The IMSI (International Mobile Subscriber Identity) is a unique number assigned to every mobile subscriber. It is stored on the SIM card and used by mobile networks to identify and authenticate the subscriber.
An IMSI Catcher is a device that pretends to be a commercial Base Station (BS), tracks devices and violates subscriber privacy. Criminals or hackers may use IMSI Catchers to eavesdrop, steal identities, or commit other crimes.
Why do criminals target IMSI?
The IMSI uniquely identifies a user on the network, making it a key piece of data for tracking or monitoring. Once the IMSI is captured, the person’s mobile activities, such as location, calls, and messages, can be tracked. While IMSI Catchers primarily collect IMSIs, depending on the network and device vulnerabilities, they may also facilitate eavesdropping on calls or intercepting messages.
How does an IMSI catcher capture IMSIs?
The IMSI Catcher operates as a fake base station that mimics a legitimate cell tower and broadcasts a strong signal. Mobile devices prefer it because they prioritize the tower with the strongest signal to maintain connectivity. The user equipment (UE) then connects without verifying the authenticity of the base station (especially under older protocols such as 2G, which give the phone no way to authenticate the network).
The Evolution of Security from 2G to 5G
2G had only one-sided authentication, in which the network authenticated the mobile phone. Mobile phones, however, had no means to authenticate the network, which made it easy for IMSI Catchers to trick them.
This was fixed in 3G by introducing mutual authentication between the mobile phone and the home network. Still, session keys generated for one roaming network could be valid in another: there was no cryptographic separation of security keys between roaming networks.
In 4G, this was fixed by cryptographically binding the roaming network identifier into the session keys. However, authentication still terminates in the roaming network, which merely informs the home network that a certain mobile phone is in its network; the home network has no guarantee that the phone is actually present in that roaming network.
To fix this, authentication in 5G is terminated in the home network.
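The authentication differences described above, as an added example that is not part of the original page: a simplified Python model in which HMAC-SHA256 stands in for the 3GPP f1..f5 functions and the key derivation function, and constructed keys replace real SIM secrets (real SIMs use MILENAGE or TUAK, and real networks the KDFs from the 3GPP specifications). It shows why a 2G phone has nothing to check when a station challenges it, why a 3G/4G phone rejects an AUTN that was not produced by a party holding the shared key K (and rejects a replayed one), and how 4G's binding of the serving-network identity into K_ASME keeps keys derived for one roaming network from being valid in another.

```python
import hashlib
import hmac
import os


def _prf(key: bytes, tag: bytes, *parts: bytes) -> bytes:
    # Toy stand-in for the 3GPP f1..f5 functions and the KDF (assumption: real SIMs use MILENAGE/TUAK).
    return hmac.new(key, tag + b"".join(parts), hashlib.sha256).digest()


# ---- 2G (GSM): one-sided authentication ----------------------------------
def gsm_sres(k: bytes, rand: bytes) -> bytes:
    """A3-style signed response: the network checks it, the phone checks nothing."""
    return _prf(k, b"A3", rand)[:4]


def ue_2g_verify_network(rand: bytes) -> bool:
    # GSM carries no authentication token from the network, so the phone has
    # nothing to verify: whoever sends RAND with the strongest signal is answered.
    return True


# ---- 3G UMTS AKA: mutual authentication via AUTN --------------------------
SQN_LEN, AK_LEN, MAC_LEN = 6, 6, 8


def umts_auth_vector(k: bytes, sqn: int, rand=None, amf: bytes = b"\x80\x00"):
    """Home network builds (RAND, AUTN, XRES, CK, IK) from the shared key K."""
    rand = os.urandom(16) if rand is None else rand
    sqn_b = sqn.to_bytes(SQN_LEN, "big")
    mac_a = _prf(k, b"f1", sqn_b, rand, amf)[:MAC_LEN]
    ak = _prf(k, b"f5", rand)[:AK_LEN]
    sqn_xor_ak = bytes(a ^ b for a, b in zip(sqn_b, ak))
    autn = sqn_xor_ak + amf + mac_a
    xres = _prf(k, b"f2", rand)[:8]
    ck = _prf(k, b"f3", rand)[:16]
    ik = _prf(k, b"f4", rand)[:16]
    return rand, autn, xres, ck, ik


def ue_3g_verify(k: bytes, rand: bytes, autn: bytes, last_sqn: int) -> bool:
    """Phone recomputes MAC-A with its own K; a station without K cannot forge AUTN."""
    sqn_xor_ak = autn[:SQN_LEN]
    amf = autn[SQN_LEN:SQN_LEN + 2]
    mac_a = autn[SQN_LEN + 2:]
    ak = _prf(k, b"f5", rand)[:AK_LEN]
    sqn = int.from_bytes(bytes(a ^ b for a, b in zip(sqn_xor_ak, ak)), "big")
    expected = _prf(k, b"f1", sqn.to_bytes(SQN_LEN, "big"), rand, amf)[:MAC_LEN]
    # Constant-time compare, and the sequence number must advance (replay check).
    return hmac.compare_digest(expected, mac_a) and sqn > last_sqn


# ---- 4G LTE: bind the session key to the serving network -------------------
def derive_kasme(ck: bytes, ik: bytes, serving_network_id: str) -> bytes:
    """K_ASME depends on the serving network ID, so a vector for one network is useless in another."""
    return _prf(ck + ik, b"KASME", serving_network_id.encode())


def demo() -> dict:
    # Constructed keys: the subscriber's real K, and the key a fake station is left guessing.
    k_real = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    k_fake = bytes.fromhex("ffffffffffffffffffffffffffffffff")
    last_sqn = 41

    rand, autn, _, ck, ik = umts_auth_vector(k_real, last_sqn + 1)
    fake_rand, fake_autn, *_ = umts_auth_vector(k_fake, last_sqn + 1)
    return {
        "2g_accepts_any_station": ue_2g_verify_network(fake_rand),
        "3g_accepts_home_network": ue_3g_verify(k_real, rand, autn, last_sqn),
        "3g_rejects_fake_station": not ue_3g_verify(k_real, fake_rand, fake_autn, last_sqn),
        "3g_rejects_replay": not ue_3g_verify(k_real, rand, autn, last_sqn + 1),
        "4g_keys_separated": derive_kasme(ck, ik, "001-01") != derive_kasme(ck, ik, "001-02"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Running the module prints one line per check, all `True`. The 5G step the page ends on is not modelled here: in this toy the home network already computes the vector, and 5G's change is that the home network also verifies the phone's response itself rather than trusting the roaming network's report, so the roaming network can no longer claim a subscriber's presence on its own.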