- IMSI-catcher
An IMSI-catcher is a device for forcing the transmission of the
International Mobile Subscriber Identity (IMSI) and intercepting GSMmobile phone calls.The GSM specification requires the handset to authenticate to the network, but does NOT require the network to authenticate to the handset. This well-known security hole can be exploited by an IMSI-catcher.
The IMSI-catcher masquerades as a
base station and logs the IMSI numbers of all themobile station s in the area, as they attempt to attach to the IMSI-catcher. It allows forcing the mobile phone connected to it to use no call encryption (i.e., it is forced into A5/0 mode), making the call data easy to intercept and convert to audio.IMSI-catchers are used by law enforcement and intelligence agencies.
Functionalities
Identifying an IMSI
Every mobile phone has the requirement to optimize the reception. If there are more than one base station of the subscribed network operator accessible, it will always choose the one, with the strongest signal. An IMSI-catcher masquerades as a base station and causes every mobile phone of the simulated network operator within a defined radius to log in. With the help of a special identity request, it is able to force the transmission of the IMSI.
Tapping a Mobile Phone
The IMSI-catcher subjects the phones in its vicinity to a
man in the middle attack , acting to them as a preferred base station in terms of signal strength. With the help of a SIM, it simultaneously logs into the GSM network as a mobile station. Since the encryption mode is chosen by the base station, the IMSI-catcher can induce the mobile station to use no encryption at all. Hence, it can encrypt the plain text traffic from the mobile station and pass it to the base station.There is only an indirect connection from mobile station via IMSI-catcher to the GSM network. For this reason, incoming phone calls cannot be patched through to the mobile station by the GSM network.
UMTS
Since UMTS considers
mutual authentication , a man-in-the-middle attack as on GSM is not successful. But, to provide a high network coverage, the UMTS standard allows for inter-operation with GSM. Therefore, not only UMTS, but also GSM base stations are connected to the UMTS service network. This fallback is a disadvantage concerning the security and allows a new possibility of a man-in-the-middle attack. For further information see [ [http://www.cs.stevens.edu/~swetzel/publications/mim.pdf Ulrike Meyer and Susanne Wetzel: A Man-in-the-Middle Attack on UMTS. ACM workshop on Wireless security, 2004] ] .Disclosing Facts and Difficulties
The assignment of an IMSI-catcher has a number of difficulties:
# It must be ensured, that the mobile phone of the observed person is in standby mode and the correct network operator is found out. Otherwise, for the mobile station, there is no need to log into the simulated base station.
# Depending on the signal strength of the IMSI-catcher, numerous IMSIs can be located. The problem is to find out the right one.
# All mobile phones in the catchment area have no access to the network. Incoming and outgoing calls cannot be patched through for these subscribers. Only the observed person has an indirect connection.
# There are some disclosing factors. In most cases, the operation cannot be recognized immediately by the subscriber. But there are a few mobile phones that show a small symbol on the display, e.g. an exclamation point, if encryption is not used. Another point is the calling number. Since the network access is handled with the SIM/USIM of the IMSI-catcher, the receiver cannot see the number of the calling party. Of course, this also implicates that the tapped calls are not listed in the itemized bill.
# The assignment near the base station can be difficult, due to the high signal level of the original base station.See also
* Telephone tapping, cellphone location data
References
External links
* [http://www.crypto.rub.de/imperia/md/content/seminare/itsss07/imsi_catcher.pdf Seminar IMSI Catcher]
Wikimedia Foundation. 2010.
