IMSI-Catcher

IMSI catchers are devices that read the International Mobile Subscriber Identity (IMSI) stored on the SIM card of a mobile phone and can narrow down the location of a mobile phone within a radio cell. Eavesdropping on mobile phone calls is also possible.

The device behaves toward the mobile phone like a radio cell (base station) and toward the network like a mobile phone; all mobile phones within a certain radius register with the radio cell that has the strongest signal, i.e. the IMSI catcher. The IMSI catcher thus simulates a cellular network.

In the process, however, data of uninvolved persons within the radio range of the IMSI catcher are also recorded without their becoming aware of it. Under certain circumstances the IMSI catcher also paralyzes the entire mobile traffic of the affected mobile phones, so that emergency calls are not possible.

IMSI catchers are mainly used to determine the location of subjects and to create movement profiles of them. They are used by law enforcement agencies and intelligence services, but for example also by police forces such as the one in the canton of Zurich (Zurich cantonal police).

Operation

The catcher simulates a specific radio cell of the network operator. It appears in the mobile phone's neighbor channel list as a serving cell. The IMSI catcher broadcasts a changed Location Area Identity and thereby causes the mobile phones to establish contact with the (simulated) mobile network ("Location Update" procedure). The catcher then issues an "Identity Request" command. The phone responds with an Identity Response, which can contain the IMSI or TMSI (temporary IMSI) and the IMEI. The data obtained must then be compared with existing data.

The entire process is possible because a mobile phone does authenticate itself to the mobile network, but the mobile network does not authenticate itself to the mobile phone. After the catcher has taken over the mobile phone as a base station, it uses signaling provided for in the GSM protocol to put the mobile phone into unencrypted transmission mode. A call that runs over the catcher can thus be intercepted. To forward what it intercepts (man-in-the-middle attack), the IMSI catcher has to present itself to the mobile network as a mobile phone. It cannot pass on the messages it received unencrypted in unencrypted form, because a mobile device can be instructed by the base station to send unencrypted, but is not allowed to choose this mode on its own. The IMSI catcher therefore needs its own SIM card and forwards the intercepted data as a separate call. For calls placed from an intercepted mobile phone, the called party therefore does not see the telephone number of the actual caller but that of the IMSI catcher, or no number is displayed.

Although the firmware of a mobile phone could signal the unusual mode of unencrypted calls to the user, this is not done. Only on some models is it possible to find out whether the mobile device is transmitting in encrypted mode. To this end, an internal network monitor of the device must be activated. However, this is usually not user friendly and requires expertise to interpret the readings correctly. In any case, what applies to landline calls also applies to mobile phone calls: state interceptions take place directly at the mobile or telephone company and, for reasons arising from the monitoring method, cannot be identified on the terminal.

Example Scenario

A target person is in their apartment. Investigators approach the target person with a vehicle that houses the catcher and run one simulation per network operator. In a big city, a large number of identifier pairs ("IMSI" or "TMSI", and "IMEI") can be expected to be captured per measurement and network. This circumstance may make it necessary to perform several measurements.

Now the target person leaves the apartment and travels, for example, to another city. The investigators follow the target person and may already take further measurements during the journey. Comparing the first series of measurements with the second or further series shows which identifiers are the same. The IMSI and IMEI that are identical in the first and the second measurement series belong, with high probability, to the target person.

Even when the person changes the SIM card, the IMEI of the mobile phone remains the same. For this reason, criminals have started to swap the mobile phone as well as the SIM card, that is, to use several different mobile phones with different SIM cards. Comparing all the collected data allows conclusions to be drawn about the exchange cycle.

On some older mobile phones the IMEI can also be changed with special software and a data cable. When changing the IMEI, care should be taken to assign an identifier of the kind that manufacturers issue in practice (consistent Type Approval Code and matching country code).

The BKA and the Office for the Protection of the Constitution already use equipment that can monitor this type of call (e.g. GA 090). At a price of 200000-300000 €, these devices are already an export hit.

Other fields of

A problem that is often not mentioned, and also underestimated, is a particular property of IMSI catchers: they can block the cell phones within their area of influence, so that even an emergency call to police, fire or ambulance services is impossible during such an operation.

In the same way, however, a deliberate suppression of communication can also be implemented during police surveillance and access measures.

Protection measures

In large cities it would be very difficult to determine the IMSI and IMEI of a mobile phone user from a single location in a short time. If the mobile phone is therefore used only in one particular place (e.g. a building with many occupants) and its position is not changed, the wanted mobile phone is lost in the crowd of other devices and is difficult to identify. In addition, the simulated signal of the IMSI catcher would have to be substantially stronger than the network operator's radio coverage for a long time. This would lead to a rapid unmasking of the IMSI catcher.

Detectability

With the help of special monitoring software that continuously records all signals (e.g. cell ID, channel, location area, reception level, timing advance, minimum/maximum level), the use of an IMSI catcher can be traced under certain circumstances. Since IMSI catchers are also used by intelligence agencies, it must be assumed that they are well camouflaged. This means that a network operator cell is copied one to one.

What is striking, however, is that "communication" takes place at the same time with all mobile phones of a network operator in the vicinity of the catcher. This can be determined, for example, with monitoring software. Even more striking: this phenomenon is repeated at short intervals for all network operators near the catcher. To determine this, at least two mobile phones per network operator would be required, whose data is continuously analyzed by software.

Example of a possible signaling profile, with signaling events shown as slashes, for four Mobile Network Codes (network operators). Two mobile phones are used for each MNC, hence the double slash (/ /). The order of the MNCs is irrelevant. A single slash (/) is, for example, a Periodic Location Update.

T (time axis) -------->
MNC1 ....... / / ................ / ...........
MNC2 ......... / / ..........................
MNC3 ............ / / ........... / ...........
MNC4 ..... / ......... / / ....................

The staircase structure indicates that a catcher is interfering with the mobile network.

A normal profile, without a change of location and without activity of one's own, is completely unstructured:

T (time axis) ----->
MNC1 ............................ / ........
MNC2 ..... / ............................. /.
MNC3 .................. / ..................
MNC4 .......... / .................. / .......

However, the IMSI catcher can counter this recognizable pattern very simply by using a pseudo-random script to generate activity on each registered subscriber, for example through silent SMS or RRLP queries. The T3212 timers of the subscribers then no longer run quasi-synchronously, the activity patterns appear random, and this simple means of detection is defeated.
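The two-phones-per-operator check described above can be run over a monitor log as follows. This is an added example, not part of the original article; the log format, the sample events and the three thresholds (pair_window, sweep_window, min_operators) are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample logs: (seconds since start, MNC, monitor phone id).
# Two monitor phones ("a", "b") per operator, as the text requires.
STAIRCASE = [
    (70, "MNC1", "a"), (72, "MNC1", "b"), (240, "MNC1", "a"),
    (90, "MNC2", "a"), (91, "MNC2", "b"),
    (120, "MNC3", "a"), (123, "MNC3", "b"), (250, "MNC3", "b"),
    (50, "MNC4", "a"), (150, "MNC4", "a"), (152, "MNC4", "b"),
]
NORMAL = [
    (280, "MNC1", "a"), (50, "MNC2", "b"), (340, "MNC2", "a"),
    (180, "MNC3", "a"), (100, "MNC4", "b"), (290, "MNC4", "a"),
]

def paired_events(events, pair_window=5):
    """Times at which both phones of one operator signalled together (/ /)."""
    by_mnc = defaultdict(list)
    for ts, mnc, phone in sorted(events):
        by_mnc[mnc].append((ts, phone))
    pairs = []
    for mnc, seq in by_mnc.items():
        # Consecutive events from different phones within pair_window seconds.
        for (t1, p1), (t2, p2) in zip(seq, seq[1:]):
            if p1 != p2 and t2 - t1 <= pair_window:
                pairs.append((t1, mnc))
    return sorted(pairs)

def find_sweeps(events, pair_window=5, sweep_window=120, min_operators=3):
    """Return (start, operators) where paired events hit several MNCs in turn."""
    pairs = paired_events(events, pair_window)
    sweeps, i = [], 0
    while i < len(pairs):
        start = pairs[i][0]
        j = i
        while j < len(pairs) and pairs[j][0] - start <= sweep_window:
            j += 1
        mncs = {m for _, m in pairs[i:j]}
        if len(mncs) >= min_operators:  # staircase across operators
            sweeps.append((start, sorted(mncs)))
            i = j
        else:
            i += 1
    return sweeps

if __name__ == "__main__":
    print("staircase log:", find_sweeps(STAIRCASE))
    print("normal log:   ", find_sweeps(NORMAL))
```

A single periodic location update never counts, because a pair needs both phones of the same operator; as the text notes, a catcher that randomizes subscriber activity will not produce this pattern.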

Since the IMSI catcher can simulate a GSM network toward the phone, but not a mobile phone toward the network, a scan with an IMSI catcher is also quite easy to expose with a phone call: one calls the mobile phone in question. If it does not ring, the signaling coming from the "real" network has been swallowed. A successfully terminated call rules out the use of a "simple" IMSI catcher (e.g. R&S GA 090). Meanwhile, there are more intelligent IMSI catchers that work only semi-actively. With these, incoming calls can also be eavesdropped on. However, a few mobile phones (e.g. earlier Sony Ericsson devices) display disabled encryption ("Ciphering Indication feature"), which may be due to the use of an IMSI catcher, provided the network operator has not suppressed this on the SIM via the OFM bit in EF_AD (Operational Feature Monitor, LSB of byte 3 of the Elementary File Administrative Data, "6FAD"). This does not, however, affect monitoring functions that are controlled directly from the real network, entirely without an IMSI catcher.

Legal basis

In Germany, § 100i of the Code of Criminal Procedure, which entered into force on 14 August 2002, is the legal basis for the use of an IMSI catcher by law enforcement agencies. The provision serves, among other things, investigations and the substantiation of physical evidence. In a decision of 22 August 2006, the Federal Constitutional Court confirmed that the use of IMSI catchers for law enforcement is compatible with the Basic Law. According to the judges, this use infringes neither privacy regulations nor fundamental rights such as the secrecy of telecommunications or the general right of personality.

In Austria, an amendment to the Security Police Act has made the use of the IMSI catcher possible without court permission since 1 January 2008. Since this is an enormous threat to privacy, the Greens initiated a petition that called for a re-examination of this amendment; however, the relevant ministries did not comply with this demand. A parliamentary question from Mr Alexander Zach (Liberal Forum) to the then Interior Minister Guenther Platter revealed that within the first four months, i.e. January to April of 2008, there were more than 3800 requests (32 times per day) to monitor mobile telephone and Internet traffic.

Normally, interceptions are handled via the operator, which carries them out only after judicial approval. The police can (technically) use IMSI catchers at any time and thus bypass judicial review. This approach would indeed be illegal, but that is difficult to prove. At least in a court hearing, data collected illegally in this way would not be admissible as evidence.

Preventive use is regulated in the police laws, in the section on data collection.

Devices

In Germany, the most widely used device is probably the "GA 090" from Rohde & Schwarz. In Austria, several Rohde & Schwarz devices are already in use, and the purchase of such a device with UMTS capability has been decided.

At a cost of about 1500 euros, it is possible to build an IMSI catcher oneself.
