LTE Catcher & Stingrays 2.0

Smartphone Security

 

IMSI-Catcher of the new generation:

Also known as: Hailstorm’s “Stingray”, Rayzone’s “Piranha”   They all have the GSM IMSI-Catcher features, plus new SS7, UMTS/LTE features

I want to compare the two devices and find out if there is a alternative method for all modes of operation with a 2.0 catcher.

 

 


Short conclusion:
1. The catching of IMSIs is much easier with LTE and so is the rest of the methods that are used.
2. The GSM features remain as a fall back, if the SS7 attack doesn’t work for example.
3. The possibilities of manipulating the firmware are more advanced than in 2G.

 

 

Sources and Papers about the topic 5G / LTE / UMTS surveillance and security:

 

[1] LTE & SS7 Security [1] http://arxiv.org/pdf/1510.07563v2.pdf

[2] Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_05B-5_Hussain_paper.pdf

Practical Attacks against Privacy and Availability in 4G/LTE Mobile Communication Systems http://arxiv.org/pdf/1510.07563v2.pdf

[3]  aLTEr Attack (MITM, DNS Spoofing on LTE): imsi-catcher is also transmitting a signal to the phone. It tries to manipulate the DNS to redirect all data that is send from/to the mobile device. It uses 2 attack vectors Paper: breaking_lte_on_layer_two.pdf (pre-paper 7-2019) https://alter-attack.net/#paper

 

http://dl.ifip.org/db/conf/networking/networking2016/1570236202.pdf

Details about SS7 requests and messages. TS 29.338 Section 6.3.2 TS 29.305 Section A2.5.2.3

 

 

Other Papers and Projects:

Easy 4G/LTE IMSI Catchers for Non-Programmers: https://arxiv.org/pdf/1702.04434.pdf

LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE (Protocol Layer) http://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2018/02/ndss2018_02A-3_Hussain_paper.pdf

Stingray Manuals https://theintercept.com/2016/09/12/long-secret-stingray-manuals-detail-how-police-can-spy-on-phones/

SS7 Exploid Kit http://www.forbes.com/sites/thomasbrewster/2016/05/31/ability-unlimited-spy-system-ulin-ss7/#2e1591887595

IMSI Catcher 2.0 and LTE fake base stations: – Hackday: lte-imsi-catcher

– zdnet: Stingray-security-flaw-cell-networks-phone-tracking-surveillance