IMSI-Catching attacks on 4G networks (part 2)

Some time ago I wrote about IMSI-Catching attacks on 3G and, in another earlier article, about the different studies regarding these attacks in 4G networks. I have finally found enough time to write about these attacks in 4G and, of course, their detection.


When looking for SDR solutions to implement our 4G network, we currently have 3 options for our laboratory: OpenLTE, OpenAirInterface and srsLTE. In this case, I created a laboratory using the USRP B200 with srsLTE:

The EPC (srsepc) runs a modified version of the code that allows client devices to send their “Attach” request and be identified by their IMSI, as we can see in the following image:

Once we have obtained the IMSI of our victim, as we saw in the previous article about these attacks in 3G, we could continue modifying the 4G SDR-based network code to degrade the 4G service completely, forcing the mobile to look for another cell on the 3G or 2G frequencies. Or we could do nothing else and simply collect more IMSI identities from new victims: a typical fast and effective IMSI-Catching attack.


How could we detect these intrusions? I continue to use the active approach instead of 2G passive sniffing. Using 4G modems and capturing the signaling, we are able to analyze all these situations and, at the same time, monitor our mobile operator's security parameters, but this requires a valid SIM card in the modem. Xgoldmon or SCAT (Signaling Collection and Analysis Tool) are also valid candidates.
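A sketch of the kind of check that captured signaling makes possible, added here as an example and not taken from CellAnalysis or from the lab code above. It assumes the modem trace has already been decoded into NAS message names; the event tuples, cell names and the heuristic itself (an IMSI handed over with no authentication started afterwards) are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of decoded NAS events in capture order (not a real trace).
# Fields: (cell id, direction, NAS message, identity type carried or requested)
EVENTS = [
    ("cell-A", "UL", "Attach Request", "GUTI"),
    ("cell-A", "DL", "Identity Request", "IMSI"),
    ("cell-A", "UL", "Identity Response", "IMSI"),
    ("cell-A", "DL", "Authentication Request", None),
    ("cell-A", "UL", "Authentication Response", None),
    ("cell-A", "DL", "Security Mode Command", None),
    ("cell-A", "DL", "Attach Accept", None),
    ("cell-B", "UL", "Attach Request", "GUTI"),
    ("cell-B", "DL", "Identity Request", "IMSI"),
    ("cell-B", "UL", "Identity Response", "IMSI"),
    ("cell-B", "DL", "Attach Reject", None),
]

IMSI_UPLINK = {"Attach Request", "Identity Response"}          # may carry the IMSI
AUTH_DOWNLINK = {"Authentication Request", "Security Mode Command"}
REJECTS = {"Attach Reject", "Tracking Area Update Reject"}

def suspicious_cells(events):
    """Return {cell: reason} for cells that took an IMSI and never authenticated."""
    state = defaultdict(lambda: {"imsi": False, "auth": False, "reject": False})
    for cell, direction, msg, identity in events:
        s = state[cell]
        if direction == "UL" and msg in IMSI_UPLINK and identity == "IMSI":
            # Each new disclosure must be followed by its own authentication.
            s.update(imsi=True, auth=False, reject=False)
        elif direction == "DL" and msg in AUTH_DOWNLINK:
            s["auth"] = True
        elif direction == "DL" and msg in REJECTS and s["imsi"] and not s["auth"]:
            s["reject"] = True
    findings = {}
    for cell, s in state.items():
        if s["imsi"] and not s["auth"]:
            findings[cell] = ("IMSI sent, then rejected without authentication"
                              if s["reject"] else "IMSI sent, no authentication seen")
    return findings

if __name__ == "__main__":
    for cell, reason in suspicious_cells(EVENTS).items():
        print(cell, "->", reason)
```

A flagged cell is a lead to investigate rather than proof, since a trace cut off before authentication would be flagged as well.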

CellAnalysis 3G & 4G will be released soon, so stay tuned.