IMSI-Catch Me If You Can: IMSI-Catcher-Catchers
Adrian DabrowskiSBA ResearchVienna, Austria
Nicola PiantaUniversit di Cagliari
Thomas KleppVienna University of Technology
Martin MulazzaniSBA ResearchVienna, Austria
Edgar WeipplSBA ResearchVienna, Austria
ABSTRACTIMSI Catchers are used in mobile networks to identify andeavesdrop on phones. When, the number of vendors in-creased and prices dropped, the device became available tomuch larger audiences. Self-made devices based on opensource software are available for about US$ 1,500.
In this paper, we identify and describe multiple methods ofdetecting artifacts in the mobile network produced by suchdevices. We present two independent novel implementationsof an IMSI Catcher Catcher (ICC) to detect this threatagainst everyones privacy. The first one employs a networkof stationary (sICC) measurement units installed in a geo-graphical area and constantly scanning all frequency bandsfor cell announcements and fingerprinting the cell networkparameters. These rooftop-mounted devices can cover largeareas. The second implementation is an app for standardconsumer grade mobile phones (mICC), without the needto root or jailbreak them. Its core principle is based upongeographical network topology correlation, facilitating theubiquitous built-in GPS receiver in todays phones and anetwork cell capabilities fingerprinting technique. The latterworks for the vicinity of the phone by first learning the celllandscape and than matching it against the learned data.We implemented and evaluated both solutions for digitalself-defense and deployed several of the stationary units fora long term field-test. Finally, we describe how to detectrecently published denial of service attacks.
1. INTRODUCTIONIMSI Catchers are MITM (man in the middle) devices
for cellular networks . Originally developed to stealIMSI (International Mobile Subscriber Identity) numbersfrom nearby phones (hence the name), later versions offeredcall- and message interception. Today, IMSI Catchersare used to track handsets, deliver geo-target spam ,send operator messages that reconfigure the phone (e.g.
Permission to make digital or hard copies of all or part of this work forpersonal or classroom use is granted without fee provided that copies are notmade or distributed for profit or commercial advantage and that copies bearthis notice and the full citation on the first page. Copyrights for componentsof this work owned by others than ACM must be honored. Abstracting withcredit is permitted. To copy otherwise, or republish, to post on servers or toredistribute to lists, requires prior specific permission and/or a fee. Requestpermissions from Permissions@acm.org.ACSAC14, December 08 - 12 2014, New Orleans, LA, USACopyright is held by the authors. Publication rights licensed to ACM.ACM 978-1-4503-3005-3/14/12 ...$15.00.http://dx.doi.org/10.1145/2664243.2664272.
installing a permanent MITM by setting a new APN, http-proxy, or attack the management interface ), directlyattack SIM cards with encrypted SMS  that are filteredby most operators by now, and can potentially interceptmobile two-factor authentication schemes (mTAN). Pelland Soghoian  argue, that we are currently on the brinkof age where almost everyone could eavesdrop phone calls,similar to the 1990es where cheap analog scanners whereused to listen to mobile phones in the US and Europe.
In brief, these devices exploit the phones behavior toprefer the strongest cell phone tower signal in vicinity tomaximize the signal quality and minimize its own powerconsumption. Additionally, on GSM networks (2G), onlythe phone (via the SIM, Subscriber Identification Module)needs to authenticate to the network but not vice versaand therefore can easily be deluded to disable content dataencryption. This enables an attacker to answer a phones re-quests as if the phone was communicating with a legitimatecell phone network.
In contrast, the Universal Mobile Telecommunication Sys-tem (UMTS, 3G) requires mutual two-way authentication,but can be circumvented using the GSM compatibility layerpresent in most networks , or mobiles can be forced todowngrade to a 2G connection by other means. Additionally,network operators use GSM as a fallback network whereUMTS is not available. This makes GSM security still rele-vant and important in todays mobile network world.
The main contributions are structured as follows. A sur-vey of network level artifacts caused by an IMSI Catcher aredescribed in Section 4. In Section 5 we present a conceptof a usable and customer grade warning system. Therefore,we determination which detection methods are available andimplementable with what consumer grade hardware in Sec-tion 6. We present our implementation and the evaluationof these methods in Section 7. Finally, we describe andevaluate the detectability of large scale denial of serviceattacks such as  in Section 9.1 before we summarize ourfindings in Section 10.
2. MOTIVATIONThe first IMSI Catchers date back as early as 1993  and
were big, heavy, and expensive. Only a few manufacturersexisted and the economic barrier limited the devices usemostly to governmental agencies. However, in recent years,a number of smaller and cheaper as well as self-built projectsappeared making cellular network snooping attacks feasible
to much larger audiences.Chris Paget built an IMSI Catcher for about US$1,500 
and presented it at DEFCON 2010. His setup consists of aSoftware Defined Radio  and free open source softwaresuch as GNU Radio, OpenBTS, and Asterisk. Several other(academic) projects also built such devices [32, 39] basedon similar setups. Appropriate patches and configurationguides are publicly available.
In 2010, Nohl and Manaut [27, 29] presented practicalsnooping attacks on GSMs main cipher suite using customfirmware on modified mobile phones. However, such a solu-tion can only monitor a very small number of frequencies atonce and is likely to lose the intercepted phone on handoversto other cells. Therefore, a professional attacker will still useIMSI Catcher-like functionality to lock the radio channel.
As IMSI Catchers perform an active radio attack, we putforward multiple passive ways to detect such an attack,both stationary and mobile. We facilitated ordinary mobilephones or easily acquirable hardware. This allows for easydeployment of the described techniques for end users orinterested hobbyists. We therefore intentionally chose toexclude expensive protocol analyzers or complex self-builtsolutions.
3. BACKGROUNDIn general a mobile network consists of base stations (BS)
that use one or more radio interfaces to create geographicallylimited radio cells. Multiple cells of an operator are groupedto Location Areas. After power-up or when a mobile station(MS, e.g. phone, data modem) lost connection to its network,it will perform a full scan to find the frequencies of nearbycells based on beacon signals sent out by every cell on aregular basis. The MS registers into the operators networkusing its worldwide unique International Mobile EquipmentIdentity (IMEI), its International Mobile Subscriber Identity(IMSI) number and a secret key stored on the SubscriberIdentity Module (SIM). The network (in this example GSM)will assign a Temporarily Mobile Subscriber Identity (TMSI)number for addressing purposes. TMSIs are volatile andtherefore reduce the risk of tracking individual subscribers.The more often a network changes the TMSI, the harder itis to passively track a specific user. Regardless, the networkneeds to know where its subscribers are at any given time tobe able to communicate with them, e.g. forward incomingcalls. In order to reduce position updates (saves networktraffic and battery power on the mobile phone), updates areonly performed when a phone moves from one group of cells(Location) to another, i.e. not on every individual cell. Incase of an incoming message, the phone is paged in all cellsof a Location Area (LA) and then assigned a specific logicalchannel of a cell. Based on the networks generation, this iseither a frequency and a time slot (2G GSM) or an encodingscheme (3G UMTS).
To help the phone keep track of nearby cells, the networkadvertises them to the phone. Therefore, the scan overheadis reduced compared to full scans, saving time and battery.The phone maintains a short neighbor list based on signalstrength and reports them back to the network on request.This data is the primary decision source for handovers, whenthe phone needs to change to another cell during an activecall.
In GSM, a cell is uniquely identified by the mobile coun-try code (MCC), network code (MNC), location area code
(LAC) and the cell ID (CI). The neighbor list typically in-cludes additional per cell attributes like the frequency (AR-FCN) and channel quality metrics. Given that UMTS net-works are organized differently, LAC and CI are replaced byPSC (primary scrambling code) and CPI (Cell ParameterID). For the sake of simplicity, we will call any tuple thatuniquely identifies a network cell a Global Cell ID or CellID for short.
IMSI Catchers blend into the mobile network operatorsinfrastructure impersonating a valid cell tower and there-fore attracting nearby phones to register to it. Two mainoperating modes can be distinguished.
Identification Mode.As a phone is lured into the fake cell, the worldwide unique
identifiers such as IMSI and IMEI are retrieved and thephone is sent back to its original network via denying itsoriginal Location Update Request with an Location UpdateReject-Message. This procedure typically takes less thentwo s