santiago silver - Fotolia

How does an IMSI catcher exploit SS7 vulnerabilities?

A warning was issued by the Department of Homeland Security regarding the exploitation of SS7 vulnerabilities by IMSI catchers. Learn how this puts mobile communication at risk.

The Department of Homeland Security recently warned that vulnerabilities in the Signaling System 7 (SS7) protocol can be exploited by malicious actors using IMSI catchers. How do IMSI catchers work and what security risks do they present to mobile communications?

An International Mobile Subscriber Identity (IMSI) catcher is an eavesdropping device used to track mobile users and intercept their communications. The device, sometimes referred to as a stingray from the brand name of a popular IMSI catcher sold by the Harris Corporation, can be used to impersonate a legitimate cell tower, giving the malicious operator access to local mobile device traffic.

The malicious operator can broadcast pilot signals -- the signals that devices interpret as coming from a legitimate cell tower -- enabling the operator to intercept all the mobile traffic from targeted devices. In this type of man-in-the-middle attack, the IMSI catcher boosts its pilot signal so targeted devices will choose it rather than the signal from the legitimate service provider's real cell tower. In this way, the legitimate cell tower is bypassed and the malicious actor can intercept -- and forward -- all texts and calls, as well as being able to track the location of devices.

The IMSI catcher is able to detect Global System for Mobile Communications (GSM) subscriber information from the SIM card inside phones, and a vulnerability in the GSM specification permits the phone to connect through the IMSI to a network without requiring the network to authenticate the device. When this occurs, mobile devices send their IMSI data to the IMSI catcher, which can then log and track devices.

SeaGlass is a system designed by researchers at the University of Washington to measure IMSI catcher use across an urban area; the pilot project used the system in Seattle and Milwaukee. The SeaGlass detection kit includes a bait phone, GSM modem, GPS unit and a Wi-Fi hotspot all loaded into a passenger car. The SeaGlass system is able to detect and differentiate between IMSI catcher signals from legitimate cell tower transmissions, and "pick out aberrations that indicate the presence of cell-site simulators," according to the SeaGlass website.

A major risk with this attack is that the catcher must emit stronger signals than those provided by the real cell tower because cell phones don't have the means to bypass towers with the strongest signals. Real cell towers have no way of knowing if the catchers have been picked up, monitored or have recorded wireless signals. As technology improves, the devices in the kit will become inconspicuously smaller, making it more difficult for victims driving by to notice.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)

Dig Deeper on Network security