Anatomy of Commercial IMSI Catchers and Detectors

IMSI catchers threaten the privacy of mobile phone users by identifying and tracking them. Commercial IMSI catcher products exploit vulnerabilities in cellular network security standards to lure nearby mobile devices. Commercial IMSI catcher's technical capabilities and operational details are still kept as a secret and unclearly presented due to the lack of access to these products from the research perspective. On the other hand, there are several solutions to detect such IMSI catchers to protect the privacy of mobile subscribers. However, detecting IMSI catchers effectively on commercial smartphones is still a challenge. In this paper, we present a systematic study of IMSI catchers, especially commercially available ones. Starting from publicly available product brochures, we analyze information from the international patent databases, attacking techniques used by them and vulnerabilities exploited in cellular networks (2G, 3G, and 4G). To this end, we survey IMSI catcher detection techniques and their limitations. Finally, we provide insights that we believe help guide the development of more effective and efficient IMSI catcher detection techniques.

[1]  Kenneth van Rijsbergen The effectiveness of a homemade IMSI catcher build with YateBTS and a BladeRF , 2016 .

[2]  Ravishankar Borgaonkar,et al.  Weaponizing Femtocells: The Effect of Rogue Devices on Mobile Telecommunications , 2012, NDSS.

[3]  Alex Biryukov,et al.  Real Time Cryptanalysis of A5/1 on a PC , 2000, FSE.

[4]  Dirk Fox Der IMSI-Catcher , 2002, Datenschutz und Datensicherheit.

[5]  Jovan Dj. Golic,et al.  Cryptanalysis of Alleged A5 Stream Cipher , 1997, EUROCRYPT.

[6]  Cristina Cano,et al.  srsLTE: an open-source platform for LTE evolution and experimentation , 2016, WiNTECH@MobiCom.

[7]  Elena Dubrova,et al.  Protecting IMSI and User Privacy in 5G Networks , 2016, MobiMedia.

[8]  Edgar Weippl,et al.  On Security Research Towards Future Mobile Network Generations , 2017, IEEE Communications Surveys & Tutorials.

[9]  Patrick Traynor,et al.  Sonar: Detecting SS7 Redirection Attacks with Audio-Based Distance Bounding , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[10]  Benjamin Richard,et al.  Achieving Better Privacy for the 3GPP AKA Protocol , 2016, Proc. Priv. Enhancing Technol..

[11]  Yunhao Liu,et al.  FBS-Radar: Uncovering Fake Base Stations at Scale in the Wild , 2017, NDSS.

[12]  Elisa Bertino,et al.  LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE , 2018, NDSS.

[13]  Edgar R. Weippl,et al.  The Messenger Shoots Back: Network Operator Based IMSI Catcher Detection , 2016, RAID.

[14]  Muxiang Zhang,et al.  Provably-Secure Enhancement on 3GPP Authentication and Key Agreement Protocol , 2003, IACR Cryptol. ePrint Arch..

[15]  Thomas F. La Porta,et al.  Exploiting open functionality in SMS-capable cellular networks , 2005, CCS '05.

[16]  Hai Thanh Nguyen,et al.  A Network Based IMSI Catcher Detection , 2016, 2016 6th International Conference on IT Convergence and Security (ICITCS).

[17]  Hai Thanh Nguyen,et al.  Detecting IMSI-Catcher Using Soft Computing , 2015, SCDS.

[18]  Wenyuan Xu,et al.  FBSleuth: Fake Base Station Forensics via Radio Frequency Fingerprinting , 2018, AsiaCCS.

[19]  Chih-Ya Shen,et al.  S-AKA: A Provable and Secure Authentication Key Agreement Protocol for UMTS Networks , 2011, IEEE Transactions on Vehicular Technology.

[20]  Stig Fr. Mjølsnes,et al.  Easy 4G/LTE IMSI Catchers for Non-Programmers , 2017, MMM-ACNS.

[21]  Do Van Thanh,et al.  Strengthening Mobile Network Security Using Machine Learning , 2016, MobiWIS.

[22]  Yongdae Kim,et al.  Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[23]  Chris J. Mitchell,et al.  Trashing IMSI catchers in mobile networks , 2017, WISEC.

[24]  Thorsten Holz,et al.  Breaking LTE on Layer Two , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[25]  Edgar R. Weippl,et al.  IMSI-catch me if you can: IMSI-catcher-catchers , 2014, ACSAC.

[26]  Jean-Pierre Seifert,et al.  SMS of Death: From Analyzing to Attacking Mobile Phones on a Large Scale , 2011, USENIX Security Symposium.

[27]  Valtteri Niemi,et al.  Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems , 2015, NDSS.

[28]  Jean-Pierre Seifert,et al.  White-Stingray: Evaluating IMSI Catchers Detection Applications , 2017, WOOT.

[29]  Jean-Pierre Seifert,et al.  New vulnerabilities in 4G and 5G cellular access network protocols: exposing device capabilities , 2019, WiSec.

[30]  Songwu Lu,et al.  Exposing LTE Security Weaknesses at Protocol Inter-layer, and Inter-radio Interactions , 2017, SecureComm.

[31]  Ian Smith,et al.  SeaGlass: Enabling City-Wide IMSI-Catcher Detection , 2017, Proc. Priv. Enhancing Technol..

[32]  Marc Dacier,et al.  Research in Attacks, Intrusions and Defenses , 2014, Lecture Notes in Computer Science.

[33]  Joeri de Ruiter,et al.  Defeating IMSI Catchers , 2015, CCS.

[34]  Guanhua Yan,et al.  Emulation-Instrumented Fuzz Testing of 4G/LTE Android Mobile Devices Guided by Reinforcement Learning , 2018, ESORICS.

[35]  Yongdae Kim,et al.  GUTI Reallocation Demystified: Cellular Location Tracking with Changing Temporary Identifier , 2018, NDSS.

[36]  Mark Ryan,et al.  New privacy issues in mobile telephony: fix and verification , 2012, CCS.

[37]  Michael W. Berry,et al.  Soft Computing in Data Science , 2015, Communications in Computer and Information Science.