Tagged: IMSI catcher

YouTube Tutorial: Building a Passive IMSI Catcher with an RTL-SDR

Thank you to M Khanfar for submitting his YouTube tutorial on how to build a passive IMSI catcher with an RTL-SDR. He writes:

In this video im processes of easy step by step building a passive IMSI catcher. The purpose of this video is to be educational - to highlight the ease of which these devices can be built, and to practically show how privacy is already being compromised today ! easy step by step install and running under virtual machine Ubuntu 18.04 and cheap SDR dongle! .

An IMSI catcher is a device commonly used by law enforcement and intelligence agencies around the world to track mobile phones. They are designed to collect and log IMSI numbers, which are unique identifiers assigned to mobile phone subscriptions. Under certain circumstances, IMSI numbers can be linked back to personal identities, which inherently raises a number of privacy concerns.

The purpose of this video is to be educational - to highlight the ease of which these devices can be built, and to practically show how privacy is already being compromised . Nothing in this video is necessarily new, and those with less than honest intentions are most certainly already using these (or similar) devices.

This video walks through the processes of building a passive IMSI catcher, which is distinctly different from traditional IMSI catchers in that it does not transmit nor does it interfere with cellular networks in any way.

Traditional IMSI catchers are illegal in most jurisdictions due to the fact that they transmit on cellular frequencies (which requires a license), and that they essentially perform a man-in-the-middle attack between a phone and mobile base station (which breaks all sorts of anti-hacking laws). A passive IMSI catcher does neither of these.

How it works
The passive IMSI catcher works by capturing IMSI numbers when a phone initializes a connection to a base station. The IMSI is only disclosed during this initial connection. In an effort to protect privacy, all subsequent communication to that base station is done with a random Temporary Mobile Subscriber Identity (TMSI) number.

This means you will only collect IMSI numbers for devices as they move between base stations. Traditional IMSI catchers work differently, by spoofing a legitimate base station and forcing subscribers to connect to itself. They have the added ability to collect data about stationary devices, and can potentially have a more targeted range.

The only hardware required is a PC and SDR receiver that supports GSM frequencies. Generally this means 850/900/1,800/1,900 MHz. Most of the inexpensive RTL2832U based receivers have an upper-frequency range of about 1,700 MHz. You can get by with one of these, but of course, you won't be able to listen to stations at 1,800 or 1,900 MHz.

--- you can easy search GSM towers around you and show its frequencies then select specific tower then access its HLR data, then you can locate tower location in google map when you have specific data collected from SDR in terminal like :
MCC,MNC,LAC,CELLID , then you can easy add these data in this website: https://cellidfinder.com/cells  then locate it on map, and you can use IMSI number that you sniff to collect details info from database that have access with subscription to full database from this website :https://www.numberingplans.com

Building a Passive IMSI Catcher


SigintOS: A Linux Distro for Signal Intelligence

Recently we've heard of a new Linux distribution called SigintOS becoming available for download. SigintOS is an Ubuntu based distribution with a number of built in signal intelligence applications for software defined radios such as RTL-SDRs and other TX capable SDRs like the HackRF, bladeRF and USRP radios.

The distro appears to be very well executed, with a built in GUI that grants easy access to the some common sigint tools like an FM and GPS transmitter, a jammer, a GSM base station search tool and an IMSI catcher. SigintOS also has various other preinstalled programs such as GNU Radio, gr-gsm, YatesBTS, wireshark and GQRX.

The OS also teases an LTE search and LTE decoder which to access requires that you get in contact with the creators, presumably for a licencing fee. Regarding an LTE IMSI catcher they write:

LTE IMSI Catcher is not myth!

Due to the nature of LTE base stations, the capture of IMSI numbers seems impossible. LTE stations use GUTI to communicate with users instead of IMSI. The GUTI contains the temporary IMSI number called T-IMSI. This allows the operator to find out who is at the corresponding LTE station who is authorized to query T-IMSI information.

Can the GUTI number be found?
Answer Yes!

How to find GUTI and T-IMSI numbers?
Can be found with the help of SigintOS …

For detailed information [email protected]

The image comes as a 2GB ISO file, and it's possible to run it in WMWare or VirtualBox.

SigintOS IMSI Catcher

Motherboard Article: Creating an IMSI Catcher with an RTL-SDR

Motherboard, an online technology magazine has recently run an article titled "With $20 of Gear from Amazon, Nearly Anyone Can Make This IMSI-Catcher in 30 Minutes". The article describes how an RTL-SDR together with the IMSI-Catcher Linux software can be used to collect IMSI numbers from cellphones connected to a nearby cell tower. The IMSI is a unique number assigned to each SIM card and collecting this data could be used to identify if someone is in the area covered by the cell tower.

The IMSI-Catcher software only works with the older 2G GSM signals which are now being phased out in some countries and are relatively unused in others. Also unlike more advanced IMSI-Catchers which create a fake cell tower signal, the RTL-SDR based IMSI-Catcher can only collect IMSI numbers when the cellphone first connects to the cell tower.

One of our older posts with a YouTube tutorial video explains the RTL-SDR IMSI Catcher in more detail. 

IMSI-Catcher Python Script
IMSI-Catcher Python Script