IMSI Catcher Attack and Threat Model on 2G network.

KanakSasak
Aug 11, 2024

This is an implementation of the OsmocomBB project designed for conducting IMSI catcher research on 2G networks. The project is intended solely for research purposes and not for any malicious activities.

Disclaimer: this is for educational and research purposes; use at your own risk.

IMSI Catcher

An IMSI catcher is a type of surveillance tool used to intercept and track mobile phone communications. The term “IMSI” stands for International Mobile Subscriber Identity, a unique identifier assigned to each mobile phone user in a GSM (2G) network. IMSI catchers are commonly used by law enforcement agencies, intelligence services, and sometimes by malicious actors to gather information on mobile phone users within a certain area.

Passive IMSI Catchers operate by passively monitoring the paging signals of mobile devices as they move and connect to legitimate cell towers in the area to capture their IMSI numbers. While they are less accurate and cannot perform advanced types of interception, they do not require any direct interaction with the mobile devices.

What is GSM?

GSM stands for Global System for Mobile Communication. It is a digital cellular technology used for transmitting mobile voice and data services.

GSM digitizes and compresses data, then sends it down through a channel with two other streams of user data, each in its own timeslot.

Prepare the environment

Follow this article to set up OsmocomBB: link

OsmocomBB is an open-source software project developed to provide a deeper understanding of GSM cellular communications systems. This project is specifically designed to enable research, testing and analysis of GSM systems at a more detailed level. OsmocomBB operates by using special hardware, usually a mobile phone powered by a compatible chipset, to interact directly with a GSM network.

ARFCN

ARFCN stands for Absolute Radio Frequency Channel Number. It’s a unique identifier used in mobile communication systems to specify a particular radio channel in the frequency spectrum. ARFCNs are essential in cellular networks such as GSM (Global System for Mobile Communications), UMTS (Universal Mobile Telecommunications System), and LTE (Long-Term Evolution).
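As an added example (not code from the article or from OsmocomBB), the following converts an ARFCN to its uplink and downlink carrier frequencies using the band definitions from 3GPP TS 45.005, and back again, which is handy for cross-checking the ARFCNs that cell_log reports against what a spectrum analyser shows. It goes beyond GSM 900 and covers GSM 850, E-GSM, DCS 1800 and PCS 1900; the band table, the function names and the pcs flag are mine. ARFCNs 512 to 810 are ambiguous between DCS 1800 and PCS 1900, so the caller must say which region applies.

```python
"""ARFCN <-> carrier frequency for the GSM bands (3GPP TS 45.005).

Added illustration for this article; not part of OsmocomBB or cell_log.
Frequencies are integers in kHz to avoid floating-point noise.
"""

# Band table: first ARFCN, last ARFCN, uplink kHz at the first ARFCN, duplex spacing kHz.
# ARFCN 512-810 is shared by DCS 1800 and PCS 1900, so the caller picks one via `pcs`.
_BANDS = {
    "GSM850": (128, 251, 824_200, 45_000),
    "PGSM900": (1, 124, 890_200, 45_000),
    "DCS1800": (512, 885, 1_710_200, 95_000),
    "PCS1900": (512, 810, 1_850_200, 80_000),
}


def arfcn_to_freq_khz(arfcn: int, pcs: bool = False) -> tuple:
    """Return (band, uplink_kHz, downlink_kHz) for a GSM ARFCN.

    E-GSM 900 uses ARFCN 0 and 975..1023, which sit *below* the P-GSM block:
    uplink = 890 MHz + 0.2 MHz * (arfcn - 1024). They are handled explicitly.
    """
    if arfcn == 0 or 975 <= arfcn <= 1023:
        n = arfcn - 1024 if arfcn else 0
        uplink = 890_000 + 200 * n
        return "EGSM900", uplink, uplink + 45_000
    skip = "DCS1800" if pcs else "PCS1900"
    for band, (lo, hi, base, duplex) in _BANDS.items():
        if band == skip:
            continue
        if lo <= arfcn <= hi:
            uplink = base + 200 * (arfcn - lo)
            return band, uplink, uplink + duplex
    raise ValueError(f"ARFCN {arfcn} is not in a GSM band")


def downlink_khz_to_arfcn(downlink_khz: int, pcs: bool = False) -> int:
    """Inverse mapping: the ARFCN whose downlink carrier is exactly `downlink_khz`."""
    uplink = downlink_khz - 45_000
    if 880_000 <= uplink <= 890_000 and (uplink - 890_000) % 200 == 0:
        n = (uplink - 890_000) // 200          # 0 or -49..-1
        return 0 if n == 0 else n + 1024
    skip = "DCS1800" if pcs else "PCS1900"
    for band, (lo, hi, base, duplex) in _BANDS.items():
        if band == skip:
            continue
        uplink = downlink_khz - duplex
        if (uplink - base) % 200 != 0:
            continue
        arfcn = lo + (uplink - base) // 200
        if lo <= arfcn <= hi:
            return arfcn
    raise ValueError(f"{downlink_khz} kHz is not a GSM downlink carrier")


def describe(arfcn: int, pcs: bool = False) -> str:
    """Human-readable line for a scanner result."""
    band, ul, dl = arfcn_to_freq_khz(arfcn, pcs)
    return f"ARFCN {arfcn} ({band}): uplink {ul / 1000:.1f} MHz, downlink {dl / 1000:.1f} MHz"


if __name__ == "__main__":
    for a in (0, 1, 124, 128, 512, 975, 1023):
        print(describe(a))
    print(describe(512, pcs=True))
```

Note that the downlink is what a phone (and cell_log) listens to, so when checking a scanner result against a spectrum display it is the downlink column you want.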

ARFCN Scanner

Run the cell_log tool from the ~/osmocom-bb/src/host/layer23/src/misc directory to determine the ARFCNs used by the nearby base stations.

Use the following command:

sudo ./cell_log -f /dev/rfcomm0

ARFCN Scanner Result

Run the Layer 1

The layer1.compalram.bin in OsmocomBB refers to a binary firmware file that implements the Layer 1 (physical layer) of the GSM protocol stack. OsmocomBB is an open-source project that provides a GSM baseband software implementation, allowing users to experiment with GSM protocols on compatible hardware.

Key Points:

  1. Layer 1 (Physical Layer):
  • In the GSM protocol stack, Layer 1 is responsible for the physical transmission of data over the air interface between the mobile station (phone) and the base station.
  • It handles tasks such as modulation, demodulation, encoding, decoding, time slot management, and power control.
  • The layer1.compalram.bin firmware is responsible for controlling the hardware (like the radio transceiver) to perform these functions.

# -p: serial port to the phone, -m: loader mode for the phone model, -s: socket for Layer 2/3
cd ~/osmocom-bb/src/host/osmocon
sudo ./osmocon -s /tmp/osmocom_l2 -m c123xor -p /dev/ttyUSB0 ../../target/firmware/board/compal_e88/layer1.compalram.bin

Install the OsmocomBB L1 firmware to the Calypso phone

Run the Layer 2 and 3

The ccch_scan program (formerly layer23) is the playground used for developing the GSM protocol layers 2 and 3 (GSM TS 04.05, 04.06, 04.08).

Using the ccch_scan program, you can:

  • Connect to the /tmp/osmocom_l2 socket created by osmocon to exchange data over the L1A_L23_Interface.
  • Receive GSM Layer 1 frames.
  • Dump received GSM Layer 1 frames and print some analysis.
  • Send the Layer 1 frames as GSMTAP packets to Wireshark (see WiresharkIntegration).
  • Forward the Layer 1 frames to the Layer 2 / LAPDm implementation inside ccch_scan.
  • Forward them from Layer 2 into the Layer 3 code inside ccch_scan.
  • Receive outgoing frames from Layer 3.
  • Process them through Layer 2.
  • Send them as uplink frames to GSMTAP.
  • Send them to Layer 1 on the phone.

The ccch_scan program is used in combination with the Layer 1 firmware (layer1.compalram.bin, loaded above).

# -i: GSMTAP destination IP, -s: Layer 1 socket from osmocon, -a: ARFCN to camp on
cd ~/osmocom-bb/src/host/layer23/src/misc
sudo ./ccch_scan -i 127.0.0.1 -s /tmp/osmocom_l2 -a <ARFCN>

CCCH Scan Result

GSMEVIL

GSMEVIL 2 is a Python web-based tool for capturing IMSI numbers and SMS. The captured IMSIs and messages can be viewed from any device in a browser, which makes capture straightforward for those without much knowledge of GSM packet capturing.

cd gsmevil
python3 GsmEvil.py

GsmEvil Localhost Dashboard

IMSI Catcher Threat Modeling

Passive IMSI Catcher Diagram

1. Actors Involved

  • Attacker (using IMSI Catcher)
  • Mobile User (Target)
  • Legitimate Mobile Network Operator (MNO)
  • Law Enforcement Agencies (optional)

2. Assets at Risk

  • User’s IMSI (International Mobile Subscriber Identity)
  • User’s Location Information
  • Confidentiality of User Communications
  • Mobile Network Security
  • User’s Personal Data

3. Attack Surface

  • 2G GSM Network: The vulnerability is primarily in 2G networks due to weaker encryption and lack of mutual authentication.
  • Mobile Devices: Devices in range that are susceptible to connecting to fake base stations.
  • Network Signaling: Communication between mobile devices and legitimate base stations.

4. Attack Vectors

  • Fake Base Station (IMSI Catcher): The attacker sets up a fake base station that mimics a legitimate GSM tower, forcing nearby mobile devices to connect to it.
  • Man-in-the-Middle (MitM): Once connected, the attacker can intercept and potentially alter communications between the mobile device and the legitimate network.
  • IMSI Disclosure: The attacker captures the IMSI numbers of connected devices to identify and track specific users.
  • Location Tracking: By forcing the device to connect, the attacker can determine the rough location of the target.

5. Threats

  • Privacy Invasion: The attacker can identify and track individuals based on their IMSI, compromising their privacy.
  • Eavesdropping: The attacker might intercept voice calls and SMS, leading to a breach of confidentiality.
  • Denial of Service (DoS): The attacker could block legitimate network access by forcing devices to stay connected to the fake base station.
  • Impersonation: The attacker could impersonate a mobile user or network to conduct further attacks.

6. Mitigations

  • Use of 3G/4G Networks: These networks offer better security features, including mutual authentication.
  • Mobile Device Security Updates: Ensure devices have up-to-date security patches to resist forced downgrades to 2G.
  • Network-Based Detection: MNOs can implement mechanisms to detect and mitigate fake base stations.
  • End-to-End Encryption: Encourage the use of secure messaging and VoIP apps that provide encryption independent of the underlying network.
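The network-based and device-side detection mitigations above rest on the same idea: compare the cells seen now against what is known to be legitimate at this location. As an added, defender-side example (not code from the article, OsmocomBB, cell_log or GSMEVIL), the following applies a few baseline-comparison heuristics to a set of observed cells. The Cell record layout, the function names and every sample value are constructed for illustration and are not cell_log's output format; MCC 001 / MNC 01 is the reserved test-network code, used so that no real operator is named.

```python
"""Baseline comparison of observed GSM cells to flag candidate rogue base stations.

Added illustration for this article, not code from OsmocomBB, cell_log or
GSMEVIL. The Cell layout and all sample values are constructed; this is not
cell_log's output format. The heuristics are a simplified version of those
used by rogue-base-station detectors: a network code or location area never
seen at this site, an unknown cell id, an unusually strong signal, or a cell
that advertises no neighbours at all.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cell:
    mcc: int                 # mobile country code
    mnc: int                 # mobile network code
    lac: int                 # location area code
    cell_id: int
    arfcn: int
    rxlev_dbm: int           # received signal level
    neighbours: tuple = ()   # neighbour ARFCNs the cell advertises

    def key(self) -> tuple:
        return (self.mcc, self.mnc, self.lac, self.cell_id)


# Constructed baseline: cells surveyed at this site on an earlier, trusted visit.
BASELINE = [
    Cell(1, 1, 100, 1001, 10, -75, (20, 30)),
    Cell(1, 1, 100, 1002, 20, -80, (10, 30)),
    Cell(1, 1, 100, 1003, 30, -85, (10, 20)),
]

# Constructed observation from a later scan of the same site.
OBSERVED = [
    Cell(1, 1, 100, 1001, 10, -74, (20, 30)),  # known cell, normal level
    Cell(1, 1, 100, 1002, 20, -55, (10, 30)),  # known cell, 25 dB stronger than before
    Cell(1, 1, 999, 9999, 40, -50, ()),        # new LAC, unknown cell, strong, no neighbours
    Cell(1, 2, 100, 1001, 50, -90, (60,)),     # network code never seen at this site
]


def assess(observed, baseline, margin_db: int = 20) -> dict:
    """Return {cell key: [reason, ...]} for every observed cell that trips a heuristic.

    A rogue cell has to announce a LAC the phone is not registered in, so that
    the phone performs a location update and identifies itself; a LAC never
    seen at this site is therefore the strongest single indicator here.
    """
    known = {c.key(): c for c in baseline}
    plmns = {(c.mcc, c.mnc) for c in baseline}
    lacs = {(c.mcc, c.mnc, c.lac) for c in baseline}
    strongest_known = max(c.rxlev_dbm for c in baseline)

    findings = {}
    for c in observed:
        reasons = []
        # Identity checks, most general first; report only the most specific mismatch.
        if (c.mcc, c.mnc) not in plmns:
            reasons.append("unknown_plmn")
        elif (c.mcc, c.mnc, c.lac) not in lacs:
            reasons.append("unknown_lac")
        elif c.key() not in known:
            reasons.append("unknown_cell")
        # Signal check against this cell's own history, or the strongest known
        # cell when it has no history.
        reference = known[c.key()].rxlev_dbm if c.key() in known else strongest_known
        if c.rxlev_dbm - reference >= margin_db:
            reasons.append("strong_signal")
        # A cell in a deployed network advertises its neighbours.
        if not c.neighbours:
            reasons.append("no_neighbours")
        if reasons:
            findings[c.key()] = reasons
    return findings


def report(findings: dict) -> list:
    """One line per suspicious cell, sorted by cell key."""
    return [
        f"MCC {k[0]:03d} MNC {k[1]:02d} LAC {k[2]} cell {k[3]}: {', '.join(v)}"
        for k, v in sorted(findings.items())
    ]


if __name__ == "__main__":
    for line in report(assess(OBSERVED, BASELINE)):
        print(line)
```

Each reason on its own is weak (a new cell may simply be a new deployment, and a strong signal may be a walk past a tower), which is why detectors weigh several indicators together and why the baseline must be refreshed from trusted surveys rather than from scans taken while an incident is suspected.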
