IMSI Catcher
What is IMSI Catcher?
A fake cell-site that tricks nearby phones into revealing their IMSI/IMEI and, on weak networks, intercepts calls and SMS.
An IMSI catcher is a portable cell-site simulator that exploits the asymmetric trust model of 2G/3G mobile networks: handsets authenticate to the network but the network does not authenticate to the handset. By broadcasting a stronger signal with a familiar PLMN/MCC-MNC, the catcher forces nearby phones to camp on it and to send their IMSI in plain text during attach. Many catchers force a downgrade from 4G/5G to GSM (no mutual authentication), enabling silent SMS, geolocation and call interception. Open-source variants were demonstrated by Chris Paget (DEF CON 2010) and the YateBTS / OpenBTS projects. Defences include 5G subscription concealed identifier (SUCI), stingray-detection apps, mandatory mutual authentication and disabling 2G.
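The traits described above (a familiar PLMN, a stronger signal, a forced drop to GSM) can be turned into detection heuristics. The sketch below is an added example, not code from any detection app or from the projects named here; the record format, the `KNOWN_CELLS` baseline, the thresholds and all sample values are constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical record format and constructed sample data: serving-cell
# observations as a handset-side monitor might log them (not real tool output).
@dataclass(frozen=True)
class CellObs:
    t: int         # seconds since start of capture
    rat: str       # "2G", "3G", "4G" or "5G"
    plmn: str      # MCC-MNC broadcast by the cell
    cell_id: int   # cell identity broadcast by the cell
    rssi_dbm: int  # received signal strength

HOME_PLMN = "001-01"  # test-network PLMN used as a stand-in for the home operator
KNOWN_CELLS = {(HOME_PLMN, 1101), (HOME_PLMN, 1102), (HOME_PLMN, 2201)}  # constructed baseline

OBSERVATIONS = [
    CellObs(0, "4G", HOME_PLMN, 1101, -95),
    CellObs(30, "4G", HOME_PLMN, 1102, -92),
    CellObs(60, "2G", HOME_PLMN, 9999, -51),  # unknown cell, much stronger, GSM only
    CellObs(90, "2G", HOME_PLMN, 9999, -50),
    CellObs(120, "4G", HOME_PLMN, 1101, -96),
]

def score(prev, cur, jump_db=20):
    """Return the indicators that fire when the handset moves from prev to cur."""
    hits = []
    if cur.plmn == HOME_PLMN and (cur.plmn, cur.cell_id) not in KNOWN_CELLS:
        hits.append("unknown-cell-on-familiar-plmn")
    if prev and cur.rat == "2G" and prev.rat in ("4G", "5G"):
        hits.append("downgrade-to-2g")
    if prev and cur.cell_id != prev.cell_id and cur.rssi_dbm - prev.rssi_dbm >= jump_db:
        hits.append("signal-jump")
    return hits

def suspicious(observations, threshold=2):
    """Flag observations where at least `threshold` indicators coincide."""
    alerts, prev = [], None
    for cur in observations:
        hits = score(prev, cur)
        if len(hits) >= threshold:
            alerts.append((cur.t, cur.cell_id, hits))
        prev = cur
    return alerts

if __name__ == "__main__":
    for t, cid, hits in suspicious(OBSERVATIONS):
        print(f"t={t}s cell={cid}: {', '.join(hits)}")
```

Each indicator alone also fires on benign events such as a newly deployed cell or a genuine 2G fallback, which is why the example alerts only when two or more coincide.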
● Examples
- 01 A protest where attendees' IMSIs are quietly collected by a nearby cell-site simulator.
- 02 A criminal renting an IMSI catcher to send spoofed SMS through downgraded GSM devices.
● Frequently asked questions
What is IMSI Catcher?
A fake cell-site that tricks nearby phones into revealing their IMSI/IMEI and, on weak networks, intercepts calls and SMS. It belongs to the Attacks & Threats category of cybersecurity.
How do you defend against IMSI Catcher?
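Defences against IMSI catchers combine technical controls and operational practices. The full definition above lists them: the 5G subscription concealed identifier (SUCI), stingray-detection apps, mandatory mutual authentication and disabling 2G.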
What are other names for IMSI Catcher?
Common alternative names include: Cell-site simulator, Fake BTS, Stingray-class device.
● Related terms
- attacks № 1104
Stingray
A commercial cell-site simulator originally made by Harris Corporation that mimics a base station to collect IMSIs and track or intercept mobile devices.
- attacks № 1085
SS7 Attack
Abuse of Signalling System No. 7 inter-carrier messages to locate subscribers, intercept SMS or divert calls anywhere in the world.
- attacks № 1046
SIM Cloning
Copying the secret key Ki from a SIM card so that a second card can impersonate the original on the mobile network.
- attacks № 1059
Smishing
Phishing delivered via SMS or other mobile-messaging channels to trick victims into clicking malicious links, calling fraudulent numbers, or revealing data.
● See also
- № 004 5G Security
- № 635 LTE Security
- № 314 Diameter Protocol