Throwaway Thoughts

Grabbing numbers out of thin air

Something long suspected, but very recently confirmed — someone in Sri Lanka has been granted a license to evaluate IMSI/IMEI catchers. We have yet to uncover if this was followed by a purchase from a different vendor or if the process stalled at the evaluation phase. This is something of a watershed in my personal understanding of the capabilities of local law enforcement/intelligence agencies.

That local telcos would hand over data on their subscribers on being shown a court order was, I think, a reasonable assumption to make. Introducing IMSI catchers into the mix adds a new range of risks in using mobile devices, as IMSI catchers currently operate in many countries with very little oversight or transparency. Because of the widespread laxity and even nonchalance I’ve seen regarding mobile communication hygiene in Sri Lanka, this has to be a wakeup call for focus on better practices in the use of mobile devices in future.

What is an IMSI catcher? In short, as Wikipedia describes it:

The IMSI catcher masquerades as a base station and logs the IMSI numbers of all the mobile stations in the area, as they attempt to attach to the IMSI-catcher. It allows forcing the mobile phone connected to it to use no call encryption (A5/0 mode) or to use easily breakable encryption (A5/1 or A5/2 mode), making the call data easy to intercept and convert to audio.

Again in the interests of clarity, an informal explanation of base station and other cellular network terminology and processes is relevant here: A base station provides the connection between mobile phones in the area and the wider telephony network run by a telecom operator. A base station divides a geographical area into a “cell”, an area that can usually be thought of as a hexagonal grid.

An IMSI (International Mobile Subscriber Identity) is a series of digits that uniquely identifies a user of a cellular network. It is usually stored in the SIM card and, thanks to existing Sri Lankan requirements to provide identity at point of purchase, can be associated with a specific personal identity.

How cell phones work, in a simplified manner: periodically, each mobile handset will scan for eligible base stations that broadcast their availability (slightly more technically: a handset listens on the control channel for a system identification number [SID] provided by the SIM. The SID corresponds to a node on the telco’s home network, the network of cell towers used by the telco to provide service). On identifying base station(s) eligible to connect to (each telco will have its own set of base stations), a handset will typically select the base station with the strongest signal and send a registration request which includes the IMSI (note that at this point, the IMEI can be requested by the telco network; the IMEI uniquely identifies the device being used to connect). There’s more to this (obviously), but these are the bare, relevant essentials of how cellular telephony works.

Enter IMSI catchers.

Assume a large group of people are gathered at a particular location. Social media is abuzz with updates from people on the scene. Mobile phones in hand, the group sends tweets and Facebook updates, calls on more people to join them and uses both internet and mobile telephony to increase awareness of whatever is happening at that site. No matter who their service provider/telco is, each handset connects to a base station broadcasting the relevant SID. Suddenly, a high-power base station comes online near the group and broadcasts the SID(s) that correspond to one or more telcos. Within the space of minutes, most cell phones will attempt to “pair” with the stronger, closer signal, providing their IMSI for authentication purposes. This process is transparent to the end user (unless diagnostic software is running on the handset).

The details of your mobile subscription have now leaked to someone running an IMSI catcher. For more active interference in mobile activity (as opposed to mere passive monitoring), IMSI catchers may perform a man-in-the-middle function and force a downgrade of encryption security on GSM voice calls, or even perform jamming, locate a user precisely, or force a handset to give up some of its encryption keys.
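As an added illustration (not part of the original post), here is the handset selection rule and the catcher scenario from the preceding paragraphs as a small Python model, together with the kind of checks a handset-side diagnostic app could apply before trusting a newly appeared station. All cell identifiers, signal levels and the 20 dB margin are constructed values, not measurements from any real network.

```python
from dataclasses import dataclass

# Ciphering modes named in the quoted text; A5/0 means no encryption at all.
WEAK_CIPHERS = {"A5/0", "A5/1", "A5/2"}

@dataclass(frozen=True)
class BaseStation:
    cell_id: str      # identifier the station broadcasts (constructed value)
    network_id: str   # the SID the handset is listening for (see the text)
    signal_dbm: int   # received signal strength at the handset
    cipher: str       # ciphering mode the station would negotiate

def select_station(network_id, stations):
    """Handset rule from the text: among stations broadcasting our
    network identifier, attach to the one with the strongest signal."""
    eligible = [s for s in stations if s.network_id == network_id]
    return max(eligible, key=lambda s: s.signal_dbm, default=None)

def flag_suspicious(chosen, stations, known_cells, margin_db=20):
    """Defender-side heuristics a diagnostic app on the handset could run
    before trusting the chosen station. Returns the reasons it looks odd."""
    reasons = []
    if chosen.cell_id not in known_cells:
        reasons.append("cell_id not in the baseline of known cells")
    neighbours = [s.signal_dbm for s in stations
                  if s.network_id == chosen.network_id and s.cell_id != chosen.cell_id]
    if neighbours and chosen.signal_dbm - max(neighbours) >= margin_db:
        reasons.append("signal far stronger than every known neighbour")
    if chosen.cipher in WEAK_CIPHERS:
        reasons.append(f"weak or absent ciphering ({chosen.cipher})")
    return reasons

# Constructed scenario: two legitimate cells, then a much stronger station that
# appears suddenly, advertises the same network id and will only offer A5/0.
KNOWN_CELLS = {"cell-101", "cell-102"}
LEGIT = [BaseStation("cell-101", "NET-A", -85, "A5/3"),
         BaseStation("cell-102", "NET-A", -92, "A5/3")]
ROGUE = BaseStation("cell-999", "NET-A", -55, "A5/0")

def scenario(with_rogue):
    """Return (cell the handset attaches to, list of warnings raised)."""
    stations = LEGIT + ([ROGUE] if with_rogue else [])
    chosen = select_station("NET-A", stations)
    return chosen.cell_id, flag_suspicious(chosen, stations, KNOWN_CELLS)

if __name__ == "__main__":
    print(scenario(False))  # normal day: ('cell-101', [])
    print(scenario(True))   # rogue present: ('cell-999', [3 warnings])
```

The point of the model is the asymmetry the post describes: the handset's own rule happily picks the strongest signal, so only an out-of-band baseline and a check on the negotiated cipher give it any reason to hesitate.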

Why are IMSI catchers useful?

For law enforcement purposes, running IMSI catchers offers significant advantages over a request for information from cooperating telcos. For one, information is captured in real time close to the source and is not susceptible to errors or tampering by telco operators. IMSI catchers can operate in “camping mode”, where legitimate requests are forwarded transparently to the nearest base station. In this mode, all communications are intercepted by the IMSI catcher, but detection can be quite difficult as the IMSI catcher operates in MITM (Man-In-The-Middle) mode. Once the IMEI has been extracted, the device can be followed around any network even if a different SIM is used. Tagging an IMEI in this way has legitimate uses in cases of theft, which is why it is supported by telecom regulatory bodies, but it can be repurposed for surveillance as well. IMSI catchers also have the advantage of being relatively localised in effect; there is no need to analyse all the traffic through multiple cell towers and narrow down persons/devices of interest.

Why is this a change?

The working assumption always has been that most if not all telcos would hand over VLR (location register) and other information about their subscribers when compelled to do so. Even assuming optimal efficiency, this process is difficult (but not impossible) to complete in real-time. There is also the ability of more sophisticated IMSI catchers to provide active monitoring — disrupt cellular activity or make it easier to use secondary network monitoring to leak information. Active interference in cellular communications also now renders useless the precaution of using a new, previously unused mobile device/connection. Everything within a geographical area can be scooped up automatically and tracked at any point thereafter.

I’ve previously written [somewhat tongue in cheek, I might add] that merely jamming signals or blocking access is the most elementary of all disruptions for network communications. IMSI catchers allow the next level of network monitoring — real time access to cellphone communications and user locations that might have previously been considered privileged information. While it’s almost certain that offline analysis of network traffic is being used already by intelligence and law enforcement agencies, it is now a mistake to consider this to be the only vector by which communication can be monitored.

This presumption can be mirrored towards internet access. Although telcos routinely block websites for various reasons, these blocks are trivially circumvented by off-the-shelf tooling or moderately savvy end users. However, the reality is that even low-end network monitoring solutions available to corporates have long possessed the ability to detect evasions of network policy (via tunnelling, VPNs etc.) and deploy countermeasures. It seems imprudent to assume this technology is not available to ISPs in Sri Lanka (as it already has been used elsewhere).

IMSI catchers as a law enforcement tool are unfortunately here to stay due to their increasing deployment in other countries and, more importantly, their rapidly dropping costs of purchase and licensing. Although licensed off-the-shelf IMSI catchers are still expensive (and are restricted purchases, even to government agencies), someone with sufficient capability and a few grey-market imports could easily build their own. The most coherent arguments against their deployment have come from the potential for wide-scale abuse of privacy, rarely a consideration that has political interest in Sri Lanka. Even so, reports indicate that obfuscation of IMSI catcher use is routine in many countries, and the time to push for transparency and control of their use might actually be upon Sri Lankan civil liberties activists.
