LTE Catcher & Stingrays 2.0

IMSI-Catcher of the new generation:
Also known as: Hailstorm’s “Stingray”, Rayzone’s “Piranha”  
They all have the GSM IMSI-Catcher features, plus new SS7, UMTS/LTE features  

I want to compare the two devices and find out if there is an alternative method for all modes of operation with a 2.0 catcher.

Short conclusion:

1. Catching IMSIs is much easier with LTE, and so are the other methods that are used.

2. The GSM features remain as a fallback, for example if the SS7 attack doesn’t work.

3. The possibilities of manipulating the firmware are more advanced than in 2G.



Details about SS7 requests and messages.

TS 29.338 Section 6.3.2
TS 29.305 Section A2.5.2.3

Papers about LTE & SS7 Security
[1] http://arxiv.org/pdf/1510.07563v2.pdf
http://dl.ifip.org/db/conf/networking/networking2016/1570236202.pdf

Easy 4G/LTE IMSI Catchers for Non-Programmers: https://arxiv.org/pdf/1702.04434.pdf

LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE (Protocol Layer)
http://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2018/02/ndss2018_02A-3_Hussain_paper.pdf

Stingray Manuals
https://theintercept.com/2016/09/12/long-secret-stingray-manuals-detail-how-police-can-spy-on-phones/

SS7 Exploit Kit
http://www.forbes.com/sites/thomasbrewster/2016/05/31/ability-unlimited-spy-system-ulin-ss7/#2e1591887595

[2] Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems

 

…work in progress

Other sources of information about IMSI Catcher 2.0 and LTE fake base stations:
– Hackaday: lte-imsi-catcher

– zdnet: Stingray-security-flaw-cell-networks-phone-tracking-surveillance
