Build your own IMSI slurping, phone-stalking Stingray-lite box – using bog-standard Wi-Fi
Uni eggheads discuss track-and-trace threat
Black Hat EU Wi-Fi networks can tease IMSI numbers out of nearby smartphones, allowing pretty much anyone to wirelessly track and monitor people by their handsets' fingerprints.
Typically, if you want to stalk and identify strangers via their IMSI numbers, you use a Stingray-like device, or any software-defined radio, that talks to handsets via cellular protocols. Your snooping gear masquerades as a legit mobile phone mast, which mobile handsets try to connect to when nearby.
During this process, the handhelds cough up their IMSI numbers, which are unique to each subscriber's SIM card. If you collect up these numbers and track where they pop up, you can figure out where and when people are or have been. It's like leaving your email address at every website you visit.
That involves special hardware. Now here's an easier way: with good old Wi-Fi, which any home, shop, airport, mall, or office can install.
University of Oxford researchers Piers O'Hanlon and Ravishankar Borgaonkar have shown that it's possible to harvest IMSI details via Wi-Fi authentication protocols. Most modern mobile operating systems can hand over their owner's identifying numbers to log into a network, if required, allowing anyone to build a low-cost Wi-Fi-based IMSI catcher. The most obvious protocol is described in RFC 4186 aka EAP-SIM.
Android and iOS smartphones and tablets can be tracked this way. Crucially, this stalking can be carried out silently and surreptitiously without requiring any user interaction.
O'Hanlon told El Reg that he began his research after noticing that his phone had connected to a protected wireless network during a London Underground journey without any interaction from him. He was subsequently able to confirm that many, but not all, Apple and Android devices are configured to auto-connect to mobile-operator-run Wi-Fi networks.
It works like this: the device tries to connect to the Wi-Fi network, and it is asked for its IMSI number so the wireless operator can check that the subscriber is authorized to access the service. The handset duly hands over the details.
Rogue base station
By setting up a Mac laptop as a rogue wireless access point, O'Hanlon and Borgaonkar were able to demonstrate the harvesting of IMSI details. Attackers could potentially do the same thing in order to track devices. The approach does not facilitate the interception of communications – unlike a conventional Stingray device that does more than slurp IMSI digits – but is still a privacy concern.
"[Mobile] operators offload connections onto Wi-Fi and this will happen more in the future," according to O'Hanlon, who is part of a team of academics and industry experts across Europe who are researching 5G security and privacy issues as part of the EU-funded Horizon 2020 project.
Rogue access points with the same name as genuine devices are assumed to be part of an operator's network. Phones will automatically try to connect to it. And the rogue devices can pose as kit from multiple operators.
The threat can be mitigated by handsets exchanging pseudonyms and not identifiers – a technology supported by Apple's iOS 10. Using mobile VPN software will not protect against this kind of attack because private information is leaked during the handshaking.
VPN technology will, however, protect a second attack demonstrated by the two Oxford boffins, where hackers deploy a fake Wi-Fi Calling server in order to extract IMSI identifiers. Not every phone supports Wi-Fi calling, an emerging technology that typically comes into play when a mobile signal is weak.
A disassociation attack might be run to boot a subscriber off legitimate networks before getting them to connect to a rogue access point, potentially spilling IMSI subscriber information in the process.
Subscription services offer a mechanism to find the phone number from an IMSI identifier for a price. In any case, IMSI offers a way to track devices. End users have no way to change them, short of changing SIM cards.
The two Oxford boffins demonstrated a proof-of-concept system that demonstrates their IMSI catcher employing passive and active techniques during a presentation [slides PDF] at the Black Hat EU security conference in London on Thursday. ®