By now almost everyone knows that public Wi-Fi hotspots are insecure. That does not stop ordinary users from using them anyway: if something is forbidden but very tempting, people do it, and without any VPN, even though a VPN function is now built into even comprehensive anti-virus products. The ordinary mobile connection has always been considered the healthy alternative to Wi-Fi, especially since every year it gets cheaper and faster. But is it as safe as it seems to us?
- What is an IMSI interceptor?
- When did the first IMSI interceptors appear?
- How do IMSI interceptors monopolize access to a mobile phone?
- Are there home-made versions?
- Can I fall prey to "accidental interception"?
- How can an IMSI interceptor track my movements?
- Can they listen to my calls?
- Can they install software on my mobile phone?
- We all know about the danger of open (and not only open) Wi-Fi hotspots. Can I become a victim of interception if I go everywhere strictly over LTE?
- And if I am a big-shot banker and they really, really want to eavesdrop on me?
- What data can I lose, given that I have HTTPS everywhere and two-factor authentication?
- How can you protect yourself from interception?
- Can ESD Overwatch provide 100% protection?
- Will IMSI interceptors continue to listen to me if I change the SIM card?
- And if I am on CDMA, will I be safe from an IMSI interceptor?
- Why do the bad guys use IMSI interceptors?
- How common are IMSI interceptors today?
- In general, how promising is the IMSI interception technique? Maybe there are more effective alternatives?
- How do the special services treat interceptor pirates? What happens if I walk past the Lubyanka with an IMSI suitcase?

Note: among the hyperlinks in this article are links to US Department of Defense materials. They cannot be opened from a regular browser; use the Tor Browser or an equivalent.
We are now on the eve of an era in which almost anyone will be able to listen in on telephone conversations. Our time resembles the wild 1990s, when cheap Soviet analog scanners made it possible to listen to mobile conversations in the US and Europe. Only today it is not analog scanners that rule the roost but digital IMSI interceptors.
What is an IMSI interceptor?
It is a device (the size of a suitcase, or even just a mobile phone) that exploits a design feature of mobile phones: they prefer the cell tower whose signal is strongest (to maximize signal quality and minimize their own power consumption). In addition, in GSM (2G) networks only the mobile phone has to authenticate itself; the cell tower is not required to. A mobile phone is therefore easy to mislead, including into disabling data encryption. The universal mobile telecommunications system (UMTS, 3G), on the other hand, requires two-way authentication, but this can be circumvented using the GSM compatibility mode present in most networks. 2G networks are still widespread: operators use GSM as a fallback network in places where UMTS is not available. That is the introductory information on IMSI interceptors. Deeper technical details of IMSI interception are available in the SBA Research report. Another descriptive account, a desk reference for today's cyber contractors, is the article "Your Secret Stingray Is No Secret Anymore", published in the fall of 2014 in the Harvard Journal of Law & Technology.
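The difference between one-way GSM authentication and mutual UMTS authentication described above, as an added toy model (this is example code, not from the original article or from SBA Research). It replaces the real A3/MILENAGE functions with an HMAC stand-in, omits AMF and the anonymity key, and uses a made-up subscriber key; the point is the protocol shape: a 2G SIM answers any tower's challenge, while a 3G USIM refuses a tower that cannot produce a valid AUTN and also rejects a replayed vector.

```python
import hmac
import hashlib
import os

# Constructed subscriber key K (made up for this example), as it would be
# stored on the SIM/USIM and in the operator's authentication centre.
K_SUBSCRIBER = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def _f(key, tag, *parts):
    """HMAC-SHA256 stand-in for the GSM A3 and 3GPP f1/f2 functions.
    Real networks use COMP128/MILENAGE; only the protocol shape matters here."""
    h = hmac.new(key, tag, hashlib.sha256)
    for p in parts:
        h.update(p)
    return h.digest()


# --- 2G (GSM): one-way authentication ------------------------------------
def gsm_sres(k, rand):
    """The SIM proves it knows K by answering RAND with SRES. It receives
    nothing it could use to check who sent RAND."""
    return _f(k, b"A3", rand)[:4]


# --- 3G (UMTS AKA): mutual authentication --------------------------------
def umts_vector(k, sqn):
    """Network side: RAND plus AUTN = SQN || MAC, MAC = f1(K, RAND, SQN)."""
    rand = os.urandom(16)
    return rand, sqn + _f(k, b"f1", rand, sqn)[:8]


def umts_usim_check(k, rand, autn, expected_sqn):
    """USIM side: check SQN and MAC before answering. RES on success,
    None if the sender has not proven knowledge of K."""
    sqn, mac = autn[:6], autn[6:]
    if sqn != expected_sqn:                      # replayed / out-of-order vector
        return None
    if not hmac.compare_digest(mac, _f(k, b"f1", rand, sqn)[:8]):
        return None                              # MAC failure
    return _f(k, b"f2", rand)[:8]


class GenuineNetwork:
    """Operator core that holds the subscriber key."""
    def __init__(self, k):
        self.k, self.sqn, self.rand = k, 0, None

    def gsm_challenge(self):
        self.rand = os.urandom(16)
        return self.rand

    def gsm_accept(self, sres):
        return hmac.compare_digest(sres, gsm_sres(self.k, self.rand))

    def umts_challenge(self):
        self.sqn += 1
        self.rand, autn = umts_vector(self.k, self.sqn.to_bytes(6, "big"))
        return self.rand, autn

    def umts_accept(self, res):
        return hmac.compare_digest(res, _f(self.k, b"f2", self.rand)[:8])


class RogueBaseStation:
    """Fake tower that does not know K; it accepts whatever the phone answers."""
    def gsm_challenge(self):
        return os.urandom(16)

    def gsm_accept(self, sres):
        return True

    def umts_challenge(self):
        return os.urandom(16), os.urandom(14)    # forged AUTN, random MAC

    def umts_accept(self, res):
        return True


class Phone:
    def __init__(self, k):
        self.k, self.sqn = k, 0

    def attach_gsm(self, net):
        """GSM: the phone completes the exchange with any tower."""
        return net.gsm_accept(gsm_sres(self.k, net.gsm_challenge()))

    def attach_umts(self, net):
        """UMTS: the USIM refuses unless AUTN proves the network knows K."""
        rand, autn = net.umts_challenge()
        res = umts_usim_check(self.k, rand, autn, (self.sqn + 1).to_bytes(6, "big"))
        if res is None:
            return False
        self.sqn += 1
        return net.umts_accept(res)


def replay_is_rejected(k):
    """A captured genuine (RAND, AUTN) pair cannot be reused: the SQN check fails."""
    net, phone = GenuineNetwork(k), Phone(k)
    rand, autn = net.umts_challenge()
    first = umts_usim_check(k, rand, autn, (phone.sqn + 1).to_bytes(6, "big"))
    phone.sqn += 1
    second = umts_usim_check(k, rand, autn, (phone.sqn + 1).to_bytes(6, "big"))
    return first is not None and second is None
```

Run `Phone(K_SUBSCRIBER).attach_gsm(RogueBaseStation())` and `Phone(K_SUBSCRIBER).attach_umts(RogueBaseStation())` side by side: the first succeeds because nothing in the GSM exchange lets the SIM test the tower, the second fails at the MAC check. This is exactly why the GSM compatibility mode mentioned above matters: it takes the USIM's check out of the picture.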
When did the first IMSI interceptors appear?
The first IMSI interceptors appeared in 1993 and were large, heavy and expensive. "Hail to domestic microchips: fourteen pins ... and four carrying handles." The manufacturers of such interceptors could be counted on one hand, and their high cost limited the circle of users to government institutions. Now, however, they are becoming cheaper and less cumbersome. For example, Chris Paget built his IMSI interceptor for only $1,500 and presented it at the DEFCON conference back in 2010. His version consists of a programmable radio and free open-source software: GNU Radio, OpenBTS, Asterisk. All the information a developer needs is publicly available. And in mid-2016 the hacker Evilsocket offered his version of a portable IMSI interceptor for only $600.
The heart of the modern IMSI interceptor
How do IMSI interceptors monopolize access to a mobile phone?
- They deceive your mobile phone into thinking they are the only available connection.
- They are configured so that you could not make a call without the IMSI interceptor acting as intermediary.
- Read more about monopolization in the SBA Research publication IMSI-Catch Me If You Can: IMSI-Catcher-Catchers.
Are there home-made versions?
- Since 2017, enterprising technicians have been building IMSI interceptors from off-the-shelf high-tech components and powerful radio antennas that are freely sold, spending no more than $600 (see Evilsocket's version of the IMSI interceptor). That is for stable IMSI interceptors. There are also experimental, cheaper ones that work unreliably. For example, in 2013 an unstable IMSI interceptor whose hardware components cost $250 in total was presented at the Black Hat conference. Today such an implementation would cost even less.
- If we also take into account that modern Western high-tech military equipment has an open hardware architecture and open-source software (this is now a prerequisite for the compatibility of hardware and software systems developed for military needs), then developers interested in building IMSI interceptors have all the cards they need. You can read about this trend in military high-tech in the magazine "Leading Edge" (see the article "The Benefits of SoS-Integration" in the February 2013 issue). Not to mention that a couple of years ago the US Department of Defense announced its willingness to pay $25 million to a contractor who would develop an effective radio identification system (see the April 2017 issue of the monthly Military Aerospace). One of the basic requirements for this system is the openness of its architecture and of the components it will consist of. So open architecture is today a prerequisite for the compatibility of software and hardware systems developed for military needs.
- Therefore, the makers of IMSI interceptors do not even need high technical qualifications: it is enough to be able to select a combination of existing solutions and put them in one box.
- In addition, modern microelectronics, cheap and advancing at a dizzying pace, lets you put such home-made devices not just in one box but even (!) on one chip (see the description of the SoC concept), and even configure an on-chip wireless network (see the NoC concept description at the same link) that replaces traditional data buses. What can be said about IMSI interceptors, when today you can find in open access even technical details of the hardware and software components of the latest American F-35 fighter.
Can I fall prey to "accidental interception"?
Without a doubt! By imitating a cell tower, IMSI interceptors listen to all local traffic, into which, among other things, the conversations of innocent bystanders also fall (read "Revelations of Big Brother's Elder Sister"). This fact is a favorite argument of "privacy lawyers" who oppose the use of IMSI interceptors by security forces, who use this high-tech equipment to track down criminals.
How can an IMSI interceptor track my movements?
- Most often, the IMSI interceptors used by local security forces are used for tracking.
- Knowing the IMSI of the target cell phone, the operator can program the IMSI interceptor to contact the target cell phone when it is within range.
- Once connected, the operator uses radio-frequency mapping to determine the direction to the target.
Can they listen to my calls?
- It depends on the IMSI interceptor used. Interceptors with basic functionality simply record: "such-and-such a cell phone is in such-and-such a place".
- To listen to conversations, an IMSI interceptor needs an additional set of functions that manufacturers build in for an extra fee.
- 2G calls are listened to easily; IMSI interceptors have been able to do this for over 10 years.
- The cost of an IMSI interceptor depends on the number of channels, the operating range, the type of encryption, the signal coding/decoding rate, and which radio interfaces have to be covered.
Can they install software on my mobile phone?
- The IMSI interceptor collects the IMSI and IMEI from your device, so its operator knows which model of cell phone you use, and sometimes where you bought it. Knowing the model, it is easier for him to push a firmware update specially designed for this mobile phone.
- In addition, your SIM card is itself a computer. It can execute simple programs even without interacting with your mobile phone, and without even knowing what model your mobile phone is or what operating system it runs.
- Cellular operators can update the SIM card software remotely, and moreover "in silent mode". Accordingly, if an IMSI interceptor pretends to be the cellular operator, it can do the same. The SIM card computer can do the following: receive and send data, open URLs, send SMS, answer and receive calls, connect to and use information services, receive and process events such as "connection established", "connection disconnected" etc., and issue AT commands to the mobile phone.
- At the same time, the SIM card computer can do all this "in silent mode", so that the phone gives no sign of it. You can learn more about the privacy of your SIM card from the presentation by Eric Butler at the DEFCON 21 conference (in 2013).
Technical specifications of your SIM card
We all know about the danger of open (and not only open) Wi-Fi hotspots. Can I become a victim of interception if I go everywhere strictly over LTE?
- Firstly, even if your mobile phone is configured for LTE and shows that it is working in LTE mode, it is far from certain that it really is. With a skilfully configured IMSI interceptor, your mobile phone will show the usual 3G or 4G connection while in fact having fallen back to weaker 2G encryption.
- Some mobile phones, even in LTE mode, execute commands without prior authentication, although the LTE standard requires it (see the SBA Research report already mentioned at the beginning of the article).
- In addition, since the LTE interface was not developed "from scratch" but as a modernization of the UMTS interface (which in turn is a modernized GSM interface), its structure is not as perfect as we would like. And despite the widespread use of 3G and 4G networks, 2G networks still provide backup access if 3G and 4G become unavailable.
- Of course, you can set up your mobile phone so that it connects only to the 4G network, but this network is not available everywhere, so the coverage area for your mobile phone will narrow significantly.
And if I am a big-shot banker and they really, really want to eavesdrop on me?
- The universal mobile telecommunications system (UMTS, 3G) and the "long-term evolution" standard (LTE, 4G) require mutual two-way authentication, but even they are not protected from IMSI interceptors, although the devices for intercepting them are of course much more expensive. Among others, the "VME Dominator" from the American manufacturer "Meganet Corporation" claims this role.
- At the DEFCON 22 conference (in 2014), the hacker Justin Case gave a demonstrative hack of the Blackphone, billed as the world's most secure smartphone. It took him only five minutes (see the slides of his talk).
- In addition, there is a system for intercepting LTE traffic that "does not look for workarounds" but deals with a full-fledged LTE connection. In 2014, Tobias Engel presented this system at the annual congress of the Chaos Computer Club, held under the motto "A New Dawn".
- Finally, if "a very, very strong desire to eavesdrop" is backed by a budget of $100,000, then you will definitely not be able to defend yourself, because all the most advanced technological components are available on the open market. This is further helped by the fact that the US Department of Defense even encourages such openness, so that technology manufacturers compete with each other on quality.
What data can I lose, given that I have HTTPS everywhere and two-factor authentication?
- HTTPS is not a panacea. You simply cannot hide from the special services: it is enough for them to request the SSL keys from the service provider to get access to all your data transmitted over the network. So if you are a bad guy, you certainly will not be able to hide.
- In 2017, WikiLeaks published 6 documents of the "Hive" project, tools for unauthorized access to encrypted HTTPS traffic which until recently were used only by CIA employees. So today these tools are available to the general public.
- Considering the scale of ambition of international intelligence services (google Snowden's revelations) and the fact that the CIA's high-tech treasury is wide open today thanks to Snowden and WikiLeaks, you can expect that anyone could be interested in your data: government special services, commercial corporations, mischievous youth. In addition, since the average age of cybercriminals is gradually decreasing (in 2015 the average fell to 17 years), we can expect this hooligan youth to become ever more unpredictable and desperate in their hacks.
How can you protect yourself from interception?
- As IMSI interceptors become more available, demand for protection from them grows too. There are both purely software and software-and-hardware solutions.
- As for software solutions, there are many Android applications on the market: AIMSICD (interacts with the radio subsystem of the mobile phone, trying to spot anomalies there), Femto Catcher (has functionality similar to AIMSICD but is optimized for Verizon femtocells). Also worth noting: "GSM Spy Finder", "SnoopSnitch", "Net Change Detector", "Android IMSI-Catcher Detector", etc. Most of them are of poor quality. In addition, a number of applications on the market produce many false positives because their developers lack technical expertise.
- To work effectively, an application needs access to the phone's baseband and radio stack, and first-class heuristics, so as to distinguish an IMSI interceptor from a poorly tuned cell tower.
- As for software-and-hardware solutions, four devices are worth noting:
1) Cryptophone CP500. Sold at $3,500 apiece. As of 2014, over 30,000 cryptophones had been sold in the United States, and over 300,000 more in other parts of the world.
2) ESD Overwatch. A device with a three-component analyzer (see the description below).
3) Pwn Pro. A device with a built-in 4G module, announced at the RSA conference in 2015; its price is $2,675.
4) Bastille Networks. A device that displays a list of nearby wireless devices that interact over radio (in the range from 100 kHz to 6 GHz).
What interceptors are available?
Can ESD Overwatch provide 100% protection?
- In its basic functionality, ESD Overwatch is equipped with a three-component analyzer that watches for the following three "bells":
1) The first bell is when the phone moves from the more secure 3G or 4G to the less secure 2G.
2) The second bell is when the phone connection switches off encryption, which makes interception much easier.
3) The third bell is when a cell tower does not provide a list of other cell towers available nearby (such a list lets the phone switch easily between adjacent towers); IMSI interceptors usually leave no alternatives, since they seek exclusive access to the mobile phone.
- However, it should be understood that even such a three-component approach does not provide 100 percent protection. By the way, there is a free application (available on Google Play) that claims the same role as the Cryptophone with ESD Overwatch: "Darshak". In addition, although rarely, there are cases when all three "bells" listed above ring and there is no actual IMSI interception. And naturally, the developers of IMSI interceptors, having heard about this three-component counter-interception system, will not be slow with the next step in this "arms race".
- Even the military cannot give itself 100% protection, although it uses the most advanced (as of 2016) software system, IQ-Software from PacStar. "IQ-Software" is a promising wireless tactical system for sharing secret information with smartphones and laptops via Wi-Fi and cellular radios. I hope it is no secret to you that in modern military operations the same smartphone that is in your pocket is used, and not only as a means of communication (for details, see the article "Secure smartphones are preparing for deployment").
- For example, in the summer of 2013 the United States Air Force published the announcement "B-52 CONECT: Transition to the digital age". "Combat Network Communications Technology", or CONECT, will help the strategic ultra-long-range B-52 bomber integrate modern cyber infrastructure by turning this analog airplane into a digital platform that can be commanded from an ordinary smartphone.
- It is for such purposes that the military is very interested in secure communications, but even they cannot provide absolute protection for themselves.
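The three "bells" above, and the false-positive caveat that follows them, as an added example of detection logic (example code written for this article, not ESD Overwatch's or any listed app's implementation). The telemetry records are constructed, and the field names and cipher labels are assumptions about what a detector could read from the baseband; a real app would get them from the radio stack. The verdict deliberately ignores a single bell, because a 4G-to-3G fallback at the edge of coverage is exactly the "poorly tuned cell tower" case a good heuristic must not flag.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class CellEvent:
    """One constructed baseband telemetry record (not a real capture)."""
    t: int                # seconds since monitoring started
    cell_id: int          # serving cell
    rat: str              # "LTE", "UMTS" or "GSM"
    cipher: str           # negotiated cipher; A5/0, UEA0, EEA0 mean no encryption
    neighbours: List[int] # neighbour cells advertised by the serving cell


RAT_RANK = {"GSM": 2, "UMTS": 3, "LTE": 4}
NO_CIPHER = {"A5/0", "UEA0", "EEA0"}

# Constructed log: a normal LTE network, an ordinary fallback to UMTS at the
# coverage edge (one bell), then a cell that rings all three bells at once.
SAMPLE_LOG = [
    CellEvent(0,   1001, "LTE",  "EEA2", [1002, 1003]),
    CellEvent(30,  1002, "LTE",  "EEA2", [1001, 1003]),
    CellEvent(60,  2001, "UMTS", "UEA1", [2002, 1001]),   # downgrade only
    CellEvent(90,  9999, "GSM",  "A5/0", []),             # downgrade, no cipher, no neighbours
    CellEvent(120, 9999, "GSM",  "A5/0", []),
    CellEvent(150, 1001, "LTE",  "EEA2", [1002, 1003]),
]


def bells_for(prev, cur):
    """Which of the three indicators ring for this event."""
    bells = []
    if prev is not None and RAT_RANK[cur.rat] < RAT_RANK[prev.rat]:
        bells.append("downgrade")          # bell 1: moved to a less secure RAT
    if cur.cipher in NO_CIPHER:
        bells.append("no-cipher")          # bell 2: encryption switched off
    if not cur.neighbours:
        bells.append("no-neighbours")      # bell 3: no neighbour list offered
    return bells


def analyse(events):
    """Annotate every event with its bells: list of (t, cell_id, bells)."""
    out, prev = [], None
    for e in events:
        out.append((e.t, e.cell_id, bells_for(prev, e)))
        prev = e
    return out


def verdict(events, min_bells=2):
    """Cells on which at least min_bells rang together, with the union of bells.
    One bell alone is too common in healthy networks to act on."""
    suspects = {}
    for _, cell, bells in analyse(events):
        if len(bells) >= min_bells:
            suspects.setdefault(cell, set()).update(bells)
    return suspects


if __name__ == "__main__":
    for t, cell, bells in analyse(SAMPLE_LOG):
        print(f"t={t:4d} cell={cell} bells={bells}")
    print("suspect cells:", verdict(SAMPLE_LOG))
```

Running it on the constructed log reports only cell 9999 with all three bells, while the UMTS fallback at t=60 is annotated but not escalated; lowering `min_bells` to 1 would flag that ordinary fallback too, which is the false-positive behaviour the article criticizes in the low-quality apps.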
Will IMSI interceptors continue to listen to me if I change the SIM card?
- The IMSI interceptor captures your IMSI from your SIM card and your IMEI from your mobile phone. Both parameters are then stored in a centralized database. So neither changing the SIM card nor changing the mobile phone will help.
- Of course, if you take a new mobile phone and a new SIM card, the centralized database of the IMSI interceptor will have no record of them. However, the people you contact will also need to buy new mobile phones and new SIM cards. Otherwise, thanks to cross-referencing in the centralized database, you will again appear on the IMSI interceptor's list.
- In addition, the IMSI interceptor can track mobile devices located in a specific geographic area.
And if I am on CDMA, will I be safe from an IMSI interceptor?
No, because the same manufacturers that make GSM IMSI interceptors also make CDMA versions, and some even make versions for Iridium (a global satellite communications operator) and Thuraya (a regional satellite telephony operator operating in Europe, Central Asia, Australia and Africa). Among them: the Israeli laboratory "Ability" and the Thai "Jackson Electronics".
Why do the bad guys use IMSI interceptors?
- To terrorize others with threatening text messages.
- To monitor the conduct of law-enforcement investigations.
- For government, commercial and consumer espionage.
- To steal personal information transmitted by mobile phone.
- To deprive the mobile phone user of the ability to contact emergency services.
How common are IMSI interceptors today?
- Aaron Turner, head of Integricell, a research and development center specializing in mobile device security, conducted his own independent investigation. In two days of walking around with a cryptophone (which tracks suspicious mobile activity), he came across 18 IMSI interceptors, mostly near specialized government agencies and military bases.
- At the same time, Turner does not undertake to say whose IMSI interceptors they are: whether the special services are watching someone, or someone is watching the special services. The Washington Post reported this back in 2014.
- In the same year, the Popular Science news site published the results of another sensational investigation, during which another 17 IMSI interceptors were discovered over a month of travelling across the US.
- In addition, if we recall that as of 2014 more than 300,000 cryptophones, which solve the opposite task to IMSI interceptors, had been sold around the world, we can get some idea of the prevalence of the latter. After all, it is reasonable to assume that a significant share of these buyers also use IMSI interceptors. So your chances of encountering an IMSI interceptor are very real.
In general, how promising is the IMSI interception technique? Maybe there are more effective alternatives?
Well, since you ask... There is Wi-Fi radio mapping, which combines the old analog school with modern digital power. This approach works at a lower level and is therefore more flexible: it can even monitor people who carry no equipment at all. Take, for example, WiSee, which recognizes human gestures; WiVe, which sees moving objects behind a wall; WiTrack, which tracks a person's three-dimensional movement; and finally WiHear, which can read lips. But since these are fundamentally different technologies, more about them another time.
How do the special services treat interceptor pirates? What happens if I walk past the Lubyanka with an IMSI suitcase?
- If you are under the impression of the film "Who Am I" and want to play games with the special services, here is good advice: refrain. Especially when it comes to the Russian special services, and above all the FSB. Serious people work there; you cannot beat them. Do not flatter yourself.
- Besides, our security forces deserve respect. There are not many countries where you can walk down the street, especially after dark. Here you can. Remember that! And on occasion, thank the security officials for it.
- As the topic of cyber security becomes ever more relevant, the special services (whether Russian or foreign) are interested in qualified technical specialists. So you may be invited to a conversation, in order to find out what you are worth. And if you are worth something, they may even give you a job, though most likely without official employment.
- For example, while writing this FAQ I had to google the relevant topics. And a couple of hours later, targeted advertising offered me the chance to become a "signals officer" by inviting me to the Military Training Center of the Siberian State University of Telecommunications and Informatics.
- However... better not to pull the tiger by the whiskers.

Tell me what targeted advertising shows you, and I'll tell you who you are!
P.S. Active use of the radio frequency spectrum requires special authorization and licensing; if you ignore this, you automatically fall into the category of "bad guys". Details here.