IMSI Catchers Demystified

ShmooCon XV - 2019

Presented by: Karl Koscher
Date: Sunday January 20, 2019
Time: 12:00 - 12:50
Location: Belay It room
Track: Belay It

IMSI catchers (sometimes known by the popular brand name “Stingrays”) are shrouded in mystery. Originally developed for military use, they are now used by law enforcement, foreign intelligence, and spammers. IMSI catchers are unauthorized cell sites designed to coerce phones into providing persistent identifiers (IMSIs) and enable RF direction-finding of particular users, intercept traffic, and/or deliver spam. Unfortunately, due to sketchy legal arrangements around their procurement and deployment, very little is publicly known about IMSI catchers, how they work, and how they are used. Based on leaked documents, 3GPP specifications, and experience detecting (and accidentally deploying) IMSI catchers, this talk infers many previously publically unknown aspects of IMSI catchers. We will cover how they convince phones to connect, reveal their IMSIs, and capture or release particular phones. We will also talk about how IMSI catchers use RF direction-finding to precisely locate particular users. We will describe how one might identify IMSI catchers based on their abuse of particular cellular standards. We will demonstrate a city-wide passive monitoring system for IMSI catchers and introduce our open-source app to detect IMSI catchers using Calypso-based GSM phones running custom baseband firmware. Finally, we’ll talk about how one might build their own IMSI catcher.

Karl Koscher

Karl Koscher (@supersat) is a research scientist working at the University of Washington Security and Privacy Research Lab where he specializes in wireless and embedded systems security. Previously, he was a postdoctoral scholar working with Stefan Savage at UC San Diego. He received his Ph.D. from the University of Washington in 2014, working with his advisor Tadayoshi Kohno. In 2011, he led the first team to demonstrate a complete remote compromise of a car over cellular, Bluetooth, and other channels.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats