IMSI-Catcher

The transmission between a cell phone and the base station is encrypted by default. However, there are special technical systems, so called IMSI-catchers, which can be used to switch off the encryption and to tap the mobile calls.

This system exploits the fact, that the GSM specification requires the handset to authenticate to the network, but does NOT require the network to authenticate to the handset.

Since every mobile phone has the requirement to optimize the reception, it will always choose the base station with the strongest signal. The IMSI-catcher masquerades as a base station and causes every mobile phone within a certain radius to log in.

With the help of a special identity request, it is able to force the transmission of an identity response, which allows an explicit identification of the user. This exchange proceeds noteless.

Now the catcher can use a special command in the GSM-protocol to force the cell phone to use no call encryption, making the call data easy to intercept and convert to audio.

With the help of an own SIM, it simultaneously logs into the GSM network as a mobile device. The intercepted calls are relayed to the network like independent calls from an ordinary cell phone; the receiver cannot see the number of the (original) calling party.

There are only very few mobile phones that can notify the unencrypted sending mode. In most cases, the operation cannot be recognized by the subscriber.

The IMSI-catcher subjects the phones to a man-in-the-middle attack.