IMSI-Catcher of the new generation:
Also known as: Hailstorm’s “Stingray”, Rayzone’s “Piranha”
They all have the GSM IMSI-Catcher features, plus new SS7, UMTS/LTE features
I want to compare the two devices and find out if there is a alternative method for all modes of operation with a 2.0 catcher.
1. The catching of IMSIs is much easier with LTE and so is the rest of the methods that are used.
2. The GSM features remain as a fall back, if the SS7 attack doesn’t work for example.
3. The possibilities of manipulating the firmware are more advanced than in 2G.
Details about SS7 requests and messages.
TS 29.338 Section 6.3.2
TS 29.305 Section A188.8.131.52
Papers about LTE & SS7 Security
Easy 4G/LTE IMSI Catchers for Non-Programmers: https://arxiv.org/pdf/1702.04434.pdf
Privacy Attacks to the 4G and 5G Cellular PagingProtocols Using Side Channel Information https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_05B-5_Hussain_paper.pdf
LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE (Protocol Layer)
…work in process
Other sources of information about IMSI Catcher 2.0 and LTE fake base stations:
– Hackday: lte-imsi-catcher