Two new approaches to track mobile devices which exploit authentication protocols that operate over WiFi

In a presentation at BlackHat Europe, researchers Piers O’Hanlon and Ravishankar Borgaonkar from Oxford University have demonstrated a new type of IMSI catcher attack that operates over WiFi.

Modern smartphones are programmed to automatically connect to known Wi-Fi networks, without user interaction, by handing over their IMSI numbers to log into the network.

Exploiting the WiFi authentication protocols (EAP and AKA) an attacker could set up a “rogue access point” masquerading as a well-known WiFi network, and a smartphone in the AP range tries to connect, the rogue access point extracts his IMSI number immediately.

With the captured identifier the attackers can track movements of the smartphone:

We demonstrate how users may be tracked on a range of smartphones and tablets including those running iOS , Android and other mobile OSs. This tracking can be performed silently and automatically without any interaction from the tracked user. We have developed a proof of concept system that demonstrates our IMSI catcher employing passive and active techniques.

The presentation

Some mitigations?

Some tips extracted from the slides:

Selectively disable WiFi-Calling
Switch off WiFi in untrusted environments


  • Turn off ‘Auto-Join’ toggle for Auto-WiFi networks
  • iOS10 may provide better protection (once operators deploy support)


  • Disable Auto-WiFi profiles