Hunting for IMSI Catchers in the Wild

ESD Overwatch detection and geolocation of IMSI catchers

Firstly, what's an IMSI? It is your Individual Mobile Subscriber Identity assigned to your mobile phone or other cellular connected device. At its simplest, it can be used to identify you on a cellular network.



The IMSI Catcher Background


IMSI catchers pretend to be cell base stations or towers in order to trick your mobile phone or other cellular network device into connecting to them. Mobile phones (Android and iOS devices alike, with one exception on the market) aren't designed to check whether a cell base station or tower is legitimate, which means they have no way of detecting when they're connected to an IMSI catcher.


Mobile phones are designed to look for base stations and towers with better reception. They will connect to an IMSI catcher if the operator has configured it to replicate a base station or tower in the area of the target mobile phones. IMSI catchers can be or are used:

  • For collecting IMSIs from mobile phones from a particular area

  • To deny service to mobile phones that connect to them

  • By law enforcement agencies for tracking purposes


By knowing a target mobile phone's IMSI, the IMSI catcher operator can programme the catcher to only connect with that target's phone when in range. Once connected, the operator can use radio frequency mapping to direction-find the target mobile phone.


A basic IMSI catcher just captures a mobile phone's IMSI number. To intercept calls, a catcher requires a number of additional features that manufacturers charge for separately. 2G calls are easy to listen to: the systems for this have been available for over a decade and can be built for less than USD$1,500. The price of IMSI catcher call interception systems varies based on, for example, the number of cellular bands covered (2G, 3G, 4G), effective range, and decryption speed.


Though cellular carriers generally promote the strong call encryption of 3G and 4G+, these are merely "kind of" safer than 2G. IMSI catchers can feature add-ons that trick a 3G or 4G phone into thinking those connections are unavailable, forcing the phone down to weakly encrypted 2G. The forcing is done either by telling the phone to switch to 2G, or by jamming 3G/4G networks so that only the 2G signal from the IMSI catcher is available. With SS7 access, an attacker can get the decryption key needed from your mobile phone to decrypt your 3G and 4G communications.
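From the defender's side, the behaviour described above leaves two observable traces on a handset or sensor: a serving cell that is not in the site's surveyed baseline, often with unusually good reception, and a sudden drop to 2G right after a usable 3G/4G connection. The sketch below is an added example, not code from ESD Overwatch or any product named on this page; the record fields, thresholds and sample cell identities are assumptions, and a match is an indicator to investigate, not verification.

```python
from dataclasses import dataclass

RAT_RANK = {"2G": 2, "3G": 3, "4G": 4}  # higher rank = newer generation

@dataclass(frozen=True)
class Obs:
    t: int            # seconds since start of capture
    rat: str          # radio generation of the serving cell
    cell: str         # serving cell identity (MCC-MNC-LAC-CID)
    signal_dbm: int   # received signal strength of the serving cell

def find_suspicious(observations, known_cells, window_s=60,
                    usable_dbm=-100, strong_dbm=-70):
    """Return [(t, cell, [reasons])] for observations worth a closer look."""
    alerts, prev = [], None
    for o in sorted(observations, key=lambda x: x.t):
        reasons = []
        # A cell absent from the site survey is the first thing to explain.
        if o.cell not in known_cells:
            reasons.append("unknown-cell")
            # Phones prefer better reception, so a strong newcomer wins them.
            if o.signal_dbm >= strong_dbm:
                reasons.append("strong-signal")
        # Drop to 2G shortly after a usable 3G/4G connection.
        if (prev is not None and o.rat == "2G"
                and RAT_RANK[prev.rat] > RAT_RANK["2G"]
                and o.t - prev.t <= window_s
                and prev.signal_dbm >= usable_dbm):
            reasons.append("downgrade-to-2g")
        if reasons:
            alerts.append((o.t, o.cell, reasons))
        prev = o
    return alerts

# Constructed sample data; 001-01 is the test-network PLMN, not a real carrier.
KNOWN = {"001-01-1201-33001", "001-01-1201-20010"}
SAMPLE = [
    Obs(0, "4G", "001-01-1201-33001", -85),
    Obs(30, "4G", "001-01-1201-33001", -84),
    Obs(45, "2G", "001-01-9999-00017", -55),    # unknown, strong, sudden 2G
    Obs(200, "2G", "001-01-9999-00017", -56),   # still camped on it
    Obs(400, "4G", "001-01-1201-33001", -86),
    Obs(2000, "2G", "001-01-1201-20010", -95),  # known 2G cell, slow fallback
]

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE, KNOWN):
        print(alert)
```

The last sample row shows the false-positive case the thresholds are there to avoid: a fallback to a surveyed 2G cell long after the last 4G reading raises nothing.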


Contemporary detection of IMSI catchers is flaky:

  • Carrier network operators may sometimes see anomalies in their networks, caused by IMSI catcher activity, but the operators cannot locate the catchers or verify what they are.

  • Centrally dedicated teams (such as the teams assigned by the FCC in the US) are limited by knowledge and response-time constraints.

  • Some mobile phone users have made use of applications (typically open-source) to detect IMSI catchers, but most of the applications cannot verify what signal is received.

What Can a Large Corporate or a Government or a Government Agency Do About IMSI Catchers?


By employing a real-time IMSI catcher detection system (ESD Overwatch), large corporates (such as banks, insurers, miners, energy, aerospace, land and ocean transport, and manufacturers) and governments (covering areas such as head of state, diplomatic missions, ministries, treasury and reserve bank, military, special forces, police, customs/border protection) will be able to detect and monitor cellular attacks in real time, onshore in-country and offshore in foreign countries, wherever the detection system is deployed and operating, against:


  • IMSI catchers

  • Baseband processor attacks

  • Rogue base stations

  • Cellular jamming


ESD Overwatch Sensors can be placed onshore and offshore for IMSI catcher detection, managed centrally on an Overwatch server back in your corporate headquarters or secure datacentre, or in your responsible government agency or agencies. Sensors can be deployed in and on fixed and moving environments, such as:


  • Military assets (land vehicles, aircraft and ocean vessels, military bases)

  • Embassies and high commissions

  • Airports and seaports

  • Utilities facilities

  • Vehicle fleets

  • People (by specially configured ESD/GSMK Cryptophones, currently the CP500i, carrying the ESD Overwatch Sensor App).

The benefits for large corporates and governments using our partners' ESD Overwatch solution include the ability to detect and locate surveillance and attempted interception of your cellular communications by corporate and criminal actors and foreign states. Your corporate and government onshore and offshore operations can deploy ESD Overwatch Sensors and ESD Overwatch Sensor Apps on ESD/GSMK Cryptophones to proactively detect and locate IMSI catcher attacks.


Aitchison Reid Consulting Pty Ltd is ESD America's authorised reseller of ESD Overwatch and ESD/GSMK Cryptophone (encrypted phones).


Contact Aitchison Reid Consulting Pty Ltd anytime to arrange a private, confidential, encrypted and secure conversation about your corporate's or government's requirements.