How can an IMSI Catcher Capture IMSI Numbers in GSM Networks?


An IMSI catcher is a device used to capture the International Mobile Subscriber Identity (IMSI) of mobile devices by simulating a legitimate base station and forcing nearby devices to connect to it. To quickly and easily obtain the IMSIs of different mobile devices, the IMSI catcher must be properly configured to ensure that mobile devices prioritize connecting to it over legitimate base stations. The following are key parameters and configurations that need to be optimized to achieve this:

1. ARFCN (Absolute Radio Frequency Channel Number)

  • ARFCN determines the frequency on which the IMSI catcher operates. To capture mobile devices effectively, the IMSI catcher should operate on an ARFCN that is commonly used in the area and matches the frequency bands of nearby legitimate BTSs.
  • Best Practices:
    • Select ARFCNs corresponding to common GSM, 3G, or 4G bands (e.g., GSM-900, GSM-1800, UMTS-2100, or LTE bands like 1800 MHz, 900 MHz).
    • Avoid overlap with high-power or heavily loaded ARFCNs in the area to prevent interference.

2. Transmit Power

  • Transmit power is critical for making the IMSI catcher appear more attractive than nearby legitimate BTSs.
  • Best Practices:
    • Set the transmit power higher than nearby legitimate base stations to ensure mobile devices prioritize the IMSI catcher.
    • Adjust power according to the desired coverage area (higher power for larger areas, lower power for more precise targeting).

3. MCC/MNC (Mobile Country Code / Mobile Network Code)

  • The MCC and MNC identify the network operator. For mobile devices to connect, the IMSI catcher should simulate the correct network by using the MCC/MNC of the target network (e.g., the local carrier in the area).
  • Best Practices:
    • Configure the IMSI catcher to mimic the local carrier’s MCC/MNC to make mobile devices believe they are connecting to a legitimate network.

4. LAC (Location Area Code)

  • LAC is used to identify a specific geographic region within the network. Configuring the LAC to match nearby cells will make the IMSI catcher appear as part of the local network.
  • Best Practices:
    • Set the LAC to match the nearby base stations for seamless interaction with mobile devices.

5. TMSI Reallocation/Encryption

  • In GSM, once a mobile device connects, its IMSI is typically concealed by replacing it with a TMSI (Temporary Mobile Subscriber Identity) to protect privacy.
  • Best Practices:
    • Disable encryption by preventing TMSI reallocation on the IMSI catcher. This ensures that the mobile device sends its IMSI directly when connecting to the IMSI catcher.
    • Configure the IMSI catcher to keep requesting the IMSI instead of allowing the use of TMSI.

6. BCCH (Broadcast Control Channel) Configuration

  • BCCH broadcasts important system information, including network identity and available channels, to mobile devices. The parameters in the BCCH configuration are essential for attracting mobile devices.
  • Best Practices:
    • Configure the BCCH with clear and strong broadcast information to ensure that mobile devices can easily detect and connect to the IMSI catcher.
    • Adjust the RXLEV_MIN parameter in the BCCH to ensure that the signal strength requirement is low enough for all nearby mobile devices to connect.

7. Cell Reselection Parameters (C1/C2)

  • C1 and C2 are cell selection and reselection parameters that influence how a mobile device chooses which base station to camp on in idle mode.
  • Best Practices:
    • Configure a high C2 offset for the IMSI catcher. This makes the IMSI catcher more attractive for mobile devices when they are idle, leading them to reselect the IMSI catcher over legitimate base stations.
    • Ensure that C1 values make the IMSI catcher appear to have the strongest signal in the area.

8. Timing Advance (TA) and Neighbor List

  • Timing Advance (TA) helps the network determine the distance between the mobile device and the base station. By configuring this appropriately, the IMSI catcher can handle mobile devices at various distances.
  • Best Practices:
    • Set the Timing Advance range to cover the intended capture area, ensuring devices at different distances can still connect.
    • Exclude other base stations from the Neighbor List to avoid handovers of mobile devices back to legitimate networks.

9. Paging Configuration

  • The paging mechanism is used to alert a mobile device when there is incoming communication. An IMSI catcher can use paging messages to lure mobile devices into connecting.
  • Best Practices:
    • Configure frequent paging attempts to increase the chances of mobile devices responding and sending their IMSI.

10. Ciphering and Encryption Settings

  • In real GSM networks, encryption may be used to secure communication. However, to capture the IMSI, the IMSI catcher needs to disable encryption.
  • Best Practices:
    • Configure the IMSI catcher to disable ciphering. Without encryption, the IMSI will be sent in plain text, making it easier to capture.

11. Network Technology (2G/3G/4G/5G)

  • Mobile devices support different network standards, so the IMSI catcher should be configured to work on multiple technologies (GSM, UMTS, LTE) if necessary.
  • Best Practices:
    • Configure the IMSI catcher to operate on both 2G (GSM) and 4G (LTE), as these technologies are commonly used for IMSI capture.
    • In some regions, forcing the mobile device to downgrade to 2G from 4G or 5G can help capture the IMSI, since older generations may have weaker encryption or security.

12. System Information Messages

  • The System Information (SI) Messages are transmitted by the IMSI catcher to provide network parameters to mobile devices. Properly configuring these messages can enhance the likelihood of devices connecting.
  • Best Practices:
    • Configure SI messages to mimic those of legitimate BTSs, but with parameters that prioritize the IMSI catcher for mobile devices.

13. Handover Triggers

  • Handover allows an IMSI catcher to force a mobile device to switch from a legitimate network to the IMSI catcher.
  • Best Practices:
    • Configure the IMSI catcher to force handovers by simulating a stronger signal than nearby BTSs, thereby luring active devices into connecting.

Summary:

To quickly and easily capture IMSIs from mobile devices, an IMSI catcher needs to:

  • Operate on appropriate frequencies (ARFCNs) matching the local network.
  • Transmit at higher power than nearby legitimate BTSs.
  • Mimic the local MCC/MNC and LAC.
  • Disable encryption to capture IMSIs instead of TMSIs.
  • Optimize BCCH, C1/C2 parameters, and Paging to make the IMSI catcher attractive to mobile devices.
  • Disable ciphering and ensure frequent paging and handover mechanisms are in place.
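Read from the other side, each item in the list above is an observable that a defender can watch for: a cell that advertises no ciphering (A5/0), sends IDENTITY REQUEST for the IMSI instead of accepting the TMSI, carries an unusually large cell reselection offset, advertises no neighbours, appears on a known carrier's LAC with a cell ID no survey has seen before, or is received far stronger than any known cell on that LAC. The script below is an added example, not code from the original article or from any real detection tool; it scores a constructed cell observation against those indicators so that no single one (an IMSI request after a SIM change is legitimate, for instance) raises an alert on its own. The field names, the baseline of known cells, the weights and the threshold are all assumptions and would need tuning from a real survey of the local network; the test PLMN 001/01 is used for the constructed data.

```python
"""
Heuristic scoring of an observed GSM cell against indicators typical
of a rogue base station. Added example: field names, baseline, weights
and threshold are constructed assumptions, not values from any tool.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class CellObservation:
    mcc: str
    mnc: str
    lac: int
    cell_id: int
    arfcn: int
    rxlev_dbm: int               # received signal level in dBm
    cipher: str                  # cipher mode seen, e.g. "A5/0", "A5/1", "A5/3"
    neighbor_count: int          # neighbour cells advertised by the BCCH
    cell_reselect_offset: int    # C2 offset component advertised by the cell, in dB
    identity_requests_imsi: int  # IDENTITY REQUEST messages asking for the IMSI


CellKey = Tuple[str, str, int, int]  # (mcc, mnc, lac, cell_id)

# Constructed baseline: cells of the local carrier recorded on earlier surveys.
KNOWN_CELLS: Dict[CellKey, dict] = {
    ("001", "01", 100, 4711): {"arfcn": 62, "typical_rxlev": -75},
    ("001", "01", 100, 4712): {"arfcn": 71, "typical_rxlev": -80},
}

# Assumed weights: strong indicators score high, weak ones low.
WEIGHTS = {
    "no_ciphering": 4,
    "imsi_requested": 3,
    "unknown_cell_on_known_lac": 3,
    "no_neighbors": 2,
    "high_reselect_offset": 2,
    "rxlev_much_higher_than_baseline": 2,
}
ALERT_THRESHOLD = 6          # assumed: one strong indicator alone is not enough
RESELECT_OFFSET_LIMIT = 30   # assumed: dB above which the C2 offset is unusual
RXLEV_MARGIN_DB = 15         # assumed: margin over the strongest known cell on the LAC


def score_cell(obs: CellObservation, known_cells=KNOWN_CELLS):
    """Return (score, reasons) for one observation; higher means more suspicious."""
    reasons: List[str] = []
    key: CellKey = (obs.mcc, obs.mnc, obs.lac, obs.cell_id)
    same_lac = [c for k, c in known_cells.items() if k[:3] == key[:3]]

    if obs.cipher == "A5/0":
        reasons.append("no_ciphering")
    if obs.identity_requests_imsi > 0:
        reasons.append("imsi_requested")
    if same_lac and key not in known_cells:
        reasons.append("unknown_cell_on_known_lac")
    if obs.neighbor_count == 0:
        reasons.append("no_neighbors")
    if obs.cell_reselect_offset >= RESELECT_OFFSET_LIMIT:
        reasons.append("high_reselect_offset")
    if same_lac:
        strongest_known = max(c["typical_rxlev"] for c in same_lac)
        if obs.rxlev_dbm - strongest_known >= RXLEV_MARGIN_DB:
            reasons.append("rxlev_much_higher_than_baseline")

    return sum(WEIGHTS[r] for r in reasons), reasons


def is_suspicious(obs: CellObservation, known_cells=KNOWN_CELLS) -> bool:
    return score_cell(obs, known_cells)[0] >= ALERT_THRESHOLD


# Constructed observations: one matching the baseline, one legitimate cell that
# happened to ask for the IMSI, and one showing the combined rogue indicators.
SAMPLE_OBSERVATIONS = {
    "known_cell": CellObservation("001", "01", 100, 4711, 62, -70, "A5/3", 6, 0, 0),
    "known_cell_imsi_request": CellObservation("001", "01", 100, 4712, 71, -82, "A5/3", 5, 0, 1),
    "rogue_like_cell": CellObservation("001", "01", 100, 9999, 62, -50, "A5/0", 0, 40, 2),
}


def run_samples() -> Dict[str, int]:
    """Score every constructed observation and return name -> score."""
    return {name: score_cell(obs)[0] for name, obs in SAMPLE_OBSERVATIONS.items()}


if __name__ == "__main__":
    for name, obs in SAMPLE_OBSERVATIONS.items():
        score, reasons = score_cell(obs)
        flag = "ALERT" if is_suspicious(obs) else "ok"
        print(f"{name:<26} score={score:<3} {flag:<6} {', '.join(reasons)}")
```

The design choice worth noting is the threshold: every indicator on the page has a benign explanation in isolation (a carrier that runs A5/0 during maintenance, an IMSI request after a TMSI is lost, a genuinely new cell), so the score only alerts when several coincide, and the baseline of known cells has to come from a survey of the area rather than being hard-coded as here.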


By configuring these parameters correctly, the IMSI catcher can capture IMSIs efficiently across a variety of mobile devices and network technologies.
