Just $1,400 to build an IMSI catcher-like device to track phones

A group of researchers demonstrated that it is possible to build a low-cost IMSI catcher for 4G/LTE networks and use it to track phone locations.

IMSI catchers for 4G/LTE networks are very expensive devices used to track phone locations. Now a group of researchers has found a way to track devices on the latest LTE standard for mobile networks with a far cheaper setup: a hardware outlay of just $1,400.

The equipment designed by the researchers runs freely available open-source software and causes all LTE-compliant phones to leak their location to within a 32- to 64-foot (about 10 to 20 meter) radius, and in some cases their GPS coordinates.

The researchers also developed a number of attacks that cause phones to lose their connection to the LTE network, after which the device downgrades to the less secure 2G and 3G mobile specifications.

The 2G, or GSM, protocols are notoriously vulnerable to man-in-the-middle attacks, in which an IMSI catcher acts as a bogus base station. 2G networks are also vulnerable to attacks that can reveal the location of a mobile device to within about 0.6 square miles.

3G networks are not immune either, and users now face a similar problem on LTE networks. The experts explained that the LTE protocol attempts to conceal the user's location by assigning the device a dynamic Temporary Mobile Subscriber Identity (TMSI) rather than any permanent identifier.

“The LTE access network security protocols promise several layers of protection techniques to prevent tracking of subscribers and ensure availability of network services at all times. We have shown that the vulnerabilities we discovered in LTE access network security protocols lead to new privacy and availability threats to LTE subscribers,” wrote the researchers in the paper titled ‘Practical attacks against privacy and availability in 4G/LTE mobile communication systems.’ “We demonstrated that our attacks can be mounted using open source LTE software stack and readily available hardware at low cost. We tested several handsets with LTE support of major baseband vendors and demonstrated that all of them are vulnerable to our attacks.”

The attacks against 2G networks rely on invisible text messages or imperceptibly brief calls that allow the attackers to discover the location of the mobile phone.

The experts also discovered that paging requests can be triggered by social messaging apps (e.g. Facebook and WhatsApp); in this way the attacker can link the receiver's Facebook profile to the TMSI and then locate the phone.

“But messages from people who are not in the friend list may be directed to the ‘Other’ folder. Further, the user is not notified upon the reception of the message into the ‘Other’ folder. In fact, the user himself has to manually check ‘Other’ folder to even notice that there are waiting messages,” states the paper. “When an LTE subscriber has the Facebook application installed on his LTE device, all incoming Facebook messages, including those that end up in the ‘Other’ folder, trigger a paging request by the network. Other Facebook features, such as repeated friend requests or poking (depending on the user’s profile settings) also trigger paging requests.”

The researchers describe the technique as “semi-passive” because it relies on passive monitoring of network traffic instead of running MITM attacks on the target with a bogus base station (eNodeB, or evolved NodeB).
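The privacy property at stake in the paragraphs above is linkability: a listener on the paging channel sees only TMSIs, so a subscriber stays trackable for as long as the network keeps the same TMSI attached to them. The toy model below is an added illustration, not code from the paper, the OpenLTE project or any real network; it assumes a hypothetical `reallocate_every` policy parameter, a constructed test IMSI, and a counter-based TMSI generator in place of the random values a real network would assign. It compares the weak behaviour (a TMSI that is never reallocated) with frequent reallocation, the mitigation that limits how many paging events can be tied to one subscriber.

```python
# Added illustration (not code from the paper or the OpenLTE project): a toy
# model of LTE paging privacy showing why a temporary identifier (TMSI) must
# be reallocated frequently.  A passive listener on the paging channel sees
# only TMSIs; the longer one TMSI stays attached to a subscriber, the more
# paging events it can link together.
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, List, Optional

_tmsi_seq = count(1)


def new_tmsi() -> str:
    """Issue a fresh, never-reused TMSI.  Real networks pick random values;
    a counter keeps this toy deterministic."""
    return f"TMSI-{next(_tmsi_seq):04x}"


@dataclass
class Subscriber:
    imsi: str          # permanent identity, never sent on the paging channel
    tmsi: str          # temporary identity, the only thing a listener sees


@dataclass
class Network:
    # Hypothetical policy knob: reallocate a subscriber's TMSI after this many
    # pagings; None = never (the weak behaviour that keeps a phone linkable).
    reallocate_every: Optional[int]
    subscribers: Dict[str, Subscriber] = field(default_factory=dict)
    paging_log: List[str] = field(default_factory=list)  # listener's view
    _pagings: Dict[str, int] = field(default_factory=dict)

    def attach(self, imsi: str) -> Subscriber:
        """Attach a subscriber and hand out an initial TMSI."""
        sub = Subscriber(imsi, new_tmsi())
        self.subscribers[imsi] = sub
        return sub

    def page(self, imsi: str) -> None:
        """Deliver a paging request (e.g. an incoming app message) to a
        subscriber; the TMSI is broadcast in clear on the paging channel."""
        sub = self.subscribers[imsi]
        self.paging_log.append(sub.tmsi)
        self._pagings[imsi] = self._pagings.get(imsi, 0) + 1
        if self.reallocate_every and self._pagings[imsi] % self.reallocate_every == 0:
            sub.tmsi = new_tmsi()   # mitigation: break linkability


def largest_linkable_chain(paging_log: List[str]) -> int:
    """Largest number of paging events a passive listener can tie to one
    identifier, i.e. how long a subscriber stays trackable."""
    seen: Dict[str, int] = {}
    for tmsi in paging_log:
        seen[tmsi] = seen.get(tmsi, 0) + 1
    return max(seen.values(), default=0)


def simulate(reallocate_every: Optional[int], pagings: int) -> int:
    """Page one subscriber `pagings` times under a reallocation policy and
    report the longest chain a listener could link."""
    net = Network(reallocate_every)
    test_imsi = "001010123456789"    # constructed test IMSI (MCC 001 / MNC 01)
    net.attach(test_imsi)
    for _ in range(pagings):
        net.page(test_imsi)
    return largest_linkable_chain(net.paging_log)


if __name__ == "__main__":
    for policy in (None, 5, 1):
        print(f"reallocate_every={policy!s:>4}: longest linkable chain "
              f"over 20 pagings = {simulate(policy, 20)}")
```

With no reallocation every one of the 20 pagings carries the same TMSI, so the whole run is linkable; reallocating after every paging reduces the linkable chain to a single event. The model deliberately omits timing and cell identity, which is where the real-world precision of the attack comes from; it only shows what the identifier policy alone buys a subscriber.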

The experts built the eNodeB using a computer-controlled radio known as a Universal Software Radio Peripheral (USRP) running an open-source implementation of the LTE specification called OpenLTE. The hardware costs about €1,250 (about $1,400), well below the tens of thousands of dollars an IMSI catcher costs.

The researchers also detailed the attacks against 4G (LTE) access network protocols in a blog post.

The researchers will present the findings of their study at upcoming conferences, including the Black Hat Security conference in Amsterdam, the T2 Security conference 2015, and the Internet Society NDSS conference.


Pierluigi Paganini

(Security Affairs – IMSI catcher, LTE)

