Criminal IMSI catchers are pretty much dead, but with the aid of carriers law enforcement can still use similar technology even with full standalone 5G networks. I don't know how often unauthorized IMSI catchers are used in the wild, but I doubt it's a relevant percentage of the total amount of IMSI catchers out there.
Thanks to mmWave and beam forming, 5G allows operators to practically track you down to the exact centimeter in 3D space. Furthermore, depending on how willing the firmware of your modem is, the signal used to transfer GPS coordinates to the carrier for emergency response situations can also be triggered remotely by carrier hardware.
Basically, who needs IMSI catchers when you can just see all of the information you'd get from them remotely on a computer screen on the other side of the country?
Of course this is great to protect against criminals that are looking to find your personal phone number or whatever by showing up to your doorstep, but for the vast majority of cases, IMSI catchers are defeated because they're no longer necessary.
5G beamforming is not that accurate a proxy signal, and mmWave is phone vaporware, instead only significantly used for point-to-point connections. Line-of-sight requirements make it dead in the water for anything else.
What about convention centers, subway platforms, and other places where you have a lot of people packed together outside the reach of exterior towers? They stick microcells on the ceilings of these — wouldn't it make sense for those to be mmWave?
> Furthermore, depending on how willing the firmware of your modem is, the signal used to transfer GPS coordinates to the carrier for emergency response situations can also be triggered remotely by carrier hardware.
It should be feasible for an operator to issue a command to the (e)UICC (SIM) in the phone to fetch the current location from the modem and send it back via SMS. At least this was the case for a relatively long time.
Not that it _really_ matters because most people willfully give away their location information to Google anyways. There's a reason why Google has the best Wi-Fi AP -> Location database that they provide commercially. Send them a list of Wi-Fi BSSIDs and their associated RSSIs and you'll get a fairly accurate location.
In comparison, using Cell IDs for geolocation is finicky. In dense urban environments, you're likely looking at ~500 m radius of accuracy - at least based on the commercially available options.
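To make the comment above concrete, here is an added example (not code from the thread or from any commenter, and nothing like Google's real service) of what a BSSID-to-location lookup does with a single Wi-Fi scan. It assumes a constructed AP database on a local metre grid instead of lat/lon, a log-distance path-loss model with assumed constants (P0 = -40 dBm at 1 m, exponent 3.0) to turn RSSI into distance, and then solves the linearised circle equations by least squares. Unknown BSSIDs are ignored and fewer than three known APs gives no fix.

```python
"""Wi-Fi AP geolocation from a BSSID scan (added example, not from the thread).

Assumptions (not from the comment): a constructed AP database with positions on a
local metre grid instead of lat/lon, a log-distance path-loss model with
P0 = -40 dBm at 1 m and exponent n = 3.0, and integer RSSI readings as a phone
would report them.
"""

# Constructed AP database: BSSID -> (x, y) position in metres on a local plane.
# A commercial database holds lat/lon for hundreds of millions of BSSIDs.
AP_DB = {
    "02:11:22:33:44:01": (0.0, 0.0),
    "02:11:22:33:44:02": (100.0, 0.0),
    "02:11:22:33:44:03": (0.0, 100.0),
    "02:11:22:33:44:04": (100.0, 100.0),
}

P0_DBM = -40.0      # assumed received power at 1 m
PATH_LOSS_N = 3.0   # assumed path-loss exponent (urban / indoor-ish)


def rssi_to_distance(rssi_dbm: float) -> float:
    """Log-distance path-loss model: RSSI = P0 - 10*n*log10(d)."""
    return 10 ** ((P0_DBM - rssi_dbm) / (10 * PATH_LOSS_N))


def trilaterate(anchors):
    """Least-squares position from (x, y, distance) triples.

    Subtracting the first circle equation from the others linearises the
    problem; with >= 3 anchors the 2x2 normal equations give the estimate.
    Returns None when the anchors are collinear (no unique fix).
    """
    x0, y0, d0 = anchors[0]
    rows = []
    for xi, yi, di in anchors[1:]:
        a = 2 * (xi - x0)
        b = 2 * (yi - y0)
        c = d0 ** 2 - di ** 2 + xi ** 2 + yi ** 2 - x0 ** 2 - y0 ** 2
        rows.append((a, b, c))
    saa = sum(a * a for a, _, _ in rows)
    sab = sum(a * b for a, b, _ in rows)
    sbb = sum(b * b for _, b, _ in rows)
    sac = sum(a * c for a, _, c in rows)
    sbc = sum(b * c for _, b, c in rows)
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        return None
    x = (sac * sbb - sbc * sab) / det
    y = (saa * sbc - sab * sac) / det
    return x, y


def locate(scan):
    """scan: list of (bssid, rssi_dbm) as a phone's Wi-Fi scan reports them.

    Unknown BSSIDs are ignored; fewer than three known APs -> None.
    """
    anchors = []
    for bssid, rssi in scan:
        pos = AP_DB.get(bssid.lower())
        if pos is None:
            continue
        anchors.append((pos[0], pos[1], rssi_to_distance(rssi)))
    if len(anchors) < 3:
        return None
    return trilaterate(anchors)


# Constructed scan: integer RSSIs a phone standing at about (30, 40) m would
# see under the model above, plus one BSSID the database does not know.
SAMPLE_SCAN = [
    ("02:11:22:33:44:01", -91),
    ("02:11:22:33:44:02", -97),
    ("02:11:22:33:44:03", -95),
    ("02:11:22:33:44:04", -99),
    ("02:aa:bb:cc:dd:ee", -60),
]

if __name__ == "__main__":
    print(locate(SAMPLE_SCAN))
```

Four rounded RSSI readings are enough to land within a couple of metres of the true position here; the point for the thread is how little a phone has to leak (one scan result) for a database holder to place it, which is the comparison the comment draws against ~500 m Cell ID accuracy.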
The reason Google has the best Wi-Fi AP location database is because they knowingly violated wiretapping laws, when they rolled out Streetview, and they were only fined a cool 13 million for it.
They were ordered to destroy any data related to the collection from Streetview, and they did it seems, but they may not have deleted any of the data that had already been copied/integrated to other separate services like GiS, where they may have simply just moved that wiretapping to the edge devices to facilitate geo-location similar to how Apple uses Wi-Fi points as landmarks as a plausible (we aren't wiretapping), while still physically mapping based on radio signal, and also indirectly on calls through AI.
The only learned lesson they had seemed to be that you don't make a public-facing API that allows searches of locations based on BSSID, or MAC address to the general public (which is what they had for Streetview).
> depending on how willing the firmware of your modem is, the signal used to transfer GPS coordinates to the carrier for emergency response situations can also be triggered remotely by carrier hardware
Do you know if (at least some) basebands actually limit network-side location requests to emergency call/text situations only?
All I know is that some don't. I don't know brands or if there are even common modems that are filtering for this.
If you don't have a Faraday cage and cell site equipment, you're going to have a hard time verifying any of this. The modem is closed source, the SIM card is closed source, and various firmware blobs to make phones work are all closed source. I believe Qualcomm has debug interfaces on some chipsets, which might catch these messages, but verifying that they catch all use cases is impossible unless you have knowledge of the actual mechanism used (or usable) to activate the modem.
This is one of the reasons I'm hoping for the open source phone community to succeed. So far, the modem stack is usually proprietary (with hardware kill switches in the most paranoid phones), but it only takes a small group of Linux enthusiasts to actually catch the phone network in the act.
Of course, the trouble is that you'll need to be the target of government surveillance to be even at risk of any of this. If you're not a criminal or a human rights activist, the government is probably not pointing its secret spying equipment at you, and whatever criminal enterprise hacked its way into the carrier network won't either. If you are being tracked by either of those, I think developing open source modem firmware is probably the least of your concerns.
I honestly wouldn't be surprised if the standard was written to make this kind of surveillance possible and that any modem refusing to cooperate would be spec incompliant. You can read most of the 3GPP spec for free on sites like https://portal.3gpp.org/ but I don't have the time or interest to dig through the unreadable stream of abbreviations and industry terms to find out.
It's all rather pointless anyway when 5G and to an extent 4G can geolocate you about as well as GPS can, barring reflections and such.
Is this a US-centric view? Presumably crossing national borders, as noted in the article, it would be more effective to catch IMSIs. When there are lots of countries clustered together in a smaller geographical space, i.e., not the USA, it might be relevant.
It's common to discover IMSI-catchers in national capitals around the world. There are many interesting targets.
Washington, D.C. mobile traffic is probably the most spied on in the world. Especially now when it's run by technological cavemen and overly confident techbros. Israeli, Russians, Chinese, French and everyone.
Back in the mid-80s, it was an open secret that some AMPS transmissions could be received on ordinary TV tuners which were capable up to Channel 83 or so.
My father being a DXer and installer of a home-built Yagi and rotator system, I discovered this fairly easily. All he told me was to just guard the privacy of these people I was snooping on, because they were supposed to be private conversations after all. I never heard anything of substance anyway. It was one of the more boring surveillance activities of my misspent youth.
The Soviet/Russian station in San Francisco was heavily involved in SIGINT back in the days of microwave radio trunks and analog mobile phones, and I would imagine the Chinese have taken the throne from them today.
To see news related to them, search "Fake Base Stations" or "SMS Blaster", as this is how they're commonly referred to in the media now.
Other notable highlights from the last few years include: the news from Paris a few years ago where police detonated a car with an imsi-catcher in it because they thought it was a bomb, but actually the driver was being paid to send out sms spam via 2g downgrade attacks: https://commsrisk.com/paris-imsi-catcher-mistaken-for-bomb-w.... Also the attempt to disrupt the federal elections in the Philippines using a kind of "SMS blaster" that takes advantage of unauthenticated emergency alert messages, so a step beyond the "classic" imsi catching attack that we haven't seen used in the wild before.
I've always been wondering: Is there a SIM card configuration flag that allows telling the phone to never even attempt an attach using a given technology?
This would allow leaking identifiers (at the cost of greatly reducing roaming coverage, at the moment), attaching to spoofed networks (for 2G, which does not have mutual authentication) etc.
SIM cards don't connect to networks, the phone modem can just disable support for such protocols. That'd probably be illegal, though, in case you're trying to call emergency services and don't have 5G reception.
Some Android phones have a setting to at least disable 2G and you can easily configure them to a "preference" of only 5G. I believe iPhones have a 2G toggle as well if you enable lockdown mode.
It'll be years before you can reliably get rid of 4G without losing coverage, though.
I don't know about any such settings on mobile platforms such as watches, though. I also doubt cars have a setting for this (maybe if you use one of those Chinese Android-tablet-with-a-car-skin systems?).
SIM cards have hundreds of various configuration knobs influencing what a (compliant) baseband does, so I wouldn’t be surprised if there was one that does just that.
That said, some knobs are frustratingly missing, though – why is manually entering an APN a thing, but the default SMSC can be stored on the SIM?
The wording of your usage here seems to suggest that the phones can be configured to not connect to 2G networks. This is false if you live in the USA. The phone will not connect to 2G networks regardless of any setting. There have not been any to connect to for a while now. The only thing out there that is 2G any longer is malicious actors.
It should come as no small surprise that phones in the US markets ship with a feature that is a de-facto backdoor.
Tangentially related, the latest major Android release supports updates from the modem with details about whenever your IMSI/IMEI/unencrypted SUCI are disclosed to the network (with support for some contextual information, e.g. which protocol message was it disclosed in), as well as insight into the in-use network cryptography configuration for different protocols.
If you pay the google tax for a pixel, you get a convenient 2G toggle.
If you don't have an extra $400-900 and buy a cheaper android, you get to dial ##4636## (hn screws asterisks, look it up) then go into phone info, select each sim radio and change the drop down (and hopefully you know all the standards by all names to make the right choice. hint 5G is NR there)
There's a convenient toggle on my Moto G Stylus 5G 2023, if not a convenient name. In the carrier settings right next to allow 5G. Can't easily disable 3G or LTE though. IIRC, LTE also mutually authenticates, but if we're talking about passive catching and the imsi is sent in the clear as the article says, then that doesn't eliminate passive catching. I'm not sure about 3G, I thought it wasn't mutual auth either.
The 2G toggle can also be found in some other phones, but not every phone manufacturer has support for configuring their modems like that or has bothered to keep the setting in their settings app overhaul.
I know that setting, but I'm not entirely sure if that controls a preference or a mandatory cell config, and if it will prevent downgrades from the network side or not.
Some manufacturers and most custom ROMs also seem to offer that option without a dial code, but I haven't found any documentation about that feature yet to be sure it actually forces the modem configuration. I've found mentions online about this setting being changed without user interaction, so there seems to be a mechanism on some phones (carrier-branded ones maybe?) that alters this config.
If you force 4G and 5G only, you are likely to lose access to mobile calls. VoLTE interoperability is still lacking, and this issue is unlikely to be resolved without intervention from a standards organization mandating interoperability and default settings. Unfortunately it will only get attention when somebody can't do an Emergency Call.
'Android allows users to disable 2G at the radio hardware level on any device that implements the capability constant, "CAPABILITY_USES_ALLOWED_NETWORK_TYPES_BITMASK". This stops a device from scanning or connecting to 2G networks.
Note: Emergency calling is never impacted. A device still scans and connects to 2G networks for emergency services.'
5G Standalone networks don’t have 4G to fall back to. 5G Non-standalone networks are essentially 4G networks with a 5G RAN, so SUCI remains optional and most core vendors don’t support it.
I know very little about the protocol aspects of cellular communication, so can anyone explain how such a huge gaping security hole could come into existence?
Before 2G, networks used completely unencrypted analog voice. You could snoop on anyone's calls with a slightly-modified radio; at least until Congress heard about this and made it illegal to sell a radio that could be modified to do this[0].
2G was actually considered a huge bump up in security because you could encrypt the contents of calls. Albeit with hilariously insecure crypto mandated by the old ITAR regime[1]. IMSI catchers weren't part of their threat model, for the same reason why people only recently have realized that metadata is relevant to security.
[0] This law is still on the books, even though analog cellular is entirely dead. It's still a pain in the ass to properly comply with this for, e.g. software-defined radio.
[1] This is the same reason why DVD CSS was so easy to crack, and why there used to be 10 different ways to strip SSL before we decided to stop serving old browsers entirely.
In the beginning of cell phones, security was too expensive. Telcos also like to do their own things, so GSM encryption wasn't built on best practices. And some countries forbid use of even GSM encryption.
Early mobile phone networks suffered from cloning, so work was done to improve verification of clients, but verifying the network wasn't seen as required. Telcos have been historically light on authentication and verification; so it's not surprising.
Adding to this, the GSM A3/A8 algos were broken shortly after they arrived in the US. The only mitigating control was my boss in a wireless provider and the FBI meeting up with someone that was going to demo breaking it. They were advised what prison they would be relocating to and the demo was called off. Rinse and repeat. This was before the internet was popular or even widely used. The word eventually got out.
The networks are insecure by standard. They are designed such that they can have "lawful intercept" by government entities. The key material on the SIM card is readily transferred between the carrier and SIM/eSIM card manufacturers, which enables multiple levels of supply chain attacks if the material is mishandled.
IMSI-catchers are not considered a security hole by the carriers or the standards bodies. SUCI/SUPI was put in at the request of phone vendors, if I remember correctly, and is still the only piece of public key cryptography in the networks. Everything else is symmetric keys.
The telco trusts its own network. Telcos don't trust users, so users need to authenticate themselves, and devices need to be regulated. But under the traditional telco security model, the network doesn't need to authenticate itself to the devices.
Even today, building the necessary infrastructure for network trust management is also really, really hard across the many jurisdictions involved.
The phreaking [1] community was huge and becoming increasingly sophisticated long before mobile was even a thing. I think it's mostly that telecoms were traditionally discouraged from pursuing security. There's, at most, a minimal commercial incentive to it, and the government loves comms that can be easily spied on meaning you're going to get pushback from that side if you start aiming for security.
The idea to start using SMS for secure purposes was similarly probably never really about security, but an advertising/government driven effort given that it helps create a fairly reliable tracking identity for a person. It makes no sense otherwise to use SMS over something like a 2FA app which is completely cross platform, secure, free, and has basically 0 downsides relative to SMS, and a whole bunch of upsides. The only thing is that it's also anonymous.
No curious reason for it coming into existence. It's software, it will have bugs and oversights. What's curious is that it and so many other problems of the cellular grid have been left untended to for almost three decades.
The article mentions active catchers "requires RF transmission, which violates FCC laws (and international equivalents) and is detectable"... except...
... couldn't one build a 'modern' IMSI catcher with a CBRS LTE band 48 small cell and their own LTE infrastructure and be above-board legal anyways?
No, because the devices now do authentication of the base station. You would need to issue sim cards with your own service (and then obviously you could track your own carrier's users). Cannot just force other devices to connect to it that are on different carriers. 2G they didn't do this so the malicious base station could just lie about what it was and encourage devices to connect.
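The difference the comment above describes, as an added example that is not code from the thread or from any commenter. It is a toy model of 3GPP AKA, not the real Milenage functions: f1/f2/f5 are stood in for by HMAC-SHA-256 with labelled inputs (an assumption), K is constructed, and sequence-number handling is reduced to "strictly increasing". The `RogueBaseStation` class models a network that does not hold K; the `respond_gsm` method models the 2G challenge-response, where the phone has nothing to verify.

```python
"""Why a 2G base station can be impersonated but a 4G/5G one cannot (added example).

A toy model of 3GPP AKA, not the real Milenage functions: f1/f2/f5 are replaced
by HMAC-SHA-256 with labelled inputs (an assumption), K is constructed, and
sequence-number handling is simplified to 'strictly increasing'.
"""
import hashlib
import hmac
import os

AMF = b"\x80\x00"  # authentication management field, constant in this model


def _f(k: bytes, label: bytes, *parts: bytes) -> bytes:
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()


def f1(k, sqn, rand):
    """Network authentication code (MAC-A): proves the sender knows K."""
    return _f(k, b"f1", sqn, rand, AMF)[:8]


def f2(k, rand):
    """Expected / actual response (XRES, RES)."""
    return _f(k, b"f2", rand)[:8]


def f5(k, rand):
    """Anonymity key that hides the sequence number on the air."""
    return _f(k, b"f5", rand)[:6]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class HomeNetwork:
    """Holds K (as the AuC/UDM does) and produces authentication vectors."""

    def __init__(self, k: bytes):
        self.k, self.sqn = k, 0

    def auth_vector(self):
        self.sqn += 1
        sqn = self.sqn.to_bytes(6, "big")
        rand = os.urandom(16)
        autn = xor(sqn, f5(self.k, rand)) + AMF + f1(self.k, sqn, rand)
        return rand, autn, f2(self.k, rand)


class RogueBaseStation:
    """Has no K: the best it can do is send a RAND and a made-up AUTN."""

    def auth_vector(self):
        return os.urandom(16), os.urandom(16), None


class UE:
    def __init__(self, k: bytes):
        self.k, self.sqn_seen = k, 0

    def respond_aka(self, rand: bytes, autn: bytes):
        """4G/5G: verify the network first; return RES only if AUTN checks out."""
        sqn = xor(autn[:6], f5(self.k, rand))
        mac = autn[8:16]
        if not hmac.compare_digest(mac, f1(self.k, sqn, rand)):
            return None  # MAC failure: this network does not know K
        if int.from_bytes(sqn, "big") <= self.sqn_seen:
            return None  # replayed vector (a real UE starts re-synchronisation)
        self.sqn_seen = int.from_bytes(sqn, "big")
        return f2(self.k, rand)

    def respond_gsm(self, rand: bytes):
        """2G: nothing for the phone to check, it just answers the challenge."""
        return f2(self.k, rand)


def run_attach(ue: UE, network) -> bool:
    """True only when the UE accepted the network AND the network accepted the UE."""
    rand, autn, xres = network.auth_vector()
    res = ue.respond_aka(rand, autn)
    return res is not None and res == xres


if __name__ == "__main__":
    k = bytes(range(16))  # constructed subscriber key
    print("genuine network:", run_attach(UE(k), HomeNetwork(k)))
    print("rogue network:  ", run_attach(UE(k), RogueBaseStation()))
```

One caveat the thread itself raises further up: this exchange only starts after the phone has already identified itself, so mutual authentication stops a rogue cell from being accepted as a network but does nothing for a passive catcher that only wants the identity. That gap is what SUCI (discussed elsewhere in the thread) is for.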
Is it? I've definitely seen "5G UW" show up on my 15 Pro Max in the bay area. Att and Verizon are slowly expanding mmWave
https://www.etsi.org/deliver/etsi_ts/101600_101699/101671/02...
https://epic.org/documents/investigations-of-google-street-v...
https://www.courthousenews.com/google-must-face-claims-of-ai...
Quite the opposite. They are more popular than ever, in the form of SMS blasters.
https://commsrisk.com/first-uk-arrests-of-imsi-catching-sms-...
But I don't know.
Here in Europe phone manufacturers don't even bother including the antennas anymore.
This isn't true, there are major incidents related to IMSI-catchers going on globally right now. E.g. last week from Japan: https://newsonjapan.com/article/145466.php, https://commsrisk.com/amateur-detectives-find-numerous-fake-..., and mass arrests happening in Thailand related to the operation of them recently.
You can include asterisks if you escape them, like \*: *#*#4636#*#*.
'add support for "5G only" and "4G or 5G only" modes in addition to our existing "4G only" mode' - https://grapheneos.org/releases#2025022700
btw 4636 means INFO.
I've been doing that all these years and never thought of that! You learn something new everyday. For people who don't know, it's T9 dialing.
> To help ensure compatibility of iPhone and cellular iPad devices on private 5G SA networks, infrastructure vendors must adhere to the following security and privacy requirements:
> Privacy concealment: The Subscription Concealed Identifier (SUCI) must use a non-null protection scheme. This can be achieved through either an on-SIM SUCI calculation or an ME SUCI calculation, as outlined in TCA 2.3.1 and 3.1 specifications. For detailed information, refer to the 3GPP Technical Specification 33.501.
(From https://support.apple.com/en-gb/guide/deployment/depac674731...)
This pertains to private networks rather than public operator networks, but it certainly seems to imply that use of SUCI is an expectation on 5G SA networks (private in this context).
2018, EFF Crocodile Hunter, https://github.com/EFForg/crocodilehunter
https://www.etsi.org/deliver/etsi_ts/133100_133199/133106/14...
Here's an interesting quote from the above:
"Depending on national requirements, the CSP may be required to report the location of the Target at the beginning and end of CS calls and PS and IMS sessions on a per warrant or per intercept basis. It may also be a national requirement for the CSP to report the location of the Target [...]"
[1] - https://en.wikipedia.org/wiki/Phreaking
This is due to flaws in its design as shown here:
https://dl.acm.org/doi/10.1145/3448300.3467826