In recent years, mobile telecommunication networks have drawn media attention because of signaling security attacks. One critical component of these attacks, and the most important piece of security information to conceal, is the IMSI.

A warning was issued by the Department of Homeland Security regarding the exploitation of SS7 vulnerabilities by IMSI catchers.

SO, WHAT IS AN IMSI?

The international mobile subscriber identity (IMSI) is a number that uniquely identifies every user of a cellular network. It is stored as a 64-bit field and is sent by the mobile device to the network. It is also used to look up other details of the mobile in the home location register (HLR), or in the local copy held in the visitor location register (VLR).

Source: wikipedia.org


WHY DO HACKERS WANT YOUR IMSI?

Attackers need your IMSI to conduct a range of attacks. Once they hold the IMSI of a mobile, the attacks they commonly carry out serve the following purposes:

  • Account take over
  • Financial fraud
  • Espionage, such as location extraction and interception of calls and all text messages sent to the device
  • Telecommunications fraud
  • Selling user information on the dark web or to marketing companies
  • Botnets

HOW CAN THE HACKERS GET YOUR IMSI?

The three most commonly used methods to harvest or extract IMSIs from one or more devices are:

  • The IMSI catchers
  • Mobile malware
  • Signaling attacks

Let's focus on the first method. To catch IMSIs you will need a computer running one of the following distributions:

System

  • Debian 10
  • Ubuntu 20.04
  • LinuxMint 20+
  • Kali 2020+

Software Defined Radio

  • USB DVB-T dongle (RTL2832U)
  • OsmocomBB phone
  • HackRF
  • BladeRF

As for the USB dongle, many models are available on Amazon in the $15 to $150 price range.



INSTALL IMSI CATCHER

Before installing IMSI-catcher, we need to prepare the system by installing a few additional packages.

Install System Libraries

sudo apt -y install libcppunit-dev liblog4cpp5-dev liborc-0.4-dev libosmocore-dev libtool

Install Python Requirements

sudo apt -y install python3-numpy python3-scipy python3-scapy

Install Utilities

sudo apt -y install autoconf build-essential cmake doxygen gnuradio-dev gr-osmosdr pkg-config python-docutils swig wireshark

Enable Root Privileges

When Wireshark is installed on your system, you will be prompted with a dialog. Because packet capture requires superuser/root privileges, this option asks whether to enable or disable capture permissions for every user on the system. Press the “Yes” button to allow other users, or press the “No” button to restrict other users from using Wireshark.


Reconfigure Permission Settings (Optional)

If you selected "No" in the above step, you can change that choice later by executing the following command, which reconfigures the Wireshark permission settings.

sudo dpkg-reconfigure wireshark-common

Select the "Yes" button to change the configuration settings to allow other users access to Wireshark.

Add your username to the Wireshark group

You must add a username to the wireshark group so that this user can use Wireshark. To do this, execute the following command; it adds the current user ($USER), so replace $USER with another username if needed.

sudo usermod -aG wireshark $USER

Check GNU Radio Version

gnuradio-config-info -v

Clone GR-GSM

If your GNU Radio version is 3.8 or newer, you must install GR-GSM from the maint-3.8 branch of the repository below.

cd /tmp/
git clone -b maint-3.8 https://github.com/velichkov/gr-gsm

If your GNU Radio version is 3.7, you can install GR-GSM from the repository below.

cd /tmp/
git clone https://git.osmocom.org/gr-gsm
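The version check and repository choice above, automated as a small POSIX shell script. This is an added example, not code from the original post or from the gr-gsm project; the function names grgsm_source and clone_grgsm are my own, and the repository URLs and branch are the ones given above.

```shell
# Added example (not from the original post): choose the gr-gsm repository the
# guide prescribes from the version string printed by `gnuradio-config-info -v`.
# Function names are hypothetical; URLs and branch names come from the guide.

# Print "<git-url> <branch>" (branch omitted for 3.7) for a GNU Radio version
# string such as "3.8.2.0", "3.7.13.4" or "v3.9.0.0-git". Fails on anything
# the guide does not cover (older than 3.7) or that cannot be parsed.
grgsm_source() {
    ver="${1#v}"                       # drop a leading "v" from git builds
    major="${ver%%.*}"                 # component before the first dot
    rest="${ver#*.}"                   # everything after the first dot
    minor="${rest%%.*}"                # second component
    case "$major$minor" in
        *[!0-9]*|"") echo "unparseable GNU Radio version: '$1'" >&2; return 1 ;;
    esac
    if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 8 ]; }; then
        echo "https://github.com/velichkov/gr-gsm maint-3.8"
    elif [ "$major" -eq 3 ] && [ "$minor" -eq 7 ]; then
        echo "https://git.osmocom.org/gr-gsm"
    else
        echo "GNU Radio $1 is not covered by this guide (needs 3.7 or 3.8+)" >&2
        return 1
    fi
}

# Detect the installed version and clone the matching source into /tmp.
# Only meaningful on the build host where gnuradio-dev is already installed.
clone_grgsm() {
    ver="$(gnuradio-config-info -v 2>/dev/null)" \
        || { echo "gnuradio-config-info not found; install gnuradio-dev first" >&2; return 1; }
    src="$(grgsm_source "$ver")" || return 1
    url="${src%% *}"
    branch="${src#* }"
    [ "$branch" = "$src" ] && branch=""   # no second word means default branch
    cd /tmp/ || return 1
    if [ -n "$branch" ]; then
        git clone -b "$branch" "$url"
    else
        git clone "$url"
    fi
}
```

Call clone_grgsm on the build host, then continue with the "Build GR-GSM" steps.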

Build GR-GSM

cd gr-gsm
mkdir build
cd build
cmake ..
make -j 4
sudo make install
sudo ldconfig
echo '' >> ~/.bashrc
echo '# Python Export' >> ~/.bashrc
echo 'export PYTHONPATH=/usr/local/lib/python3/dist-packages/:$PYTHONPATH' >> ~/.bashrc

Clone IMSI-Catcher

cd /opt/
sudo git clone https://github.com/Oros42/IMSI-catcher imsi-catcher
sudo chown -R $USER:$USER imsi-catcher

HOW TO USE IMSI-CATCHER?

Run the following commands in three separate terminal windows.

In terminal 1, run the IMSI catcher Python script (the first command prints its options):

cd /opt/imsi-catcher/
sudo python3 simple_IMSI-catcher.py -h
sudo python3 simple_IMSI-catcher.py --sniff

In terminal 2, find a frequency to listen on by running the two commands below.

grgsm_scanner

Next, ask grgsm_livemon to use one of these frequencies.

grgsm_livemon -f <your_frequency>M

In terminal 3, you can also capture the traffic with Wireshark:

sudo wireshark -k -Y '!icmp && gsmtap' -i lo



HOW ARE CRIMINALS USING IMSI CATCHERS?

From there, an IMSI catcher gives threat actors several options, depending on the capabilities of the device and the cellular protocol being used.

  • Location tracking: An IMSI catcher can force a targeted smartphone to respond either with its precise location via GPS or with the signal strengths of the phone’s neighboring cell towers, enabling trilateration based on the known locations of these towers. With a target’s location known, a threat actor can figure out specifics about them – their exact location within a large office complex or places they frequent, for example – or simply just track them throughout the coverage area.
  • Data extraction: An IMSI catcher can also capture metadata, including information about calls made (phone numbers, caller identities, call durations, etc.), as well as the content of unencrypted phone calls and text messages and certain types of data usage (like websites visited).
  • Data interception: Certain IMSI catchers even allow operators to divert calls and text messages, edit messages and spoof a user’s identity in calls and texts.
  • Spyware delivery: Some higher-end IMSI catchers advertise the ability to deliver spyware to the target device. Such spyware can be used to ping the target’s location without the need for an IMSI catcher and also to secretly capture images and audio through the device’s cameras and microphones.