Protect your devices from IMSI catchers (ITSAP.00.106)

An international mobile subscriber identity (IMSI) catcher is a type of cell site simulator (CSS) that impersonates a legitimate cell tower to exploit connected mobile devices. IMSI catchers exploit the process by which mobile devices seek and connect to a strong available network signal within a physical radius. The availability of the low-cost technology used for IMSI catchers has made it easily accessible to a wide range of threat actors. It is important to understand how IMSI catchers work in order to detect them and protect your sensitive information from being compromised.


Why threat actors use IMSI catchers

Threat actors use IMSI catchers to make configuration changes and gather sensitive information from mobile device users. Some of the types of data they attempt to collect include:

  • device and user identification, such as the IMSI number
  • metadata collected from voice calls, including contacts and call duration
  • content of text messages (SMS) and calls
  • data content and usage, such as websites visited

Threat actors use IMSI catchers to target high-profile individuals, including key personnel, executives or anyone handling sensitive business operations, to track their location and movements, monitor business activities or support organized criminal activity. They also use IMSI catchers for targeted surveillance: correlating a real identity to a device’s IMSI lets them track that individual or gather intelligence during high-profile events.

Active and passive IMSI catchers

IMSI catchers can be used in an active or passive mode, depending on the threat actors’ use case and the network involved.

Active catchers

Active IMSI catchers broadcast a signal that is, or appears to be, stronger than that of the nearby legitimate cell towers. Devices in range disconnect from their service provider’s network and attach to the catcher instead. Once attached, the catcher can also attempt to downgrade the device to a second-generation (2G) connection, where the network side can impose weak or no encryption.

Passive catchers

Passive IMSI catchers do not broadcast network signals. Instead, they listen to the existing traffic between devices and legitimate towers, capturing identifiers and other cellular transmissions in transit. Threat actors use this method to gather identifier information silently, without revealing their presence.

The silent SMS attack

A key attack method threat actors use to obtain user-identifiable information is called silent SMS. A silent SMS is a type of message that the mobile device processes and acknowledges without notifying the user or storing it in the messaging inbox. It is typically used to pinpoint a device’s location or to deliver configuration instructions to it.

Threat actors combine silent SMS with IMSI catchers: the device acknowledges the message at the protocol level without alerting the user, and that acknowledgement generates radio traffic carrying the device’s current identifiers and metadata. The IMSI catcher observes this traffic to confirm that the target is present in its coverage area and to tie the target to a specific identifier. Silent SMS can also be used to carry hidden service or configuration messages that reconfigure the subscriber identity module (SIM) profile so that calls and SMS can be eavesdropped on and collected.

The different mobile identifiers

Mobile networks use several identifiers to manage subscribers. Some of these identifiers are temporary, while others, like the IMSI, are permanent and uniquely identify a subscription (the SIM) rather than the handset. These identifiers need to be protected to safeguard the privacy of subscribers.

Permanent identifier

The IMSI is the permanent, unique identifier on your SIM. In 2G, third generation (3G) and fourth generation (4G) networks, the IMSI is sent in the clear during the initial registration process, and again whenever the network asks the device for its identity, which is exactly what an IMSI catcher does. This makes it an easy target when your phone connects to the mobile network.

Temporary identifiers

A temporary mobile subscriber identity (TMSI) and a globally unique temporary identifier (GUTI) are temporary identifiers assigned by networks to hide the IMSI. However, if a mobile network operator (MNO) doesn’t rotate these identifiers frequently enough or if they use predictable numbering, threat actors can link them back to a single user.
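The two weaknesses named above, identifiers held too long and predictable numbering, can be checked from an operator's own TMSI reallocation records. The following is an added example, not code from the original page or from any operator: it runs a small audit over constructed reallocation records (subscriber, time of reallocation, TMSI assigned). The one-hour hold limit and the "near-sequential" window of 16 are assumptions to tune per network.

```python
"""Audit TMSI reallocation for two weaknesses: identifiers held too long and
predictable, counter-like numbering. Example code added to this page; the
records below are constructed, not exported from a real core network."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: (subscriber, time of TMSI reallocation, TMSI assigned).
# The TMSIs here are deliberately sequential to show what a bad allocator looks like.
RECORDS = [
    ("sub-A", datetime(2024, 1, 1, 9, 0), 0x1A2B0001),
    ("sub-B", datetime(2024, 1, 1, 9, 1), 0x1A2B0002),
    ("sub-C", datetime(2024, 1, 1, 9, 2), 0x1A2B0003),
    ("sub-A", datetime(2024, 1, 1, 9, 30), 0x1A2B0004),
    ("sub-B", datetime(2024, 1, 1, 15, 0), 0x1A2B0005),  # previous TMSI held ~6 h
    ("sub-C", datetime(2024, 1, 1, 15, 5), 0x1A2B0003),  # same TMSI reissued
]

# Constructed records from a healthy allocator: random values, rotated within the hour.
GOOD_RECORDS = [
    ("sub-A", datetime(2024, 1, 1, 9, 0), 0x7F31C2A0),
    ("sub-B", datetime(2024, 1, 1, 9, 5), 0x5B10F00E),
    ("sub-A", datetime(2024, 1, 1, 9, 20), 0x02E9B1D4),
    ("sub-B", datetime(2024, 1, 1, 9, 40), 0xC4D2A7B3),
]

def audit_rotation(records, max_hold=timedelta(hours=1), seq_window=16):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    per_sub = defaultdict(list)
    for sub, ts, tmsi in records:
        per_sub[sub].append((ts, tmsi))

    # Per subscriber: how long each TMSI was held, and whether a value came back.
    for sub, entries in sorted(per_sub.items()):
        entries.sort()
        for (t0, old), (t1, new) in zip(entries, entries[1:]):
            if t1 - t0 > max_hold:
                findings.append(f"{sub}: TMSI {old:08X} held for {t1 - t0}, limit is {max_hold}")
            if new == old:
                findings.append(f"{sub}: TMSI {old:08X} reissued, sessions are linkable")

    # Across all subscribers: are successive assignments close together in value?
    # A counter-based allocator lets an observer predict or link new TMSIs.
    by_time = sorted(records, key=lambda r: r[1])
    steps = [b[2] - a[2] for a, b in zip(by_time, by_time[1:])]
    near_seq = sum(1 for d in steps if 0 < d <= seq_window)
    if steps and near_seq / len(steps) >= 0.5:
        findings.append(f"{near_seq}/{len(steps)} assignments are near-sequential: "
                        "TMSIs look counter-based, not random")
    return findings

if __name__ == "__main__":
    for line in audit_rotation(RECORDS):
        print(line)
    print("healthy sample findings:", audit_rotation(GOOD_RECORDS))
```

Real reallocation data would be pulled from the MME/AMF or MSC, and the hold limit should reflect the operator's own policy; the check structure stays the same.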

5G solutions

A subscriber permanent identifier (SUPI) and a subscription concealed identifier (SUCI) are introduced as a 5G solution. The SUCI is an encrypted form of the SUPI, meant to keep the permanent identifier from leaking over the air. However, the 5G standard also requires support for a null scheme (no concealment), so an operator can deploy 5G with the SUPI still sent in the clear, diminishing the protection SUCI is meant to provide. IMSI catchers can also attempt to downgrade a device’s connection to a 2G, 3G or 4G signal, where SUCI doesn’t exist.
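Whether a given 5G registration actually conceals the SUPI is visible in the SUCI itself: the protection scheme identifier field is 0 for the null scheme and 1 or 2 for the two ECIES profiles. The following is an added example, not code from the original page: it parses SUCIs in the NAI string form defined in 3GPP TS 23.003 (suci-<type>-<MCC>-<MNC>-<routing indicator>-<scheme id>-<key id>-<scheme output>) and reports which ones leave the IMSI readable. The sample SUCIs are constructed; the Profile A scheme output is made-up hex of the right length, not a real concealed value.

```python
"""Inspect 5G SUCI values (TS 23.003 NAI form) and flag the ones that leave the
SUPI readable, i.e. those using the null protection scheme. Example code added
to this page; the samples are constructed, not captured from a real network."""
import re
from dataclasses import dataclass
from typing import Optional

NULL_SCHEME = 0       # scheme output is the plaintext MSIN
ECIES_PROFILE_A = 1   # Curve25519-based concealment (TS 33.501 Annex C)
ECIES_PROFILE_B = 2   # secp256r1-based concealment

@dataclass(frozen=True)
class Suci:
    mcc: str
    mnc: str
    routing_indicator: str
    scheme_id: int
    hn_key_id: int
    scheme_output: str

    @property
    def conceals_supi(self) -> bool:
        return self.scheme_id in (ECIES_PROFILE_A, ECIES_PROFILE_B)

    def exposed_imsi(self) -> Optional[str]:
        """With the null scheme the IMSI is simply MCC + MNC + scheme output."""
        if self.scheme_id == NULL_SCHEME:
            return self.mcc + self.mnc + self.scheme_output
        return None

def parse_suci(nai: str) -> Suci:
    parts = nai.split("-")
    if len(parts) != 8 or parts[0] != "suci":
        raise ValueError(f"not a SUCI NAI: {nai!r}")
    supi_type, mcc, mnc, ri, scheme, key_id, output = parts[1:]
    if supi_type != "0":
        raise ValueError("only IMSI-based SUPI (type 0) is handled here")
    if not re.fullmatch(r"\d{3}", mcc) or not re.fullmatch(r"\d{2,3}", mnc):
        raise ValueError("bad MCC/MNC")
    if not re.fullmatch(r"\d{1,4}", ri):
        raise ValueError("bad routing indicator")
    scheme_id, hn_key_id = int(scheme), int(key_id)
    if not 0 <= scheme_id <= 15 or not 0 <= hn_key_id <= 255:
        raise ValueError("scheme id or home network key id out of range")
    if scheme_id == NULL_SCHEME:
        # Null scheme: the output is the MSIN itself, 9 or 10 decimal digits.
        if not re.fullmatch(r"\d{9,10}", output):
            raise ValueError("null scheme output must be the 9-10 digit MSIN")
    elif not re.fullmatch(r"[0-9A-Fa-f]+", output):
        # Concealed schemes: ephemeral key, ciphertext and MAC, hex encoded.
        raise ValueError("concealed scheme output must be hex")
    return Suci(mcc, mnc, ri, scheme_id, hn_key_id, output)

def audit_registrations(nais):
    """Count concealed registrations and list the IMSIs the others expose."""
    exposed, concealed = [], 0
    for nai in nais:
        s = parse_suci(nai)
        if s.conceals_supi:
            concealed += 1
        else:
            exposed.append(s.exposed_imsi())
    return {"concealed": concealed, "exposed": exposed}

# Constructed samples. The first follows the null-scheme layout illustrated in
# TS 23.003 (MCC 234, MNC 15, routing indicator 678, MSIN 0999999999). The
# second uses Profile A with a made-up 45-byte hex output (32-byte ephemeral
# key + 5-byte ciphertext + 8-byte MAC); it is not a real concealed value.
SAMPLE_NULL = "suci-0-234-15-678-0-0-0999999999"
SAMPLE_PROFILE_A = "suci-0-234-15-678-1-27-" + "ab" * 32 + "cd" * 5 + "ef" * 8

if __name__ == "__main__":
    print(audit_registrations([SAMPLE_NULL, SAMPLE_PROFILE_A]))
```

On the network side, the same field tells an operator whether its SIM profiles are actually provisioned with a home network public key; a fleet of registrations with scheme id 0 means SUCI is configured but not doing anything.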

How to protect against IMSI catchers

MNOs, high-profile organizations and end users should consider the following security measures to help reduce the risks associated with IMSI catchers.

Mitigation measures for mobile network operators

  • Detect and report: Use specialized monitoring equipment to track CSS devices and report findings to authorities
  • Upgrade networks: Configure networks to support SUPI and SUCI and enable strong encryption
  • Implement rapid identifier rotation: Ensure TMSI and GUTI are changed constantly and that the numbering is not predictable
  • Enforce anti-downgrade policies: Implement network-side controls that prevent devices from falling back to legacy protocols, such as 2G connections
  • Share intelligence:
    • Record real-time network data into fraud management systems, update blocklists of malicious Uniform Resource Locators (URLs) and share threat information with other operators and government authorities
    • Use specialized direction-finding equipment to pinpoint the exact location of active IMSI catchers to report to law enforcement
  • Coordinate across the industry: Collaborate with device makers and regulators to strengthen defence mechanisms

High-profile organizations

Organizations that manage highly sensitive information and services, including government buildings and critical infrastructure, can use specialized monitoring equipment to scan for unauthorized or anomalous base station signals. Implementing detection mechanisms can alert security teams and deter threat actors.
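The monitoring described above, and the "detect and report" measure for operators, comes down to comparing what a scanner sees now against a baseline of cells known at the site. The following is an added example, not code from the original page or from any monitoring product: it runs a few common rogue-cell heuristics over a constructed baseline and a constructed scan. The baseline, the scan, the 15 dB signal margin and the test PLMN codes 001/01 and 001/02 are all assumptions.

```python
"""Flag anomalous base stations in a cell scan against a baseline of cells
known at a site. Example code added to this page; the baseline, scan and
thresholds are constructed assumptions to tune per site."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Cell:
    rat: str       # "GSM", "LTE" or "NR"
    mcc: str
    mnc: str
    area: int      # LAC for GSM, TAC for LTE/NR
    cell_id: int
    rssi_dbm: int  # received signal strength

def cell_key(c: Cell):
    return (c.rat, c.mcc, c.mnc, c.area, c.cell_id)

def detect_anomalies(baseline, scan, *, licensed=frozenset(), rssi_margin_db=15):
    """Return (cell, [reasons]) for every unknown cell that trips a heuristic."""
    known = {cell_key(c) for c in baseline}
    known_areas = {(c.mcc, c.mnc, c.area) for c in baseline}
    rats_per_operator = defaultdict(set)
    for c in baseline:
        rats_per_operator[(c.mcc, c.mnc)].add(c.rat)
    # Strongest known cell in this scan; a catcher usually has to out-shout it.
    strongest_known = max((c.rssi_dbm for c in scan if cell_key(c) in known), default=-120)

    findings = []
    for c in scan:
        if cell_key(c) in known:
            continue
        op = (c.mcc, c.mnc)
        reasons = []
        if licensed and op not in licensed:
            reasons.append("PLMN not licensed in this region")
        if (c.mcc, c.mnc, c.area) not in known_areas:
            # A fresh LAC/TAC forces a location update, which is how a catcher
            # gets the device to talk to it.
            reasons.append("unknown LAC/TAC, would force a location update")
        if c.rat == "GSM" and op in rats_per_operator and "GSM" not in rats_per_operator[op]:
            reasons.append("2G cell from an operator with no 2G in baseline")
        if c.rssi_dbm > strongest_known + rssi_margin_db:
            reasons.append(f"{c.rssi_dbm} dBm exceeds strongest known cell by more than {rssi_margin_db} dB")
        if reasons:
            findings.append((c, reasons))
    return findings

# Constructed baseline for a site served by two test-PLMN operators.
BASELINE = [
    Cell("LTE", "001", "01", 4100, 2001, -80),
    Cell("LTE", "001", "01", 4100, 2002, -85),
    Cell("NR",  "001", "01", 4100, 3001, -90),
    Cell("LTE", "001", "02", 5200, 9001, -88),
]
LICENSED = frozenset({("001", "01"), ("001", "02")})

# Constructed scan: two known cells, one benign new neighbour, two suspicious cells.
SCAN = [
    Cell("LTE", "001", "01", 4100, 2001, -78),
    Cell("LTE", "001", "01", 4100, 2002, -86),
    Cell("GSM", "001", "01", 7777, 1, -55),     # 2G, new LAC, very strong
    Cell("LTE", "001", "02", 5200, 9002, -89),  # new cell, but same TAC and normal level
    Cell("LTE", "001", "03", 5300, 1, -90),     # PLMN nobody operates here
]

if __name__ == "__main__":
    for cell, reasons in detect_anomalies(BASELINE, SCAN, licensed=LICENSED):
        print(cell, "->", "; ".join(reasons))
```

No single heuristic is conclusive (operators do add cells and change areas), which is why each finding carries its reasons; a cell that trips several at once is the one to send a direction-finding team after.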

End users

End users have limited options to mitigate IMSI catching since mobile devices are inherently designed to communicate with cell towers. However, consider the following security measures to best mitigate the risk:

  • Disable 2G:
    • Turn off 2G network connections in your phone’s settings, if the option is available
    • Contact your mobile provider if you don’t have the option
  • Use encrypted messaging applications: Protect the contents within messaging and data transfer communications with applications that support end-to-end encryption
  • Replace SIM and device: In extreme cases, if you are a high-profile individual, consider regularly replacing your SIM and device

