
Secplicity - Security Simplified

Powered by WatchGuard Technologies

Mobile Security and IMSI-Catchers

January 13, 2020 By Emil Hozan

While reading some security articles, one headline in particular stood out and piqued my interest: "Do you use burner phones during business travel? Here's how you can be targeted." Personally, I am super into mobile and wireless security in general, including cellular/mobile networks and even just standard IP-based networking. The events going on behind the scenes, with radio waves being transmitted between your devices and a base station or access point, are simply amazing to me. For cellular devices, base stations spread throughout the world carry voice communications and are also connected to the Internet, allowing IP-based networking. IP-based networking, in turn, uses access points (APs) to provide these wireless links.

There is much more to this simple abstraction, too much to write and ingest in a single blog post. But the point of this post is the article's mention of an "IMSI catcher". If that term doesn't sound familiar, allow me to break it down. An IMSI is an international mobile subscriber identity, a number used to uniquely identify every user of a cellular network. The word "catcher" should be obvious here, and the two combined indicate a mechanism for capturing IMSI numbers. Cellular service providers must uniquely identify their subscribers to allow communications amongst them; that's simply how call routing has to work. The concern arises when other, non-service-provider actors discover a way of doing this for whatever purpose, be it nefarious or not.

Most Internet users, hopefully all, are aware of the cyber threats that exist today. Maybe you are aware of the threats but not by name, or not what they actually mean or entail. One in particular, the man-in-the-middle (MitM) attack, is the highlight of this post. A MitM attack consists of an actor intercepting communication between one device and another, for example an endpoint device (cell phone or tablet) communicating with a base station or AP. In IP-based networking we have rogue APs or evil twins; with mobile networks, there are IMSI catchers. The threats a MitM attack introduces are interception of and eavesdropping on communications, and it can also cause denial of service to a desired destination. IMSI-catchers, however, can also be used to narrow down your location.

The way voice networks (GSM, 3G, LTE, etc.) work differs from generation to generation, and those differences change the way IMSI information is handled. From my understanding as of now, more modern specifications ensure users are authenticated to a base station prior to exchanging information. This somewhat holds true for the 3G and 4G protocols, but that's not the case for GSM networks. There are, however, threats where actors can leverage vulnerabilities to force mobile devices onto a less secure network; these are known as downgrade attacks. For instance, if you're operating on a 3G network, exploits exist that can force a device into connecting via GSM. In addition, many unknown threats currently exist in 3G and 4G, and even 5G. It can seem fairly overwhelming, and it is, but it's important to be aware that such threats exist.

There are many resources online for further reading if you're interested. The Electronic Frontier Foundation wrote a piece on how IMSI-catchers exploit cell networks, and there are open source projects dedicated to detecting IMSI-catchers as well. One additional interesting piece of information is this link, where the author details their experience in building a passive IMSI-catcher.
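As an added illustration of the kind of heuristics such detection projects rely on (this is example code written for this page, not code from the post or from any of the projects it links to), the following Python scores a constructed sequence of serving-cell observations for the downgrade and rogue-cell signs discussed above. The cell identifiers, the known-cell baseline and the signal threshold are assumptions; a real tool would read the observations from the phone's baseband.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass
class CellObs:
    ts: int          # seconds since start of capture (constructed)
    rat: str         # radio access technology: "LTE", "UMTS" or "GSM"
    lac: int         # location area code (tracking area code on LTE)
    cell_id: int
    rssi: int        # signal strength in dBm
    cipher: str      # GSM ciphering reported by the baseband, e.g. "A5/1"; "A5/0" = none

# Hypothetical baseline: (lac, cell_id) pairs this phone has camped on before
# at this location. An IMSI catcher advertises a cell never seen in the baseline.
KNOWN_CELLS: Set[Tuple[int, int]] = {(1201, 50311), (1201, 50312), (1201, 50320)}
STRONG_DBM = -85   # assumed: above this, the phone had no reason to leave LTE/3G

def check(prev: Optional[CellObs], cur: CellObs, known: Set[Tuple[int, int]]) -> List[str]:
    """Return the heuristic reasons this observation looks like a rogue base station."""
    reasons = []
    if (cur.lac, cur.cell_id) not in known:
        reasons.append("unknown cell")
    if cur.rat == "GSM" and cur.cipher == "A5/0":
        reasons.append("ciphering disabled")
    if prev and prev.rat in ("LTE", "UMTS") and cur.rat == "GSM" and prev.rssi > STRONG_DBM:
        reasons.append(f"downgrade {prev.rat}->GSM despite strong {prev.rat} signal")
    if prev and prev.lac != cur.lac and cur.rssi > STRONG_DBM and (cur.lac, cur.cell_id) not in known:
        reasons.append("new LAC appeared with strong signal")
    return reasons

def analyze(obs: List[CellObs], known: Set[Tuple[int, int]] = KNOWN_CELLS) -> List[Tuple[int, List[str]]]:
    """Flag observations that trip at least two independent heuristics (cuts false positives)."""
    flagged, prev = [], None
    for cur in obs:
        r = check(prev, cur, known)
        if len(r) >= 2:
            flagged.append((cur.ts, r))
        prev = cur
    return flagged

# Constructed capture: normal LTE camping, then a sudden drop to an unknown,
# unencrypted GSM cell on a new LAC while the LTE signal was still strong.
SAMPLE = [
    CellObs(0, "LTE", 1201, 50311, -78, "n/a"),
    CellObs(30, "LTE", 1201, 50312, -80, "n/a"),
    CellObs(60, "GSM", 9999, 1, -60, "A5/0"),
    CellObs(90, "GSM", 9999, 1, -61, "A5/0"),
]

if __name__ == "__main__":
    for ts, reasons in analyze(SAMPLE):
        print(f"t={ts}s suspicious: {'; '.join(reasons)}")
```

On the constructed capture the observation at 60 s trips all four heuristics and the one at 90 s trips two, while the earlier LTE observations trip none.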


Summary and Conclusion

In summary, I talked about real threats to cellular communications in the form of IMSI-catchers and the threats they pose. These include common MitM threats such as interception of communications, denial of service, and even location tracking. Symptoms of such attacks aren't always obvious, except for denial of service when communications are being blocked altogether. Otherwise, if someone wasn't actively looking out for intercepted communications or verifying every site they visit to ensure they weren't sent to an attacker-controlled website, it is entirely possible that they would have no idea that they've been targeted and their session hijacked.

In conclusion, this post was more for awareness that IMSI-catchers are a thing and to start the path down the rabbit hole of mobile security, which is riddled with security implications, as is really anything digital. All in all, with so much information being wirelessly communicated unbeknownst to us, this information is a prime target for threat actors and can be leveraged in various ways. Law enforcement agencies around the world have been known to use these security flaws in catching bad guys, which isn’t necessarily bad, but these technologies have also been used to spy on a nation’s citizens, which isn’t necessarily a good thing either.

Filed Under: Editorial Articles Tagged With: cellular security, wireless security
