Easy 4G/LTE IMSI Catchers for Non-Programmers

  • Stig F. Mjølsnes
  • Ruxandra F. Olimid
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10446)


IMSI Catchers are tracking devices that break the privacy of the subscribers of mobile access networks, with disruptive effects to both the communication services and the trust and credibility of mobile network operators. Recently, we verified that IMSI Catcher attacks are really practical for the state-of-the-art 4G/LTE mobile systems too. Our IMSI Catcher device acquires subscription identities (IMSIs) within an area or location within a few seconds of operation and then denies access of subscribers to the commercial network. Moreover, we demonstrate that these attack devices can be easily built and operated using readily available tools and equipment, and without any programming. We describe our experiments and procedures that are based on commercially available hardware and unmodified open source software.


4G LTE security IMSI Catcher Denial-of-Service 



The authors would like to thank master student Fredrik Skretteberg for providing the Samsung phone necessary for some experiments.



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. Department of Information Security and Communication Technology, NTNU, Norwegian University of Science and Technology, Trondheim, Norway
