Easy 4G/LTE IMSI Catchers for Non-Programmers

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10446)

Abstract

IMSI Catchers are tracking devices that break the privacy of the subscribers of mobile access networks, with disruptive effects on both the communication services and the trust and credibility of mobile network operators. Recently, we verified that IMSI Catcher attacks are really practical for the state-of-the-art 4G/LTE mobile systems too. Our IMSI Catcher device acquires subscription identities (IMSIs) within an area or location within a few seconds of operation and then denies access of subscribers to the commercial network. Moreover, we demonstrate that these attack devices can be easily built and operated using readily available tools and equipment, and without any programming. We describe our experiments and procedures that are based on commercially available hardware and unmodified open source software.

Keywords

4G LTE security IMSI Catcher Denial-of-Service 


Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. Department of Information Security and Communication Technology, NTNU, Norwegian University of Science and Technology, Trondheim, Norway
