How IMSI Catchers Work

How IMSI Catchers Work

Follow Jason on Twitter.

Surveillance is a huge issue, especially domestic and more precisely surveillance aimed at those exercising their First Amendment rights. We report on these issues a great deal at the North Star Post and receive many requests for clarification of the technical side of that topic. The amount of questions in regards to cellphone surveillance and how exactly that works have increased following our recent reporting on IMSI Catchers used at the Jamar Clark protests in Minneapolis. Below is a useful primer to help in the effort of understanding this secretive technology and will serve to increase awareness of these Fourth Amendment issues.

We will start with a few things that are obvious, then dig into details that are important to understand with regard to your privacy. Cell phones are small computers designed to continuously connect to a network and fit in your pocket. A cell phone has a small constellation of chips and cores within chips that are all smaller computers designed to handle specific functions (like turning your voice into a series of numbers that can be sent over a network). These chips all exchange information with the CPU, which runs an operating system like Android or iOS. The chips and cores work to transform signals they receive into a form that the CPU can easily understand. This makes it easier for your phone to handle a number of tasks simultaneously without slowing down.

The baseband is a key component that handles all of your phone’s communications with cell towers owned by various carriers. The baseband turns signals received over radio waves into digital packets and passes along the ones that contain bits of audio from a call or internet data to the CPU. The baseband constantly communicates with at least one cell tower that it can communicate with, based on a list of preferred towers provided by the user’s carrier and signal strength. Towers announce that they’re available for connection, and your baseband may decide to switch to a new tower if it has better signal and meets your carrier’s requirements. The baseband is pretty trusting of towers and will connect to a new tower with stronger signal in most cases, so you don’t lose service if you’re on the move. The baseband is a computer in its own sense, and is capable of being attacked and forced to run exploit code. The baseband has access to key components within your phone, which could allow it to spy on you without ever being visible to your phone’s OS.

If the baseband processes a signal that tells it that a new tower is in range, it will connect and generally accept instructions from the tower. The tower can tell it to provide its IMSI, a unique identifier linked to your billing account. IMSIs can be tracked to record people who associate with each other, participate in political events (such as protests), and are even a key basis for identifying targets of drone assassinations.


IMSIs and IMEIs visible on the left side of the above slide – image courtesy The Intercept.

The tower can also tell your phone that it does not support encryption, so your phone broadcasts calls and texts unencrypted over the air. Your phone can also be told to route its calls, data and text messages through the new tower. If the tower is actually an IMSI catcher, it might take a copy of communications before passing them along to your mobile carrier, this is called a man-in-the-middle attack. The tower can also tell your phone to check in very frequently, allowing the tower to roughly track movement as your phone acts as a beacon. IMSI catchers exploit the fact that your phone / baseband does not check if a tower / IMSI catcher communicating with it is legitimate and generally does what the tower tells it to. Most of the procedures for cell phones contacting towers were developed in the late 80s and early 90s. The cost of spying on cell phones was far greater at the time, so most of the security efforts at the time were focused on preventing fraud and other attacks on the network, not the users.

North Star Post used a rooted Android cell phone with the SnoopSnitch app, which is able to monitor traffic normally only visible to the baseband, via diagnostic code in some Android phones (we used a Moto E 2nd Gen LTE). SnoopSnitch identified two suspicious events outside of the Minneapolis Police Department’s 4th Precinct during protests by Black Lives Matter on November 25th, which we shared the details of on December 7th. Our observations showed that a device twice announced itself as a new tower and requested our phone’s IMSI, then rejected connections. Further information from our investigation can be found on our continuously updated article.

John Elder public information officer with the Minneapolis Police Department denied ownership, use of and coordination with other agencies for the use of cellphone surveillance tools.

Jill Oliveira with the Department of Public Safety under the Bureau of Criminal Apprehension denied their department deployed any such hardware and stated that “the BCA does not lend equipment of any kind to other agencies.”

Rebecca Gilbuena public information officer with the Hennepin County Sheriffs Office denied that their office has used or shared this technology with Minneapolis Police in relation to the protests.

The Federal Buerau of Investigations Minneapolis office stated over the phone they were not involved in any investigations in the area at the time, according to Chief Division Council Kyle Loven. “It was not us,” Loven said, adding they are “not certain what the situation was and we are not certain who else was in that area.” When asked if the data could suggest a cyber threat instead of possibly law enforcement involvement, Loven stated the FBI has not “received any reports of that nature,” adding they are “not certain what to make of your information.”

AT&T was contacted and asked if maintenance was being performed on the nearby cell tower, which can look similar to an IMSI Catcher, but no maintenance was performed in the area, according to AT&T Minnesota spokesman Mark Giga.

Follow Jason on Twitter.