LTE Catcher & Stingrays 2.0
IMSI-Catcher of the new generation:
Also known as: Hailstorm’s “Stingray”, Rayzone’s “Piranha” They all have the GSM IMSI-Catcher features, plus new SS7, UMTS/LTE features
I want to compare the two devices and find out if there is a alternative method for all modes of operation with a 2.0 catcher.
|Mode of operation||Catcher 1.0 (Caused by the missing authentication of the BTS)||Catcher 2.0 (Caused by security flaws in the SS7 network and the smartphone)|
|1. Identifying the target You know the person and need to find the IMSI stored on the SIM-Card. (catching-mode)||Solutions: 1. IMSI-Catching Record IMSIs in 2 different places. Than search for the IMSI that was present in both places. 2. Listen to calls to find the person.||Solution: The fake cell (eNodeB) sends a request “Failure Report” to the phone. The IMSI will be returned. No “changing LAC” needed to receive the IMSI. (If the telephone number is known, you can try to get the IMSI over SS7 Request)|
|2. Locating the target You know the IMSI but need to find the location of the phone (person).||Solutions (many possible): 1. Scan the BTS paging signals for the IMSI. (you will know the local area) 2. When the target phone is connected to the fake BTS – send Paging messages to the phone (like a incoming call) – the phone will answer and send a acknowledge message. These messages can be located with triangulation. This can also to be used to keep the phone connected with the fake BTS, see no. 3||Solutions: 1. Get the current CellID (or LAC) over SS7. LTE uses Smart Paging in a certain cell rather than a location area (in GSM). 2. LTE Location Leaks: – according to specifications (passive) – Application Level (triggered by social media) Details: location leaks ss7, arxiv.org (pdf) |
|3. Intercepting calls The target phone is already connected (camping-mode) to the fake BTS.||Solution: Disables Encryption A5/3 and A5/1 to A5/0 Conditions: Keep the phone connected, so it doesn’t switch to another Base Station. -Empty Neighboring Cells List (NCL) -Send paging signals||Solution: The call can be decoded in real-time, if the ^Kc (temporary key) is known.|
|4. Manipulating Firmware / Using 0-Day Exploits||Known as “Roving Bug”, more details see: roving-bug||Device dependent – but a few baseband bugs of Android phones are well documented. With the information of software version and IMEI (from the “Failure Report” the attacker can choose the right 0-day-exploid to manipulate the phone. Samsung backdoor: fsf.org/replicant-developers-find-and-close-samsung-galaxy-backdoor other backdoors: https://wikileaks.org/ciav7p1/Vault7|
|5. side effects||– the other phones that are no targets will be “banned” from the fake BTS – the fake BTS will not page the other phones in that area. But a real BTS would do. (compare the paged IMSIs with another BTS of the same LAC) Add parameters of UMTS and LTE base stations||– the other phones that are no targets will be “banned” from the fake BTS|
|6. MITM||Rogue Basestation send with a higher signal strength than the original station. aLTEr Attack , sends modified packets to the mobile network and to the mobile device. (Meta Data, DNS Spoofing) Additional: “priority-based reselection” – if the mobile is to close to a eNodeB, it will stop with scanning for other eNodeB in the area.
1. The catching of IMSIs is much easier with LTE and so is the rest of the methods that are used.
2. The GSM features remain as a fall back, if the SS7 attack doesn’t work for example.
3. The possibilities of manipulating the firmware are more advanced than in 2G.
Sources and Papers about the topic 5G / LTE /
UMTS surveillance and security:
 LTE & SS7 Security  http://arxiv.org/pdf/1510.07563v2.pdf
 Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information https://www.ndss-symposium.org/wp-content/uploads/2018/03/NDSS2018_02A-3_Hussain_Slides.pdf
Practical Attacks against Privacy and Availability in 4G/LTE Mobile Communication Systems http://arxiv.org/pdf/1510.07563v2.pdf
 aLTEr Attack (MITM, DNS Spoofing on LTE): imsi-catcher is also transmitting a signal to the phone. It tries to manipulate the DNS to redirect all data that is send from/to the mobile device. It uses 2 attack vectors Paper: breaking_lte_on_layer_two.pdf (pre-paper 7-2019) https://alter-attack.net/#paper
Details about SS7 requests and messages. TS 29.338 Section 6.3.2 TS 29.305 Section A18.104.22.168
LTE vulnerability allows impersonation of other mobile devices: IMPersonation Attacks in 4G NeTworks https://imp4gt-attacks.net/
Other papers and projects about next generation surveillance:
5G Is Here—and Still Vulnerable to Stingray Surveillance
Touching the Untouchables: Dynamic SecurityAnalysis of the LTE Control Plane https://syssec.kaist.ac.kr/pub/2019/kim_sp_2019.pdf
New Privacy Threat on 3G, 4G, and Upcoming5G AKA Protocols
Easy 4G/LTE IMSI Catchers for Non-Programmers: https://arxiv.org/pdf/1702.04434.pdf
LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE (Protocol Layer) http://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2018/02/ndss2018_02A-3_Hussain_paper.pdf
IMSI Catcher 2.0 and LTE fake base stations: – Hackday: lte-imsi-catcher
Blackhat 2021 5G IMSI Catchers Mirage