Beware the IMSI catcher

A while back, we posted about drones hacking into your phones.

This linked article digs into a different sort of attack, by way of a device called an IMSI catcher.

Call it the “IMSI catcher” war, with the acronym standing for International Mobile Subscriber Identity. Every device that communicates with a cell tower—mobile phone, smartphone or tablet—has one. What StingRay (manufactured by Florida-based Harris Corp.) and its competitors do is act like a cellphone tower, drawing the unique IMSI signals into their grasp. Once the device is locked onto a signal, the quarry’s data is ripe for the plucking. Major targets include people working for U.S. national security agencies, defense contractors and officials, including members of such congressional panels as the armed services and intelligence committees.

The technology was originally demonstrated several years ago. It’s now become part of the mainstream, much like ATM card sniffers.

Mike Janke, a former Navy SEAL and co-founder of Silent Circle, a company that sells state-of-the-art encryption software, says, “Defense firms in the Washington, D.C. area have found IMSI catchers attached to the light poles in their parking lots. In February, one or two were found in the parking lot of a defense contractor near Washington.”

He adds, “They’ve also been found in Palo Alto,” the capital of Silicon Valley. “The FBI has been called in, but you can’t track who has made it.”

Hard to tell if this is a real problem, or a problem invented to get people to buy encryption solutions, but certainly an interesting read.

  • Ron Miller

    I’m not sure if I’m misunderstanding the situation or not, but this just seems sensationalist and incorrect:

    … the digital eavesdropping equipment was capable of sucking all the data from their phones—emails, contact files, music, videos—whatever was on them.

    If its just eavesdropping, then it can only listen to what is sent out, but cannot “suck” anything from the phone. It can listen to your voice calls, read your SMS messages, and figure out what data is coming to and from your phone.

    This doesn’t seem all that dangerous to me. Listening to voice calls is not something that can easily be automated by a computer, and you already have to assume that internet data can be seen by others since you don’t know who is looking at it between your device and the final destination.

    As we have seen in the headlines recently, we already know that the police can use portable cell towers to listen in on people’s conversations.

    To me, the most dangerous thing about this new technique seems to be that it can tie everything together via the unique IMSI #. However, it seems like it is only useful as a targeted technique by a private investigator, police, etc. rather than a general danger.