IMSI Catchers

Stingray Devices: How IMSI Catchers Work

What Is an IMSI Catcher

An IMSI catcher is a device that impersonates a legitimate cell tower to trick nearby phones into connecting to it. Once a phone connects, the IMSI catcher can harvest the phone's International Mobile Subscriber Identity (IMSI, a unique number stored on the SIM card), track the phone's location, and in some configurations intercept calls and text messages.

The name "IMSI catcher" describes the basic function: catching (collecting) IMSI numbers from phones in the area. But modern IMSI catchers do far more than collect identifiers. They are full cellular base station emulators capable of acting as a man-in-the-middle between the target phone and the legitimate network.

"Stingray" is technically a brand name. The StingRay is a specific product made by Harris Corporation (now L3Harris Technologies) and sold to law enforcement and military agencies. It has become a generic term for IMSI catchers in the same way that "Xerox" became a generic term for photocopying. Other manufacturers include Rohde and Schwarz, Septier Communication, PKI Electronic Intelligence, and numerous Chinese manufacturers whose products are widely available.

The technology exploits a fundamental asymmetry in cellular network design: phones authenticate to the network (proving they are legitimate subscribers), but in 2G networks, the network does not authenticate to the phone. A phone has no way to verify that the cell tower it is connecting to is operated by a legitimate carrier.

How IMSI Catchers Work

sequenceDiagram
    participant Phone as Target Phone
    participant IMSI as IMSI Catcher
    participant Tower as Real Cell Tower
    
    Note over IMSI: Broadcasts strong signal
on legitimate frequencies Phone->>Phone: Scans for towers Phone->>IMSI: Connects (strongest signal wins) IMSI->>Phone: Request IMSI Phone->>IMSI: Sends IMSI + IMEI Note over IMSI: Captured: IMSI, IMEI, location Note over IMSI: For interception mode: IMSI->>Tower: Relays connection (acts as phone) Tower->>IMSI: Network response IMSI->>Phone: Forwarded response Note over IMSI: Man-in-the-middle established Note over IMSI: Can read all traffic

An IMSI catcher tricks phones into connecting by broadcasting a stronger signal than legitimate towers, then acts as a man-in-the-middle

The attack exploits the cell selection process built into every phone. When a phone searches for a cell tower, it evaluates available towers by signal strength and selects the strongest one. An IMSI catcher broadcasts a signal on the same frequencies as nearby legitimate towers but at higher power. The target phone, following its normal cell selection algorithm, connects to the IMSI catcher because it appears to be the best available tower.

Once the phone connects, the IMSI catcher requests the phone's identity. In 2G (GSM), the phone sends its IMSI in cleartext during the authentication process. The IMSI catcher now knows the subscriber's unique identifier and can correlate it with the phone's location (the phone is within the IMSI catcher's coverage area, typically a few hundred meters to a few kilometers depending on power).

For passive identification only (just collecting IMSI numbers), this is sufficient. The IMSI catcher collects the IMSI, then either releases the phone (which reconnects to a legitimate tower) or maintains the connection for active interception.

For active interception, the IMSI catcher establishes a man-in-the-middle position. It connects to the target phone on one side and relays traffic to the legitimate network on the other side, acting as a proxy. The phone believes it is connected to a normal tower. The network believes it is communicating with a normal phone. The IMSI catcher sits between them, able to read, record, or modify traffic in both directions.

The Stingray: Harris Corporation's Product

The StingRay is the most well-known commercial IMSI catcher, manufactured by Harris Corporation (now L3Harris Technologies) in Melbourne, Florida. Harris has sold StingRay devices to federal, state, and local law enforcement agencies across the United States, as well as to military and intelligence agencies worldwide.

The StingRay product line includes several variants. The original StingRay operates on 2G (GSM/CDMA) networks. The StingRay II added 3G and 4G capabilities. The Hailstorm is a newer variant designed for 4G LTE interception. Related products include the KingFish (a handheld, portable version for foot surveillance) and the Gossamer (a backpack-mounted system).

Harris requires purchasers to sign non-disclosure agreements that prohibit discussing the capabilities or even the existence of the device. This secrecy has led to numerous legal controversies. In several court cases, prosecutors have dropped charges rather than disclose the use of a StingRay, suggesting that Harris's NDA takes priority over the government's prosecutorial interest.

The cost of a StingRay system ranges from approximately $200,000 to $500,000 for the hardware, plus annual maintenance and software subscription fees. However, open-source alternatives and cheaper commercial products from other manufacturers have significantly lowered the barrier to entry. Open-source projects using software-defined radios (SDRs) can create basic IMSI catchers for under $2,000.

What IMSI Catchers Can Do

The capabilities of an IMSI catcher depend on its sophistication and the target network's technology generation.

IMSI/IMEI collection. All IMSI catchers can collect the IMSI (subscriber identity) and IMEI (device hardware identity) from phones that connect. This identifies both the person (through the SIM card) and the device (through the hardware serial number). Even if a target changes SIM cards, the IMEI can track the device. Even if a target changes phones, the IMSI can track the subscriber.

Location tracking. By measuring signal strength and potentially direction-of-arrival, an IMSI catcher can determine a phone's approximate location within its coverage area. Mobile IMSI catchers mounted in vehicles can drive through an area and narrow a target's location by observing when the target phone connects and disconnects as the IMSI catcher moves.

Call and SMS interception. On 2G networks, where encryption can be disabled or downgraded to a broken cipher, IMSI catchers can intercept voice calls and text messages in real time. The IMSI catcher decrypts traffic from the phone, reads or records it, re-encrypts it (or not), and forwards it to the legitimate network.

Denial of service. An IMSI catcher can prevent phones from connecting to the legitimate network, effectively jamming cellular service in the area. This can be targeted (blocking a specific IMSI from registering with the real network) or area-wide (forcing all phones in the area to connect to the IMSI catcher and then providing no service).

Content injection. Advanced IMSI catchers can inject content into unencrypted data streams. This could include injecting malware into HTTP downloads, sending fake SMS messages that appear to come from legitimate senders, or modifying web content in transit.

Downgrade Attacks

4G LTE networks require mutual authentication - both the phone and the network verify each other's identity. This makes it significantly harder for an IMSI catcher to operate transparently on 4G. However, IMSI catchers can force phones to connect using 2G by jamming 4G and 3G frequencies in the area.

stateDiagram-v2
    [*] --> Normal_4G: Phone connected to 4G LTE
    Normal_4G --> Jamming: IMSI catcher jams 4G/3G bands
    Jamming --> Fallback_2G: Phone falls back to 2G
    Fallback_2G --> Connected_IMSI: Connects to IMSI catcher's 2G signal
    Connected_IMSI --> No_Auth: 2G has no mutual authentication
    No_Auth --> Interception: Full man-in-the-middle active
    
    Interception --> A5_1_Crack: A5/1 cipher cracked in real-time
    Interception --> A5_0_Force: Force A5/0 - no encryption
    A5_1_Crack --> Full_Access: Call/SMS content visible
    A5_0_Force --> Full_Access

Downgrade attacks force phones from secure 4G to vulnerable 2G, where IMSI catchers can intercept communications

When 4G and 3G signals are jammed, phones fall back to 2G as a last resort (most phones still support 2G for backward compatibility). Once on 2G, the phone is vulnerable to the full range of IMSI catcher attacks: no mutual authentication, breakable encryption (the A5/1 cipher used in GSM was cracked in 2009, and A5/0 provides no encryption at all), and full man-in-the-middle capability.

This downgrade attack is the primary method for intercepting communications in modern cellular environments. The target's phone shows it is connected to a cell tower (which it is - just a fake one), and the only visible indication of the downgrade might be a brief network disruption and a change from "4G" or "LTE" to "2G" or "E" on the status bar. Most users do not notice or understand the significance of this change.

Some phones allow users to disable 2G connectivity entirely (Android added this option in Android 12). This prevents the downgrade attack but means the phone cannot connect in areas with only 2G coverage.

Who Uses IMSI Catchers

IMSI catchers are used by a range of actors, from legitimate law enforcement to authoritarian governments to criminals.

U.S. law enforcement. Federal agencies (FBI, DEA, ATF, ICE, U.S. Marshals Service), state police, and many local police departments use IMSI catchers. The ACLU has identified at least 75 agencies in 27 states that own cell-site simulators. Usage has grown significantly since the technology became commercially available in the mid-2000s.

Military and intelligence. The U.S. military uses IMSI catchers extensively in overseas operations for intelligence gathering and target tracking. The NSA's TAO (Tailored Access Operations) catalog, leaked by Edward Snowden, included several IMSI catcher variants for tactical deployment.

Foreign governments. IMSI catchers have been detected operating near government buildings, embassies, and protest sites in multiple countries. In 2017, DHS acknowledged detecting unauthorized cell-site simulators in Washington, D.C., near government buildings and the National Mall. The origin of these devices was not publicly determined, but the leading hypothesis was foreign intelligence services.

Criminals. The decreasing cost of IMSI catcher technology has made it accessible to organized crime groups. SMS phishing (smishing) operations in Asia have used IMSI catchers to send fake bank notifications directly to phones in a target area, bypassing carrier spam filters because the messages are injected at the radio level rather than through the SMS network.

The legal framework for IMSI catcher use by law enforcement varies by jurisdiction and has evolved rapidly in response to increased public awareness.

United States. In 2015, the Department of Justice issued a policy requiring federal agencies to obtain a warrant before using cell-site simulators, except in emergency situations or cases involving national security. Previously, many agencies used IMSI catchers under pen register orders, which require a lower evidentiary standard than search warrants. Several states have passed laws explicitly requiring warrants for IMSI catcher use.

The secrecy surrounding IMSI catchers has created legal friction. Harris Corporation's non-disclosure agreements have led prosecutors to drop cases, misrepresent how evidence was obtained (a practice sometimes called "parallel construction"), or withhold information from defendants about the surveillance methods used against them.

European Union. IMSI catcher use by law enforcement varies by member state. In Germany, their use is regulated under Section 100i of the Code of Criminal Procedure. In the UK, the Police Act 1997 and RIPA (Regulation of Investigatory Powers Act) provide the framework. In most EU jurisdictions, judicial authorization is required, but the specifics vary.

International. Many countries lack specific legislation governing IMSI catchers, creating legal gray areas. Some authoritarian regimes use IMSI catchers extensively for political surveillance without any legal framework or judicial oversight.

IMSI Catchers in 4G and 5G

4G LTE introduced mutual authentication that prevents the simplest form of IMSI catcher attack. However, 4G-capable IMSI catchers still exist and exploit different vulnerabilities.

In 4G, phones initially identify themselves using a temporary identifier (TMSI/GUTI) rather than the permanent IMSI. However, the IMSI is still transmitted during the initial attachment procedure on a new network, and an IMSI catcher can trigger re-attachment by sending a specially crafted reject message. Researchers have demonstrated that 4G IMSI catchers can reliably collect IMSI numbers even without the 2G authentication weakness.

5G introduces SUPI (Subscription Permanent Identifier, replacing IMSI) encryption, where the permanent identifier is encrypted before transmission using the network's public key. This prevents a passive observer or a fake base station from reading the permanent identifier. The encrypted identifier is called SUCI (Subscription Concealed Identifier).

However, 5G's protection is not absolute. Research has identified vulnerabilities in 5G's attachment procedures that can still reveal device presence and enable tracking, even without obtaining the permanent identifier. The 5G AKA (Authentication and Key Agreement) protocol has been shown to have linkability issues where an attacker can determine whether a specific device is in the area without decrypting the SUCI.

The backward compatibility issue also remains. As long as 5G networks maintain 4G and 2G fallback capability, downgrade attacks remain viable. A network that properly signals to devices that 2G fallback is not supported would prevent the downgrade, but this requires both network-side and device-side configuration changes that are not universally deployed.

Detection Methods

Detecting IMSI catchers is challenging because they are designed to be indistinguishable from legitimate cell towers. However, several detection approaches exist.

Network anomaly detection. Apps like SnoopSnitch (for rooted Android phones with Qualcomm baseband chips), AIMSICD (Android IMSI-Catcher Detector, now archived), and the EFF's Crocodile Hunter project monitor cellular network behavior for anomalies that suggest IMSI catcher presence. Indicators include unexpected Cell ID changes, unusually strong signals from unknown towers, encryption downgrade requests, abnormal location area updates, and rejection of strong legitimate towers in favor of weaker unknown ones.

Spectrum monitoring. Dedicated spectrum analyzers can detect the radio emissions of IMSI catchers. Since an IMSI catcher broadcasts on cellular frequencies, its signal is visible to anyone monitoring those frequencies. Identifying it as a fake tower requires comparing observed cell broadcast parameters against known legitimate tower databases.

Crowdsourced detection networks. Projects like the SeaGlass system (developed at the University of Washington) use sensors deployed across a city to continuously monitor the cellular landscape and detect anomalies that suggest cell-site simulator activity. EFF's Rayhunter is a newer open-source tool that runs on inexpensive mobile hotspots to detect IMSI catcher behavior.

Carrier-side detection. Mobile operators can detect IMSI catchers by monitoring for anomalies in their own signaling traffic, such as unexpected UpdateLocation messages or authentication failures that suggest phones are being intercepted. Some operators have deployed detection systems, though the effectiveness and coverage vary.

Protecting Yourself

Complete protection against IMSI catchers is difficult because they exploit fundamental aspects of cellular network design. However, several measures reduce risk.

Disable 2G on your phone. On Android 12+, go to Settings, Network and Internet, SIMs, and toggle off "Allow 2G." This prevents the downgrade attack that enables interception. Not available on all phones or all carriers.

Use encrypted communications. IMSI catchers intercept cellular voice and SMS, not internet traffic encrypted at the application layer. Signal, WhatsApp, and similar end-to-end encrypted apps are immune to IMSI catcher interception because the encryption happens between your device and the recipient's device, not between your device and the cell tower.

Monitor your network connection. Be alert to unexpected drops to 2G, unusual service interruptions, or rapid cell tower changes. While these can have innocent explanations (entering a building, network congestion), they can also indicate IMSI catcher activity.

Use a VPN. A VPN encrypts all internet traffic leaving your device, preventing an IMSI catcher from inspecting data traffic even if it successfully performs a man-in-the-middle attack on the cellular connection. The VPN does not protect voice calls or SMS routed through the cellular network, but it protects internet traffic.

Understanding the full spectrum of wireless surveillance - from IMSI catchers operating at the cellular level to WiFi and BLE tracking operating at shorter ranges - provides the foundation for informed decisions about privacy. The BLEShark Nano lets you see the BLE and WiFi activity around you, revealing the wireless surveillance infrastructure that operates below the cellular layer.

Get the BLEShark Nano - $36.99+
Back to blog

Leave a comment