A Comprehensive Guide to How IMSI Catchers Work

An IMSI Catcher is a phone eavesdropping device used for tracking the movement of cell phone users and intercepting their mobile phone traffic. It is essentially a fake base tower that sits between the service provider’s real towers and the target cell phone, which explains why it is commonly described as a Man-In-The-Middle attack.

Today, IMSI Catchers are used in some countries by intelligence and law enforcement agencies, although their use has raised significant privacy and civil liberty concerns, with calls for stricter regulations.

Background

Telephone networks are broadly divided into two types: mobile and physical.

The latter runs on the PSTN (the Public Switched Telephone Network) and serves your home phone. Mobile networks, however, are more dominant in this communication age and are used to relay mobile communications to the PSTN.

The most prominent of these mobile networks are GSM (Global System for Mobile Communications) networks, which are used in our everyday communication. Another system, known as Code Division Multiple Access (CDMA), operates in a similar manner and exists only in North America. The major difference between these networks lies in the realm of security.

Additionally, there are Next Generation Networks (NGN) which, in a nutshell, broadly consist of the better-known 3G and 4G. These networks turn your cell phone into a data transmitter, which smartphones then employ to deliver applications almost instantly. These are our global system of communication networks which, sadly, are also the target of multiple surveillance technologies.

As cell phone data travels over GSM networks, it may be intercepted passively anywhere between the phone and the base tower it is communicating with. Since a base tower is the phone’s first contact point with the rest of the mobile network, passive interception operates by tuning into the tower and receiving the uplink signal from the cell phone and the downlink signal from the tower.

The downlink signal is the information sent from the base tower to the phone (replies to messages and calls), while the uplink signal is the information sent from the phone to the base tower (the content of messages and calls).

By just tuning surveillance equipment receivers onto the correct frequencies that the downlink and uplink operate on, cell phone monitoring technology can gain access to whatever information is being transmitted between the base station and the phone under surveillance.

In fact, the additional protections offered by GSM networks, in the form of ciphers meant to guard against prying eyes, were reverse engineered in 1999, meaning that they are now completely decipherable. In practice, all communications sent on GSM networks are prone to deciphering, interception, and storage within a matter of seconds. Let that sink in for a minute: all communication on GSM devices can be easily captured, tracked and stored permanently. The diagram below explains how using a similar system known as a stingray

[Figure: how a stingray works]

Faking the Signal

An IMSI Catcher is a cell phone monitoring kit that has active intercept capabilities, i.e. a phone mast that is not part of the official network but gathers the IMEI (handset) and IMSI (SIM) details of every cell phone that comes into range. Traditionally, these devices (or Stingrays, as they are known in the U.S.) can capture various pieces of identifiable information, including the IMSI and IMEI: identifiers for your SIM card and cell phone respectively. Nowadays, IMSI Catchers are sophisticated enough to record message and voice data as they travel through cell phone networks.

As noted earlier, an IMSI Catcher carries out interception by presenting itself as a cell tower on the mobile network (the station that your cell phone connects with when it wants to send a message or place a call).

The IMSI Catcher (now mimicking a base tower) then enters the network as the strongest tower available, meaning that all cell phones operating in the area connect to it. Once connected, the catcher has each cell phone hand over its IMEI and IMSI data, and once these have been gathered it becomes possible to monitor the phone’s operations: the messages being sent, the voice calls being placed, and its location.

This system is described as active because it entices signals towards itself. Passive monitoring, by contrast, does not entice the signal; it sits silently between the base tower and the phone and does not replace the tower's operations as an IMSI Catcher does.

Advantages of Passive Interception

The advantage of passive interception, however, is that its operation is almost impossible to detect, whereas an IMSI Catcher can easily be detected by a network operator owing to the active enticing that it engages in.

There are numerous network types now in operation, all with different operating standards, features, and capabilities, which means that cell phone monitoring technology needs to adapt to interception on these networks as well. 3G networks (also referred to as UMTS) differ from 2G networks, which are better known as CDMA/GSM.

Cell monitoring on 3G networks identifies handsets by grabbing the IMEI and IMSI and, depending on decryption capabilities, intercepts content or messages.

Further, 3G jammers are now being added to mobile phone monitoring systems. They identify the devices operating on 3G (UMTS) and then force them into GSM (2G) mode for content interception, using technologies that can rapidly decrypt ciphers and thus open up the cell phone’s activities for interception over the network.

Location tracking of cell phones in 3G can be achieved without forcing the device onto 2G, signaling an increasing ability to carry out monitoring on these networks. Interception over 3G networks of messages and call content is, therefore, not that far away. Here, tracking occurs through triangulation of the cell phone to the nearest base tower. Targets can be tracked extremely accurately in real time.

Mobile phones are in constant communication with various cell towers, searching for the strongest signal that will best send a message or host a call, and it is this never-ending search for powerful connections that makes IMSI Catchers so effective. It is also why location tracking has proved so effective, sometimes providing accurate readings of a target’s location to within 30 meters.

Man-In-The-Middle Attacks and How They Work

MITM attacks are also known as “cell site simulator”, “stingray”, “dirtbox” and now the more ubiquitous IMSI Catcher. They all work by simulating the cell phone base station and establishing a fake connection between the GSM phone and the station.

The IMSI Catcher represents the latest evolution in a long tradition of the same technology. While there are few countermeasures for modern IMSI units, future models promise more robust design and better software. IMSI catchers represent one of the most potent forms of surveillance, one that has been adopted by military units, law enforcement agencies, state organizations, spies, hackers and criminal organizations.

Although this transition into civilian use only appeared recently, coinciding with Western media coverage of IMSI use by local officials, this time of surreptitious usage has passed and the number of civil entities now purchasing IMSI units has skyrocketed.

Until recently, the secrecy of the technology led manufacturers to require clients to sign non-disclosure agreements that absolutely forbade public discussion. As more people became aware of the power of such units, hackers and tech enthusiasts started to build their own devices. The result was a surge in the number of manufacturers, causing IMSI catcher prices to drop dramatically.

As it stands now, IMSI Catchers are 100% legal, part of a thriving lawful interception industry. Estimates predict the industry will be worth $1.3 billion by 2019, a huge increase from $251 million in 2014. As this industry grows and IMSI technology improves, cell phone manufacturers will be forced to respond, creating an equally large anti-IMSI industry. As it currently stands, IMSI catchers are available to civilians and are affordably priced.

The Game of Cat and Mouse


As the industry expands and IMSI catcher use proliferates, so do the countermeasures required against it. This is characteristic of the intelligence/counter-intelligence industry as a whole. Technology innovation will progress in a “Red Queen” phenomenon. Already, several countermeasures have been released that effectively locate nearby IMSI devices.

Publicly known instruments include the IMSI Catcher Catcher, SnoopSnitch, and AIMSICD. While the last two represent software-based detection, the ESD America CryptoPhone 500i is capable of IMSI detection.
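The behaviours described earlier (a previously unseen tower that suddenly becomes the strongest, a forced drop from 3G to 2G, and requests for the IMSI and IMEI) can be combined into a simple detection score. The sketch below is an added example, not part of the original article and not the code of SnoopSnitch, AIMSICD or any other tool named here; the field names, thresholds and sample observations are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class CellObs:
    t: int                # seconds since start of capture
    rat: str              # radio access technology: "3G" or "2G"
    cell_id: int          # serving cell identifier
    rssi_dbm: int         # serving-cell signal strength
    id_requests: int = 0  # IMSI/IMEI identity requests seen on this cell

# Thresholds are assumptions for this example, not values from a real tool.
STRONG_JUMP_DB = 20   # signal gain on a cell change that counts as "sudden"
MIN_REASONS = 2       # one indicator alone is normal network behaviour

def score_observations(obs, known_cells):
    """Return (time, cell_id, reasons) for serving cells that look suspicious."""
    alerts, prev = [], None
    for o in obs:
        reasons = []
        changed = prev is not None and o.cell_id != prev.cell_id
        if o.cell_id not in known_cells:
            reasons.append("unknown cell")
        if changed and o.rssi_dbm - prev.rssi_dbm >= STRONG_JUMP_DB:
            reasons.append("sudden strongest tower")
        if prev is not None and prev.rat == "3G" and o.rat == "2G":
            reasons.append("3G->2G downgrade")
        if o.id_requests:
            reasons.append("identity request")
        if len(reasons) >= MIN_REASONS:
            alerts.append((o.t, o.cell_id, reasons))
        prev = o
    return alerts

# Constructed sample: cells previously seen at this location, then a capture.
KNOWN = {1001, 1002}
SAMPLE = [
    CellObs(0, "3G", 1001, -95),
    CellObs(60, "3G", 1002, -90),                  # ordinary handover
    CellObs(120, "2G", 9999, -55, id_requests=2),  # several indicators at once
    CellObs(180, "2G", 9999, -54),
    CellObs(240, "3G", 1001, -96),
]

if __name__ == "__main__":
    for t, cell_id, reasons in score_observations(SAMPLE, KNOWN):
        print(f"t={t}s cell={cell_id}: " + ", ".join(reasons))
```

Requiring at least two indicators keeps an ordinary fallback to a known 2G cell from raising an alert.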

Putting It All Together

Remember, off-the-air interception is not the only way that cell phones can be intercepted. Access can also be obtained through the placement of physical probes on mobile networks. This entails moving further into the mobile network, past the wireless base towers and into the cell switching centers that host and operate information on base tower groups.

The additional information that can be collected, besides call content, is what is commonly referred to as Call Data Records (CDR): the metadata of phone calls which, as with metadata gleaned from internet monitoring, holds much more information that enables the easy identification and tracking of potential targets.

Ideally, the above probes ought to operate in what is known as a lawful interception framework. This does not mean that interceptions are guaranteed to be lawful, just that they should meet the technical standards set by the appropriately tasked legal bodies that require information to be handed over by mobile network providers in a specified format and with certain pieces of information attached.

The future of IMSI catchers is still unknown, yet one thing is clear: they work extremely effectively and the technology is open to any member of the public to use, legally.