What is an IMSI catcher

In 2017, Signalwing purchased a company which specialized in developing IMSI catchers, but these devices were only sold to Chinese police stations and law-enforcement departments. Our management team wanted me to promote them to overseas markets and sent me the product introduction file and manual. I read it and tried to translate it into English, but most of the terminology was translated incorrectly. I translated the device name as "Mobile 2G+3G+4G Full-Frequency Detection Equipment System" and "Mobile Code IMSI Detect Device Introduction", but I didn't know there was a general term called "IMSI catcher" or "Stingray Spy". Then one day a client from a Middle Eastern country visited us; while we were discussing and demonstrating our device to them, I learned these terms, which really impressed me. I googled it and learned more from Wikipedia: this kind of product is generally called an IMSI catcher. Here is the definition from Wikipedia:

An international mobile subscriber identity-catcher, or IMSI-catcher, is a telephone eavesdropping device used for intercepting mobile phone traffic and tracking location data of mobile phone users.

Working Principle

In 2G/3G/4G networks, an attacker can obtain a target phone's location with fairly simple equipment, compared with the coming 5G network. This is because every time a mobile phone needs to connect to the network, it must announce "I am so-and-so", and the attacker can determine the approximate location of the phone from the information the phone reports. Technically speaking, the "I am so-and-so" the phone announces is its IMSI, which is unique in the world, just like your ID number. Imagine everyone shouting their ID number on the street: it would be much easier to track someone.

Of course, the IMSI is so sensitive that it is not carried in every message the phone sends. The phone also has a temporary identity (GUTI/TMSI), which is normally used when transmitting data. The phone sends its own IMSI only in special scenarios. So when will the phone send its IMSI?

0x01 Under what circumstances will the phone send an IMSI?

Scenario 1: When the mobile phone connects to a normal network

After the phone is powered on, it reads the temporary identity (GUTI/TMSI) previously allocated by the operator from the USIM and sends signaling carrying that identity to the base station to request access to the operator's network. The base station forwards the message to the MME in the core network. If the MME can look up the real identity corresponding to that GUTI/TMSI, the phone is allowed to access the network. If the MME cannot, it must initiate a real-identity verification, the "Identity Request", which requires the phone to provide its real identity, the IMSI.

The legitimate situations that normally trigger this real-identity check are when the phone first enters the network or when it moves into the coverage of another MME: the MME cannot look up the phone's GUTI/TMSI, so the phone has to report its true identity.

In this scenario, an attacker can capture the phone's IMSI simply by passive monitoring.

Scenario 2: When the mobile phone accesses a pseudo base station (fake base station) network

The pseudo base station overpowers the real base station with higher signal strength to pull in the phone (the phone automatically selects the base station with the strongest signal), then forcibly sends an "Identity Request" to the connected phone, and the phone dutifully reports its true identity.

In this scenario the attacker is active: it must operate a pseudo base station and continuously send "Identity Request" messages to obtain the real identities of the surrounding phones.
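As an added defender-side example, not part of the original post or the vendor's product, the following Python turns the difference between the two scenarios into a detection heuristic over a constructed log of NAS signaling events: a genuine network asks for the IMSI only when it cannot resolve the GUTI/TMSI, so a cell that does so for nearly every GUTI-based request is suspect. Cell identifiers, the string message names, the sample events and the thresholds are assumptions.

```python
"""Heuristic IMSI-catcher detector over observed NAS signaling (constructed example).
A real MME asks for the IMSI only when it cannot resolve the GUTI/TMSI the phone
presented; a cell that does so for nearly every GUTI-based request looks like an
active catcher."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class NasEvent:
    cell_id: str  # serving cell identifier (constructed values)
    ue: str       # pseudonymous handle for the observed phone
    msg: str      # ATTACH_REQUEST, TAU_REQUEST or IDENTITY_REQUEST
    ident: str    # identity carried (GUTI/IMSI) or identity type requested

def cell_stats(events):
    """Per cell: [GUTI-based access requests, IMSI Identity Requests answering one]."""
    pending = {}  # (cell, ue) -> did the last access request carry a GUTI?
    stats = defaultdict(lambda: [0, 0])
    for ev in events:
        key = (ev.cell_id, ev.ue)
        if ev.msg in ("ATTACH_REQUEST", "TAU_REQUEST"):
            pending[key] = ev.ident == "GUTI"
            stats[ev.cell_id][0] += pending[key]
        elif ev.msg == "IDENTITY_REQUEST" and ev.ident == "IMSI":
            stats[ev.cell_id][1] += pending.pop(key, False)
    return stats

def suspicious_cells(events, known_cells, threshold=0.5, min_requests=3):
    """Cells whose IMSI-request ratio is high enough to resemble an active catcher."""
    flagged = []
    for cell, (guti_reqs, imsi_reqs) in cell_stats(events).items():
        ratio = imsi_reqs / guti_reqs if guti_reqs else 0.0
        if guti_reqs >= min_requests and ratio >= threshold:
            reasons = [f"{imsi_reqs}/{guti_reqs} GUTI requests answered by IMSI Identity Request"]
            if cell not in known_cells:
                reasons.append("cell id not in operator cell list")
            flagged.append((cell, ratio, reasons))
    return flagged

KNOWN_CELLS = {"cell-A"}  # constructed operator cell list
SAMPLE = [NasEvent(*f) for f in [  # constructed capture: cell-A normal, cell-X catcher-like
    ("cell-A", "ue1", "ATTACH_REQUEST", "GUTI"), ("cell-A", "ue2", "ATTACH_REQUEST", "GUTI"),
    ("cell-A", "ue3", "ATTACH_REQUEST", "GUTI"), ("cell-A", "ue4", "TAU_REQUEST", "GUTI"),
    ("cell-A", "ue4", "IDENTITY_REQUEST", "IMSI"),  # new MME area: legitimate
    ("cell-A", "ue5", "ATTACH_REQUEST", "IMSI"),    # first attach, no GUTI yet
    ("cell-X", "ue1", "ATTACH_REQUEST", "GUTI"), ("cell-X", "ue1", "IDENTITY_REQUEST", "IMSI"),
    ("cell-X", "ue2", "TAU_REQUEST", "GUTI"), ("cell-X", "ue2", "IDENTITY_REQUEST", "IMSI"),
    ("cell-X", "ue3", "TAU_REQUEST", "GUTI"), ("cell-X", "ue3", "IDENTITY_REQUEST", "IMSI"),
]]
if __name__ == "__main__":
    for cell, ratio, reasons in suspicious_cells(SAMPLE, KNOWN_CELLS):
        print(f"{cell}: {'; '.join(reasons)}")
```

On the constructed capture only cell-X is flagged; cell-A's single Identity Request after a tracking-area update is the legitimate case from Scenario 1.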

A tool for obtaining IMSIs in this way is called an IMSI catcher, and one of the better-known tools is Stingray, which is currently used by some law enforcement agencies. Stingray is an IMSI catcher with both passive monitoring (listening plus data analysis) and active attack (forged base station) capabilities. By acquiring the IMSI, TMSI and IMEI, it can obtain further information about the mobile terminal. The equipment is very portable and can be installed in aircraft, cars, drones and other vehicles to carry out the two scenarios above; the device can also map the distribution of base stations, perform data analysis, track the location of a target phone, monitor communication content, carry out DDoS attacks, etc.

