How to detect IMSI catchers

Defending against the most effective mobile attacks.

IMSI catchers are one of the most effective surveillance techniques of all time. They’re used by police, governments and criminals to spy on victims’ phones. This spy tech is rarely deployed with a warrant. Western governments buy commercial products from US companies, like the “Stingray” from Harris Corp. Criminals can also buy IMSI catchers from unregulated online Chinese and Israeli vendors. These IMSI catchers have been used for corporate espionage and blackmail. They’ve been found at embassies, airports, political protests and sports events.

IMSI catchers work by intercepting the traffic from all phones in an area. Operators can track a victim’s location, read their SMS, listen to phone calls and intercept data. An attacker can target thousands of devices. IMSI catchers can be mounted on people, cars or airplanes that can spy on entire cities at once.

Apple and Google seem unwilling to help their users against IMSI catchers. However, if you have the right tools you can at least catch them spying on you.

The “BlackFin” IMSI catcher from leaked NSA catalogues.

Radio Sentinel

Radio Sentinel is an app that’s included with Armadillo Phone. It’s capable of detecting cellular attacks over 2G, 3G, 4G and 5G. Besides IMSI catchers, Radio Sentinel can also detect silent SMS and some SS7 attacks.

It works offline, without needing to upload data to a third-party server. Radio Sentinel requires extensive modifications to Android, so unfortunately it can’t easily be ported to other devices.

Radio Sentinel will trigger a notification when a warning is detected. If that attack is high severity, you will automatically be disconnected from the cellular network. By default, while Radio Sentinel is active, only 4G and 5G networks are allowed. This is to prevent “downgrade attacks”, in which an IMSI catcher forces the victim to use an older or weaker network so it can be attacked.

Radio Sentinel has a wide range of warnings to detect different attacks. This includes warnings about incorrect frequencies, unknown networks, frequent location updates, empty paging requests, TAU rejects, silent SMS, cell reselect offsets and other behaviours that indicate a cellular attack. Radio Sentinel was tested extensively in Vancouver during development. It has been successfully tested by early adopters against real attack equipment. Now that it’s been released, we are continuing to improve it using the bug reports customers send us. We’re in the process of arranging a formal third-party audit to test Radio Sentinel against more attack equipment. If you have an IMSI catcher and would like to attack an Armadillo Phone, please contact us.

Phone apps

There are apps you can download that claim to detect IMSI catchers. These include “Android IMSI-Catcher Detector”, “Cell Spy Catcher”, “Darshak”, “SnoopSnitch” and others. Many are fake or useless. Some can detect IMSI catchers; however, there are caveats. Most importantly, these apps can’t work on a normal phone. Apple and Google have restricted access to the radio information that’s needed to detect attacks. To bypass this, these detection apps require a rooted phone, which weakens security protections. This means your phone is more vulnerable to hackers.

Every app we tested had at least two of the following problems:

  • Can’t detect the attacks they claim to
  • Only detect attacks on one type of network (e.g. only 3G and not 4G)
  • Only detect one type of attack (e.g. only silent SMS)
  • Very old and don’t work on modern versions of Android
  • Generate constant false positives, making them impractical
  • Rely on crowdsourced data, which can be easily compromised
  • Upload data to a third-party server
  • Only run on a specific brand and model of phone
  • Require a rooted phone (less security)

SnoopSnitch is one of the best apps… but that’s not saying much. It’s nearly a decade old, requires root, and only works on ancient devices like the Nexus 5X. SnoopSnitch also requires an internet connection to their server. This means people who are using SnoopSnitch could be tracked. Although some of the uploaded data is anonymized, there is still a lot of sensitive data, like build properties and radio information, being sent. These problems could open you up to new privacy and security concerns besides IMSI catchers.

FirstPoint

FirstPoint is a company based in Israel that sells special SIM cards that can be inserted into any device. They developed an applet on the SIM that sends information over to their backend network. This information from the device combined with their backend infrastructure allows them to detect IMSI catchers. Although their heuristics appear to be great, the approach uploads a lot of sensitive data to FirstPoint’s servers, which could be problematic for organizations that want to control their own data.

Crocodile Hunter

Crocodile Hunter is a tool developed by the EFF to detect IMSI catchers. It requires an SDR (software-defined radio) along with a dedicated Linux laptop or Raspberry Pi. Crocodile Hunter is a relatively simple project. It first gets the GPS location, then looks up cell tower IDs for the same location on the crowdsourced website WiGLE, which uses data uploaded by ordinary people. It compares the cell towers from WiGLE to the nearby cell towers and checks whether they match. If there is a nearby tower that is not in WiGLE, it flags it as a potential IMSI catcher.

Unfortunately Crocodile Hunter has many flaws:

  • It relies on WiGLE data which can be easily compromised. Attackers could simply upload their malicious tower ID to WiGLE’s database. They could also search WiGLE for an existing tower ID in the same location and use that instead.
  • Average people can’t use it. It requires expert knowledge and assembling electronics.
  • It’s bulky and impractical. You could probably fit this in a backpack but not your pocket (and definitely not on an airplane, unless you want to be cavity searched).
  • It sends the user’s GPS location to WiGLE.
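
The database comparison described above, and the first flaw in the list, as an added Python example (not Crocodile Hunter's code and not part of the original article). An in-memory dictionary of constructed records stands in for WiGLE; the tower IDs, coordinates, search radius and function names are assumptions made for illustration.

```python
from math import asin, cos, radians, sin, sqrt

# Constructed records standing in for a crowdsourced tower database:
# (mcc, mnc, tac, cell_id) -> (lat, lon). PLMN 001/01 is the test network code.
CROWD_DB = {
    (1, 1, 100, 5001): (49.2827, -123.1207),
    (1, 1, 100, 5002): (49.2900, -123.1300),
    (1, 1, 200, 7001): (49.8880, -119.4960),  # same network, a distant city
}
GPS_FIX = (49.2850, -123.1250)  # constructed receiver position
GENUINE = [(1, 1, 100, 5001), (1, 1, 100, 5002)]
NEW_ID = (1, 1, 100, 9999)      # no database record at all
FAR_ID = (1, 1, 200, 7001)      # recorded, but not near the fix
CLONED_ID = (1, 1, 100, 5001)   # same ID as a tower recorded nearby

def km_between(a, b):
    """Haversine great-circle distance in kilometres between (lat, lon) pairs."""
    dlat, dlon = radians(b[0] - a[0]), radians(b[1] - a[1])
    h = sin(dlat / 2) ** 2 + cos(radians(a[0])) * cos(radians(b[0])) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def known_near(db, fix, radius_km=5.0):
    """Tower IDs the database lists within radius_km of the GPS fix."""
    return {cell for cell, pos in db.items() if km_between(fix, pos) <= radius_km}

def flag_unknown(observed, db, fix, radius_km=5.0):
    """Observed tower IDs that have no database record near the GPS fix."""
    local = known_near(db, fix, radius_km)
    return [cell for cell in observed if cell not in local]

def demo():
    """Run the check on the constructed scans; returns flagged IDs per case."""
    results = {
        "new": flag_unknown(GENUINE + [NEW_ID], CROWD_DB, GPS_FIX),
        "far": flag_unknown(GENUINE + [FAR_ID], CROWD_DB, GPS_FIX),
        # A second transmitter using a locally recorded ID looks identical here.
        "cloned": flag_unknown(GENUINE + [CLONED_ID], CROWD_DB, GPS_FIX),
    }
    # Once the database holds a record for the new ID, the flag disappears.
    poisoned = {**CROWD_DB, NEW_ID: GPS_FIX}
    results["poisoned"] = flag_unknown(GENUINE + [NEW_ID], poisoned, GPS_FIX)
    return results

if __name__ == "__main__":
    for case, flagged in demo().items():
        print(f"{case:9} flagged={flagged}")
```

The `cloned` and `poisoned` cases come back empty, which is why an ID lookup against crowdsourced data cannot rule out an IMSI catcher on its own.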

The future of IMSI catchers

A popular IMSI catcher capable of monitoring 10,000 people at once.

You cannot truly “prevent” an attack, only react to it. This is because IMSI catchers exploit vulnerabilities at the protocol level. The best you can do is detect the attack afterwards and disconnect from the network. Although 4G and 5G have brought increased network security, IMSI catchers will continue to pose a threat for decades. Some researchers are already speculating on new security for 6G networks.

Detecting cellular attacks requires information that Google and Apple do not want to give to consumers. So solutions to mitigate the attacks are expensive, bulky or limited to a narrow selection of devices. There are many fake or ineffective solutions that rely on false positives to fool consumers. The global cellular network is diverse and anomalous enough to make heuristic detection difficult in many cases, but not impossible. Deep investigation is required to actually track down whether an IMSI catcher was ever used. Although boutique solutions can detect IMSI catchers, they remain limited to specific devices or come with other drawbacks.

Radio Sentinel is the most effective solution we are aware of for detecting IMSI catchers. It’s our hope that more solutions will eventually emerge and become commonplace enough to deter IMSI catcher use.

  • Published on: Mar 18th, 2022