While reading some security articles, one headline in particular stood out and piqued my interest: Do you use burner phones during business travel? Here’s how you can be targeted. Personally, I am very into mobile and wireless security in general, which includes cellular/mobile networks as well as standard IP-based (Wi-Fi) networking. What goes on behind the scenes, with radio waves carrying data between your devices and a base station or access point, is simply amazing to me. For cellular devices, base stations spread throughout the world carry voice traffic and are also connected to the Internet, providing IP-based data service. Wi-Fi networks use access points (APs) to provide the same kind of wireless link.
There is much more to this simple abstraction, too much to cover in a single blog post. The point of this post is the article’s mention of an “IMSI catcher”. If that term doesn’t sound familiar, allow me to break it down. An IMSI is an international mobile subscriber identity, the number stored on the SIM card that uniquely identifies every subscriber of a cellular network. The word “catcher” should be obvious, and the two combined indicate a mechanism for capturing IMSI numbers. Cellular service providers must uniquely identify their subscribers in order to route calls and data between them; that is simply how the network has to work. The concern arises when other, non-service-provider actors find a way to do the same thing for whatever purpose, nefarious or not.
Most Internet users, hopefully all, are aware that cyber threats exist today, even if not by name or with an understanding of what they actually entail. One in particular, the man-in-the-middle (MitM) attack, is the highlight of this post. A MitM attack consists of an actor inserting itself into the communication between two devices, for example between an endpoint (cell phone or tablet) and the base station or AP it talks to. In IP-based networking we have rogue APs and evil twins; in mobile networks there are IMSI catchers, which in practice are fake base stations (also called cell-site simulators) that present themselves as the strongest cell in range so that nearby phones camp on them. The threats a MitM introduces are interception of and eavesdropping on communications, and it can also cause denial of service to a desired destination. IMSI catchers can additionally be used to narrow down your location, since a phone that answers a catcher’s identity request has just revealed that it is within radio range.
The way these networks (GSM/2G, 3G, LTE/4G, etc.) work differs, and those differences change how the IMSI is handled. More modern specifications require mutual authentication: the phone verifies the network before it trusts it, rather than only the network verifying the subscriber. That holds for 3G and 4G (through the AKA procedure), but not for GSM, where only the subscriber is authenticated and a fake base station is never required to prove itself. Even in 3G and 4G, though, a base station can send an Identity Request before authentication takes place, and the phone answers with its IMSI in cleartext; that is the step an IMSI catcher relies on, and it is only closed in 5G, where the permanent identity is sent encrypted (as a SUCI) to the home network. There are also downgrade attacks, where an actor jams or otherwise denies the newer networks to force a mobile device onto a less secure one. For instance, if you’re operating on a 3G or 4G network, a catcher can make those bands unavailable so the device falls back to GSM. Known weaknesses exist in 3G and 4G as well, and 5G is still being studied. It can seem fairly overwhelming, and it is, but it’s important to be aware that such threats exist.
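The difference between GSM’s one-way authentication and 3G/4G mutual authentication is easier to see in code. The following is an added example, not code from the original post or from any real network stack: HMAC-SHA256 stands in for the SIM’s real A3/A8 and Milenage functions, sequence numbers and resynchronisation are left out, and the key and IMSI are constructed values. A rogue station (one that does not hold the subscriber key K) gets the IMSI in cleartext in both cases, but only the GSM phone goes on to accept it as its network.

```python
"""Toy model of GSM one-way authentication versus 3G/4G mutual authentication
(AKA) against a fake base station. HMAC-SHA256 stands in for the SIM's real
A3/A8 and Milenage functions; sequence numbers and resync are omitted.
Everything here is constructed for illustration, not taken from a real network."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed long-term subscriber key K, held only by the SIM and the home network.
K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def keyed(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in for the keyed SIM functions (A3/A8, Milenage f1/f2)."""
    return hmac.new(key, label + data, hashlib.sha256).digest()


class SIM:
    def __init__(self, imsi: str, k: bytes) -> None:
        self.imsi = imsi
        self.k = k

    def identity_response(self) -> str:
        # In 2G/3G/4G an Identity Request arrives before authentication and is
        # answered with the IMSI in cleartext; this is the value a catcher harvests.
        return self.imsi

    def gsm_sres(self, rand: bytes) -> bytes:
        # GSM: the SIM proves knowledge of K to the network. Nothing in the
        # exchange lets the phone check that the network also knows K.
        return keyed(self.k, b"A3", rand)[:4]

    def aka_response(self, rand: bytes, autn: bytes) -> Optional[bytes]:
        # AKA: AUTN carries a MAC over RAND computed with K. A station that does
        # not hold K cannot produce it, so the SIM rejects the network.
        expected_mac = keyed(self.k, b"f1", rand)[:8]
        if not hmac.compare_digest(expected_mac, autn):
            return None
        return keyed(self.k, b"f2", rand)[:8]


class BaseStation:
    """k is the subscriber key for a genuine network, None for a rogue station."""

    def __init__(self, k: Optional[bytes]) -> None:
        self.k = k

    def gsm_challenge(self) -> bytes:
        return os.urandom(16)

    def aka_challenge(self) -> Tuple[bytes, bytes]:
        rand = os.urandom(16)
        # A rogue station can only guess the MAC; it was never given K.
        mac = keyed(self.k, b"f1", rand)[:8] if self.k is not None else os.urandom(8)
        return rand, mac


def gsm_attach(sim: SIM, bts: BaseStation) -> dict:
    imsi = sim.identity_response()
    sres = sim.gsm_sres(bts.gsm_challenge())
    # The phone has no way to reject the station: it answers and camps on it.
    return {"imsi_seen": imsi, "phone_accepted_network": True, "sres": sres}


def aka_attach(sim: SIM, bts: BaseStation) -> dict:
    imsi = sim.identity_response()  # still cleartext before authentication
    rand, autn = bts.aka_challenge()
    res = sim.aka_response(rand, autn)
    return {"imsi_seen": imsi, "phone_accepted_network": res is not None}


if __name__ == "__main__":
    sim = SIM("310150123456789", K)  # constructed IMSI
    for name, bts in [("genuine", BaseStation(K)), ("rogue", BaseStation(None))]:
        print(name, "GSM accepted:", gsm_attach(sim, bts)["phone_accepted_network"],
              "AKA accepted:", aka_attach(sim, bts)["phone_accepted_network"])
```

Note that `imsi_seen` is populated by the rogue station in both attach flows; mutual authentication stops the phone from trusting a fake network, but it does not stop the identity from leaking first. That is why a downgrade to GSM matters so much: it removes the one check that would otherwise make the phone walk away.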
There are many resources online for further reading if you’re interested. The Electronic Frontier Foundation wrote a piece on how IMSI catchers exploit cell networks, and there are open source projects dedicated to detecting IMSI catchers as well. One additional interesting piece is a write-up in which the author details their experience building a passive IMSI catcher.
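The detection projects mentioned above generally work from indicators visible to the phone rather than from anything the catcher announces. The block below is an added example of that kind of heuristic, written for this post; it is not code from any of those projects. The field names, the signal thresholds, the baseline of “known” cells and the observation log are all constructed assumptions, and a real detector would calibrate them against a longer capture.

```python
"""Heuristic IMSI-catcher indicators over a log of cell observations.
Constructed example: thresholds, cell identifiers and the log are invented."""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class CellObs:
    t: int        # seconds into the capture
    rat: str      # radio access technology: "LTE", "UMTS" or "GSM"
    mcc: str      # mobile country code
    mnc: str      # mobile network code
    lac: int      # location area code (2G/3G) or tracking area code (LTE)
    cid: int      # cell identity
    rssi: int     # received signal strength in dBm
    cipher: str   # GSM cipher in use ("A5/0" means none); "-" for UMTS/LTE


STRONG_SIGNAL = -85        # dBm: good enough that a voluntary downgrade is implausible
SUSPICIOUSLY_STRONG = -55  # dBm: a nearby, high-power transmitter
RAT_RANK = {"GSM": 2, "UMTS": 3, "LTE": 4}

CellKey = Tuple[str, str, int, int]


def detect_anomalies(obs: List[CellObs], known_cells: Set[CellKey]) -> List[Tuple[int, str]]:
    """Return (time, reason) pairs for observations that look like a catcher."""
    alerts: List[Tuple[int, str]] = []
    prev = None
    for o in obs:
        key = (o.mcc, o.mnc, o.lac, o.cid)
        # A cell never seen before that is also the loudest thing around.
        if key not in known_cells and o.rssi > SUSPICIOUSLY_STRONG:
            alerts.append((o.t, "unknown-cell-strong-signal"))
        # GSM with encryption switched off: catchers often do this to read traffic.
        if o.rat == "GSM" and o.cipher == "A5/0":
            alerts.append((o.t, "gsm-no-encryption"))
        if prev is not None:
            # Dropping to an older RAT while the previous cell was still strong.
            if RAT_RANK[o.rat] < RAT_RANK[prev.rat] and prev.rssi > STRONG_SIGNAL:
                alerts.append((o.t, "downgrade-with-good-signal"))
            # Same cell, new LAC: forces a location update that re-reveals identity.
            if (prev.mcc, prev.mnc, prev.cid) == (o.mcc, o.mnc, o.cid) and prev.lac != o.lac:
                alerts.append((o.t, "lac-changed-same-cell"))
        prev = o
    return alerts


# Constructed baseline of cells previously seen at this location.
KNOWN_CELLS: Set[CellKey] = {
    ("310", "410", 7100, 123456),
    ("310", "410", 7100, 123457),
    ("310", "410", 2201, 5001),
}

# Constructed capture: two normal LTE readings, then a strong unknown GSM cell
# with no cipher that changes LAC while keeping its cell id.
SAMPLE_LOG: List[CellObs] = [
    CellObs(0,  "LTE", "310", "410", 7100, 123456, -78, "-"),
    CellObs(30, "LTE", "310", "410", 7100, 123457, -82, "-"),
    CellObs(60, "GSM", "310", "410", 2201, 9999,   -48, "A5/0"),
    CellObs(90, "GSM", "310", "410", 2202, 9999,   -47, "A5/0"),
]


if __name__ == "__main__":
    for t, reason in detect_anomalies(SAMPLE_LOG, KNOWN_CELLS):
        print(f"t={t:>3}s  {reason}")
```

None of these indicators is conclusive on its own: a new cell can be a real upgrade, and a carrier may legitimately run GSM with weak ciphers. Several of them firing within a short window, as in the sample log, is what the detection projects treat as worth an alert.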
Summary and Conclusion
In summary, I covered real threats to cellular communications in the form of IMSI catchers and what they make possible. They include the common MitM threats of communication interception and denial of service, and also location tracking. Symptoms of such attacks aren’t always obvious, except for denial of service when communications are blocked altogether. Otherwise, unless someone were actively looking for intercepted communications or verifying every site they visit to make sure they weren’t redirected to an attacker-controlled one, it is entirely possible that they would have no idea they had been targeted and their session hijacked.
In conclusion, this post was mostly for awareness that IMSI catchers are a thing, and to start down the rabbit hole of mobile security, which is riddled with security implications, as is really anything digital. All in all, with so much information being communicated wirelessly without our noticing, that information is a prime target for threat actors and can be leveraged in various ways. Law enforcement agencies around the world have been known to use these weaknesses to catch bad guys, which isn’t necessarily bad, but the same technology has also been used to spy on a nation’s own citizens, which isn’t a good thing either.