Piers O'Hanlon and Ravishankar Borgaojkar demonstrating their proof-of-concept

Two researchers from Oxford University reminded an audience at BlackHat Europe 2016 in London why IMSI catchers remain a credible attack vector, allowing both tracking and interception of data from most major smartphones over both mobile data and WiFi.

Piers O'Hanlon and Ravishankar Borgaojkar, both researchers at the University of Oxford, focus much of their research on security and privacy for Internet and mobile communication protocols and related systems.

The IMSI catcher has been around since the 1990s, but today the researchers introduced a new type of IMSI catcher which operates over WiFi.

IMSI, the international mobile subscriber identity, is a 15-digit number used to authenticate a subscriber when moving from network to network or roaming. It is stored in two places: in the read-only section of the SIM card, and with the mobile operator.

It is essentially an identifier tied to a subscriber, and therefore usable for tracking, unlike an IMEI number, which is tied to a device.

O'Hanlon recognised this as a risk and highlighted that some work is being done to randomise identifiers of this type. He said, “Apple is leading the way currently; in iOS 10 they introduced random MAC addresses.”

While existing Stingray-type IMSI catchers exploit 2G-4G radio protocols to track the movements of mobile subscribers, the researchers introduced two new approaches to track mobile devices which exploit authentication protocols operating over WiFi.

The device itself acts as a base station to lure nearby devices. It operates over unlicensed ISM bands, creates fake access points and works in two modes: passive, which is mainly used for tracking, and active, which is used for the interception of data.

Previously, carrying out this attack was expensive. Borgaojkar said it was possible to buy an IMSI catcher from online marketplaces like Alibaba; however, it is now possible to emulate an IMSI catcher with a laptop and an SDR board.

Over 2G the catcher exploits protocol flaws: the protocol provides no mutual authentication, which allows for both tracking and interception, and this can be performed silently and automatically without any interaction from the tracked user. Over 3G/4G, the researchers said it is possible to exploit architecture issues which likewise allow for tracking, but interception of data is slightly more difficult.

Two protocols widely implemented in most modern mobile OSes allow for the creation of a low-cost IMSI catcher. These are the EAP and AKA protocols, which allow iOS phones, for example, to auto-connect to public WiFi hotspots. It is when a phone connects to these hotspots that the IMSI is shared.

The researchers highlighted how much of an issue these hotspots really are: the average user they spoke to as part of their research had over 50 profiles which allow quick and automatic connection to public WiFi hotspots. These connect based on identities found on the SIM, which is where the IMSI is stored.
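To make the sharing step concrete, here is an added example (not code from the article or from the researchers' proof-of-concept) that parses an EAP-Response/Identity packet of the kind a SIM-based WiFi profile sends to a hotspot and reports whether it exposes the permanent IMSI or only a pseudonym. The EAP packet layout is taken from RFC 3748 and the identity prefixes from RFC 4186 (EAP-SIM), RFC 4187 (EAP-AKA) and RFC 5448 (EAP-AKA'); the sample IMSI, MCC/MNC and realm values are constructed, and the function and variable names are my own.

```python
"""Classify what an EAP-Response/Identity reveals about a subscriber.

Added example, not part of the article or the researchers' proof-of-concept.
Packet layout per RFC 3748; identity prefixes per RFC 4186/4187/5448.
Sample IMSI, MCC/MNC and realm values are constructed.
"""
import struct

EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1

# First character of the NAI username encodes the EAP method and identity kind.
IDENTITY_KIND = {
    "1": ("EAP-SIM", "permanent"), "3": ("EAP-SIM", "pseudonym"), "5": ("EAP-SIM", "fast-reauth"),
    "0": ("EAP-AKA", "permanent"), "2": ("EAP-AKA", "pseudonym"), "4": ("EAP-AKA", "fast-reauth"),
    "6": ("EAP-AKA'", "permanent"), "7": ("EAP-AKA'", "pseudonym"), "8": ("EAP-AKA'", "fast-reauth"),
}

def parse_eap_identity(pkt: bytes) -> str:
    """Return the Type-Data (NAI) of an EAP-Response/Identity, or raise ValueError."""
    if len(pkt) < 5:
        raise ValueError("EAP header truncated")
    code, _ident, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    return pkt[5:].decode("ascii")

def classify_identity(nai: str) -> dict:
    """Report method, identity kind, realm and (only for permanent identities) the IMSI."""
    username, _, realm = nai.partition("@")
    method, kind = IDENTITY_KIND.get(username[:1], ("unknown", "unknown"))
    info = {"method": method, "kind": kind, "realm": realm, "imsi": None}
    # A permanent identity is the one-character prefix followed by the raw 14-15 digit IMSI.
    if kind == "permanent" and username[1:].isdigit() and 14 <= len(username[1:]) <= 15:
        info["imsi"] = username[1:]
    return info

def build_identity_response(ident: int, nai: str) -> bytes:
    """Build a constructed EAP-Response/Identity test vector carrying the given NAI."""
    data = nai.encode("ascii")
    return struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(data), EAP_TYPE_IDENTITY) + data

if __name__ == "__main__":
    # Constructed: a permanent EAP-SIM identity (leaks the IMSI) vs an EAP-AKA pseudonym (does not).
    for nai in ("1001010123456789@wlan.mnc001.mcc001.3gppnetwork.org",
                "2pseudonymXYZ@wlan.mnc001.mcc001.3gppnetwork.org"):
        info = classify_identity(parse_eap_identity(build_identity_response(1, nai)))
        print(f"{info['method']} {info['kind']} identity, IMSI exposed: {info['imsi']}")
```

Run against identity responses captured from your own devices, the check shows which WiFi profiles answer the hotspot with a permanent identity rather than a pseudonym, which is the exposure the researchers describe.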

O'Hanlon tried to present guidelines for users to protect against or mitigate the privacy issues that arise from this, and said, “there is currently no way to protect against IMSI catchers, wifi use is recommended.”

Apple, Google, Microsoft and BlackBerry have all been contacted and are aware of the issues. The researchers commented on the companies' speed of response, but recognised that this will affect most smartphones in the world, saying, “this isn't a simple case of telling users to patch.”

Concluding, the researchers showed a proof-of-concept system demonstrating their IMSI catcher employing both passive and active techniques. It was as simple as a mobile phone connecting to a WiFi network: as the phone connected, it revealed its IMSI identifier.