What’s an IMSI-Catcher?

A DRT-Box by any other name…

David Allen Burgess
Published in Telecom Experts
4 min read, Apr 19, 2021


“The IED you have called is not in service.” (from www.army.mil)

A security hole in 2G protocols opens the way for a lot of mischief. But it can also be used for good.

A hole big enough to drive a basestation through

When a cellphone attaches to a cellular network, it must be authenticated for service. Starting with 3G (UMTS AKA), the phone and network use mutual authentication, where each party authenticates the other. In 2G (GSM), however, authentication was one-way: the network authenticated the phone, but the phone had no way to authenticate the network. This makes it possible to set up a “false basestation”, a cellular basestation which claims to be some legitimate mobile operator but is in reality a hacking tool. The false basestation goes through the motions of authenticating the phone (“Sure, whatever, you look legit to me…”) and then takes control of it.
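To make the asymmetry concrete, here is an added example (written for this page; it is not code from the article, from any operator, or from any IMSI-catcher product) that models both exchanges as message flows between a SIM and whoever is on the other end of the radio link. It is a toy: HMAC-SHA256 stands in for the operator-secret algorithms (A3 on a GSM SIM, Milenage f1 and f2 on a USIM), AUTN is reduced to SQN||MAC (the real AUTN is SQN⊕AK || AMF || MAC), and the keys and RANDs are constructed locally. Those simplifications are assumptions; the shape of the two protocols is not.

```python
"""Toy model of GSM one-way authentication vs. UMTS AKA mutual authentication.
Added example, not the article's code. HMAC-SHA256 stands in for A3 and for
Milenage f1/f2, AUTN is simplified to SQN||MAC, and all secrets are constructed."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def _kdf(key: bytes, *parts: bytes) -> bytes:
    """Stand-in for the SIM/operator keyed functions (assumption, see above)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class Sim2G:
    """GSM SIM: answers any RAND with SRES. Nothing tells it who is asking."""

    def __init__(self, ki: bytes) -> None:
        self.ki = ki

    def respond(self, rand: bytes) -> bytes:
        return _kdf(self.ki, b"A3", rand)[:4]  # SRES


class Network2G:
    """Legitimate GSM network: knows Ki and verifies SRES."""

    def __init__(self, ki: bytes) -> None:
        self.ki = ki

    def attach(self, sim: Sim2G) -> bool:
        rand = os.urandom(16)
        return hmac.compare_digest(sim.respond(rand), _kdf(self.ki, b"A3", rand)[:4])


class FalseBasestation2G:
    """Knows no key: sends a RAND, ignores the answer, declares success."""

    def attach(self, sim: Sim2G) -> bool:
        sim.respond(os.urandom(16))  # SRES captured but never checked
        return True  # "Sure, whatever, you look legit to me..."


class Sim3G:
    """USIM: checks the network's MAC and sequence number before answering."""

    def __init__(self, k: bytes) -> None:
        self.k = k
        self.sqn = 0  # highest SQN accepted so far

    def respond(self, rand: bytes, autn: bytes) -> Optional[bytes]:
        sqn_bytes, mac = autn[:6], autn[6:]
        if not hmac.compare_digest(mac, _kdf(self.k, b"f1", rand, sqn_bytes)[:8]):
            return None  # MAC failure: the sender does not know K
        sqn = int.from_bytes(sqn_bytes, "big")
        if sqn <= self.sqn:
            return None  # synchronisation failure: replayed challenge
        self.sqn = sqn
        return _kdf(self.k, b"f2", rand)[:8]  # RES


class Network3G:
    """Legitimate UMTS network: derives AUTN from K and a fresh SQN."""

    def __init__(self, k: bytes) -> None:
        self.k = k
        self.sqn = 0

    def challenge(self) -> Tuple[bytes, bytes]:
        self.sqn += 1
        rand = os.urandom(16)
        sqn_bytes = self.sqn.to_bytes(6, "big")
        return rand, sqn_bytes + _kdf(self.k, b"f1", rand, sqn_bytes)[:8]

    def attach(self, sim: Sim3G) -> bool:
        rand, autn = self.challenge()
        res = sim.respond(rand, autn)
        return res is not None and hmac.compare_digest(res, _kdf(self.k, b"f2", rand)[:8])


class FalseBasestation3G:
    """Knows no key: can only forge AUTN, or replay one sniffed from a real cell."""

    def __init__(self, captured: Optional[Tuple[bytes, bytes]] = None) -> None:
        self.captured = captured

    def attach(self, sim: Sim3G) -> bool:
        if self.captured is None:
            rand, autn = os.urandom(16), (1).to_bytes(6, "big") + os.urandom(8)
        else:
            rand, autn = self.captured
        return sim.respond(rand, autn) is not None


def run_scenarios() -> Dict[str, bool]:
    """Per scenario: does the phone end up attached to whoever ran the exchange?"""
    k = os.urandom(16)  # constructed shared secret (Ki / K)
    sim2g, sim3g, net3g = Sim2G(k), Sim3G(k), Network3G(k)
    captured = net3g.challenge()  # RAND/AUTN an eavesdropper saw on the air
    sim3g.respond(*captured)  # ...and which the phone has already consumed
    return {
        "2g_legitimate": Network2G(k).attach(sim2g),
        "2g_false_basestation": FalseBasestation2G().attach(sim2g),
        "3g_legitimate": net3g.attach(sim3g),
        "3g_forged_autn": FalseBasestation3G().attach(sim3g),
        "3g_replayed_autn": FalseBasestation3G(captured).attach(sim3g),
    }
```

The point of the scenario table is the second line: the 2G phone attaches to the impostor exactly as readily as to the real network, because nothing in the GSM exchange gives it anything to verify. The 3G phone rejects both a forged AUTN (wrong MAC) and a replayed one (stale SQN); that is what “mutual” buys.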

In the US, in recent years, this technology has made a transition from military intelligence units to domestic law enforcement. In the press, IMSI-catchers are often referred to as “Stingrays” or “DRT-boxes”, based on the brand names of some of the products. As someone personally involved in the development of those military systems, I find that trend disturbing.
The ACLU of Northern California publishes a good white paper about some of the legal implications of using these tools against civilians, but even they have missed important questions, like who gave local law enforcement the right to interfere with AT&T’s federally-licensed radio network, or what IMSI-catcher operators do with the “sidecatch”, all the phones that just happen to be in the area when the system is running.

Law enforcement often makes desperate efforts to hide this technology, but the European Patent Office has been publishing a how-to guide on IMSI-catching for nearly 20 years. That’s because the German test equipment company

David Allen Burgess

I have worked in telecom since 1998, in both SIGINT and in commercial equipment. I also do expert work in legal cases, see http://telecom-expert.com.