All posts by pedro

4G/LTE IMSI Catchers

Two papers in a short period of time describe how to implement easy IMSI Catchers in 4G, using OpenLTE, srsLTE or gr-LTE:

– “Easy 4G/LTE IMSI Catchers for Non-Programmers“, Stig F. Mjølsnes and Ruxandra F. Olimid (Norwegian University of Science and Technology, Trondheim)

– “Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems“, Altaf Shaik, Ravishankar Borgaonkar, N. Asokan, Valtteri Niemi and Jean-Pierre Seifert

Although these 4G stations aren’t functional, also can be use to downgrade our mobile to a 2G or 3G fake station using “TAU Reject” code “LTE services not allowed”.

CellAnalysis at BlackHat Arsenal


For the 30th and 31st of March, Black Hat Asia was held in Singapore, where I taught together with Simón Roses the course “Attacking 2G/3G mobile networks, smartphones and apps” and was able to present the Arsenal “CellAnalysis“.

After reviewing some news about fake stations, such as the last one in China to distribute bank malware and other recent attacks, we verify the operation of the application with the different software defined radio boards and compatible phones, analyzing advantages and disadvantages of each one of them to detect the most common attacks. We also presented results of exercises performed in audits in Madrid and Barcelona, analyzing the large amount of information that can be extracted from the files generated by the tool, such as behavior patterns or temporary identities entropy of each 2G/GSM station, in order to detect abnormal behaviors.

In the following days I will update CellAnalysis download link with Singapore version. A real experience been able to share the project in Singapore.

Real example of BTS rogue, fake BTS or IMSI catcher

Is far from the intention of this project focusing on creating attacks or disclosure of the methods to achieve, but it is clear that when you want to detect attacks, You should study them to understand and get ahead or warn them.

By way of introduction I have prepared this short article for those who want to know what a false station (also called BTS or Fake IMSI Catcher). In the DefCon security event 18, Chris Paget we illustrated in his talk entitled “PRACTICAL CELLPHONE SPYING”, how to steal the identity of subscribers to a GSM network by creating a false cell using a USRP as hardware for transmitting and receiving terminals to a Linux computer and OpenBTS and Asterisk to set the cell and allow calls to victims.

This is the video of the talk:

A year later (2011) our compatriots Jose Perez David Stang and exposed at Blackhat DC security conference 2011 how to apply the same attack but networks GPRS / EDGE, afectanto even UMTS / HSPA:

https://media.blackhat.com/bh-dc-11/Perez-Pico/BlackHat_DC_2011_Perez-Pico_Mobile_Attacks-Slides.pdf