LTE IMSI Catcher

GSM IMSI catchers preyed on a design flaw in GSM: the phone authenticates to the network, but the network never has to authenticate to the phone. But we have LTE now, why worry? No one has an LTE IMSI catcher, right? Wrong. [Domi] is here with a software-defined base transceiver station that will catch your IMSI faster than you can say “stingray” (YouTube video, embedded below).

First of all, what is an IMSI? IMSI stands for International Mobile Subscriber Identity. If an IMEI (International Mobile Equipment Identity) is your license plate, your IMSI would be your driver’s license. The IMEI is specific to the phone. Your IMSI, stored on the SIM, is used to identify you: its first three digits are the Mobile Country Code, the next two or three are the Mobile Network Code, and the rest is your subscriber number, so anyone who reads it knows your home country, your carrier and which subscriber you are.

Now, with terminology in tow, how does [Domi] steal your IMSI? Four words: Tracking Area Update Request. When a phone moves into a new tracking area it sends the network a Tracking Area Update Request, which normally carries only a temporary identity (the GUTI), not the IMSI. The catch is that LTE lets a base station answer that request before any security context exists on the connection, and certain reject causes tell the phone to delete its temporary identity and its authentication keys and start over with a fresh attach. With authentication out of the way, [Domi] spoofs a tower, waits for phones to connect, requests the phone’s IMSI (an Identity Request for the IMSI is one of the few messages a phone will answer without integrity protection) and then rejects the phone’s request so it wanders back to a real tower, all under the nose of the phone’s user.
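To make that exchange concrete, here is a small Python model of the phone’s side of it, added for this write-up; it is not [Domi]’s code and not part of any LTE stack. The rule it implements is the one in 3GPP TS 24.301 section 4.4.4.2 (which messages a phone still processes unprotected before secure NAS exchange is established) together with the section 5.5.3.2.5 handling of a Tracking Area Update Reject with EMM cause #9 (“UE identity cannot be derived by the network”). The dictionary-style messages, cell names, the IMSI and the MNC-length table are constructed for illustration, not real NAS encoding or a real subscriber. It also decodes the IMSI into the MCC/MNC/MSIN fields described above.

```python
from dataclasses import dataclass, field
from typing import Optional

# EMM cause values from 3GPP TS 24.301 Annex A.
CAUSE_UE_IDENTITY_CANNOT_BE_DERIVED = 9   # UE drops GUTI and security context, re-attaches
CAUSE_NOT_AUTHORIZED_FOR_CSG = 25          # a reject with this cause is NOT accepted unprotected

# TS 24.301 4.4.4.2: until secure NAS exchange is established on the current
# signalling connection, the UE still processes these messages unprotected.
ACCEPTED_UNPROTECTED = {
    "IDENTITY_REQUEST",              # only when the requested identity is the IMSI
    "AUTHENTICATION_REQUEST",
    "AUTHENTICATION_REJECT",
    "ATTACH_REJECT",
    "TRACKING_AREA_UPDATE_REJECT",
    "SERVICE_REJECT",
}

# MCCs whose networks use 3-digit MNCs (constructed, partial table; a real
# decoder needs the full ITU-T E.212 list).
THREE_DIGIT_MNC_MCCS = {"310", "311", "312", "313", "316"}


def split_imsi(imsi: str):
    """Decode an IMSI into (MCC, MNC, MSIN)."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 6 to 15 digits")
    mcc = imsi[:3]
    mnc_len = 3 if mcc in THREE_DIGIT_MNC_MCCS else 2
    return mcc, imsi[3:3 + mnc_len], imsi[3 + mnc_len:]


@dataclass
class UE:
    imsi: str
    guti: Optional[str] = "guti-0001"   # temporary identity issued by the home network
    ksi: Optional[int] = 3              # key set identifier; None means no security context
    secure_exchange: bool = False       # per NAS connection, reset on every new cell
    trace: list = field(default_factory=list)

    def camp_on(self, cell: str):
        self.secure_exchange = False
        self.trace.append(f"camped on {cell}")
        return self.initial_message()

    def initial_message(self):
        if self.guti is not None:
            return {"type": "TRACKING_AREA_UPDATE_REQUEST", "id": self.guti}
        # No temporary identity left: the Attach Request itself carries the IMSI.
        self.trace.append("ATTACH_REQUEST with IMSI in clear")
        return {"type": "ATTACH_REQUEST", "id": self.imsi}

    def accepts_unprotected(self, msg) -> bool:
        if msg["type"] not in ACCEPTED_UNPROTECTED:
            return False
        if msg["type"] == "IDENTITY_REQUEST" and msg.get("id_type") != "IMSI":
            return False
        if msg["type"].endswith("_REJECT") and msg.get("cause") == CAUSE_NOT_AUTHORIZED_FOR_CSG:
            return False
        return True

    def receive(self, msg):
        """Apply the integrity-check rule, then act on the message. Returns the UE's reply or None."""
        if not msg.get("protected", False) and not self.secure_exchange:
            if not self.accepts_unprotected(msg):
                self.trace.append(f"dropped unprotected {msg['type']}")
                return None
        t = msg["type"]
        if t == "IDENTITY_REQUEST":
            self.trace.append("IDENTITY_RESPONSE with IMSI in clear")
            return {"type": "IDENTITY_RESPONSE", "id": self.imsi}
        if t == "TRACKING_AREA_UPDATE_REJECT" and msg["cause"] == CAUSE_UE_IDENTITY_CANNOT_BE_DERIVED:
            # TS 24.301 5.5.3.2.5: delete GUTI, TAI list and KSI, go EMM-DEREGISTERED, re-attach.
            self.guti, self.ksi = None, None
            self.trace.append("TAU rejected (#9): deleted GUTI and KSI")
            return self.initial_message()
        return None


def run_catcher(ue: UE):
    """The rogue cell's side of the exchange. Returns every identity it saw in the clear."""
    seen = []
    msg = ue.camp_on("rogue-eNB")                  # TAU Request: only the GUTI, useless to us
    seen.append(msg["id"])
    # 1. Ask outright: an unprotected Identity Request for the IMSI is processed.
    reply = ue.receive({"type": "IDENTITY_REQUEST", "id_type": "IMSI"})
    seen.append(reply["id"])
    # 2. An unprotected Attach Accept is dropped: without keys we cannot keep the phone.
    ue.receive({"type": "ATTACH_ACCEPT", "guti": "guti-evil"})
    # 3. Reject the update so the phone wipes its context; it comes back with an Attach
    #    Request carrying the IMSI, then we reject that too so it goes looking for a real cell.
    reply = ue.receive({"type": "TRACKING_AREA_UPDATE_REJECT",
                        "cause": CAUSE_UE_IDENTITY_CANNOT_BE_DERIVED})
    seen.append(reply["id"])
    ue.receive({"type": "ATTACH_REJECT", "cause": 11})
    return seen


if __name__ == "__main__":
    phone = UE(imsi="310150123456789")   # constructed IMSI, not a real subscriber
    print(run_catcher(phone))
    print(split_imsi(phone.imsi))
    print("\n".join(phone.trace))
```

Two things the model makes visible that the prose does not: the phone hands over its IMSI twice (once in the Identity Response, once in the Attach Request it sends after the reject wiped its GUTI), and the one message the rogue cell cannot get away with is anything that is not on the unprotected allow-list, such as an Attach Accept, which is why a catcher of this kind can identify a phone but not keep it.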

Now, before you don your tinfoil hat, allow us to suggest something more effective. Need more cell phone related hacks? We’ve got your back.

19 thoughts on “LTE IMSI Catcher”

    1. Yes, exactly. That’s what he meant with the car analogy — you can drive any car, but only with your driver’s license (IMSI, stored on a SIM). And each car has its own license plate (IMEI). One identifies you (or the person paying the phone bill) and the other identifies the phone.

    2. Yes! My genius software engineer, aka MENACE, remotely installed his own Stingray software on a laptop and on my work laptop, etc.

      But the fact that I went through over 60 different phones under different names and addresses

      Yet they would immediately get compromised and
      ALL CHANGED THEIR SIM CARD STATUSES TO HOME

      WTH??

  1. IMO, you still can’t clone someone this way. There is the IMSI and the Ki private key. Back in the day, to clone SIM cards you needed both. Ki was the hardest part. All of this required physical access to the SIM.

      1. Keywords: COMP128, simscan, Dejan Kaljevic (RIP 2015).
        Ki extraction finally became impossible around ~2005 (in Europe); that’s when most providers swapped all SIM cards for V2. V2 cards employ either a read limit (64K reads = blocked card) or throttle valid responses (more than x reads per second = returns garbage).
        There is a hoax about magical methods to extract Ki from V2 using side-channel power analysis… by using an ordinary SIM reader and a “special” program :). Said program is a repackaged Dejan’s simscan + trojan sending all extracted V1 Ki + IMSI to the author of the scam.

        Maaaaybe something like ChipWhisperer could work on later cards.

  2. Knowing where an IMSI device is, is essential to being able to receive calls. So of necessity it must be possible for a switch to ask other networks if they can contact an IMSI. The handoff from one cell to the next requires that phones respond to queries from other cells. To avoid dropped calls, cells must maintain state on active calls and recently active calls, as the unit may move between cells or propagation may cause a handoff.

    Asking for a system that can’t track you is like asking for dry water.

    FWIW, I saw an HP communications monitor with the cellular base simulation option at a “buy it now” of $499. Which is a “stingray” without the marketing hype. Whatever the mobile communications system, it always needs a communications monitor for testing and servicing the equipment.

    1. A system which can’t track can exist, but it would have to work by the network-flooding paradigm, i.e. no addressing exists on the network layer and each communication is a broadcast of “to whom it may concern” encrypted packets. Each station checks if it can decrypt any received packet (and that means, if all functions as planned, all packets generated anywhere in the network!) and if it can recognize the packet as intended for the receiving station.

      It demands huge bandwidth for even modest traffic, and for modest network sizes. It also makes snooping inexpensive, provided the eavesdropper can solve the encryption.

  3. This is rather sweet. If you are wondering how could this be used:

    -work on the range to achieve at least >100m
    -deploy at the entrance of every Police station
    -deploy around your stash/crack houses

    You just became Batman.

    1. And if you think this is nothing special, check out the older Defcon (or maybe Blackhat?) presentation where someone demonstrated this and the Secret Service detail
      (accompanying the lying sack of shit NSA director) shat their pants.

    2. I don’t understand much of this guy’s technical vocabulary because I am not familiar with the terms. Do you know another tutorial to investigate more, because I am a victim of this type of machine? I can’t tell if you can see the same screen as the victim. Can you?

      Regards.

      1. It looks like this is for tracking targets, not eavesdropping. But it’s probably an important component of a system that can do the latter (under lte).

        But yeah, most of us would benefit from a “for dummies” version of this article.
