The Weakest Link is Motherboard's third, annual theme week dedicated to the future of hacking and cybersecurity. Follow along here.
With some dirt cheap tech I bought from Amazon and 30-minutes of set-up time, I was streaming sensitive information from phones all around me. IMSIs, the unique identifier given to each SIM card, can be used to confirm whether someone is in a particular area. They can also be used as part of another attack to take over a person’s phone number and redirect their text messages. Obtaining this information was incredibly easy, even for a non-expert.
This attack isn’t revolutionary in any way—IMSI-catchers are certainly not new, and have become famous because they are commonly (and controversially) used by law enforcement to track suspected criminals. A commercial version made by Harris is called a “Stingray,” and they are sometimes called “cell-site simulators” or “fake cell towers.” This is because they spoof a cell phone tower’s connection, meaning that cell phones in the area will try to connect to it; in doing so, the IMSI-catcher is able to passively collect information about phones in the area.
Harris’s Stingray was so secretive that, for years, the FBI dropped criminal court cases that used Stingrays rather than reveal the details of how the evidence was gathered.
But a DIY IMSI catcher is relatively trivial to setup, and the technology is accessible to anyone with a cheap laptop, $20 of gear, and, the ability to essentially copy and paste some commands into a computer terminal. This is about ease of access; a lower barrier of technical entry. In a similar way to so-called spouseware—malware used by abusive partners—surveillance takes on different character when it trickles down to more ordinary, everyday users. The significance and threat from IMSI-catchers is multiplied when a lot more people can deploy one.
Got a tip? You can contact Joseph Cox securely on Signal on +44 20 8133 5190, OTR chat on firstname.lastname@example.org, or email email@example.com.
For legal and technical reasons, our IMSI-catcher did not intercept text messages or phone calls, like more powerful versions can. It only captured IMSIs from devices, as well as provides some additional information such as the country and telecom operator of the phone. Motherboard did not store any of the collected data. You should be aware of the laws in your local region before attempting to do this; Motherboard does not condone or suggest you do anything illegal (and, even if legal, you shouldn’t use an IMSI catcher to do anything creepy.)
We’ll explain what each of these are, but in short, the process was:
- Buy a cheap, software defined radio
- Install Ubuntu
- Download IMSI-catcher script with its dependencies
- Find the right frequency to scan for
- Start scanning on that frequency and picking up IMSIs
As the name implies, a software defined radio, or SDR, is simply a radio that instead of having its feature baked in at a hardware level, can be controlled by a computer program. We bought the ‘NooElec NESDR Mini’ from Amazon for around $20 and received it a few days later.
To get the SDR to talk to phones, I needed to give it some instructions. Fortunately, I didn’t need to write my own, but just take some code from GitHub. I used a Python tool simply called ‘IMSI-catcher’, written by the hacker known as Oros42. The program requires an up-to-date version of Ubuntu, a particular Linux distribution, that can be downloaded for free and written either to a USB stick or installed inside a virtual machine.
To install the IMSI-catcher software, I just followed the instructions on the project’s GitHub.
Once installed, I booted up grgsm_livemon, one of the programs included with the project. which presented a slider and a graph, to find a frequency to scan. This required a bit of trial and error—moving the frequency slider until finding a sweet spot where the graph represented a bell curve. The curve meant that the SDR had found what frequency nearby phones were broadcasting on. Depending on where you are, that frequency is going to be different.
Once I found the sweet spot, after a few seconds IMSIs started appearing on my screen.
If I wanted to make the IMSI-catcher a bit more portable, I could theoretically run it on a Raspberry-Pi, a miniature computer you can buy for as little as $30 or cheaper, depending on what model you need. Note that the IMSI-catcher would still need to have Ubuntu on the Pi, which it is not traditionally designed for, but it is likely possible. I would also need to make sure the SDR is receiving enough power from the USB port.
In all, the process of making an IMSI-catcher didn’t take much time at all, as I thankfully didn’t hit any roadblocks. I just made sure I had the latest version of Ubuntu, followed the instructions carefully, and ended up with an IMSI-catcher on my laptop.