IMSI Catchers

Introduction

IMSI catching was one of the first practical attacks on GSM, leading to the development of devices called IMSI catchers, which gather all IMSIs that are active in a geographic area. An IMSI catcher can achieve this in two different ways: passive and active.

Fake Cell Towers

International Mobile Subscriber Identity (IMSI) catchers are used in mobile networks to identify and eavesdrop on mobile devices, namely cell phones. These catchers pose as cell towers, forcing nearby mobile devices to connect to them, even when the devices are not engaged in a telephone call.

What are the 3 techniques that allow an attacker to identify a user (by catching their IMSI) on a 4G cellular network (LTE)?

IMSI Catchers used for

Tracking Users

Eavesdropping on calls, data, texts

Man-in-the-Middle

Attack phone using operator system messages (e.g. Management interface, reprogram APN, HTTP-Proxy, SMS/WAP-Server...)

Attack SIM (SIM card rooting, otherwise filtered by most mobile carriers), Attack Baseband

Geo-targeting ads (e.g. SMS)

Intercept TAN, mobile phone authentication, ...

Catchers Availability

IMSI catchers are commercially available, though they are expensive and their sale is usually restricted to government officials.

Location Privacy

IMSI catching attacks mostly relate to the issue of location privacy, as the transmission of your IMSI reveals your approximate location.

Retrieving identities at a location (monitoring)

Retrieving a person’s location (tracking)