Active GSM Interception
Active GSM interception systems allow an attacker to actively interfere in communications between mobile phones and base stations by means of a so-called IMSI-catcher, in essence a transmitter and receiver that simulates the functionality of a GSM base station. Recent attack methods involve spoofing so-called femtocells to feign that you are the user’s mobile network provider, while in fact you are taking over his network traffic.
An IMSI-catcher is a device that can be used to determine the electronic identities of all phones in its vicinity. Most IMSI-Catchers also come with the ability to listen into calls directly. The electronic identity consists of the so called International Mobile Subscriber Identity (IMSI), which is associated with your SIM card and the International Mobile Equipment Identifier (IMEI), which is the serial number of your phone. With the IMSI your calls can be easily identified at any point in the telephone network and targeted for interception and traffic analysis. A IMSI-catcher is frequently used if the attacker does not know the telephone number of the victim or wants to illegally intercept calls.
The IMSI-catcher performs a so called man-in-the-middle-attack, putting itself between you and the network. It is essentially a small GSM base station that forces your phone to use it instead of the real network, determines your IMSI, and can then be used to disable or degrade the GSM encryption mode while transmitting your call on to the legitimate network. This mode of operation allows the attacker to directly listen into your calls. He can also disable your phone service and intercept or fake SMS messages to and from your phone.
At this moment we know of at least six different companies producing IMSI-catcher devices, and the list is growing rapidly. For a company manufacturing GSM test equipment, developing IMSI-catchers is a trivial task. See our link section for examples of publicly available IMSI-catcher equipment.