The Department of Homeland Security recently warned that vulnerabilities in the Signaling System 7 (SS7) protocol can be exploited by malicious actors using IMSI catchers. How do IMSI catchers work and what security risks do they present to mobile communications?
An International Mobile Subscriber Identity (IMSI) catcher is an eavesdropping device used to track mobile users and intercept their communications. The device, sometimes called a stingray after the StingRay brand of IMSI catcher sold by the Harris Corporation, impersonates a legitimate cell tower, giving the malicious operator access to the traffic of nearby mobile devices.
The malicious operator broadcasts a beacon signal -- the signal that phones interpret as coming from a legitimate cell tower (in GSM this is the broadcast control channel; the term "pilot signal" comes from CDMA and UMTS networks) -- in order to capture the traffic of targeted devices. In this type of man-in-the-middle attack, the IMSI catcher transmits at higher power than the real tower, so that targeted devices, which camp on the strongest cell that claims to belong to their carrier, choose it rather than the legitimate service provider's cell tower. The legitimate tower is bypassed, and the malicious actor can log which devices are present and track their location. By relaying the connection onward to the real network, and because GSM lets the network rather than the phone decide whether and how traffic is encrypted, the operator can also intercept -- and forward -- texts and calls.
The IMSI catcher obtains the subscriber identity stored on the SIM card inside the phone. The weakness is in the GSM specification itself: authentication is one-way, so the network can verify the phone but the phone has no way to verify the network, and any network the phone has camped on may send an identity request that the phone answers with its IMSI in the clear. When this occurs, mobile devices hand their IMSI to the IMSI catcher, which can then log and track them.
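The attach sequence described above, as a simplified model. This is an added illustration, not code from the original article: the message names (IDENTITY REQUEST, IDENTITY RESPONSE, CIPHERING MODE COMMAND) come from the GSM layer-3 protocol, but the exchange is reduced to the steps the attack needs, the RAND/SRES authentication of the phone is omitted, and every cell, identity and signal level is constructed sample data.

```python
"""Simplified model of a GSM phone camping on an IMSI catcher.

Added illustration, not code from the original article. Message names follow
GSM 04.08 but the exchange is heavily simplified; all cells, identities and
signal levels below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Cell:
    name: str
    plmn: str            # MCC-MNC the cell claims on its beacon (BCCH)
    rxlev_dbm: float     # signal level the phone measures for this cell
    rogue: bool = False  # True for the IMSI catcher
    transcript: list = field(default_factory=list)

    def identity_type_to_request(self, phone_has_tmsi: bool) -> str:
        # A genuine network reuses the temporary identity (TMSI) it issued
        # earlier. A catcher has no TMSI mapping, so it asks for the IMSI
        # outright; the spec allows this and the phone complies.
        return "TMSI" if phone_has_tmsi and not self.rogue else "IMSI"

    def ciphering_mode(self) -> str:
        # The network, not the phone, chooses the cipher. A rogue network
        # picks A5/0 (no encryption) so it can read the traffic it relays.
        return "A5/0" if self.rogue else "A5/1"


@dataclass
class Phone:
    imsi: str
    home_plmn: str
    tmsi: Optional[str] = None

    def select_cell(self, cells: list) -> Cell:
        # GSM cell selection: camp on the strongest suitable cell of the home
        # PLMN. Nothing in the beacon is signed, so a cell that merely claims
        # the right PLMN counts as suitable.
        suitable = [c for c in cells if c.plmn == self.home_plmn]
        return max(suitable, key=lambda c: c.rxlev_dbm)


def location_update(phone: Phone, cell: Cell) -> dict:
    """Run the identity/ciphering exchange and report what the cell learned."""
    want = cell.identity_type_to_request(phone.tmsi is not None)
    cell.transcript.append(f"BTS -> MS: IDENTITY REQUEST ({want})")
    # GSM authentication is one-way (network authenticates the phone); the
    # phone cannot challenge the network, so it simply answers.
    identity = phone.imsi if want == "IMSI" else phone.tmsi
    cell.transcript.append(f"MS -> BTS: IDENTITY RESPONSE {identity}")
    cipher = cell.ciphering_mode()
    cell.transcript.append(f"BTS -> MS: CIPHERING MODE COMMAND {cipher}")
    cell.transcript.append("MS -> BTS: CIPHERING MODE COMPLETE")
    return {"cell": cell.name, "identity_type": want,
            "identity": identity, "cipher": cipher}


def simulate(catcher_rxlev_dbm: float) -> dict:
    """A phone holding a valid TMSI chooses between the real tower and a catcher."""
    real = Cell("real-tower", plmn="001-01", rxlev_dbm=-80.0)
    catcher = Cell("imsi-catcher", plmn="001-01", rxlev_dbm=catcher_rxlev_dbm, rogue=True)
    other = Cell("other-operator", plmn="001-02", rxlev_dbm=-50.0)  # strongest, but wrong PLMN
    phone = Phone(imsi="001010123456789", home_plmn="001-01", tmsi="0x1A2B3C4D")
    chosen = phone.select_cell([real, catcher, other])
    result = location_update(phone, chosen)
    result["transcript"] = chosen.transcript
    return result


if __name__ == "__main__":
    for level in (-60.0, -95.0):
        r = simulate(level)
        print(f"catcher at {level} dBm -> camped on {r['cell']}, "
              f"sent {r['identity_type']} {r['identity']}, cipher {r['cipher']}")
```

Run with the catcher louder than the real tower (-60 dBm against -80 dBm) and the phone camps on the catcher, hands over its permanent IMSI and accepts an unencrypted channel; drop the catcher's power below the real tower and the same phone stays on the legitimate cell, reveals only its TMSI and gets A5/1. The strongest cell in the list belongs to a different PLMN and is never selected, which is why a catcher must spoof the victim's own carrier.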
SeaGlass is a system designed by researchers at the University of Washington to measure IMSI catcher use across an urban area; the pilot project ran in Seattle and Milwaukee. The SeaGlass detection kit consists of a bait phone, a GSM modem, a GPS unit and a Wi-Fi hotspot, all loaded into a passenger car. By comparing the cells it records on each drive with those seen on previous drives, SeaGlass distinguishes legitimate cell tower transmissions from IMSI catcher signals and can "pick out aberrations that indicate the presence of cell-site simulators," according to the SeaGlass website.
A major risk with this attack is that the catcher only has to emit a stronger signal than the real cell tower: phones camp on the strongest cell they can hear and have no means to refuse it. Real cell towers have no way of knowing that a catcher has captured nearby phones or monitored and recorded their wireless traffic. As technology improves, the devices in the kit will become smaller and less conspicuous, making it more difficult for victims driving by to notice them.
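Detection logic in the spirit of SeaGlass, run over a drive's worth of cell observations. This is an added illustration, not SeaGlass's own code: the checks (a cell ID never seen before, a LAC or channel change, a "fixed" tower that appears to move, a signal far stronger than the same tower ever produced) are a simplified version of the kind of aberration described above, and the thresholds, the baseline and the observations are constructed sample data.

```python
"""SeaGlass-style screening of drive-test cell observations.

Added illustration, not SeaGlass's own code. The heuristics and thresholds
are assumptions chosen for the example; the baseline and observations are
constructed sample data. The PLMN 001-01 is the GSM test network code.
"""
import math

# Cells recorded on earlier drives: cell id (MCC-MNC-LAC-CI) -> what was seen.
BASELINE = {
    "001-01-4001-12345": {"lac": 4001, "arfcn": 512, "lat": 47.6062, "lon": -122.3321, "max_rxlev": -70.0},
    "001-01-4001-12346": {"lac": 4001, "arfcn": 514, "lat": 47.6150, "lon": -122.3400, "max_rxlev": -65.0},
}

MAX_DRIFT_KM = 2.0       # assumption: a real tower should not appear to move further than this
RXLEV_MARGIN_DB = 15.0   # assumption: this much above any earlier reading is suspicious


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def screen(observations, baseline=BASELINE):
    """Return (cell_id, code, detail) alerts for observations that deviate from the baseline."""
    alerts = []
    for obs in observations:
        cid = obs["cell_id"]
        known = baseline.get(cid)
        if known is None:
            # A catcher must broadcast some cell id; one never seen on a route
            # that is driven repeatedly is the simplest aberration to flag.
            alerts.append((cid, "unknown_cell", f"rxlev {obs['rxlev']} dBm at {obs['lat']},{obs['lon']}"))
            continue
        if obs["lac"] != known["lac"]:
            # A new LAC forces phones to perform a location update, which is
            # exactly the exchange a catcher needs to issue its identity request.
            alerts.append((cid, "lac_change", f"{known['lac']} -> {obs['lac']}"))
        if obs["arfcn"] != known["arfcn"]:
            alerts.append((cid, "arfcn_change", f"{known['arfcn']} -> {obs['arfcn']}"))
        drift = haversine_km(known["lat"], known["lon"], obs["lat"], obs["lon"])
        if drift > MAX_DRIFT_KM:
            alerts.append((cid, "position_drift", f"{drift:.1f} km from baseline position"))
        if obs["rxlev"] > known["max_rxlev"] + RXLEV_MARGIN_DB:
            # The catcher has to out-shout the real tower, so an unusually
            # strong reading for a known cell is the signature to look for.
            alerts.append((cid, "strong_signal", f"{obs['rxlev']} dBm vs baseline max {known['max_rxlev']} dBm"))
    return alerts


# One drive's worth of constructed observations.
SAMPLE_OBSERVATIONS = [
    {"cell_id": "001-01-4001-12345", "lac": 4001, "arfcn": 512, "lat": 47.6070, "lon": -122.3330, "rxlev": -72.0},  # normal
    {"cell_id": "001-01-4001-65000", "lac": 4001, "arfcn": 880, "lat": 47.6080, "lon": -122.3350, "rxlev": -48.0},  # never seen before
    {"cell_id": "001-01-4001-12346", "lac": 4001, "arfcn": 514, "lat": 47.6155, "lon": -122.3405, "rxlev": -45.0},  # far too strong
    {"cell_id": "001-01-4001-12345", "lac": 4002, "arfcn": 520, "lat": 47.5000, "lon": -122.3321, "rxlev": -60.0},  # known id, new LAC/ARFCN, ~12 km away
]

if __name__ == "__main__":
    for cid, code, detail in screen(SAMPLE_OBSERVATIONS):
        print(f"{cid}: {code} ({detail})")
```

Against the sample drive, the normal reading produces nothing, the unknown cell and the over-strong known cell each produce one alert, and the reused cell ID produces three (LAC change, channel change, position drift). A real deployment would tune the margins per cell from many drives rather than use the fixed constants assumed here; a single strong reading near a tower is not proof of a catcher, which is why the article describes SeaGlass as picking out aberrations rather than identifying simulators outright.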
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)