
Page modified: Wednesday, July 13, 2011 01:05:21

IMSI catchers are devices that can read out the International Mobile Subscriber Identity (IMSI) stored on the SIM card of a mobile phone and narrow down the location of a mobile phone within a radio cell. One model variant of the IMSI catcher also makes it possible to listen in on mobile phone calls.

To do this, the device behaves towards the mobile phone like a radio cell (base station) and towards the network like a mobile phone; all mobile phones within a certain radius register with the radio cell that has the strongest signal, which is the IMSI catcher. The IMSI catcher thus simulates a mobile network.

However, data of uninvolved persons within the radio range of the IMSI catcher is also captured, without them learning of it. In doing so, the IMSI catcher may paralyse the entire mobile traffic of the phones concerned, so that even emergency calls are not possible.

IMSI catchers are used mainly to determine the location of persons and to build movement profiles of them. They are used by prosecution authorities and secret services; the most widespread in Germany is probably the "GA 090" from the company Rohde & Schwarz.

Mode of operation (with interception function)

The catcher simulates a particular radio cell of the network operator. It appears in the mobile phone's neighbour-channel list as the serving cell. The IMSI catcher broadcasts a changed Location Area Identity and thereby causes the mobile phones to establish contact with the (simulated) mobile network (the "location update" procedure). The catcher then issues an "Identity Request" command. The mobile phone answers with an Identity Response, which can contain the IMSI or TMSI (temporary IMSI) as well as the IMEI. The data received must then be compared with existing data sets. The entire procedure is possible because a mobile phone authenticates itself to the mobile network, but the mobile network does not authenticate itself to the mobile phone.

After the catcher has taken over the mobile phone as its base station, it uses a signalling path provided for this purpose in the GSM protocol to switch the phone into unencrypted transmission mode. A call routed through the catcher can thus be listened to. The call is now passed on in unencrypted mode by the IMSI catcher to the official base stations of the mobile network. Towards the mobile network, the IMSI catcher thus simulates a mobile phone.

Although the firmware of a mobile phone could signal this unusual mode to the user, this is not done. Only on some models is it possible to find out whether the device is transmitting in encrypted mode: for this, an internal network monitor of the device must be activated. This monitor is mostly not user friendly and requires expertise to interpret the displayed values correctly. In any case, the same applies to mobile calls as to fixed-network calls: state interception measures take place directly at the mobile or telephone company and, for reasons that follow from the way the interception method works, cannot be detected at the terminal.

Example scenario

A target person is in their dwelling. Investigators approach the target person's dwelling in a vehicle that houses the catcher and carry out one simulation per network operator. Particularly in a large city, each measurement and network is likely to capture a large number of identifier pairs "IMSI" or "TMSI", "IMEI". This circumstance is likely to make several measurements necessary.

Now the target person leaves the dwelling and drives, for example, to another city. The investigators follow the target person and possibly carry out further measurements during the journey. By comparing the first series of measurements with the second or further series, it can be found out which identifiers are the same. The IMSI and IMEI that are identical in the first and the second measurement series belong with high probability to the target person.

Even if the person changes the SIM card, the IMEI number of the mobile phone still remains the same. This is the reason why criminals have moved on to using a different mobile phone as well as changing the SIM card, that is, to using several different mobile phones with different SIM cards. By comparison with all the collected data, conclusions can be drawn about the exchange cycle.

On some older mobile phones the IMEI can also be altered using special software and a data cable. When changing the IMEI, care should be taken to assign an identifier of the kind that manufacturers also assign in practice (a consistent Type Approval Code and a consistent Depending on the need for secrecy, e.g. at meetings, it is recommended not to carry mobile phones at all, since the transaction data/location data of a mobile phone alone are logged and can be incriminating.

Preventive measures

  • In large cities it is likely to be very difficult to determine the IMSI and IMEI of a mobile phone user within a short time on the basis of a single location. If the mobile phone is therefore used only at one particular place (e.g. a house with many occupants) and its position is not changed, the phone being sought is lost among the many others and is harder to identify. In addition, the simulated signal of the IMSI catcher would have to be substantially stronger than the network operator's own radio coverage over a longer period. This would lead to the IMSI catcher being quickly unmasked.
  • In the GSM network the mobile phone authenticates itself to the network, but the network does not authenticate itself to the mobile phone. An attack with an IMSI catcher is therefore possible as a "man-in-the-middle" attack. In UMTS networks this weak point was repaired, and the network must also authorize itself to the mobile phone by means of an authentication. Therefore such attacks with IMSI catchers are not possible in the UMTS network.


With special monitor software that continuously logs all signals, e.g. cell ID, channel, location area, receive level, timing advance and minimum/maximum level, the use of an IMSI catcher can possibly be reconstructed. Since IMSI catchers are also used by secret services, it must be assumed that they are well camouflaged. This means that a network operator's cell is copied one to one.

What is conspicuous, however, is that "communication" takes place at the same time on all mobile phones of one network operator in the vicinity of the catcher. This can be recognized, for example, by monitor software. Still more conspicuous: this phenomenon repeats itself at short intervals for all network operators in the vicinity of the catcher. To detect this, at least 2 mobile phones per network operator would therefore be necessary, whose data are constantly evaluated by software.

Example of a possible signalling profile, with events represented as (/), and four Mobile Network Codes (network operators). For each MNC 2 mobile phones are used, hence the double stroke (/). The order of the MNCs is insignificant. A single stroke (/) is, for example, a periodic location update.

t (time axis)------->

MNC1 ......./................/...........

MNC2 ........./..........................

MNC3 ............/.........../...........


The staircase structure points to outside interference in the mobile network by a catcher.

A normal profile, without constant changes of location and without interference of one's own, is completely unstructured:

t ---->

MNC1 ............................/........


MNC3 ................../..................

MNC4 ........../................../.......
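
The staircase check described above can be automated over the monitor phones' logs. The following is an added example, not part of the original page: the log format, the sample events and the two thresholds (`pair_window`, `step_gap`) are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample logs: (time in s, MNC, monitor phone). Two phones per MNC.
OPERATORS = ["MNC1", "MNC2", "MNC3", "MNC4"]
STAIRCASE_LOG = [
    (100, "MNC1", "a"), (101, "MNC1", "b"),
    (130, "MNC2", "a"), (131, "MNC2", "b"),
    (162, "MNC3", "b"), (163, "MNC3", "a"),
    (190, "MNC4", "a"), (192, "MNC4", "b"),
    (900, "MNC1", "a"),  # single stroke, e.g. a periodic location update
]
NORMAL_LOG = [
    (100, "MNC4", "a"), (400, "MNC3", "b"),
    (700, "MNC4", "b"), (950, "MNC1", "a"),
]


def double_strokes(events, pair_window=5):
    """Times at which both monitor phones of one MNC signalled together.
    pair_window (seconds) is an assumed threshold, not a value from the page."""
    by_mnc = defaultdict(list)
    for t, mnc, phone in sorted(events):
        by_mnc[mnc].append((t, phone))
    hits = []
    for mnc, evs in by_mnc.items():
        for (t1, p1), (t2, p2) in zip(evs, evs[1:]):
            if p1 != p2 and t2 - t1 <= pair_window:
                hits.append((t1, mnc))
    return sorted(hits)


def find_staircase(events, operators, pair_window=5, step_gap=60):
    """Return a run of double strokes that visits every operator, each step
    at most step_gap seconds (assumed) after the previous one, or None."""
    hits = double_strokes(events, pair_window)
    for start in range(len(hits)):
        run = [hits[start]]
        for t, mnc in hits[start + 1:]:
            if t - run[-1][0] > step_gap:
                break  # the stairs stopped before all operators were hit
            if mnc not in {m for _, m in run}:
                run.append((t, mnc))
        if {m for _, m in run} == set(operators):
            return run  # order of the MNCs does not matter
    return None


if __name__ == "__main__":
    print("staircase:", find_staircase(STAIRCASE_LOG, OPERATORS))
    print("normal:   ", find_staircase(NORMAL_LOG, OPERATORS))
```

A lone event on one phone never counts as a step, so ordinary periodic location updates do not trigger the check.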

Since the IMSI catcher can simulate a GSM network towards the mobile phone, but not a mobile phone towards the network, a scan with an IMSI catcher can also be unmasked quite simply by a telephone call: one calls the mobile phone in question. If it does not ring, the signalling coming from the "genuine" network was swallowed. A successful control call can rule out the use of a "simple" IMSI catcher. This does not affect, however, monitoring functions that are controlled directly by the genuine network without an IMSI catcher.

Legal basis

In Germany, the legal basis for the use of an IMSI catcher by prosecution authorities is in the Code of Criminal Procedure; it entered into force on 14.08.2002.

Page cached: Thursday, May 26, 2016 04:45:15