Working of “IMSI Catcher” [With Conceptual and practical explaination]

As you guys know INNOVATIVE NOOB is all about conceptual and practical explanation. In this article, we will learn about IMSI, it’s working, IMSI Catcher {also known as sting ray} and its working in practical and realistic situations. 💠

IMSI CATCHER

IMEI:- International Mobile Equipment Identity (Used for identification of mobile handset) 👀

IMSI:- International Mobile Subscriber Identity { IMSI is a 15 digit number used to identify the user of a cellular network and is a unique identification associated with all cellular networks. } 👀

THE WORD “MOBILE STATION {MS} IS USED FOR THE CASE IN WHICH A SIM IS INSERTED IN A MOBILE DEVICE

 

IMSI Catcher

IMSI catcher is basically used by the police departments or agencies to keep an eye on the suspected criminals. they can trace their location, the tower they are connected to, and to whom they are communicating.

👀

 

IMSI Catcher, What is IMSI catcher

but now the problem occurs when some unauthorized people with bad intentions trying to use IMSI catcher and try to spy on people…

So this article will be focusing on the feasibility of such kind of attack, in which cases it works, in which cases it does not work, it’s concepts and working. 💠

Let’s go! 😎

Before jumping to the main topic we need to understand a few things…

Architecture of Networks

First, we need to understand a bit of architecture of different standards and protocols.

Everyone reading this article should be knowing about the basic standards like- 2G, 3G, 4G. 💠

This is to clarify that:-

2G network is mainly affected by IMSI catchers and not 3G or 4G.

now some people might say that:- “But there are IMSI Catchers for 3G and 4G networks too!”

just have a look at the video below

 

 

If I am agency and I want to spy on a suspected criminal who is using a “JIO network” [ISP] 🍃

I will directly go to JIO and ask them to grant me permission to some internal parameters of their service.

But in this article, we are focusing on how some unauthorized people make use of it. So obviously the unauthorized person will not go to JIO and directly ask for permissions! 👀

So in the practical world, unauthorized people mainly target 2G(GSM)

Now let’s understand that what was lacking in the GSM [2G] networks that it was vulnerable to IMSI catcher. 💡

In the case of GSM [2G], our mobile needs to verify itself but the tower doesn’t need to!

Means while the connection is made between our mobile and tower. Our mobile needs to authenticate itself that it is not fake but the tower, with which our mobile is trying to connect doesn’t need to authenticate itself. 🍃

But in the case of 3G:-

The mobile station as well as the tower both need to authenticate themselves!💡

Types of IMSI Catchers:- 💎

  • Passive IMSI catcher
  • Active IMSI catcher

Passive IMSI catchers:- These IMSI catchers just act like a receiver and receives all available mobile signals that it can!

Note:- A passive IMSI catcher will not try to make any communication, it will only receive the signals

For eg:- If I keep an IMSI catcher in an area it will keep on taking all the signals nearby. 👀

Active IMSI catcher:- An active IMSI catcher acts as a fake tower and tries to emit strong mobile signals!

Due to which nearby mobile devices try to connect to our active IMSI cacher as the nearby mobile devices will generally try to connect to the tower with best signals or any tower with strongest signals. 👀

Working of Active IMSI Catcher 💎

So for understanding the concept lets jump back to the 2G network

Reminder:- Tower doesn’t need to verify itself.

So the connection between the tower and the mobile is successfully established

Now the main thing to discuss is cipher mods

currently, there are 4 cipher mods

  • A5/0 (no encryption)
  • A5/1 (weak encryption)
  • A5/2 (not generally used)
  • A5/3 (in use, can be seen in many places in INDIA as well as Foreign) (can be seen much more in use as compared to other)
  • A5/4 (in use in many places)

Security wise:- A5/4 > A5/3 > A5/2 > A5/1 > A5/0

India is slowly shifting its all networks to A5/3 as per reports.

💠 Where A5/0 represents NO ENCRYPTION { In Earlier times the user was provided with a warning that there is no encryption between the tower and the mobile but now it is removed by google}

Now let’s understand everything practically

Case 1:- Country supports GSM[2G]

💎

There is a Mobile station on the 2G network

An unauthorized person has set up an Active IMSI catcher

The IMSI catcher acts as a tower and emits strong signals

The mobile wishes to connect to the IMSI catcher assuming it as a tower with good signal strength

As in GSM [2G] network, the tower needs not to authenticate itself

our mobile gets connected to the fake tower and gives it the IMSI number and while connecting the IMSI number is also give to the fake tower now the mobile requests the tower to proceed with an encrypted communication standard probably [ A5/3 ].  😀

But the fake tower [Active IMSI catcher] rejects the request and tell the mobile to continue the communication in [ A5/0 ] which means No encryption 💎

So what you saw? even if the phone is willing to communicate in the encryption A5/3, the tower is the one who decides that which encryption mod should be followed. 💠

So as the tower says the mobile station to continue the communication in A5/0, both will start communicating in A5/0 which means that now the communication between the tower and the mobile will be unencrypted!!!

The tower said to communicate in A5/0 because if the mobile would have communicated in any other encryption mod, Say A5/3 the Tower needs to decrypt the data which is just not easy. 👀

CASE 2:- Country does not support GSM[2G]

 

💠 IMSI catcher in any country where A5/0 is not recognizable or the support for A5/0 is totally removed! 💡

the mobile will get connected to it in a similar manner but

in this case, the active IMSI catcher or the fake tower will say the mobile station to communicate in A5/0, but as A5/0 is not supported in this country so the IMSI catcher will further say the mobile to communicate in the weakest possible encryption mode which can be A5/1.

and the data needs to be decrypted. or cracked. which is not easy.

So that was all for ACTIVE IMSI CATCHER. 💎

Working of Passive IMSI catcher

 

💠 NOW let’s TALK ABOUT PASSIVE IMSI CATCHER 💡

Let’s remind the definition:- these IMSI catchers just act like a receiver and receives all available mobile signals that it can!

note:- A passive IMSI catcher will not try to make any communication, it will only receive the signals.

For eg:- If I keep an IMSI catcher in an area it will keep on taking all the signals nearby. 💎

In this case, our phone is normally connected to a real tower and the passive IMSI catcher is kept between them 💠

Now what happens is that once the real tower gets the IMSI the real tower continues the communication by using a TMSI (Temporary mobile subscriber identity) 💎

the concept of using a TMSI was introduced because devices like passive IMSI catcher can catch a signal with the real IMSI number of the mobile

🙂

but in this case, as the tower is proceeding its communication using a TMSI (A TMSI keeps on changing again and again) so even if the passive IMSI catcher gets hold of the signals it will get the TMSI and not the permanent IMSI of the mobile station.💡

each time any signal is sent to the mobile station from the tower, the tower uses a different TMSI number, So that’s why the passive IMSI catcher in the between will keep on getting different TMSI numbers and not the IMSI.

💠 All this is theoretical! 💠

But things work out in a little different manner in the real world.

Let’s see what happens in the real world 💡

A REALISTIC  APPROACH:-

 

💠 In the real tower [Actually “VLR” but for easy understanding you can assume it as all these problems are occurring in the tower]:- IN the real world there can be a problem of RAM and memory {actually there can be many more factors} {as in the real world there are many users registering at the same time or already registerd} due to which a connection between the phone and the tower gets broken and they reconnect to each other and while reconnecting the actual IMSI is passed on. 💎

So in the real world, the passive IMSI catcher keeps on getting a TMSI but if it waits for a while there are high chances that the IMSI catcher will also get the IMSI due to the reconnection made between the tower and mobile.

In short, the active IMSI catcher forces the mobile to provide it with the IMSI 💡

but passive IMSI catcher will wait till it receives the IMSI of mobile.

 

One thing I would like you all to do is to visit  GSM-MAP and analyze the gsm and encryption status of different countries.

And another point. If you want to do any kind of practical, it’s better to go through all the laws of your respective countries. Because there are laws for even small steps.Thank you for reading the article. If you have any confusions or doubts do comment below and give feedback.

Author- INNOVATIVE NOOB 💡

Leave a Reply

Your email address will not be published. Required fields are marked *