Topic: IMSI catcher

Offline LukeW (Topic starter)

  • Frequent Contributor
  • **
  • Posts: 686
IMSI catcher
« on: September 07, 2018, 04:39:15 am »
Let’s suppose that I want to count / track the people visiting my home and see if the same visitors return, using IMEI / IMSI intelligence.

Of course, we assume each person carries a unique cellphone with them at all times, the same one, and it is powered on and carries a SIM from a network provider. Let’s assume that buying a real Stingray is impractical, and let’s separate the technical engineering from the regulatory and ethical issues. Let’s assume that no phone calls, messages or other data will be intercepted even if the technical capability exists to do so. Let’s assume that the problem of associating a person’s identity to an IMSI/IMEI is unimportant or can be done by directly reading it from their phone.

It is technically possible to do this using something like openLTE and an Ettus Research B210.

http://rogerpiquerasjover.net/LTE_security_TakeDownCon.pdf

However, that’s an AUD$2000 hardware investment. Is there any other suitable platform to do it cheaper?

Is there any specific Australian law/laws that would regulate or prohibit such a system?

I suspect this must require an active eNodeB, therefore it requires active transmission on the licensed LTE bands, which would therefore not be legal from an RF spectrum / ACMA perspective?
Is this correct?

Is there any way to do it with passive reception without illegal transmission?
Any loophole that can make such a system possible?
 

Offline gargle

  • Newbie
  • Posts: 4
  • Country: fr
Re: IMSI catcher
« Reply #1 on: September 07, 2018, 07:10:16 am »
Technically, some guys did it before:
https://www.rtl-sdr.com/using-an-rtl-sdr-as-a-simple-imsi-catcher/

BUT I don't know the legality of this!
73
 

Online Bicurico

  • Super Contributor
  • ***
  • Posts: 1712
  • Country: pt
    • VMA's Satellite Blog
Re: IMSI catcher
« Reply #2 on: September 07, 2018, 07:28:39 am »
The RTL solution is indeed what you are looking for. I think you can use GNURadio with a broader range of devices, but an RTL2832 is the cheapest route.

In Europe/EU it will be completely illegal to monitor and store IMSI data of people visiting you, unless you have the prior written consent of each person. Even then it is probably illegal anyway. My guess is that Australian law is similar to the EU in terms of privacy.

The passive way used in the RTL solution just snips the relevant IMSI data that is broadcast from the mobile phone to the operator cell. Such listening can hardly be detected.

An active way of doing it requires your solution to act as a mobile phone operator and to transmit in the respective frequencies. The advantage is you get more reliable data. This can and will be detected and is highly illegal. Most countries will sanction this with jail time.

There is mobile communication test equipment that can simulate a cell. Here you can analyse and log all data including IMSI. I have for instance the Agilent MD8470A. But these devices are to be used with a special test SIM that is configured for test purposes. The norms define a test operator. Even so you may not transmit outside your lab.

A test cell can be set up for HackRF, PlutoSDR and similar low cost devices with free open source software. It even works with hacked USB VGA adapters! I am on my phone so putting the link here is not easy, but you will find it quickly searching Google.

Again, what you describe would be a dream come true for stores to recognize their customers for profiling. Stay away from that, it is not only illegal in most countries - it will be a huge turn off for said customers!

Regards,
Vitor

Offline LukeW (Topic starter)

  • Frequent Contributor
  • **
  • Posts: 686
Re: IMSI catcher
« Reply #3 on: September 07, 2018, 08:52:25 am »
The RTL2832 (RTL-SDR) obviously ticks the box for cheap hardware - but it appears to only work with 2G GSM systems.

Nobody uses GSM at all any more - it's completely shut down, in Australia at least. (Unusual that we're ahead of the rest of the world in terms of communications infrastructure!)
 

Online Bicurico

  • Super Contributor
  • ***
  • Posts: 1712
  • Country: pt
    • VMA's Satellite Blog
Re: IMSI catcher
« Reply #4 on: September 07, 2018, 09:17:40 am »
Good point!

I forgot to mention that 3G onwards (WCDMA, LTE, ...) uses encryption which is considered secure.

The phone will negotiate with the provider and the provider checks if the SIM is recognized. Quite complicated.

Regards,
Vitor

Online madires

  • Super Contributor
  • ***
  • Posts: 7755
  • Country: de
  • A qualified hobbyist ;)
Re: IMSI catcher
« Reply #5 on: September 07, 2018, 11:15:57 am »
Hacking a femtocell?
 

Offline CJay

  • Super Contributor
  • ***
  • Posts: 4136
  • Country: gb
Re: IMSI catcher
« Reply #6 on: September 07, 2018, 04:51:32 pm »
I'm led to believe this is possible by hacking a cheap and easily available Femtocell (marketed as 'signal boosters', which will route calls via the 'net from a cellphone).

But it might pay you to do a little research into shopping centre customer tracking systems. They claim to be able to legally capture unique but non-identifiable ID data from cellphones to track the movement of the person carrying the phone; apparently it's analysed and used to increase sales by monitoring visitor behavioural patterns.

 

Offline coppercone2

  • Super Contributor
  • ***
  • Posts: 9420
  • Country: us
  • $
Re: IMSI catcher
« Reply #7 on: September 07, 2018, 08:48:56 pm »
Won't it be using the TMSI if it can? Why would it broadcast an IMSI at a random location for no reason? Chance only. To further this, towers probably communicate the TMSI between themselves in between cells and store it in a buffer that has some PDF it follows to minimize IMSI transmission; it probably checks to make sure your phone did not go into a dead zone temporarily before it gets within the range of a bordering cell.

Thankfully, unless the phone switches towers right at the proximity of your doorway it won't work, or you will need to crack TMSI, or do some kind of illegal trickery to make the phone broadcast its IMSI to try to get a new TMSI.

I wonder if you can make a countermeasure on your phone with an app that basically disables IMSI broadcast when you are near a certain area you don't really like. Then you can actually prove if someone is doing something shady (i.e. other people have connections but you don't; what are the odds it's being caused naturally at that location?). Since there is some kind of buffer purge filter that's probably designed with some kind of human behavior in mind, if everyone starts doing it you might cause some towers to malfunction.



In my opinion this is like asking someone to take their hat off on the street so you can look at their face better. It's also degrading SNR, occupying the phone company's buffers (say you get a text in the exact instant the thing tries to dupe your phone). I would be pissed if I discovered such a device.

Could it go into jam mode so you can try to fuck up their database, making it think there are hundreds of customers entering the store with fake IMSIs lol..? But unfortunately this is illegal. It would mess with the tower unless you decrease signal power enough, and you might need to spoof a plausible response from the tower. It might not have to do a decryption to get a 'plausible response flag'; it could be a detection of weak correlation of encryption or just based on measured timing.

I wonder if you can crash a Stingray doing this. Man, this sounds fun to do. So long as the timing is random you should be able to jam the fucking thing in a way that can't be filtered. They would need to tap it right at the tower so you can't easily fuck with it using signal level adjustment.
« Last Edit: September 07, 2018, 09:11:41 pm by coppercone2 »
 

Offline LukeW (Topic starter)

  • Frequent Contributor
  • **
  • Posts: 686
Re: IMSI catcher
« Reply #8 on: September 08, 2018, 02:39:55 am »
> I'm led to believe this is possible by hacking a cheap and easily available Femtocell (marketed as 'signal boosters', which will route calls via the 'net from a cellphone).
>
> But it might pay you to do a little research into shopping centre customer tracking systems. They claim to be able to legally capture unique but non-identifiable ID data from cellphones to track the movement of the person carrying the phone; apparently it's analysed and used to increase sales by monitoring visitor behavioural patterns.

How many people out there are selling that tech for shopping centre analysts?

Perhaps they're just looking at the Wi-Fi MAC; it seems like it would be far easier and cheaper, without potential legal issues.
 

Offline CJay

  • Super Contributor
  • ***
  • Posts: 4136
  • Country: gb
Re: IMSI catcher
« Reply #9 on: September 08, 2018, 07:49:27 am »
> > I'm led to believe this is possible by hacking a cheap and easily available Femtocell (marketed as 'signal boosters', which will route calls via the 'net from a cellphone).
> >
> > But it might pay you to do a little research into shopping centre customer tracking systems. They claim to be able to legally capture unique but non-identifiable ID data from cellphones to track the movement of the person carrying the phone; apparently it's analysed and used to increase sales by monitoring visitor behavioural patterns.
>
> How many people out there are selling that tech for shopping centre analysts?
>
> Perhaps they're just looking at the Wi-Fi MAC; it seems like it would be far easier and cheaper, without potential legal issues.

No idea how many companies sell the tech but it's been around for quite some time, some details here:

https://www.theregister.co.uk/2008/05/20/tracking_phones/
 

Offline LukeW (Topic starter)

  • Frequent Contributor
  • **
  • Posts: 686
Re: IMSI catcher
« Reply #10 on: September 08, 2018, 12:52:34 pm »
Path Intelligence claims to have a 2G GSM solution only.
https://ieeexplore.ieee.org/document/7504397/

But you can do that for 10 bucks on an RTL2832.
And Path Intelligence went bust in 2015.
 

Offline LukeW (Topic starter)

  • Frequent Contributor
  • **
  • Posts: 686
Re: IMSI catcher
« Reply #11 on: September 08, 2018, 12:55:31 pm »
TMSI would be OK. It would still give you a unique tag of that person during their visit, without knowing their identity, and it won’t change during a visit as long as they don’t reboot the phone.
 

Offline janoc

  • Super Contributor
  • ***
  • Posts: 3785
  • Country: de
Re: IMSI catcher
« Reply #12 on: September 08, 2018, 01:17:35 pm »
> Let’s suppose that I want to count / track the people visiting my home and see if the same visitors return, using IMEI / IMSI intelligence.

A much simpler solution would be a camera at the entrance and some basic face recognition. That will work regardless of whether or not the person carries a phone with them and will actually require that they step in your door instead of e.g. passing nearby (radio waves propagate and it is quite a bit harder to restrict it to the "area of interest").

You still may have issues with privacy laws in your country (surveillance cameras tend to be tightly regulated, but if the camera is watching the inside of your house/lobby and not some common area/street you will likely be fine), but at least it doesn't need complicated radio/messing with encryption/illegally interfering with a cell phone service, risking prison time.

The supermarket systems rarely collect IMEIs (there has been at least one such system mentioned recently, though). Most simply record radio activity on the cellphone frequencies in the various areas of interest in the store, along with doing wifi/Bluetooth fingerprinting (a lot of people walk around with that enabled), and use that to estimate how many people visit that part of the store and how long they stay there. That is a much simpler system and can be completely passive, without having to put in place a complete pico cell.

 

Offline coppercone2

  • Super Contributor
  • ***
  • Posts: 9420
  • Country: us
  • $
Re: IMSI catcher
« Reply #13 on: September 08, 2018, 02:26:44 pm »
> TMSI would be OK. It would still give you a unique tag of that person during their visit, without knowing their identity, and it won’t change during a visit as long as they don’t reboot the phone.

Yea, but the thing is with TMSI you can have different people get the same one at different times, but it's very unlikely I think, since it's temporary.

Also, it really depends on how it works. https://security.stackexchange.com/questions/24786/does-a-tmsi-change-often-enough-to-prevent-tracking

I don't actually know what makes it change. This guy says just entering the zone of a new tower. So your idea should only work if the visitor lives real close and does not leave the area.

Otherwise you would need to bug the tower and record all the TMSI assignments in the cell, something that might get you the FBI driving a van into your house. I don't know if it does TMSI reassignments either, so the phone gives the old TMSI to receive a new one, or if it always identifies with its IMSI.
« Last Edit: September 08, 2018, 02:31:42 pm by coppercone2 »
 

Offline CJay

  • Super Contributor
  • ***
  • Posts: 4136
  • Country: gb
Re: IMSI catcher
« Reply #14 on: September 09, 2018, 08:14:35 pm »
> Path Intelligence claims to have a 2G GSM solution only.
> https://ieeexplore.ieee.org/document/7504397/
>
> But you can do that for 10 bucks on an RTL2832.
> And Path Intelligence went bust in 2015.

There's plenty more out there offering that and newer technologies; my point was only that it's easily available and that article was from 2008.
 

Offline Lord of nothing

  • Super Contributor
  • ***
  • Posts: 1581
  • Country: at
Re: IMSI catcher
« Reply #15 on: September 10, 2018, 01:47:24 pm »
;D In Austria the "main"/former state-owned cellphone provider offers that movement data for a huge amount of money.
Sure, they claim it is anonymous. :-DD
Made in Japan, destroyed in Sulz im Wienerwald.
 

Offline stj

  • Super Contributor
  • ***
  • Posts: 2155
  • Country: gb
Re: IMSI catcher
« Reply #16 on: September 12, 2018, 12:02:12 am »
Companies don't care about laws.

I saw a product at a trade show last year.
It scans your phone from a distance, identifies it, and sends it a pre-defined text message!!
It was marketed as a device to send product advertisements to people as they pass a shopfront or enter a building!!!

It was running, and it did work.
I don't know how, because I can't see how it could associate the IMEI/IMSI with the phone number without access to the network central-registry database.
I know cell towers access the database; I hope they were not imitating one to get the data from the registry!!
 

Offline CJay

  • Super Contributor
  • ***
  • Posts: 4136
  • Country: gb
Re: IMSI catcher
« Reply #17 on: September 12, 2018, 05:57:37 am »
> Companies don't care about laws.
>
> I saw a product at a trade show last year.
> It scans your phone from a distance, identifies it, and sends it a pre-defined text message!!
> It was marketed as a device to send product advertisements to people as they pass a shopfront or enter a building!!!
>
> It was running, and it did work.
> I don't know how, because I can't see how it could associate the IMEI/IMSI with the phone number without access to the network central-registry database.
> I know cell towers access the database; I hope they were not imitating one to get the data from the registry!!

I was asked to install something similar that used Bluetooth a few years ago; I would be interested to know what this one is called so I can avoid it if asked.
 

Online Bicurico

  • Super Contributor
  • ***
  • Posts: 1712
  • Country: pt
    • VMA's Satellite Blog

Offline janoc

  • Super Contributor
  • ***
  • Posts: 3785
  • Country: de
Re: IMSI catcher
« Reply #19 on: September 12, 2018, 06:32:01 pm »
> https://mashable.com/2014/01/21/kiev-protesters-text-message/?europe=true#O.JVmjQ8ePq9
>
> Cheers,
> Vitor

That was most likely the government ordering the phone companies to do it (or using a government backdoor into those systems). That's pretty trivial to do and such setups are common, e.g. for natural disaster warnings in an area, amber alerts, tornado warnings, etc. Certainly nothing to do with an "IMSI catcher" (aka Stingray).
 

Offline janoc

  • Super Contributor
  • ***
  • Posts: 3785
  • Country: de
Re: IMSI catcher
« Reply #20 on: September 12, 2018, 06:50:15 pm »
> Companies don't care about laws.
>
> I saw a product at a trade show last year.
> It scans your phone from a distance, identifies it, and sends it a pre-defined text message!!
> It was marketed as a device to send product advertisements to people as they pass a shopfront or enter a building!!!
>
> It was running, and it did work.
> I don't know how, because I can't see how it could associate the IMEI/IMSI with the phone number without access to the network central-registry database.
> I know cell towers access the database; I hope they were not imitating one to get the data from the registry!!

Probably good old bluejacking:
https://www.techwalla.com/articles/how-to-bluejack-a-phone

Not complicated to automate, no need to license anything and nothing to do with IMEI/IMSI. Lots of people are walking around with Bluetooth enabled because of wireless headphones and headsets these days.

Or it was a picocell, which is a GSM base station. And the moment the phone connects to it, because it has a stronger signal than the phone's normal network, the phone gets spammed. The only data such a cell could capture is the IMEI identifier from the phone. It doesn't need the phone number to send a message to a phone that is directly connected to it. However, you need a license to operate (not to manufacture!) such a device, so I am pretty sure the company offering it was totally in the clear. It would be your responsibility to comply with any applicable laws when operating it, not theirs, same as when buying any other radio equipment.
 

Online Bicurico

  • Super Contributor
  • ***
  • Posts: 1712
  • Country: pt
    • VMA's Satellite Blog
Re: IMSI catcher
« Reply #21 on: September 12, 2018, 08:38:47 pm »
I think it is a bit more complicated than that. Most countries have 3 competing mobile operators.

Such a spamming device would have to:

a) Offer three different network IDs (one for each local operator): this gets expensive, as you need to have a 3-in-1 device. I doubt you could simulate more than one operator with just one device.
b) Operate under 2G: the problem is that many smartphones do not connect to 2G unless specifically set up to do so.
c) Have a considerably stronger signal to lure the phone: I am not sure how the cell switching is programmed on a phone, but it probably does not just use the rule to switch over to the strongest cell. It probably only does so if the current cell has a signal below a given threshold.
d) Such a device would of course be highly illegal and easily detectable.

I can set up my Anritsu MD8470A to simulate an operator cell and my phone will connect to it, not showing the "R" symbol for roaming. I can then send whatever message I want to my phone. This can be automated (if you know how to program and purchase the Anritsu documentation, which I don't have). But: the phone only connects if I configure it for exclusive 2G mode.

I cannot repeat this for 3G/3.5G/4G, as I don't have access to the secret keys on the SIM card. If I want my phone to connect, I have to use a special TEST SIM, where these secret keys are known.

But perhaps the mobile phone standards do describe some secret protocol to multicast emergency SMS to all phones in the vicinity, no matter if they are signed in or not.

Regards,
Vitor
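The phone-side view of points b), c) and d) above, as an added example that is not code from anyone in this thread: a small checker that runs over constructed cell observations and flags the indicators a handset would see when lured onto an active fake 2G cell (unknown cell, forced drop to GSM, ciphering off, implausible signal jump). The observation format, the thresholds and the use of the 3GPP test PLMN 001-01 are assumptions.

```python
"""Rogue-cell indicator check over constructed phone-side cell observations.
Added example: not code from this thread or from any named product."""
from dataclasses import dataclass


@dataclass
class CellObservation:
    t: int          # seconds since start of the trace (constructed)
    rat: str        # radio access technology: "LTE", "UMTS" or "GSM"
    plmn: str       # MCC-MNC the cell claims; "001-01" is the 3GPP test PLMN
    cell: str       # location area / cell identity as one label
    rssi_dbm: int   # received signal strength
    cipher: str     # e.g. "EEA2" (LTE), "UEA1" (UMTS), "A5/1", "A5/0" (none)


def rogue_cell_indicators(obs, known_cells, rssi_jump_db=20, good_rssi_dbm=-95):
    """Return (time, reason) findings for the indicators a phone would see when
    lured onto an active fake 2G cell. Heuristics are assumptions drawn from
    public IMSI-catcher-detector practice, with constructed thresholds:
      - GSM cell with ciphering disabled (A5/0)
      - cell identity not in the list of cells known for that PLMN
      - drop from 3G/4G to GSM while the old cell's signal was still good
      - new cell far stronger than the one just left"""
    findings = []
    prev = None
    for o in obs:
        if o.rat == "GSM" and o.cipher == "A5/0":
            findings.append((o.t, "GSM cell with ciphering disabled (A5/0)"))
        if o.cell not in known_cells.get(o.plmn, set()):
            findings.append((o.t, f"unknown cell {o.cell} for PLMN {o.plmn}"))
        if prev is not None and prev.cell != o.cell:
            if prev.rat != "GSM" and o.rat == "GSM" and prev.rssi_dbm > good_rssi_dbm:
                findings.append((o.t, "downgrade to 2G while 3G/4G signal was still good"))
            jump = o.rssi_dbm - prev.rssi_dbm
            if jump >= rssi_jump_db:
                findings.append((o.t, f"signal jump of {jump} dB on cell change"))
        prev = o
    return findings


# Constructed neighbour list and trace: a normal LTE handover, then a sudden
# strong, unknown, unciphered GSM cell, then return to the real network.
KNOWN_CELLS = {"001-01": {"LAC100/CID1", "LAC100/CID2"}}
SAMPLE_TRACE = [
    CellObservation(0, "LTE", "001-01", "LAC100/CID1", -80, "EEA2"),
    CellObservation(30, "LTE", "001-01", "LAC100/CID2", -85, "EEA2"),
    CellObservation(60, "GSM", "001-01", "LAC999/CID77", -50, "A5/0"),
    CellObservation(90, "LTE", "001-01", "LAC100/CID1", -82, "EEA2"),
]


def scan_sample():
    """Run the checker over the constructed trace; all four findings land at t=60."""
    return rogue_cell_indicators(SAMPLE_TRACE, KNOWN_CELLS)


if __name__ == "__main__":
    for t, reason in scan_sample():
        print(f"t={t}s: {reason}")
```

The ordinary LTE handover at t=30 and the return at t=90 produce no findings; only the 2G cell at t=60 trips all four checks.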


Online Bicurico

  • Super Contributor
  • ***
  • Posts: 1712
  • Country: pt
    • VMA's Satellite Blog
Re: IMSI catcher
« Reply #22 on: September 12, 2018, 08:40:45 pm »
Forgot to mention that I was in Kuala Lumpur last month and I did start to receive some spam SMS.

No idea where they came from, and for sure I did not hand out my number anywhere. The SMS were ads for Chinese/Malaysian online games, so definitely something local.

This leads me to think that it might indeed have been some IMSI spamming device?

Regards,
Vitor

