IMSI catcher

From Wikipedia, the free encyclopedia

IMSI catchers are devices that can read the International Mobile Subscriber Identity (IMSI) stored on a mobile phone's SIM card and narrow down the location of a mobile phone within a radio cell.

Functionality

Towards the mobile phone, the IMSI catcher behaves like a radio cell (base station); towards the network, it behaves like a mobile phone. The device simulates a cellular network, and all mobile phones in a certain area register with this cell because it presents the strongest signal.

With an IMSI catcher it is possible to listen in on mobile phone calls. Data from bystanders within the radio range of the IMSI catcher can also be recorded without those affected being able to notice it. Under certain circumstances, the IMSI catcher blocks all cellular traffic of the affected phones, so that even an emergency call can be prevented.

IMSI catchers are mainly used by law enforcement authorities and intelligence services to determine a location and to create a movement profile of people.

The catcher simulates a specific cell of the network operator and is adopted by the mobile phone from its neighbour-cell list as the serving cell. The IMSI catcher transmits a changed location area identity and thereby prompts the phones to contact the (simulated) cellular network (the "location update" procedure). The catcher then sends an "Identity Request" command. The mobile phone replies with an identity response, which can contain the IMSI or the TMSI (temporary IMSI) and the IMEI. The data obtained must then be compared against existing databases.

The entire process is made possible by the fact that a mobile phone authenticates itself to the mobile network, but the mobile network does not authenticate itself to the mobile phone. Once the catcher has taken over the phone as its base station, it switches the phone to unencrypted transmission using a signalling path provided for this purpose in the GSM protocol. In this way, a conversation conducted via the catcher can be listened to. In order to forward the tapped conversation (a man-in-the-middle attack), the IMSI catcher has to pretend to be a mobile phone towards the cellular network. It cannot simply pass the tapped traffic on unencrypted, because although a base station can instruct a mobile device to send unencrypted, the device is not allowed to choose this mode of its own accord. The IMSI catcher therefore needs its own SIM card and forwards the intercepted call as a separate call. For calls made from a tapped mobile phone, the called party sees either the number of the IMSI catcher or no number at all, rather than the actual caller's number.

Although the firmware of a mobile phone could signal the unusual unencrypted call mode to the user, this is not done. Only with some models is it possible to find out whether the device is transmitting in encrypted mode; for this, an internal network monitor of the device must be activated. This is mostly not user-friendly and requires specialist knowledge to interpret the displayed values correctly. In any case, the following applies to mobile phone calls just as to landline calls: state wiretapping measures take place directly at the telephone company and, because of how the method works, cannot be detected on the end device.

Example scenario

A target is in their home. Investigators approach the target with a vehicle in which the catcher is housed and carry out one simulation for each network operator. In a large city in particular, each measurement per network will capture a number of identifier pairs (IMSI or TMSI together with IMEI), which makes several measurements necessary.

Now the target person leaves the apartment and drives, e.g., to another city. The investigators follow the target and may carry out measurements again while driving. By comparing the first series of measurements with the second or further series, it is possible to find out which identifiers are the same. The IMSI and IMEI that are identical in the first and second series of measurements very likely belong to the target person.

Even if the person changes the SIM card, the IMEI of the mobile phone remains the same. For this reason, criminals have started changing the mobile phone as well as the SIM card, i.e. using several different phones with different SIM cards. By comparing against all the collected data, conclusions can be drawn about the cycle in which phones and cards are swapped.

With some older mobile phones, special software can also be used to change the IMEI via a data cable. A changed IMEI can be noticed if the new IMEI uses an inconsistent Type Approval Code or country code that manufacturers do not assign in practice.

The BKA and the Office for the Protection of the Constitution already use devices that can eavesdrop on calls (e.g. the GA 090). At a price of €200,000 to €300,000, they are already considered an export success.

Further fields of application

An often unmentioned and underestimated problem is a side effect of IMSI catchers: they can block the mobile phones in their area of operation, so that an emergency call to the police, fire brigade or rescue service is impossible during such an operation.

However, it is precisely this effect that can also be used to deliberately suppress communication in the context of police surveillance and intervention operations.

IMSI catchers can also be very useful when searching for missing people, as in 2015 when looking for a crashed wingsuit flyer in the Swiss Alps.

Limits of applicability

In large cities it is very difficult to determine the IMSI and IMEI of a mobile phone user from a single location in a short time. If the mobile phone is only used at a certain location (e.g. a building with many occupants) and its position does not change, the phone being sought is lost in the crowd and is harder to identify. In addition, the simulated signal from the IMSI catcher would have to be much stronger than the network operator's own signal over a longer period of time, which would quickly reveal the IMSI catcher.

Traceability

With the help of special monitor software that continuously records all signals (e.g. cell ID, channel, location area, reception level, timing advance, minimum/maximum level), the use of an IMSI catcher can under certain circumstances be traced. Since IMSI catchers are also used by secret services, it can be assumed that they are well camouflaged, i.e. that a network operator's cell is copied one to one.

It is noticeable, however, that "communication" takes place at the same time on all mobile phones of one network operator in the vicinity of the catcher. This can be determined, for example, with monitor software. Even more noticeable: this phenomenon is repeated at short intervals for all network operators in the vicinity of the catcher. To determine this, at least two mobile phones per network operator are required, whose data is continuously evaluated by software.

Example of a possible signalling profile for four mobile network codes (MNC, one per network operator). Two mobile phones are monitored per MNC, so a catcher-triggered update appears as a double bar (//); the order of the MNCs is irrelevant. A single bar (/) is, for example, a periodic location update.

t (time axis) -------->
MNC1.......//................/...........
MNC2.........//..........................
MNC3............//.........../...........
MNC4...../.........//....................

The staircase structure indicates an external intervention by a catcher in the cellular network.

A normal profile without a change of location or external intervention is completely unstructured:

t (time axis) ----->
MNC1............................/........
MNC2...../............................./.
MNC3................../..................
MNC4........../................../.......
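The staircase detection described above, as an added example that is not part of the original article: the log of location updates, the two-phones-per-operator layout and the thresholds (pair_window, sweep_gap, min_operators) are constructed assumptions for the sake of the example.

```python
from collections import defaultdict
# Constructed location-update log (not real measurements): (seconds, MNC,
# monitor phone), two monitor phones per operator as the text requires.
# A catcher sweep forces both phones of one operator to update within
# seconds, then moves on to the next operator.
SWEEP_EVENTS = [
    (30, "MNC4", "p7"),                        # isolated periodic update (/)
    (120, "MNC1", "p1"), (123, "MNC1", "p2"),  # paired update (//) on MNC1
    (150, "MNC2", "p3"), (152, "MNC2", "p4"),  # ... then on MNC2
    (181, "MNC3", "p5"), (184, "MNC3", "p6"),  # ... then on MNC3
    (220, "MNC4", "p7"), (224, "MNC4", "p8"),  # ... then on MNC4
    (400, "MNC1", "p1"), (650, "MNC3", "p6"),  # later periodic updates
]
# Unstructured profile: only scattered periodic (T3212-driven) updates.
NORMAL_EVENTS = [
    (30, "MNC1", "p1"), (200, "MNC2", "p3"), (260, "MNC4", "p7"),
    (500, "MNC3", "p5"), (700, "MNC2", "p4"), (900, "MNC1", "p2"),
]

def paired_bursts(events, pair_window=10):
    """Return sorted (time, mnc) pairs for every moment at which all monitored
    phones of one operator updated within pair_window seconds of each other."""
    by_mnc = defaultdict(lambda: defaultdict(list))
    for t, mnc, phone in events:
        by_mnc[mnc][phone].append(t)
    bursts = []
    for mnc, phones in by_mnc.items():
        if len(phones) < 2:
            continue  # the pattern needs at least two phones per operator
        anchor, *others = sorted(phones)
        for t0 in phones[anchor]:
            if all(any(abs(t - t0) <= pair_window for t in phones[p])
                   for p in others):
                bursts.append((t0, mnc))
    return sorted(bursts)

def detect_staircase(events, pair_window=10, sweep_gap=60, min_operators=3):
    """Group paired bursts into sweeps (consecutive bursts on different operators
    at most sweep_gap apart); a sweep over min_operators operators is flagged."""
    runs, run = [], []
    for t, mnc in paired_bursts(events, pair_window):
        if run and (t - run[-1][0] > sweep_gap or mnc in {m for _, m in run}):
            runs.append(run)
            run = []
        run.append((t, mnc))
    if run:
        runs.append(run)
    return [r for r in runs if len(r) >= min_operators]
```

On the constructed sweep log the function reports one staircase covering all four operators; on the unstructured log it reports nothing.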

However, this recognizable pattern can be countered by the IMSI catcher in the simplest way: a script pseudo-randomly generates activity for the individual registered subscribers, e.g. by silent SMS or RRLP requests. As a result, the T3212 timers of the individual subscribers no longer run quasi-synchronously, the activity pattern appears more random, and this simple means of detection is defeated.

Since the IMSI catcher can simulate a GSM network towards the mobile phone but not a mobile phone towards the network, a scan with the IMSI catcher can also easily be unmasked by a phone call: you call the mobile phone in question. If the phone does not ring, the signalling coming from the "real" network has been swallowed. A successfully completed call can rule out the use of a "simple" IMSI catcher (e.g. the R&S GA 090). In the meantime, however, there are more intelligent IMSI catchers that work semi-actively, so that incoming calls can also be eavesdropped. A few mobile phones (e.g. earlier SonyEricsson devices) do display deactivated encryption (the "Ciphering Indication Feature"), which can be due to the use of an IMSI catcher, provided that the network operator has not suppressed this on the SIM via the OFM bit in EF_AD (Operational Feature Monitor, the LSB of byte 3 of the Elementary File Administrative Data, 6FAD). This does not, however, affect monitoring functions that are controlled directly from the real network without any IMSI catcher.
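As an added example (not from the article), a decoder for the EF_AD contents that reports the OFM bit named above. The position of OFM (LSB of byte 3) is as stated in the text; the operation-mode values and the optional MNC-length byte are this example's assumption based on 3GPP TS 31.102, and the sample file contents are constructed.

```python
# Operation-mode values for byte 1 of EF_AD (assumed from 3GPP TS 31.102).
OPERATION_MODES = {
    0x00: "normal operation",
    0x80: "type approval operations",
    0x01: "normal operation + specific facilities",
    0x81: "type approval operations + specific facilities",
    0x02: "maintenance (off line)",
    0x04: "cell test operation",
}

def parse_ef_ad(raw: bytes) -> dict:
    """Decode EF_AD (file id 6FAD). Byte 3 bit 1 (LSB) is the Operational
    Feature Monitor: 0 = ciphering indicator enabled on the handset,
    1 = ciphering indicator suppressed by the operator."""
    if len(raw) < 3:
        raise ValueError("EF_AD must be at least 3 bytes")
    info = {
        "operation_mode": OPERATION_MODES.get(raw[0], f"unknown (0x{raw[0]:02x})"),
        "ciphering_indicator_suppressed": bool(raw[2] & 0x01),
    }
    if len(raw) >= 4:  # optional byte 4: length of the MNC in the IMSI (2 or 3)
        info["mnc_length"] = raw[3] & 0x0F
    return info

# Constructed sample contents (not real SIM data).
SAMPLE_OFM_CLEAR = bytes.fromhex("00000002")  # normal mode, indicator enabled
SAMPLE_OFM_SET = bytes.fromhex("00000102")    # indicator suppressed by operator
```

A SIM whose EF_AD has this bit set will never show the user an unencrypted connection, whatever the cause.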

National legal bases

Problem

Normally, telephone monitoring is carried out by the network operator, and only after a judge has approved it. Technically, the police can use an IMSI catcher at any time and thus bypass judicial review. Such use would be illegal, but it is difficult to prove. At the latest in court, however, unlawfully collected data would not be admissible as evidence.

Germany

In Germany, Section 100i of the Code of Criminal Procedure, which came into force on August 14, 2002, is the legal basis for the use of an IMSI catcher by law enforcement authorities. The provision is used, among other things, for searches and for establishing material evidence. In a decision of August 22, 2006, the Federal Constitutional Court confirmed that the use of IMSI catchers for criminal prosecution is compatible with the Basic Law. According to the judges, this operation violates neither data protection regulations nor fundamental rights such as telecommunications secrecy or general personal rights.

Use is preventively regulated in the respective police laws in the section on data collection.

Austria

In Austria, an amendment to the Security Police Act (SPG) in force since January 1, 2008 has made it possible to use the IMSI catcher without a judicial permit. As this poses a huge threat to privacy, the Greens initiated a petition calling for this amendment to be reconsidered; however, the responsible ministries did not follow up on this request. A parliamentary question from the MP Alexander Zach (Liberal Forum) to the then Interior Minister Günther Platter showed that within the first four months, i.e. from January to April 2008, over 3800 requests (32 per day) for the monitoring of mobile phones and the Internet had been made.

With the 2018 security package, the use of mobile phone location was clearly regulated by law for the first time (Section 135 Paragraphs 2a and 2b StPO). Only the determination of geographical locations and of the number used for international identification of the user is permitted ("localization of a technical facility", § 134 Z. 2a StPO). Together with the prepaid card registration introduced at the same time (identification requirement when purchasing, abolition of anonymous SIM cards), the phone owner can be identified. The introduction of this measure was criticized mainly because the IMSI catcher can do far more than the legal basis allows. Above all, the organization epicenter.works criticized the fact that no suitable "legal, technical and organizational safeguards" were created to protect against such illegal use.

Equipment

Image caption: IMSI catcher (self-built device, Museum for Communication Frankfurt, on permanent loan from the German Museum of Technology Berlin).

The most widespread in Germany is probably the "GA 090" from Rohde & Schwarz. Several Rohde & Schwarz devices are already in use in Austria, and it was decided to purchase a device with UMTS capability.

It is possible to build an IMSI catcher yourself for approx. 1500 euros, or for as little as 200-300 euros.

See also

  • IMEI serial number for the unique identification of mobile radio devices
  • IMSI for the unique identification of network subscribers in GSM and UMTS cellular networks
  • SIM card to identify the user in the cellular network
  • GSM tracking
  • Stealth ping, also known as silent SMS, for locating mobile phones or for creating movement profiles
  • Cell-ID is a method of mobile positioning in the GSM cellular network

Web links

Software:

  • SnoopSnitch : An Android app for analyzing cellular traffic data. Gives the user information about the encryption and authentication algorithm, SMS and SS7 attacks and IMSI catchers.
