4G/LTE IMSI Catchers

Two papers in a short period of time describe how to implement easy IMSI Catchers in 4G, using OpenLTE, srsLTE or gr-LTE:

– “Easy 4G/LTE IMSI Catchers for Non-Programmers“, Stig F. Mjølsnes and Ruxandra F. Olimid (Norwegian University of Science and Technology, Trondheim)

– “Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems“, Altaf Shaik, Ravishankar Borgaonkar, N. Asokan, Valtteri Niemi and Jean-Pierre Seifert

Although these 4G stations aren’t functional, also can be use to downgrade our mobile to a 2G or 3G fake station using “TAU Reject” code “LTE services not allowed”.

CellAnalysis at BlackHat Arsenal


For the 30th and 31st of March, Black Hat Asia was held in Singapore, where I taught together with Simón Roses the course “Attacking 2G/3G mobile networks, smartphones and apps” and was able to present the Arsenal “CellAnalysis“.

After reviewing some news about fake stations, such as the last one in China to distribute bank malware and other recent attacks, we verify the operation of the application with the different software defined radio boards and compatible phones, analyzing advantages and disadvantages of each one of them to detect the most common attacks. We also presented results of exercises performed in audits in Madrid and Barcelona, analyzing the large amount of information that can be extracted from the files generated by the tool, such as behavior patterns or temporary identities entropy of each 2G/GSM station, in order to detect abnormal behaviors.

In the following days I will update CellAnalysis download link with Singapore version. A real experience been able to share the project in Singapore.