© 2019 Aitchison Reid Consulting Pty Ltd, a company incorporated in Australia. Trading as ARC Solutions and Aitchison Reid Consulting. ACN 158 303 774. ABN 56 347 951 609.

 

Disclaimer: The commentary and information on this website is not legal advice, IT, risk, management or general advice. Seek advice on matters of interest arising from the commentary and information on this website. Any reference made on this website to law practice Aitchison Reid Pty Ltd or Aitchison Reid Consulting Pty Ltd does not imply any warranty or any guarantee from Aitchison Reid Pty Ltd or Aitchison Reid Consulting Pty Ltd for the reference made. 

 

 

Terms of Use & Privacy Policy | News & Publications | About Us | Contact

 

.

    • Twitter Clean Grey
    • Facebook Clean Grey
    • LinkedIn Clean Grey

    IMSI Catcher Mitigation

    Firstly, what's an IMSI? It is your Individual Mobile Subscriber Identity assigned to your mobile phone or other cellular connected device. At its simplest, it can be used to identify you on a cellular network.

     

     

    The IMSI Catcher Background

     

    IMSI catchers pretend to be cell base stations or towers in order to trick your mobile phone or other cellular network device into connecting to it. Mobile phones (such as Androids and iOS, but for one exception on the market) aren't designed to detect whether or not a cell base station or tower is legitimate, which means mobile phones have no way of detecting when they're connected to an IMSI catcher.

     

    Mobile phones are designed to look for base stations and towers with better reception. They will connnect to an IMSI catcher if the catcher is configured by the operator to replicate a base station or tower in the area of the target mobile phones. IMSI catchers can be or are used:
     

    • For collecting IMSIs from mobile phones from a particular area
       

    • To deny service to mobile phones that connect to them
       

    • By law enforcement agencies for tracking purposes

     

    By knowing a target mobile phone's IMSI, the IMSI catcher operator can programme the catcher to only connect with that target's phone when in range. Once connected, the operator can use radio frequency mapping to direction-find the target mobile phone.

     

    A basic IMSI catcher just captures a mobile phone's IMSI number. To intercept calls, a catcher requires a number of additional features charged for separately by manufacturers. 2G calls are easy to listen to - the systems for this have been available for over a decade and can be built for less than USD$1,500. The price of IMSI catcher call interception systems vary based on for example the number of cellular bands covered (2G, 3G, 4G), effective range, and decryption speed.

     

    Though cellular carriers generally promote strong encryption call security on 3G and 4G+, compared to 2G they're merely "kind of" safer. IMSI catchers can feature add ons that trick a 3G or 4G phone into thinking those connections are unavailable, forcing the phone down to weakly encrypted 2G. The forcing is done by either telling the phone to switch to 2G, or by jamming 3G/4G networks so only the 2G signal from the IMSI catcher is available. With SS7 access, an attacker can get the decryption key needed from your mobile phone to decrypt your 3G and 4G communications.

     

    Contemporary detection of IMSI catchers is flakey:
     

    • Carrier network operators may sometimes see anomalies in their networks, caused by IMSI catcher activity, but the operators cannot locate the catchers or verify what they are.
       

    • Centrally dedicated teams (such as the teams assigned by the FCC in the US) are fraught with knowledge and response time constraints.
       

    • Some mobile phone users have made use of applications (typically open-source) to detect IMSI catchers, but most of the applications cannot verify what signal is received.

    What Can a Large Corporate or a Government or a Government Agency Do About IMSI Catchers?

     

    By employing a real-time IMSI catcher detection system (ESD Overwatch), large corporates such as banks, insurers, miners, energy, aerospace, land and ocean transport, manufacturers and governments (covering areas such as head of state, diplomatic missions, ministries, treasury and reserve bank, military, special forces, police, customs/border protection) will be able to detect and monitor cellular attacks in real-time onshore in-country and offshore in foreign countries where the detection system is deployed and operating against:

     

    • IMSI catchers
       

    • Baseband processor attacks
       

    • Rogue base stations
       

    • Cellular jamming

     

    ESD Overwatch Sensors can be placed onshore and offshore for IMSI catcher detection, managed centrally on an Overwatch server back in your corporate headquarters or secure datacentre, or in your responsible government agency or agencies. Sensors can be deployed in and on fixed and moving environments, such as:

     

    • Military assets (land vehicles, aircraft and ocean vessels, military bases)
       

    • Embassies and high commissions
       

    • Airports and seaports
       

    • Utilities facilities
       

    • Vehicle fleets
       

    • People (by specially configured ESD/GSMK Cryptophones,
      currently the CP500i, carrying the ESD Overwatch Sensor App).

    For large corporates and the governments of NZ, Fiji and Solomon Islands and elsewhere across Polynesia and Melanesia, ARC Solutions can help you mitigate your IMSI catcher vulnerabilities through our partnership with ESD America/GSMK Cryptophone.

     

    The benefits for large corporates and governments using our partners' ESD Overwatch solution includes the ability to detect and locate surveillance and attempted interception of your cellular communications by corporate and criminal actors and foreign states. Your corporate and government onshore and offshore operations can deploy ESD Overwatch Sensors and ESD Overwatch Sensor Apps on ESD/GMSK Cryptophones to proactively detect and locate IMSI catcher attacks.

     

    ARC Solutions is ESD America's authorised reseller of ESD Oversight (SS7 vulnerability mitigation), ESD Overwatch and ESD/GSMK Cryptophone (encrypted phones).

     

    Contact ARC Solutions anytime to arrange a private, confidential, encrypted and secure conversation about your corporate's or government's requirements.