While you rely on your phone to seamlessly connect with cell towers, what happens when the tower isn’t actually a tower? An IMSI catcher (also known as a Stingray or cell-site simulator) is a device that pretends to be a real cell tower in order to trick surrounding phones into connecting to it. When a phone connects to an IMSI catcher, the intercepting device can capture the phone’s International Mobile Subscriber Identity (IMSI) number, track the phone’s location, and potentially intercept calls and text messages.
IMSI catchers work by emitting a one-watt signal that is more powerful than the signals from the cell towers near the phones. This emission forces the phone to connect to the IMSI catcher instead of the legitimate cell tower. The IMSI catcher will act as a man in the middle between the phone and the real network, stealing information as it passes through the IMSI catcher. Most people are likely to encounter these devices through law enforcement agencies that use them clandestinely as part of their investigation. But the existence of these devices is a concern to ordinary users with an everyday phone.
If people understand how IMSI catchers work, they will understand the risks and what they can do to mitigate those risks. There are many aspects of knowledge surrounding the topic of cell-site simulators that are valuable in today’s interconnected world, from the technical aspects of how the devices operate to simply learning detection and protective measures.
Core Mechanics of IMSI Catchers
IMSI catchers work by pretending to be real cell towers and tricking phones into connecting to them. These devices can then steal phone identities, intercept calls and texts, and force phones to use weaker security settings.
Understanding IMSI Catchers and Cell-Site Simulators
An IMSI catcher is a device that imitates a legitimate cell tower in order to capture mobile communication. These devices are also called cell-site simulators, Stingrays, or fake cell towers.
The IMSI catcher has two parts. The front end is the radio, which sends and receives radio waves just like a real tower. The backend is the cellular core network that a phone would expect to connect to for an IMSI catcher to function properly.
Today, anyone can build a basic IMSI catcher. You just need a software-defined radio (SDR) and a computer running base station software such as OpenBTS. This affordable technology is available to both law enforcement and criminals alike.
The primary target of the IMSI catcher is the International Mobile Subscriber Identity (IMSI). IMSI is a unique number that identifies each SIM card on cellular networks. Once captured, attackers can monitor the selected device.
How IMSI Catchers Impersonate Base Stations
IMSI catchers fool phones by appearing as the strongest or most attractive cell tower in the area. The method depends on the cellular technology being used.
In 2G GSM networks, phones automatically connect to the tower with the strongest signal. Base stations don’t need to prove their identity to phones. This makes impersonation simple for attackers.
Modern 4G LTE networks are harder to fool. Phones try to stay connected to their current tower if the signal is strong enough. IMSI catchers overcome this by:
- Masquerading as neighboring towers that phones recognize
- Operating on higher-priority frequencies that phones prefer
- Jamming 4G and 3G signals with white noise to eliminate real towers
Once a phone connects, the IMSI catcher performs a man-in-the-middle (MITM) attack. It sits between the phone and the real cellular network.
Collecting Device Identities and Data Interception
When a phone connects to an IMSI catcher, the device immediately requests the phone’s IMSI number. This happens during the normal connection process that phones expect.
The IMSI catcher can also collect other identifiers like the Temporary Mobile Subscriber Identity (TMSI). This rotating number helps networks track phones without constantly using the permanent IMSI.
Data collection capabilities include:
- Phone numbers and contact lists
- Call metadata (duration, time, participants)
- Text message content
- Location data through GPS or cell tower triangulation
- Internet browsing activity
- Device information and settings
The device clones the phone’s identity on the real network. It uses the stolen IMSI to authenticate with legitimate cell towers. This allows the attacker to route calls and data through their equipment.
Service Downgrading and Spoofing Authentication
IMSI catchers often force phones to use older, less secure networks. They typically push devices from 4G LTE down to 2G GSM networks where security is weaker.
2G networks have major security flaws:
- Encryption is often optional or disabled
- A5/1 encryption algorithms can be broken in real-time
- Authentication is one-way (tower doesn’t prove identity to phone)
- Communication interception is much easier
The spoofing authentication procedure gets around proper authentication by stealing the phone’s credentials. The IMSI catcher collects the phones’ responses to the network challenges and uses these responses to authenticate with actual cell towers.
Many modern phones contain TMSI (Temporary Mobile Subscriber Identity) rotation for privacy concerns. However, IMSI catchers can always force the phone into providing its permanent IMSI number by sending its special identity requests.
The device can also modify or obstruct communications. Some more advanced IMSI catchers can modify text messages, direct the calls, or inject a mobile phone with malicious data from an internet connection.
Risks, Detection, and Protection
IMSI catchers pose serious threats through location tracking and data interception, while detection remains challenging due to their stealth nature. Users can protect themselves through specific security measures and awareness of surveillance techniques.
Location Tracking and Surveillance Techniques
IMSI catchers (or, more generally, rogue base stations) make tracking a person’s precise location simple. They can open GPS coordinates or the signal from multiple real (but disguised) cell towers on a target. This is called trilateration, and it is used by law enforcement investigations and intelligence agencies as part of surveillance and the collection of intelligence on targets.
IMSI catchers can force those phones to share GPS coordinates based on the triangulation of cell towers or the signal received from the active real (but disguised) cell towers.
Location tracking attacks occur when a rogue base station convinces the target phone (or the access point) to connect to it as a base station, and it can track the phone using the trilateration process and identify places that the target routinely visits.
Smart paging (paging specific phones) sends special signals to specific phones. It can wake up phones and locate them without connecting to them (but the target phone highlights itself to the rogue base station.)
Location area test can be made to update an IMSI catcher more frequently than a target phone typically would. This would send the rogue outcome location updates throughout the day and show where the target is moving.
Detection Methods and Applications
IMSI catcher detection proves difficult because these devices mimic real cell towers. Most smartphones cannot tell the difference between fake and real towers on their own.
Several IMSI catcher detection applications exist for Android phones. AIMSICD (Android IMSI Catcher Detector) and SnoopSnitch help users spot suspicious cell tower behavior.
These apps look for warning signs like:
- Sudden drops from 4G to 2G networks
- Unusual identity requests from towers
- Missing encryption on cellular connections
- Signal strength changes without moving
Cell Spy Catcher devices offer more reliable detection for businesses and government buildings. These hardware systems monitor radio signals constantly and alert users when fake towers appear.
Detection apps require rooted Android phones to access cellular diagnostic data. This creates security risks since rooting removes important safety features from phones.
Mitigating IMSI Catcher Threats
There are a few mobile security measures users can take to protect against IMSI catchers. First, they can turn off 2G support. This will help limit the likelihood of success, as most fake mobile towers would exploit outdated network protocols.
Users can also use airplane mode, which is an additional strong protection for mobile device users traveling in high-risk places like airports or borders. Users can bring RF-shielding bags (Faraday bags) as an additional option, as they block radio signals while the phones are still powered on.
Finally, end-to-end encrypted messaging applications – like Signal – provide safe communication data, because they ensure an attacker cannot intercept the data, even if the attacker can monitor users’ communications. There is no way to prevent attackers from being able to read the content of messages, but by using Signal, it encrypts anything that a surveillance device could intercept.
Key protection methods include:
- Disable 2G networks in phone settings
- Use encrypted communication apps
- Enable airplane mode in sensitive locations
- Avoid sensitive calls in crowded public spaces
Spyware delivery through IMSI catchers requires users to be extra careful about app installations. Only download apps from official stores and keep phones updated with security patches.
Denial of service attacks can happen when fake towers overload phone connections. Users may notice slower data speeds or dropped calls when these attacks occur.