Nowadays, IMSI-catchers are pretty much vanilla surveillance. Law enforcement and less lawful adversaries alike have used them for over a decade to harvest the identifiers that phones broadcast. Now researchers have demonstrated how the same can be done over Wi-Fi, and it is relatively easy.
First, let's explain what IMSI-catchers are. Also referred to as stingrays (after one widely used commercial model), these are surveillance devices that go after, you guessed it, your phone's International Mobile Subscriber Identity (IMSI). This is a unique 15-digit number stored on the SIM card that identifies the subscriber to any mobile network on the planet: the first three digits are the country code (MCC), the next two or three identify the operator (MNC), and the rest is your individual subscriber number. Think of it as your SIM's social security number.
IMSI-catchers exploit a weakness in the way mobile phones operate: a phone camps on whichever cell tower offers the strongest signal, and it has to tell that tower who it is before any authentication takes place. On 2G (GSM) the network never authenticates itself to the phone at all, and even on later generations the network can ask for the IMSI in the clear before the phone has any way to verify who is asking. So anyone broadcasting a strong enough signal while pretending to be a legitimate cell tower can easily collect IMSIs.
This is exactly what stingrays do.
IMSI numbers can be stolen over Wi-Fi too
Now Oxford University researchers Piers O'Hanlon and Ravishankar Borgaonkar have demonstrated that the same can be done over Wi-Fi, and quite easily, because Wi-Fi equipment is cheap, easy to modify and transmits on unlicensed spectrum, so it is not subject to the licensing rules that cover cellular base stations. You don't need anything besides a laptop and a Wi-Fi access point to build such a device.
The Wi-Fi IMSI-catcher exploits weaknesses in two SIM-based authentication protocols, EAP-SIM and EAP-AKA, which most contemporary phones use to connect automatically to their operator's Wi-Fi hotspots. The identity exchange at the start of these protocols happens before any encryption key exists, so it travels in the clear. The phone is supposed to offer a temporary pseudonym instead of its IMSI, but it sends the permanent identity (the IMSI wrapped in a user@realm string) the first time it meets a network or whenever the access point asks for it, and a rogue access point can simply ask. Whoever operates the IMSI-catcher, or just sniffs the air nearby, sees the IMSI as the device connects.
An IMSI by itself does not hand attackers your calls or data, but it is a stable, globally unique identifier tied to you. Whoever collects it can confirm that your phone is present, track where and when it turns up, and match it against IMSIs gathered elsewhere. And because the phone has just joined the attacker's access point, the attacker is also in a man-in-the-middle (MITM) position: able to intercept everything the phone sends over that network and, wherever the traffic is not separately encrypted, read or tamper with it.
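To make the identity leak concrete, here is an added example (my code, not the researchers' tool or anything from the original article) that decodes the EAP-SIM/EAP-AKA identity exchange described above. It builds a constructed two-frame exchange, a rogue access point's EAP-Request/SIM/Start carrying AT_PERMANENT_ID_REQ and the phone's EAP-Response/SIM/Start answering with its permanent identity, then parses the frames the way a passive sniffer would and pulls the IMSI, MCC and MNC out of the user@realm string. Packet layouts follow RFC 3748, RFC 4186 and RFC 4187; the IMSI 234150123456789, the realm and the all-zero nonce are made-up sample values.

```python
"""Decode the EAP-SIM/EAP-AKA identity exchange that exposes the IMSI.

Added example, not the article's or the researchers' code. Wire formats follow
RFC 3748 (EAP), RFC 4186 (EAP-SIM) and RFC 4187 (EAP-AKA); the sample frames,
the IMSI 234150123456789 and the realm are constructed by hand.
"""
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_SIM, EAP_TYPE_AKA = 1, 18, 23
SIM_SUBTYPE_START = 10

# First character of the NAI username says which kind of identity it is
# (RFC 4186 section 4.2.1, RFC 4187 section 4.1.1).
IDENTITY_PREFIX = {
    "1": ("EAP-SIM", "permanent"), "3": ("EAP-SIM", "pseudonym"), "5": ("EAP-SIM", "fast-reauth"),
    "0": ("EAP-AKA", "permanent"), "2": ("EAP-AKA", "pseudonym"), "4": ("EAP-AKA", "fast-reauth"),
}

# Attribute types shared by both methods.
AT_NONCE_MT, AT_PERMANENT_ID_REQ, AT_ANY_ID_REQ, AT_IDENTITY = 7, 10, 13, 14
AT_VERSION_LIST, AT_SELECTED_VERSION, AT_FULLAUTH_ID_REQ = 15, 16, 17


def build_eap(code, eap_id, eap_type, data):
    """Assemble an EAP Request/Response: Code, Identifier, Length, Type, Type-Data."""
    return struct.pack("!BBHB", code, eap_id, 5 + len(data), eap_type) + data


def attribute(atype, value):
    """Encode one EAP-SIM/AKA TLV; Length is in 4-byte units and covers the padding."""
    body = value + b"\x00" * (-(len(value) + 2) % 4)
    return bytes([atype, (len(body) + 2) // 4]) + body


def parse_eap(pkt):
    """Split an EAP Request/Response into header fields and the type-specific payload."""
    if len(pkt) < 5:
        raise ValueError("too short for an EAP Request/Response")
    code, eap_id, length, eap_type = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match frame size")
    return {"code": code, "id": eap_id, "type": eap_type, "data": pkt[5:]}


def parse_attributes(data):
    """Parse the TLV list that follows the Subtype byte and two reserved bytes."""
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1] * 4
        if alen < 4 or pos + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return attrs


def identity_request_kind(pkt):
    """Which identity an EAP-SIM/AKA Request demands; 'permanent' forces the IMSI out."""
    eap = parse_eap(pkt)
    if eap["code"] != EAP_REQUEST or eap["type"] not in (EAP_TYPE_SIM, EAP_TYPE_AKA):
        return None
    attrs = parse_attributes(eap["data"][3:])
    for atype, kind in ((AT_PERMANENT_ID_REQ, "permanent"), (AT_FULLAUTH_ID_REQ, "fullauth"),
                        (AT_ANY_ID_REQ, "any")):
        if atype in attrs:
            return kind
    return None


def extract_identity(pkt):
    """Return the identity string a phone sent, from EAP-Response/Identity or AT_IDENTITY."""
    eap = parse_eap(pkt)
    if eap["code"] != EAP_RESPONSE:
        return None
    if eap["type"] == EAP_TYPE_IDENTITY:
        return eap["data"].decode("ascii", "replace")
    if eap["type"] in (EAP_TYPE_SIM, EAP_TYPE_AKA):
        attrs = parse_attributes(eap["data"][3:])
        if AT_IDENTITY in attrs:
            (n,) = struct.unpack("!H", attrs[AT_IDENTITY][:2])  # actual identity length
            return attrs[AT_IDENTITY][2:2 + n].decode("ascii", "replace")
    return None


def classify_identity(nai):
    """Classify an identity and recover IMSI, MCC and MNC when it is a permanent one."""
    user, _, realm = nai.partition("@")
    method, kind = IDENTITY_PREFIX.get(user[:1], ("unknown", "unknown"))
    info = {"method": method, "kind": kind, "realm": realm, "imsi": None, "mcc": None, "mnc": None}
    if kind == "permanent" and len(user) == 16 and user[1:].isdigit():
        info["imsi"], info["mcc"] = user[1:], user[1:4]
        # The 3GPP realm (TS 23.003) spells out the MNC, which the IMSI alone does not
        # delimit (it may be 2 or 3 digits).
        for label in realm.split("."):
            if label[:3] in ("mcc", "mnc") and label[3:].isdigit():
                info[label[:3]] = label[3:]
    return info


def audit(frames):
    """Summarise what a sniffer or rogue AP learns from a captured identity exchange."""
    findings = []
    for pkt in frames:
        if identity_request_kind(pkt) == "permanent":
            findings.append("server demanded the permanent identity (AT_PERMANENT_ID_REQ)")
        nai = extract_identity(pkt)
        if nai:
            info = classify_identity(nai)
            if info["imsi"]:
                findings.append("IMSI %s (MCC %s, MNC %s) sent in the clear"
                                % (info["imsi"], info["mcc"], info["mnc"]))
            else:
                findings.append("%s %s identity sent, IMSI not exposed" % (info["method"], info["kind"]))
    return findings


# Constructed sample exchange: a rogue AP's EAP-Request/SIM/Start insisting on the
# permanent identity, and the phone's EAP-Response/SIM/Start that obliges.
SAMPLE_IDENTITY = "1234150123456789@wlan.mnc015.mcc234.3gppnetwork.org"
ROGUE_START = build_eap(EAP_REQUEST, 1, EAP_TYPE_SIM, bytes([SIM_SUBTYPE_START, 0, 0])
                        + attribute(AT_VERSION_LIST, b"\x00\x02\x00\x01")
                        + attribute(AT_PERMANENT_ID_REQ, b"\x00\x00"))
PHONE_START = build_eap(EAP_RESPONSE, 1, EAP_TYPE_SIM, bytes([SIM_SUBTYPE_START, 0, 0])
                        + attribute(AT_NONCE_MT, b"\x00\x00" + bytes(16))  # zero nonce, sample only
                        + attribute(AT_SELECTED_VERSION, b"\x00\x01")
                        + attribute(AT_IDENTITY, struct.pack("!H", len(SAMPLE_IDENTITY))
                                    + SAMPLE_IDENTITY.encode()))

if __name__ == "__main__":
    for line in audit([ROGUE_START, PHONE_START]):
        print(line)
```

Run it as a script to see the two findings. The same functions work on real frames pulled out of a capture of the 802.1X/EAPOL traffic; an AT_PERMANENT_ID_REQ from a network that should already know the phone's pseudonym is the tell-tale of a catcher, whereas a legitimate server that sends AT_ANY_ID_REQ lets the phone answer with a pseudonym and keep its IMSI off the air.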
What can you do to evade such attacks?
For starters, remember the old wisdom that nothing in life is free: if someone is offering you a free network, there could be something fishy about it. It could of course be perfectly legitimate, like the free Wi-Fi many cities offer in their subway systems. But the safer default is to turn auto-connect off and to communicate only over networks you trust, keeping in mind that an open or rogue hotspot can read anything you send over it unencrypted.
There are also IMSI-catcher detector apps that warn you when a nearby cell tower is not one your network provider operates and could potentially be a stingray. Note that these apps watch the cellular side only; they will not flag a rogue Wi-Fi hotspot. If an app tells you that you are near such a tower, turn off both your data connection and Wi-Fi, and turn them back on only once you are somewhere you trust.