1. What is an IMSI Catcher?

An IMSI Catcher could be defined as a device that pretends to be a cell tower in order to trick your phone into thinking that it is a regular one and connecting to it, giving the IMSI Catcher all the information related to your phone and its communications. An IMSI Catcher can be used to collect IMSI codes from a particular area or to deny service to cell phone users.

2. Why the name IMSI Catcher?

The IMSI (International Mobile Subscriber Identity) is a code that comes inside your SIM card and that can be tied to you by your phone company or anyone that have been surveilled you for some time, an IMSI Catcher can do many different things, but one of its most common tasks is to try to find the IMSI codes of its targets, so it can associate the captured calls, SMSs and traffic to specific users.

3. Where could an IMSI Catcher be located?
The answer for this could be as wide as you can imagine, since it  might be stationary (for instance running inside a building), or mobile (like in automobiles, handheld or it might even be airborne). All of those options had been used previously.
4. Why does my phone connect to an IMSI Catcher?

Cell phones are designed to search for all compatible cell towers. The IMSI Catcher can be configured to represent a cell tower from your provider. The IMSI Catcher operator needs to adjust settings to replicate a cell tower in your area. Using higher power output than other genuine cell towers will make the IMSI Catcher look like a cell tower that has a more reliable signal so your cell phone will connect immediately.

An IMSI Catcher might be configured to tell all cell phones within the range that it is the only available cell tower, cheating your phone into thinking its the single available connection.


5. How can an IMSI Catcher track me?

Most of the IMSI Catchers used today are legitimately used by local authorities in judicial investigations. Knowing the target’s IMSI, the operator might configure an IMSI Catcher to connect to the target’s phone within range. Once connected, the operator uses a process of RF (radio frequency) mapping to extract the information from the mobile phone.

6. Does the IMSI catcher run as an active or passive device?

Another way to put it is, does the device actually have specific cell phones connected to it, or does it just sits back and collects ordinary cell phone traffic that passes by? The truth is, both have been done in the past.

7. What would an IMSI operator use IMSI catchers for?

An IMSI Catcher basically can intercept and even manipulate phone data, so it could be used for instance to cause terror through threatening text messages, monitor law enforcement investigations, spy on businesses and government, steal personal information given over the phone, and deny cell phone users access to emergency or phone services at all.

8. Is the cellular carrier involved?

Although sometimes it is, generally, when some actor has access to the carrier infrastructure, using an IMSI Catcher becomes unnecessary given that the information can be extracted from the regular infrastructure.

9. Does the device disrupt cell service?

 In some cases, it will not be forwarding information to the carrier. Still, sometimes the IMSI Catcher process the data and gives it to the regular network infrastructure, so service is not interrupted for the user.

10. Which phones are affected by IMSI catchers?

Sometimes it is just the target’s cell phone, such as when the carrier has instructed the phone to connect to an IMSI Catcher from the police. However, often the communications from all phones near the device can be intercepted too.

11. Do IMSI operators listen to my calls?

Although 2G calls are easy to listen to, this frequency depends on the IMSI Catcher being used. A basic IMSI catcher captures basic data from the phone. Now, to listen to calls, a commercial IMSI catcher requires several additional features charged separately by manufacturers.

12. What about phone calls on 3G or 4G range, aren’t they encrypted?

Sure! Calls on 3G and 4G have better encryption than calls on 2G. However, IMSI Catchers might feature add-ons that tricks a 3G or 4G phone into thinking that those connections are unavailable at the moment, making the phone “degrade” its signal to 2G, making phone call interception easier. With a correctly configured IMSI Catcher, your mobile phone will still show your normal cellular 3G or 4G connection. Meanwhile, your phone has been forced back to the weaker 2G encryption for monitoring.

13. Is it possible to adjust my cell phone settings so it can only connect to 4G networks?

Yes! It is possible indeed, however, 4G isn’t everywhere, so your coverage will decrease significantly. Although 3G and 4G networks are now in widespread use, 2G networks still provide backup if 3G and 4G become unavailable.

14. What information does an IMSI catcher collect?

Very often, these devices are used to precisely spot a cell phone location. Still, they can also be used to gather phone information such as serial numbers, or even communications metadata, or content, which can conduct to tremendous legal implications.

15. Could IMSI operators install software on my phone?

 An IMSI Catcher collects the IMSI and IMEI (International Mobile Station Equipment Identity) from your mobile device. So, the operator will learn what model phone you are using and potentially where you bought it. Knowing the model number makes it easier to push a firmware update developed explicitly for that phone or exploit any other specific vulnerability made for that device.

16. What if I switch SIM cards, can IMSI operators still listen?

IMSI Catchers take your IMSI directly from your SIM Card and your IMEI (International Mobile Station Equipment Identity)  from your cell phone. Both are then usually added to a target database. So switching SIM cards or switching cell phones won’t help significantly in most cases.

17. What if I get a new cell phone and SIM card?

A new cell phone and SIM card won’t be in the IMSI Catchers target database. However, the people you have been calling would need to get new cell phones, or your unique number will show up again within the target area. Also, some actors may be interested in looking for any other devices that are consistently close to the target phone, making it easy for them to associate the new phone with the new SIM card. If, for example, you carry both turned on together for enough time.

18. I’m currently using CDMA, so am I safe from IMSI Catchers?

Unfortunately, No! The same people who make the GSM IMSI Catchers build CDMA versions. Also, CDMA technology is easy to intercept, given its old implementation with low-security standards.

19. Is there any app that I might download to detect IMSI Catchers?

Many different apps on the market propose some ways to detect IMSI Catchers based on unusual activities in the phone communications and/or comparing the cell tower data to previously obtained information. In many cases, these app results show a significant rate of false positives since the information on the cell towers is outdated, or some wrong configuration is mistaken for anomalies associated with an IMSI Catcher. In order to be effective, an app would need to have access to the phone’s baseband, radio stack, and hold the right analytical method to determine a true IMSI Catcher in opposite to a poorly configured cell tower. This is a difficult task to achieve and one of the main challenges in the IMSI Catcher detection.

20. What is the legal use for IMSI Catchers?

IMSI Catchers might be used by law enforcement to track or monitor suspects in criminal investigations. You could also block someone using a cell phone used as an explosive detonator. Locate a child during an amber alert (America’s Missing: Broadcast Emergency Response). Find missing hikers in a national park, or even create a small cellular network in a remote area.

Telecommunications interception has developed into a significant industry in the last decades. Intelligence agencies of all countries try to intercept calls that might yield political, economic, or military information. Several large intelligence agencies, sucking in vast amounts of telecommunication data with a substantial worldwide system of antennas, special satellites, undersea and land cable taps, backdoor’s in switching stations, and any other means available. The most significant computer capacities on earth are subsequently used to evaluate the calls, SMS, emails based on complex sets of criteria, forwarding the ones matching specific criteria to human analysts, and database storage.

Trusting that law enforcement agencies use interception carefully and only under strictly warranted circumstances is no longer granted. The number of reports about abuse and excessive use of interception without proper cause and even for minor infractions is rising substantially.

“Lawful interception” also means a very different thing from country to country. In a dictatorship or some other less than a democratic state, it is frequently “lawful” to intercept anyone at will. The technology for interception is available on the open market and is widely deployed even in the most deprived areas of the world. It would be naive to assume that the term “lawful interception” somehow automatically meant that the interception is performed under even the most basic legal oversight.

FADe project is an initiative of South Lighthouse with the support of the Open Technology Fund.


This website is available under a Creative Commons Attribution 4.0 International (CC BY 4.0) License creativecommons.org