IMSI Catcher

IMSI Catchers are devices used by law enforcement, intelligence agencies and criminals to intercept mobile phone traffic and track the location of mobile phones. They are often referred to as Stingrays - the most-common model of IMSI Catcher in the USA.

Overview

IMSI catchers use vulnerabilities in the physical infrastructure of the mobile telephone network. Mobile phones send out a signal 4-9 times a minute in an attempt to find the strongest connection it can to a nearby mobile phone mast. This happens regardless of whether the user of the phone is actively using it. The phone just has to be turned on. The signal that is sent out includes the phone SIM Card's IMSI - a unique 15 digit number which can often be used to identify the owner of the phone. The signal also includes the phone's IMEI number which is specific to that that phone.

IMSI catchers can collect all the IMSI and IMEIs emitted by phones in a certain area - which can be up to around 10 sq kilometers - to build a database of phones in that location.

They can also emulate a mobile phone tower, making phones in that area connect to it. This is a man-in-the-middle attack. This allows the IMSI Catcher user to intercept the mobile phone traffic, read text messages and emails, and listen to phone calls. They can also stop mobile phones from connecting to the phone network. They can also send SMS messages to specific phones and in bulk in that area[1]as happened in the protests in Ukraine in January 2014[2].

IMSI catchers can be suitcase-sized [3], hand-held or worn as a vest by a person. [4] Surveillance company GammaGroup have produced models which can be worn on a body[5]. They can be used anywhere and do not need the cooperation or knowledge of the mobile network provider to work.

Technical description of IMSI Catchers' functionality

TODO

UK use of IMSI Catchers

British police are very strongly suspected to be using IMSI Catchers. The police will not confirm or deny their use [6][7]. There is strong evidence of use of IMSI Catchers at protests in London and around Parliament.[8]

Media coverage

Because there is no official confirmation of use of IMSI Catchers in the UK, the best evidence of their use has been gathered, and reported on, by the media.

The Guardian reported in October 2011 that the Metropolitan Police Service was using an IMSI catcher system under the name of "Listed X" which had been procured from Datong plc - a company based in Leeds, West Yorkshire in the UK. Datong plc is now trading as Seven Technologies Group. The report said that the Guardian had seen a document showing that the Metropolitan police had paid Datong £143,455 for "ICT hardware" in 2008/09.

In June 2015, Sky News reported on evidence it had found of IMSI Catchers being used in London. They found over 20 uses of them in London in a three week period. Sky News made their data logs public.

A VICE News report published in January 2016 found that there was a very high likelihood of IMSI Catchers being used at an anti-austerity protest in London and at Parliament. The report included footage of an employee of a company selling IMSI Catchers saying that "Birmingham in the UK", "Thames Valley Police in Oxford", "Merseyside Police in Liverpool" and "Leicester Police" are among his clients. The journalist was also able to arrange the purchase of an IMSI Catcher from a vendor in Hong Kong despite not working for the police or the state. He did not actually follow through with the purchase.

Legal basis

According to The Guardian's report of October 2011, the use of IMSI Catchers in the UK is governed by RIPA as it is covert surveillance.


In July 2015, David Davis MP submitted a written question to the Home Office asking:

under what statute and what warranty system the use of IMSI catchers is permitted to intercept communications and communications data.

In reply, Home Office Minister Mike Penning said:

The Wireless Telegraphy Act 2006 makes it an offence for a person to interfere with wireless telegraphy or to use wireless telegraphy with intent to obtain information as to the contents, sender or addressee of a message of which neither he nor a person on whose behalf he is acting is an intended recipient, without lawful authority.

Investigative activity involving interference with property or wireless telegraphy is regulated by the Police Act 1997 and the Intelligence Services Act 1994 which sets out the high level of authorisation required before the police or security and intelligence agencies can undertake such activity. Use of these powers is overseen by the Intelligence Services Commissioner and the Office of Surveillance Commissioners.

Interception of communications in the course of their transmission is governed by the Regulation of Investigatory Powers Act 2000.


The Investigatory Powers Bill was intended to make surveillance law accessible. It is still unclear though how IMSI Catchers are covered in the Bill. The definition of Equipment Interference - commonly referred to as 'hacking' - in the Bill has been said to be broad enough to include IMSI Catchers which are not strictly speaking equipment for hacking [9].

Freedom of Information Requests

Eric King, then of Privacy International, made a Freedom of Information request in October 2011 to the Metropolitan Police asking them to release information on:

"procedures law enforcement must follow before using "IMSI catchers", "cell site simulators", "virtual base transceiver stations" or "mobile phone jammers" including but not limited to, guides, manuals, policy statements, memoranda and presentations."

and

"how frequently "IMSI catchers", "cell site simulators", "virtual base transceiver stations" or "mobile phone jammers" have been used by the Metropolitan Police Service, with a breakdown per year."

The Metropolitan Police Service did not release the information on National Security and law enforcement grounds arguing that:

To confirm or deny that this level of policing interest has or has not occurred in any specific area would enable those engaged in criminal activity to identify the focus of policing targets

Use of IMSI Catchers in other countries

USA

TODO

http://www.wsj.com/news/articles/SB10001424053111904194604576583112723197574

Canada

TODO

http://www.theglobeandmail.com//news/national/rcmp-trying-to-keep-lid-on-high-tech-methods-used-to-fight-mafia/article29204759/

Germany

German intelligence agencies' use of IMSI Catchers is reported every six months to Parliamentary Control Panel which reports to the Bundestag - the German Parliament[10].

Arguments for and against IMSI Catchers

Arguments for

IMSI Catchers help law enforcement and intelligence agencies identify criminals and investigate crimes.

Law enforcement should use the tools that are legally available to them to help them to their job. IMSI Catchers are legal so they should be used.

Arguments against

It is very difficult to use IMSI Catchers in a targeted way. When used in public, they collect data about phones belonging to people who are not suspected of any crimes.

Collecting the location and traffic of mobile phones is an unreasonable invasion of the phone owner's right to privacy.

The use of IMSI Catchers in the UK is not confirmed by British police. The lack of transparency means their use is not open to public scrutiny.

The vulnerabilities in the mobile phone network which allow IMSI Catchers to work have not been dealt with. This allows foreign intelligence agencies and criminals to use IMSI-Catchers and similar tools.

IMSI Catchers have been used to create databases of phones belonging to lawful protestors. This has the potential to limit democratic protest and restrict freedom of speech and association.

Detecting IMSI Catchers and Counter-measures

Android IMSI-Catcher Detector (AIMSICD) is an Android app which can detect nearby IMSI-Catchers. As of March 2016, it is in Alpha status and is not expected to be 100% accurate.


SnoopSnitch is another Android app that collects and analyses mobile radio data to warn about possible IMSI Catchers.

IMSI Catchers in culture and media

Season Three of the Baltimore-based police TV show The Wire featured a "Triggerfish" device - similar to an IMSI Catcher. [11]

Resources

Privacy International - Privacy 101 - Phone Monitoring

Detecting IMSI-catchers and other mobile network attacks - video from CCCamp15

Phone Hackers: Britain's Secret Surveillance - Vice News documentary on police use of IMSI catchers in London

References

  1. "Detecting IMSI-catchers and other mobile network attacks". Chaos Computer Club. 
  2. "Someone Sent a Mysterious Mass Text to Protesters in Kiev". Mashable. 
  3. "Cellxion Brochure UGX Series 330". Privacy International. 
  4. "Met police using surveillance system to monitor mobile phones". The Guardian. 
  5. "The body-worn “IMSI catcher” for all your covert phone snooping needs". Ars Technica. 
  6. "Fake mobile phone towers discovered in London: Stingrays come to the UK". Ars Technica. 
  7. "Fake Mobile Phone Towers Operating In The UK". Sky News. 
  8. "Phone Hackers: Britain's Secret Surveillance". VICE News. 
  9. "What the UK’s Proposed Surveillance Law Means for Police Hacking". Vice Motherboard. 
  10. "Behind the curve: When will the UK stop pretending IMSI catchers don't exist?". Privacy International. 
  11. "Baltimore Cops Asked Creators Of 'The Wire' To Keep Cellphone Surveillance Vulnerabilities A Secret". Techdirt.