How Cell Site Stimulators Work

Commonly known as Stingrays or IMSI catchers, cell-site stimulators are devices that masquerade as legitimate base stations or cell phone towers, tricking nearby phones into connecting to the device in order to capture the content of communications or log the International Mobile Subscriber Identity (IMSI) numbers of cell phones in the area. IMSI is an identifying number that is unique to each mobile phone.

How It Works

A cell-site stimulator works by exploiting a mobile phone’s behavior of always seeking out the strongest base station or tower signal in the vicinity in order to minimize its own power consumption and maximize the signal quality.

It actively interferes in communications between base stations and mobile phones by acting as a transceiver (simultaneously receiving and transmitting).

Typically, cell-site stimulators receive signals from phone users and then pass these to base stations, but not before skimming off various types of data in the process.

They can be used to determine the type of phone that an individual is using by collecting identification information for the phone in areas that the subject is expected or known to be in- a practice that inevitably results in the acquisition of information from all other cell phones in the area.

While mobile phones do use encryption for content, a cell-site stimulator can easily turn off such encryption without issuing a notification that the encryption is no longer in use.

 stingray-cell-site-simulator

Data collected by a cell-site stimulator

Generally, cell-site stimulators are used for locational information. However, in addition to locating, tracking, and identifying, they can also perform much more active operations including but not limited to:

  • Tracking location by triangulating the signal strength of other base stations visible to the device.
  • Collecting information that identifies a mobile device, such as IMSI numbers.
  • Determining a previously unknown IMSI number of a subject under investigation by collecting IMSI numbers in areas where the person is believed to be using the device.
  • Making fake calls and sending fake text messages to and from a target.
  • Collecting metadata about calls such as numbers dialed, outgoing or incoming calls’ status, the mobile phone’s Electronic Serial Number (ESN), the time, date, and duration of call, and the cell-site sector/number (the location of the mobile phone when a call was connected).
  • Sending SMS spam that is geo-targeted.
  • Intercepting data transmissions including web pages visited, numbers dialed, and other such information.
  • Recording communications and eavesdropping on content such as text messages and voice calls by carrying out man-in-the-middle attacks.
  • Conducting denial of service attacks that prevent phone users from accessing data services or even placing calls.
  • Potentially delivering ‘flash’ (rewrite) firmware or malware, the former being a permanent software that is programmed into a read-only memory which governs essential processes.

Rangehow a cell site simulator works

While it may be hard to get exact details, cell-site stimulators can cover a range of a mile for low grade

IMSI catchers and as much as 100 miles for passive interception devices with very large antenna.

Networks

Although there are cell-site stimulators that only function with GSM (Global System for Mobiles) networks, there are those that work with CDMA (Code Division Multiple Access), with some working only on 2G or 3G networks. Advances in technology now ensure that cell-site stimulators can also operate on 4G networks and whether a phone is on 3G or 4G, it can be forced to downgrade so as to facilitate the use of this device.