LTE Catcher & Stingrays 2.0

IMSI-Catcher of the new generation:
Also known as: Hailstorm’s “Stingray”, Rayzone’s “Piranha”  
They all have the GSM IMSI-Catcher features, plus new SS7 and UMTS/LTE features.

I want to compare the two devices and find out if there is an alternative method for all modes of operation with a 2.0 catcher.

Short conclusion:

1. Catching IMSIs is much easier with LTE, and so are the rest of the methods that are used.

2. The GSM features remain as a fallback, for example if the SS7 attack doesn’t work.

3. The possibilities of manipulating the firmware are more advanced than in 2G.

Details about SS7 requests and messages.

TS 29.338 Section 6.3.2
TS 29.305 Section A2.5.2.3

Papers about LTE & SS7 Security

Easy 4G/LTE IMSI Catchers for Non-Programmers:

Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information

LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE (Protocol Layer)

Stingray Manuals

SS7 Exploit Kit

[2] Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems

…work in process

Other sources of information about IMSI Catcher 2.0 and LTE fake base stations:
– Hackaday: lte-imsi-catcher

– zdnet: Stingray-security-flaw-cell-networks-phone-tracking-surveillance