructure still exists, it's just that most phones aren't using it.
> 3.) It can only see IMSIs when a phone first connects. I don't think the IMSI is sent when making a call or transferring data.
I believe this is correct, in fact (someone please correct me if I've got this wrong?) it looks as if this open source tool being cited is incorrectly labelling TMSIs as IMSIs.
Just slightly complicates it. All you need is for them to be in range of your catcher when they renegotiate a new TMSI, which is done periodically. If you're targeting a specific person, that's as simple as deploying a catcher within range of their home and/or office, and chances are good you will get most if not all TMSI negotiations.
Like trying to stop MITM attacks on the internet by randomizing MAC addresses between sessions. IMSI are printed on a sticker stuck to the phone. How secret can it really be?
What’s written on the SIM card is called ICCID.
For some carriers, you can convert from IMSI to ICCID and vice versa, because they chose this convention.
Strictly speaking, IMSI identifies the SIM. A subscriber may have multiple SIMs and many SIMs throughout their lifetime. The IMSI is never ever transferable. The IMSI/SIM represents a unique network identity and links to items such as individualised cryptographic keys, session state, etc., the counterparts to which are baked into the SIM itself.
Yes but ... you have to track the target by other means then. There's not much beyond tracking that this particular attack is useful for, so if you have to track them anyway, what's the point!
All UMTS networks or newer use TMSI; the actual IMSI is only sent once per baseband reset, as long as there wasn't a period where a handoff between VLRs didn't occur and you didn't roam to another network without direct peering.
That said there is a trick to bypass TMSI for tracking as you can trigger an IMSI re-registration by interrupting mobile data or by forcing the mobile phone to downgrade through jamming.
Also, TMSI only prevents tracking, not eavesdropping; it makes targeted eavesdropping harder but not impossible if you can track the target through other means.
I'm not positive on this, but I'm pretty sure it's mandatory in LTE. When you first register you send your IMSI (in the clear...) and they return a TMSI for you.
My quick skim through the code looks like it'll track that too though:
# Register IMSI as seen if a TMSI believed to
# belong to the IMSI is seen.
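Whether a capture holds a real IMSI or only a TMSI is decided by the type-of-identity bits of the Mobile Identity information element (3GPP TS 24.008 §10.5.1.4). The decoder below is an added example, not code from the gr-gsm tool or the IMSI-catcher project under discussion; the sample IEs are constructed (the test-PLMN IMSI 001010123456789 and an arbitrary TMSI), and the function names are my own.

```python
from dataclasses import dataclass
from collections import Counter

# Type-of-identity values from TS 24.008 §10.5.1.4 (low three bits of octet 1).
IDENTITY_TYPES = {0: "none", 1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}

@dataclass(frozen=True)
class MobileIdentity:
    kind: str
    value: str   # BCD digit string for IMSI/IMEI/IMEISV, 8 hex chars for TMSI

def decode_mobile_identity(ie: bytes) -> MobileIdentity:
    """Decode the value part of a Mobile Identity IE (length octet removed)."""
    if not ie:
        raise ValueError("empty Mobile Identity IE")
    kind = IDENTITY_TYPES.get(ie[0] & 0x07)
    if kind is None:
        raise ValueError(f"unknown identity type {ie[0] & 0x07}")
    odd_digit_count = bool(ie[0] & 0x08)
    if kind == "none":
        return MobileIdentity(kind, "")
    if kind == "TMSI":
        # Octet 1 carries filler 1111 in its high nibble; octets 2-5 are the TMSI.
        if len(ie) != 5 or ie[0] >> 4 != 0xF:
            raise ValueError("malformed TMSI identity")
        return MobileIdentity(kind, ie[1:].hex().upper())
    # BCD identities: digit 1 sits in the high nibble of octet 1, then each
    # following octet holds the lower-numbered digit in its low nibble.
    digits = [ie[0] >> 4]
    for octet in ie[1:]:
        digits += [octet & 0x0F, octet >> 4]
    if not odd_digit_count:
        if digits[-1] != 0xF:
            raise ValueError("even digit count requires 0xF filler")
        digits.pop()
    if any(d > 9 for d in digits):
        raise ValueError("non-decimal digit in BCD identity")
    return MobileIdentity(kind, "".join(map(str, digits)))

def tally_identities(ies: list[bytes]) -> Counter:
    """Count identity kinds seen, so IMSIs and TMSIs are reported separately."""
    return Counter(decode_mobile_identity(ie).kind for ie in ies)

# Constructed sample IEs (not captured traffic): test-PLMN IMSI and a TMSI.
SAMPLE_IES = [
    bytes.fromhex("0910101032547698"),  # IMSI 001010123456789, odd digit count
    bytes.fromhex("F412345678"),        # TMSI 0x12345678
    bytes.fromhex("F412345678"),        # the same TMSI seen again
]
```

Running `tally_identities(SAMPLE_IES)` reports one IMSI and two TMSI sightings, which is the distinction a sniffer's output should preserve instead of labelling every identity an IMSI.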
Odd that they say "Note that the IMSI-catcher would still need to have Ubuntu on the Pi, which it is not traditionally designed for" - I mean, I see the README wants you to add a PPA for gr-gsm[1], but that shouldn't be a problem on stock Raspbian (or another Debian-based distro).
Tested now. It works just fine, with the proper antenna. RTL-SDR is a receiver; with this toy you can only sniff some non-encrypted data exchange between the phones and the cell towers, for example IMSI numbers (as its name explains). You can't do MITM attacks or intercept anything.
Besides the software compatibility with protocols different from GSM (2G) there is a serious hardware problem: RTL-SDR dongles can't operate above 1.4 GHz. This limit is for the better models (i.e. those with better shielding). In my experience the cheap models like the one mentioned in the article have problems above 1 GHz. I'm telling you because GSM supports ~900 MHz and ~1800 MHz frequencies and, as I tested, only the traffic around 900 MHz is visible. So, even in the 2G domain, you can't see everything.
Some SDR devices can go higher than 1800MHz, the HackRF One for example receives and transmits from 1 MHz to 6GHz and has been used to decode some GSM and LTE traffic.
Exactly, I have a "premium" RTL-SDR and I see only the traffic on the 900 MHz band. A more expensive SDR is required to sniff seriously. This is amateur hardware; professional hardware (such as the models described in the Snowden documents) can reach 100k E or more. That hardware can process every frequency, more frequencies in parallel with maximum reliability, which $20 hardware simply can't. A good compromise can be one of the commercial SDRs like Lime, etc.
I've been working in this space for the last few months. While you are correct, you can buy and easily modify a cheap downconverter to receive frequencies quite a lot higher than the plain old rtl-sdr by itself. [0]
Technically you could use one of the older (or custom ~$40) rtlsdr dongles with the Elonics E4000 tuner which goes all the way up to 2200 MHz (I have a couple). They're what I use for doing any >1400 MHz work with dongles. They'd work just fine with this toolset.
This is a "device to catch IMSIs", but the thing commonly called an IMSI catcher is much more than that - those are entire fake cells that MitM the traffic and can actually intercept calls. This device can't do that, making the title highly misleading.
I'm not super familiar with how cellular networks operate, but isn't there a way to authenticate the session with the tower so that the IMSI doesn't get transmitted to a snooping party? If we do it with laptops and wifi APs, can't we also do it with phones?
Finger print scanners and facial recognition are prevalent on phones these days, would that be a solution to circumvent this vulnerability?
* 3G has no integrity protection. Downgrade attacks from 3G->2G work.
Also, it's the base station who decides if authentication and encryption is done. Fake base stations can still be used to track location, intercept calls and data.
* LTE/4G has mutual authentication and mandatory integrity protection. In theory you can't get IMEI if the message has no integrity but the protocols are not perfect.
LTE/4G can still be intercepted by using jammers, DoS attacks or exploiting weaknesses in the protocols and implementations to force a downgrade. Some messages in the protocols still go unencrypted and without authentication. It's for example possible to edit voice domain preference or send "LTE services not allowed" messages or edit the list of supported protocols to force downgrade.
To clarify: GSM is essentially the first cellular protocol that does meaningful user authentication; on the other hand there is no way for the user to explicitly authenticate the network. In the usual operating mode the session is implicitly bidirectionally authenticated by the fact that both UE and network have to be able to derive the same Kc, but nothing prevents the network from just ignoring the authentication response from the UE and continuing in plaintext mode.
You could encrypt the (T)IMSI somehow, but using what? You could use a pre-shared key but then to support roaming this would have to be shared among operators but that’s trivial to defeat for state actors. You could go for an asymmetric scheme like HTTPS but there has to be some way for the network to “get back to you” much as you have to reveal your IP Address to kick off a TLS handshake. You can’t rely on alternative addressing schemes because then how do you allocate these? You have to stick your head over the parapet at some stage.
This is the nature of the zero-trust peer-to-peer nature of the global telephony system.
I wonder if there’s an application for some kind of a blockchain here ..
EDIT: just to note, in your example of laptops and wireless APs, you must reveal at the very least your MAC address, which is if anything less secure because it doesn't change - at least not trivially.
An IMSI catcher is not a hacked femtocell. It basically just tracks nearby cell phones. A hacked femtocell, which is what you're thinking of, could do this.
They are sometimes encrypted, but setting up a cell tower proxy (femtocell) lets you disable encryption to connected devices, and then you can read any texts sent/received through your femtocell. Watch the DEF CON/Black Hat presentations showing this. The first one I remember watching was maybe 10 years ago.
This particular implementation cannot read SMS data, so it's not really 'yet another reason'. There are ways to MITM the connections between cell phones and towers (e.g. Stingray), but this is not one of them.
1) This doesn’t allow anyone to read anything, it only allows you to inspect phone identifiers which today are random anyhow.
2) Your security needs only to be as strong as your likely adversary. OTP over SMS is fine for most use cases. In any case this isn't an argument against it; networks with piss-poor controls over SS7 (which could allow you to reroute calls and texts to another number) or networks that allow you to access voicemail without a password if you spoof the origin number are.
Yes, SMS-based 2FA isn't going to be resilient against a state actor, but that shouldn't be the adversary you protect yourself against; if it is, you've already lost.
In nearly all other cases it's fine; attacks against it aren't scalable and are extremely hard to pull off outside of purely academic exercises, and the benefits from the added security are considerable when compared to the use of only passwords or pre-generated auth codes.
SMS-based 2FA is a joke not just because of SS7 attacks, but mostly because most (if not all) phones are set to display SMS messages on the lock screen.
So go grab somebody's phone and enjoy access to anything that uses SMS-based 2FA, because those messages are going to be shown even if you are unable to unlock the phone. Far from "academic exercises" or "state-level actors", I'd say.
If you can grab a phone from someone you can execute a much simpler physical attack called rubber hose cryptanalysis :)
So yes, what you are describing is nonsensical: you need to know the target, be able to steal their device, and use it within a time frame before it would be disabled.
And this is if they don’t use say an iPhone or an Android phone with biometric login which often hides the notifications.
Also the biggest hole in this premise is that you wouldn’t even care if the device displays texts when locked or not since if you have the device you can take out the SIM and put it into your own phone.
So based on this any TOTP or U2F token is useless since they can be stolen and used.
Seriously if this is your threat model I don’t think you should leave the house since you are clearly in a lot of danger.
Grabbing phones off people doesn't scale, and is reasonably hard to pull off since you need to first map from the online identity to the exact physical location, then actually physically get there yourself.
Much easier to just social engineer the provider into giving you a replacement SIM.
Grabbing phones off people also means it doesn't matter if they display messages or not; if you have the SIM you don't need their device.
This isn't any different than stealing a YubiKey off someone; it's game over.
Also at least in the U.K. it’s pretty hard to get a replacement SIM through social engineering you either need an ID in store or they send it to your billing address only with signed post.
In either case the previous SIM would be disabled on the spot, which would likely mean that the owner would notice and block it before this can be leveraged for an attack, and this is also less scalable than stealing phones since it's actually more involved in most cases.
Don't you also need to crack the encryption? Yes, it's pretty fast, but it does drive up the cost at least 10x. I'm not saying that's a lot, but it's no $20.