IMSI-Catcher of the new generation:
Also known as: Hailstorm’s “Stingray”, Rayzone’s “Piranha”. They all have the GSM IMSI-Catcher features, plus new SS7 and UMTS/LTE features.
I want to compare the two devices and find out if there is an alternative method for all modes of operation with a 2.0 catcher.
Short conclusion:
1. Catching IMSIs is much easier with LTE, and so are the rest of the methods that are used.
2. The GSM features remain as a fallback, for example if the SS7 attack doesn’t work.
3. The possibilities of manipulating the firmware are more advanced than in 2G.
Sources and Papers about the topic 5G / LTE / UMTS surveillance and security:
[1] LTE & SS7 Security http://arxiv.org/pdf/1510.07563v2.pdf
[2] Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information https://www.ndss-symposium.org/wp-content/uploads/2018/03/NDSS2018_02A-3_Hussain_Slides.pdf
Practical Attacks against Privacy and Availability in 4G/LTE Mobile Communication Systems http://arxiv.org/pdf/1510.07563v2.pdf
[3] aLTEr Attack (MITM, DNS Spoofing on LTE): the IMSI-catcher also transmits a signal to the phone. It tries to manipulate the DNS to redirect all data that is sent from/to the mobile device. It uses 2 attack vectors. Paper: breaking_lte_on_layer_two.pdf (pre-paper 7-2019) https://alter-attack.net/#paper http://dl.ifip.org/db/conf/networking/networking2016/1570236202.pdf
Details about SS7 requests and messages: TS 29.338 Section 6.3.2; TS 29.305 Section A2.5.2.3
LTE vulnerability allows impersonation of other mobile devices: IMPersonation Attacks in 4G NeTworks https://imp4gt-attacks.net/
Other papers and projects about next generation surveillance:
5G Is Here—and Still Vulnerable to Stingray Surveillance
https://www-wired-com.cdn.ampproject.org/
Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane https://syssec.kaist.ac.kr/pub/2019/kim_sp_2019.pdf
New Privacy Threat on 3G, 4G, and Upcoming 5G AKA Protocols
https://eprint.iacr.org/2018/1175.pdf
Easy 4G/LTE IMSI Catchers for Non-Programmers: https://arxiv.org/pdf/1702.04434.pdf
LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE (Protocol Layer) http://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2018/02/ndss2018_02A-3_Hussain_paper.pdf
Stingray Manuals https://theintercept.com/2016/09/12/long-secret-stingray-manuals-detail-how-police-can-spy-on-phones/
SS7 Exploit Kit http://www.forbes.com/sites/thomasbrewster/2016/05/31/ability-unlimited-spy-system-ulin-ss7/#2e1591887595
IMSI Catcher 2.0 and LTE fake base stations: Hackday: lte-imsi-catcher
zdnet Stingray-security-flaw-cell-networks-phone-tracking-surveillance
Blackhat 2021 5G IMSI Catchers Mirage
White-Stingray: Evaluating IMSI Catchers Detection Applications
Anatomy of Commercial IMSI Catchers and Detectors
Stingray Detection – Find working solutions here
CCC (37C3) 12-2023 new!
Uncovering fake base stations on iOS devices (video)
Slides of the presentation