WiFi-Based IMSI Catcher

Presented at Black Hat Europe 2016, Nov. 3, 2016, 10 a.m. (60 minutes)

<div class="">We introduce a new type of IMSI catcher which operates over WiFi. Whilst existing Stingray type IMSI catchers exploit 2-4G radio protocols to track movements of mobile subscribers, in this talk, we introduce two new approaches to track mobile devices which exploit authentication protocols that operate over WiFi. These protocols are now widely implemented in most modern mobile OSes, allowing for the creation of a low cost IMSI catcher.<br class=""><br class="">We demonstrate how users may be tracked on a range of smartphones and tablets including those running iOS , Android and other mobile OSs. This tracking can be performed silently and automatically without any interaction from the tracked user. We have developed a proof of concept system that demonstrates our IMSI catcher employing passive and active techniques.<br class=""><br class="">Finally, we present guidelines for vendors and cellular network operators to mitigate the user privacy issues that arise.</div>


  • Ravishankar Borgaonkar - Researcher, University of Oxford
    Ravishankar Borgaonkar's research themes are related to mobile telecommunication and involved security threats. This ranges from GSM/UMTS/LTE network security to end ­user device security.
  • Piers O'Hanlon - Researcher, University of Oxford
    Piers O'Hanlon's research focuses on security and privacy for Internet and mobile communication protocols and related systems. He has also worked on networked multimedia transport over IPv4 and IPv6, large­scale conferencing applications, grid systems, and congestion control, authoring a number of standards and drafts, in the Internet Engineering Task Force (IETF).


Similar Presentations: