Overview
Mobile devices have become ingrained in our daily lives. They are used for a multitude of activities and allow us to connect with people and information easily. Although mobile devices offer a high level of convenience, they can be susceptible to many cyber security threats. A growing threat in mobile service exploitation is the cell site simulator (CSS). CSSs are devices that use hardware to impersonate legitimate cell towers. Threat actors use these to exploit mobile devices to conduct smishing campaigns and to steal sensitive information.
This publication provides information on how CSS devices work, the security risks you should consider, and the mitigation actions you can take to better protect against CSS exploitation.
Introduction
CSSs are devices used to imitate legitimate cell towers to try and connect nearby mobile devices. CSSs are used as a surveillance technology to identify, track and locate connected mobile devices by recognizing their unique identifying information. CSS devices are used by law enforcement and government officials to conduct legal operations, for example, target identification and location.
Threat actors are using CSSs to exploit mobile devices that connect to their fake network. The CSS device uses a strong broadcasting signal to trick mobile devices into connecting to the more powerful network. Once a device is connected, threat actors can spread malicious content and track device usage and location. This is a threat to both personal and organizationally issued devices, as any device that connects to the malicious CSS can share sensitive information or spread further threats.
Identifiable data
CSS devices can be used to identify user information on a mobile device to either track, locate or exploit further sensitive information. A mobile device’s international mobile subscriber identity (IMSI) number or international mobile equipment identity (IMEI) number is used to identify the device with the user. The IMSI is the unique number stored on the subscriber identity module (SIM) card used by mobile network operators (MNOs) to identify a subscriber on cellular networks. Some CSSs are used to collect these numbers to track, locate and block lost or stolen phones. Threat actors exploit this data collection and execute further malicious attacks.
Security considerations
Mobile devices face several risks when connecting to a malicious CSS. This section outlines potential threats that you and your organization may encounter from such attacks.
The following list includes the types of content that threat actors typically target:
- collecting data contents on devices
- collecting device and user identification
- tracking location
- collecting content of text messages (SMS) and calls
The following list covers different attack methods threat actors use and how they intend to exploit the information collected through CSS:
- spreading phishing campaigns
- embedding malware on devices
- introducing SIM-based malware
- spreading malware through connected devices and networks
- sharing misinformation, disinformation and malinformation (MDM)
- stealing sensitive and financial information
- altering SIM configuration
- preventing cellular and data services by infiltrating the network with a DoS attack
The threats involved with CSS devices are extensive and continuously advancing. The following section goes into further detail on some common types of CSS that threat actors use to compromise devices.
Types of cell site simulators
There are many different types of CSS that have varying purposes and uses. The following section provides details on common CSS devices and how they are used to compromise devices.
IMSI catchers
IMSI catchers are a type of CSS used to make configuration changes and gather sensitive information from mobile device users. The types of information they steal include:
- device and user identification, for example, the IMSI number
- location information
- metadata collected from voice calls, for example, contacts and duration of calls
- content of text messages (SMS) and calls
- data contents and usage, for example, websites visited
IMSI catchers are used to target high-profile individuals, for example, key personnel, executives and business operators. Threat actors use CSS devices to track location and movement, monitor business activities and coordinate organized crime. IMSI catchers are also used for targeted surveillance to correlate user identities to a device and gather information and intelligence during high-profile events.
IMSI catchers can be used in active or passive mode. Both modes have different purposes depending on the threat actor’s use-case and network involved.
Active IMSI catcher
An active IMSI catcher broadcasts network signals that are either stronger than legitimate cell towers or appear to be. This is used to make devices within range disconnect from their service provider’s legitimate network and establish a connection with the IMSI catcher. They may also attempt to downgrade the device to a 2G network, attempting to bypass network security protections to collect plaintext SMS content and audio call information.
Passive IMSI catcher
A passive IMSI catcher does not broadcast network signals as the active catcher does. It is used to exploit a network's existing connections by tracing and catching cellular transmissions in transit. Threat actors use this method to silently collect identifier information without revealing their presence.
For more information on IMSI catchers, read the Cyber Centre’s publication to Protect your devices from IMSI catchers (ITSAP.00.106).
SMS blasters
SMS blasters are a type of CSS that is primarily used to carry out text message (SMS) phishing attacks, known as smishing. They are also used to perform other malicious activities to steal sensitive and financial information or spread misinformation, disinformation and malinformation (MDM).
SMS blasters broadcast 4G signals to trick nearby devices into connecting to a stronger network than their current connection. After the connection has been established, SMS blasters will attempt to downgrade the device to 2G mode. SMS blasters take advantage of inherent vulnerabilities found in older 2G network standards that are still supported by modern devices. 2G network standards have unsecure authentication and encryption methods, allowing threat actors to bypass protections and filters implemented by MNOs to protect their customers. For more details on SMS blasters, read the Cyber Centre’s publication to Protect your devices from SMS blasters (ITSAP.00.104).
SMS blasters pose many threats to connected mobile devices. The most common threats are detailed below.
Smishing and fraud
Threat actors use SMS blasters to carry out smishing attacks. They send fraudulent messages that look legitimate to trick victims into clicking links and attachments or sharing sensitive information. SMS blasters allow threat actors to easily send thousands of smishing messages to mobile devices within range of the device. These messages can be generic or crafted for a specific scenario (for example, a sporting event or conference) or source (for example, bank authentication request).
Smishing attacks can lead to fraud with compromised credentials, unauthorized transactions and identity theft. This can leave your personal or your organization’s sensitive information at risk of being compromised.
Misinformation, disinformation and malinformation
SMS blasters allow threat actors to spread MDM through smishing attacks effectively to any connected device. Depending on the location and situation, threat actors can target specific events to spread MDM leading to serious concern. This is a major threat for high volume areas and event spaces, where the content of the MDM message can manipulate individuals and organizations into thinking there is a conflict or urgency.
For more information on recognizing MDM, read the Cyber Centre’s publication on How to identify misinformation, disinformation, and malinformation (ITSAP.00.300).
Alternative attack techniques
Some alternative attack techniques that facilitate similar attack methods to CSS include signalling attacks and SIM farms. Your organization should be aware of the following techniques.
Signalling attacks
Although SMS blasters and IMSI catchers require physical proximity, threat actors can use a technique called a signalling attack from anywhere in the world to achieve similar results. A signalling attack exploits the interconnections between global carriers necessary for roaming, specifically targeting the control layer of mobile networks rather than the mobile device itself. A threat actor in one country can track a user’s location or intercept their network traffic from anywhere in the world.
SIM farms
A SIM farm is a collection of SIM cards connected to servers and specialized hardware to interact with mobile networks at a large scale. SIM farms are used by legitimate agencies to test networks or manage internet of things devices, but they are also used by threat actors to facilitate cyber attacks. SIM farms use local numbers to appear legitimate and bypass network protections. These devices can be used to spread mass phishing scams and MDM, and to infiltrate networks to pursue denial of service (DoS) attacks.
Mitigation strategies for cell site simulator attacks
Threat actors use CSS devices to infiltrate networks and compromise devices without user awareness. Although these attacks can be difficult to mitigate, there are some security measures you and your organization can implement to best protect devices and networks from malicious CSSs.
The following guidance offers mitigation strategies for product stakeholders, distributors and users of mobile devices and infrastructure.
Mobile network operators
MNOs can implement security measures at the network and supply chain level. These measures are important to consider for the security of your networks, partnered organizations, customers and reputation.
Implement security tools to detect and respond to attacks
MNOs can use security tools to recognize active malicious devices attempting to infiltrate a network. The following list includes security measures your MNO can use to detect and respond to active CSS devices:
- use specialized tracking equipment to spot fake CSS devices and monitor network logs for unusual activities
- implement standalone solutions to monitor signalling layers that identify sudden volume spikes in radio and core-networking signals or abnormal registration patterns
- use analytics to catch abnormal SMS patterns or suspicious device identifications
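One way to implement the registration-spike check from the list above, shown as an added example that is not part of the original publication or any operator's tooling. It assumes the core network exports per-minute registration counts per cell; the record layout, cell names, baseline length and threshold factor are all hypothetical.

```python
from collections import defaultdict
from statistics import median

def spike_minutes(counts, baseline=10, k=6.0):
    """Indexes whose count exceeds median + k*MAD of the last `baseline` normal samples."""
    clean, flagged = [], []
    for i, c in enumerate(counts):
        if len(clean) >= baseline:
            ref = clean[-baseline:]
            med = median(ref)
            mad = median(abs(x - med) for x in ref)
            # Floor the MAD at 1 so a perfectly flat baseline does not alert on +1.
            if c > med + k * max(mad, 1.0):
                flagged.append(i)
                continue  # anomalies stay out of the baseline, so a sustained surge keeps alerting
        clean.append(c)
    return flagged

def detect(records):
    """records: (minute, cell_id, registration_count) tuples.
    Returns (cell_id, minute, count) for every minute flagged as a spike."""
    per_cell = defaultdict(list)
    for minute, cell, count in sorted(records):
        per_cell[cell].append((minute, count))
    alerts = []
    for cell, rows in per_cell.items():
        for i in spike_minutes([count for _, count in rows]):
            alerts.append((cell, rows[i][0], rows[i][1]))
    return alerts

# Constructed sample data (hypothetical): registrations per minute for two cells.
# cell-A shows a two-minute surge; cell-B stays at its normal level.
CELL_A = [20, 22, 19, 21, 20, 23, 18, 20, 21, 22, 20, 95, 110, 21, 19]
CELL_B = [5, 6, 5, 7, 6, 5, 6, 5, 6, 7, 6, 5, 6, 7, 5]
SAMPLE = ([(m, "cell-A", c) for m, c in enumerate(CELL_A)]
          + [(m, "cell-B", c) for m, c in enumerate(CELL_B)])

if __name__ == "__main__":
    for cell, minute, count in detect(SAMPLE):
        print(f"ALERT {cell} minute={minute} registrations={count}")
```

The baseline length and `k` need tuning against each cell's real traffic, since busy cells and event venues have very different normal variation.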
Enforce encryption measures
It is important to keep the information you and your users handle on devices and networks as secure as possible. Enforce the use of rich communication services (RCS) over standard SMS to offer more secure messaging. RCS is a modern communication protocol that verifies sender identities and enables end-to-end encryption for user-to-user communications. This will help end users keep the content used within the application more secure. It is important to note that RCS used for enterprise and commercial communications does not have the same security measures (threat actors can send fake messages impersonating a service provider).
Your MNO should also consider adopting subscription concealed identifier (SUCI) encryption for 5G networks. SUCI is meant to keep the identification data from leaking. Many 5G networks support null encryption (no encryption) measures, which diminishes this protection feature. IMSI catchers attempt to downgrade devices to earlier generation network signals where SUCI doesn’t exist.
Share intelligence
As you monitor real-time network data, you should update fraud management systems, blocklists and malicious URLs with other operators and government authorities. By using specialized direction-finding equipment that pinpoints exact locations of active CSS devices, your organization can help law enforcement track and seize malicious hardware.
It is also beneficial to collaborate with device makers and regulators within the mobile device industry on active cyber threats and security findings. This can help improve privacy features and strengthen device mechanisms to advance a more cyber secure infrastructure.
Device manufacturers
Implementing security features at the manufacturing level is an important protective measure for device manufacturers to consider. This offers users more security control over their devices by restricting network connections, for example, the option to disable 2G, and defaulting applications to secure messaging. By enforcing the use of encryption with mobile networks and applications, users will be more secure from CSS attacks stealing their sensitive information.
Device manufacturers may also include warning messages that alert users when unsecured networks are detected or in use.
Implement Secure by Design principles during the manufacturing process to prioritize security. Secure by Design equips devices and software with security features throughout the product’s development rather than as an additional technical feature. Prioritizing security with Secure by Design significantly decreases security vulnerabilities before the product is accessed by users and networks.
For more details on Secure by Design, see the Open Worldwide Application Security Project’s (OWASP’s) OWASP Secure by Design Framework and the Center for Internet Security’s Secure by Design.
End users
Ensure your organization is aware of the training available for CSS threats. Training pertaining to mobile device security, phishing, MDM and CSS specifically will offer your organization a more secure landscape.
Enforce the following security measures for end-users to protect organizational and personal mobile devices from malicious CSS attacks.
Implement phishing resistant measures
Implement phishing awareness and practices. Ensure your organization adheres to the following phishing resistance measures:
- exercising caution when receiving unsolicited messages requesting information or providing links or attachments
- verifying senders before responding to unsolicited messages
- contacting organizations and individuals directly, for example, using contact information provided on the organization’s website
- reporting suspicious text messages by forwarding them to 7 7 2 6 (“SPAM”), the messaging application’s spam reporting function and your organization’s IT team
We recommend your organization enforces the use of phishing-resistant multi-factor authentication (MFA), such as cryptographic authentication measures or hardware security keys. Avoid using SMS-based codes and one-time passwords as authentication measures. For more details on phishing-resistant MFA, read the Cyber Centre’s publication on Defending against adversary-in-the-middle threats with phishing-resistant multi-factor authentication (ITSM.30.031).
Reporting an incident
- Report cyber crime and fraud to the Canadian Anti-Fraud Centre
- Report cyber incidents to the Cyber Centre
Recommended security actions
End users should practice the following security measures to protect personal and organizational devices from being compromised by unsecure networks and malicious applications.
- Disable 2G network connection settings, if your device allows it
- Use end-to-end encryption applications to secure communications
- Ensure secure messaging and voice calling is considered when implementing end-to-end encryption methods
- Download applications solely from official app stores from widely known app developers
- Use anti-virus software to scan newly downloaded and existing apps for malware
Summary
Malicious CSS devices are another prominent threat to individual and organizational cyber security. The guidance provided in this publication is meant to offer insight on the current threat and help strengthen your mitigation strategies. Each level within the mobile device infrastructure plays an important role in securing the overall cyber security landscape.
The different types of CSS devices have varying threats to mobile devices and sensitive information. As technology advances, threat actors will continue to adapt in their techniques. Implement the best protective measures, share intelligence and collaborate within the industry to help secure the continuously growing mobile device infrastructure.
Effective date
This publication takes effect on May 19, 2026.
This is an UNCLASSIFIED publication that has been issued under the authority of the Head of the Canadian Centre for Cyber Security (Cyber Centre). For more information, email or phone our Contact Centre:
Email: contact@cyber.gc.ca | Phone: 613-949-7048 or 1‑833‑CYBER‑88
Revision history
- First release: May 19, 2026