06 May 2009

Some Comments on IMSI-Catchers

Update 30 Jan 2012: Since originally writing this post in mid-2009, there have been some noteworthy developments in this area, the biggest of which is that UK patent case MMI & CellXion, referenced below, went to appeal with the result that the IMSI-catcher was deemed too obvious to patent in light of known prior art. For anyone to claim secrecy here is, I think, becoming something of an intelligence test. Enjoy the original post.

I'm going to comment briefly on IMSI-catchers. These are devices that perform false-basestation attacks on cellular networks, including man-in-the-middle call interception. Here's an example of one.

First, I wrote software for IMSI-catchers in the past. That is now a matter of public record.

Second, the GSM protocol operations of an IMSI-catcher are not trade secrets. The IMSI-catcher was patented by Rohde & Schwarz (R&S) in 2003 under the name "virtual basestation", and the implementation of the device is explained in this patent to a degree sufficient to allow a cellular engineer of reasonable skill to construct one, as is the standard for patent applications worldwide. Most of the patent is in German, but this recent ruling from the UK high court summarizes the R&S patent in English for a non-engineering audience. Moreover, that MMI v. CellXion ruling references an earlier published patent application from Nokia, and although I cannot find a copy of that particular document on the web, the high court clearly accepts its existence. Either way, R&S or Nokia, once something is published in a patent application, it is no longer a trade secret. So here's a quick lesson on IP law as it relates to 2G-2.5G GSM IMSI-catching:
  • It's no secret. There are public documents distributed by UK & EU governments that describe how to do it.
  • Even if it were a secret, that secret would belong to Nokia or R&S, because they appear to have started working on that problem not long after the GSM standard was published.
  • If you are selling IMSI-catchers in the UK or Europe without the blessing of R&S, you are setting yourself up for a lawsuit, with MMI v. CellXion as a precedent.

Third, I cannot build IMSI-catchers for anyone outside of a verified US government contract. So the next time some unauthorized party contacts me asking for one, I will publish your contact information in this blog.

Fourth, the most common way to build an IMSI-catcher comes directly from the R&S patent itself and is based entirely on off-the-shelf commercial equipment. Nearly any BTS or BTS simulator can be used as the basis of an IMSI-catcher.

19 comments:

  1. I am interested in purchasing a device that captures the mobile telephone identity of a person entering a zone.

    Call Costas on 07831 299 288 UK

  2. Wow. That's pretty dense. Are you going to report yourself to the Home Office or do you need me to do it for you?

  3. Hi,
    I remember my time as a 20-year-old, listening to car phones using a regular scanner of that time.
    I remember it was fun but illegal.
    But is all the talk about cellular GSM interception not blown up?
    On thousands of websites people present all kinds of goods to intercept GSM calls and even SMS?
    Could the government not ban all these sites,
    because I think that it really makes the world unsafe, if it is true that interception is possible for everyone now and in 10 years!

  4. Interception of GSM traffic in a well-managed network is still a technical challenge beyond the skills of the typical hobbyist. Despite all of the theoretical talk of A5/1 cracks, there aren't any turnkey systems out there available to the general public. To distribute such a turnkey system to the public, with the primary intention of intercepting public networks, would also be illegal in most countries. Governments will (and have) shut down such activities.

    Building an IMSI catcher is easier than cracking A5/1, but actually *running* an IMSI-catcher without getting busted is a different matter entirely. Running an IMSI-catcher effectively is an art. Building such a system is not just a matter of loading software into a computer, either. It requires a wide range of engineering skills not typically available to a hobbyist. To build a really good IMSI-catcher requires a lot of equipment that you will not find at your local radio shop. And, again, distribution of a turnkey system intended primarily for use as an IMSI-catcher would be tightly regulated in most places.

    All that said, a lot of GSM networks out there are *not* properly managed, and these are easy targets for interception by private parties. This is the case in those countries where encryption has been disabled by government mandate. That is done to ease interception by law enforcement, but it eases interception by everyone else, too.

  5. Hi David, IMSI catchers are an interesting area. The link to the European patent office and the R&S patent isn't working. Any chance you have a copy of the patent which you could send to me?
    Regards, Adam

  6. Hi. "Privacy" vs "Security" in the "IT" stadium. Guess who wins???!! ....none.

  7. Apparently it is now possible to intercept phone calls by using hardware costing $1500 only. In the news today.

  8. Apparently no one reads all the news. Short rebuttal from Harald Welte (http://laforge.gnumonks.org/weblog/2010/08/01#20100801-on_recent_news_about_imsi_catcher)

    Long story short: "NO. The media as always got it wrong. The presented idea is not new, just made a little easier now."

  9. The EU patent office keeps moving their links around. Here's a stable copy of the text of EP1051053:

    http://gauss.ffii.org/PatentView/EP1051053

  10. Thanks for your information.

  11. How can we decrease the time required for a phone to register to our fake BTS?

  12. Hello David, thanks for your input on this topic... and creating this page.

    I am wondering because of odd behavior on my cell phone (full 3G service randomly sometimes, though normally I can never get full 3G from my ONE local tower).

    Nobody seems to answer these questions relating to IMSI catchers....

    1) Can it capture internet data used on the mobile device? If so, does the phone have to be using 2G(EDGE) wireless in order to get captured?

    2) Is it only possible (now in late 2011) that 2G signal gets captured? I am doing some research and I am getting mixed reviews. Some say only 2G Edge networks are unsafe, while some say ALL signal, including 3G can be captured? Which is it?

    3) Are these illegal in the United States?

    I truly appreciate your time in this, thanks Mr. Burgess!

    -D Burs

  13. To answer the questions above:

    1) Intercept of data on GPRS/EDGE connections is easy. In fact, it's easier than intercepting outbound telephone calls, since there's no caller id spoofing problem.

    2) Pre-3G systems are generally easy to spoof. 2.75G GPRS/EDGE is as easy to spoof as 2G GSM. 3G added bi-directional authentication, which makes spoofing much more difficult.

    3) Of course.

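As an added illustration, not from the post or its comments, of the point in the reply above that 3G added network-to-phone authentication: the phone-side check below follows the UMTS AKA shape from 3GPP TS 33.102, with HMAC-SHA256 stand-ins for the f1/f2 functions (real USIMs use Milenage), the anonymity key AK omitted, and a constructed subscriber key K. A GSM-era phone answers any RAND, so it has no way to tell whether the challenge came from its operator; a UMTS USIM rejects a challenge whose AUTN was not built with K or whose sequence number is stale.

```python
import hashlib
import hmac
import secrets

# Constructed 128-bit subscriber key shared by the USIM and the home network
# (an assumption for this example, not a real key).
K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def f1(k, rand, sqn, amf):
    """Stand-in for the 3GPP f1 MAC function (real USIMs use Milenage, TS 35.206)."""
    return hmac.new(k, b"f1" + rand + sqn + amf, hashlib.sha256).digest()[:8]


def f2(k, rand):
    """Stand-in for the 3GPP f2 response function."""
    return hmac.new(k, b"f2" + rand, hashlib.sha256).digest()[:8]


def gsm_phone_response(k, rand):
    """GSM: the phone answers any RAND it is given; nothing in the
    exchange lets it distinguish a real network from a false basestation."""
    return f2(k, rand)


def network_auth_vector(k, sqn):
    """Home network side: builds RAND and AUTN = SQN || AMF || MAC
    (AK omitted here, so SQN is sent in the clear for brevity)."""
    rand = secrets.token_bytes(16)
    amf = b"\x00\x00"
    mac = f1(k, rand, sqn, amf)
    return rand, sqn + amf + mac


def umts_phone_response(k, rand, autn, sqn_ms):
    """USIM side of UMTS AKA: verify the MAC (proves the sender holds K)
    and the sequence number (freshness) before answering.
    Returns (RES, accepted_sqn) on success, or None when rejected."""
    sqn, amf, mac = autn[:6], autn[6:8], autn[8:16]
    if not hmac.compare_digest(mac, f1(k, rand, sqn, amf)):
        return None  # MAC failure: challenge was not produced with K
    if int.from_bytes(sqn, "big") <= sqn_ms:
        return None  # replayed or stale challenge
    return f2(k, rand), int.from_bytes(sqn, "big")
```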
  14. The E&W Court of Appeal has ruled that the IMSI catcher patent is invalid for obviousness.

    See
    http://www.bailii.org/ew/cases/EWCA/Civ/2012/7.html

  15. Hi David. How can one learn the number from the operator after catching the IMSI? Thanks :)

  16. Are these catchers reading text and internet content downloaded by the target phone?

  17. Do these catchers have the ability to read text and internet download info on the captured IMSI?

  18. The R&S patent talks about an active base station. This has the advantage that one can turn off the encryption. I saw some websites advertising fully passive IMSI catchers. Do you think this is possible? They also say that such a passive IMSI catcher can decrypt A5/1 almost in real time (within 3 sec). Does that look realistic?
