7 Dollars is all it takes to catch an IMSI
Seven U.S. dollars. That’s all it takes to intercept and monitor private mobile phone usage. Seven dollars, a YouTube video and easily accessible scripts on GitHub are all you need to make a basic international mobile subscriber identity (IMSI) Catcher. And if you’re not technically oriented, you can simply buy a more powerful existing IMSI Catcher and set it up for no more than a couple thousand dollars, a price that is not significantly prohibitive to those who would seek it out. With a single device, a malicious actor is able to track any LTE-compliant phone user and access their calls and texts. Sounds like a rough blow to privacy, but it’s not exactly illegal.
This relatively simple eavesdropping device is commonly used by law enforcement agencies in the U.S., but is often appropriated by malicious users for man-in-the-middle attacks that intercept mobile phone traffic (including texts and calls) and track the location data of mobile phone users. An IMSI Catcher creates, in essence, a kind of falsified mobile tower that sits between the targeted mobile phone and a service provider’s real towers. Frankly, it’s a very simple attack, which is why its popularity is only rising.
The state of privacy
With General Data Protection Regulation (GDPR) compliance and data privacy currently a hot topic (and hopefully a priority), it is surprising to find that there has been little regulatory effort to curb the use of these devices.
To gauge the scope of it, last year the Department of Homeland Security found that illegitimate IMSI Catchers were in use around the White House’s vicinity, as well as other potentially sensitive facilities. There was some push for regulation at the time this information was released, but little since.
imVision's Anomaly Management Platform (AMP) for mobile networks works to address this issue through real-time monitoring of network traffic to identify deviations from expected behavior. Specifically, by looking at the LTE S1 interface, we are able to spot anomalies that are either geographically based or in violation of expected context, which signals that something is wrong.
As this attack takes subscribers outside of the network, all that can be done once the attack has been identified is to notify the user. The long-term answer calls for a cultural shift: the further prioritization of mobile network security. With a cultural context that promotes mobile data security in particular, greater regulatory action is taken to meet the standards presented by organizations and civilians. As of now, the awareness exists that private data leaks have heavy and far-ranging consequences. It just needs a signal boost.