A new generation of IMSI catcher which operates over WiFi
Two new approaches to track mobile devices which exploit authentication protocols that operate over WiFi
In a presentation at BlackHat Europe, researchers Piers O’Hanlon and Ravishankar Borgaonkar from Oxford University have demonstrated a new type of IMSI catcher attack that operates over WiFi.
Modern smartphones automatically connect to known WiFi networks without user interaction, handing over their IMSI numbers to log into the network.
By exploiting the WiFi authentication protocols (EAP and AKA), an attacker could set up a “rogue access point” masquerading as a well-known WiFi network; when a smartphone in range of the AP tries to connect, the rogue access point extracts its IMSI number immediately.
With the captured identifier the attackers can track movements of the smartphone:
“We demonstrate how users may be tracked on a range of smartphones and tablets including those running iOS, Android and other mobile OSs. This tracking can be performed silently and automatically without any interaction from the tracked user. We have developed a proof of concept system that demonstrates our IMSI catcher employing passive and active techniques.”
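Added example (not from the presentation or the original post): a defender-side audit that classifies EAP identity strings seen in your own RADIUS or test-capture logs and flags the ones that carry a permanent IMSI instead of a temporary or anonymous identity. The identity formats are taken from RFC 4186, RFC 4187 and 3GPP TS 23.003 rather than from this page; the function names and sample identities are constructed.

```python
import re

# Leading digit that marks a permanent (IMSI-based) username:
# "0" EAP-AKA (RFC 4187), "1" EAP-SIM (RFC 4186), "6" EAP-AKA' (3GPP TS 23.003).
PERMANENT_TAGS = {"0": "EAP-AKA", "1": "EAP-SIM", "6": "EAP-AKA'"}
# 3GPP realms: "wlan." for operator WiFi access, "nai.epc." for WiFi-Calling.
REALM = re.compile(r"^(?:wlan|nai\.epc)\.mnc(\d{3})\.mcc(\d{3})\.3gppnetwork\.org$", re.I)

def classify_identity(identity):
    """Classify one EAP identity string; the IMSI is masked in the result."""
    user, _, realm = identity.strip().partition("@")
    m = REALM.match(realm)
    if not m:
        return {"kind": "non-3gpp", "method": None, "masked": None}
    mcc = m.group(2)
    tag, digits = user[:1], user[1:]
    # A permanent identity is tag + IMSI (at most 15 digits, starting with the MCC).
    if (tag in PERMANENT_TAGS and digits.isdigit()
            and 6 <= len(digits) <= 15 and digits.startswith(mcc)):
        masked = digits[:5] + "*" * (len(digits) - 5)
        return {"kind": "permanent", "method": PERMANENT_TAGS[tag], "masked": masked}
    if user.lower() in ("", "anonymous"):
        return {"kind": "anonymous", "method": None, "masked": None}
    # Anything else is treated as an opaque temporary identity
    # (pseudonym or fast re-authentication); this is a simplification.
    return {"kind": "temporary", "method": None, "masked": None}

def exposed(identities):
    """Return (masked IMSI, method) for each identity that leaks a permanent IMSI."""
    results = (classify_identity(i) for i in identities)
    return [(r["masked"], r["method"]) for r in results if r["kind"] == "permanent"]

# Constructed sample identities (test PLMN 001/01), e.g. from a RADIUS log.
SAMPLE = [
    "0001010123456789@wlan.mnc001.mcc001.3gppnetwork.org",
    "1001010123456789@wlan.mnc001.mcc001.3gppnetwork.org",
    "0001010123456789@nai.epc.mnc001.mcc001.3gppnetwork.org",
    "2Xk9vQ7pLm3aTz@wlan.mnc001.mcc001.3gppnetwork.org",
    "anonymous@wlan.mnc001.mcc001.3gppnetwork.org",
    "alice@example.org",
]

if __name__ == "__main__":
    for imsi, method in exposed(SAMPLE):
        print(f"permanent identity sent in clear: {imsi} ({method})")
```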
The presentation
https://www.blackhat.com/docs/eu-16/materials/eu-16-OHanlon-WiFi-IMSI-Catcher.pdf
Some mitigations?
Some tips extracted from the slides:
Selectively disable WiFi-Calling
Switch off WiFi in untrusted environments
iOS
- Turn off ‘Auto-Join’ toggle for Auto-WiFi networks
- iOS10 may provide better protection (once operators deploy support)
Android
- Disable Auto-WiFi profiles