IMSI catchers (sometimes known by the popular brand name “Stingrays”) are shrouded in mystery. Originally developed for military use, they are now used by law enforcement, foreign intelligence, and spammers. IMSI catchers are unauthorized cell sites designed to coerce phones into providing persistent identifiers (IMSIs) and enable RF direction-finding of particular users, intercept traffic, and/or deliver spam. Unfortunately, due to sketchy legal arrangements around their procurement and deployment, very little is publicly known about IMSI catchers, how they work, and how they are used. Based on leaked documents, 3GPP specifications, and experience detecting (and accidentally deploying) IMSI catchers, this talk infers many previously publically unknown aspects of IMSI catchers. We will cover how they convince phones to connect, reveal their IMSIs, and capture or release particular phones. We will also talk about how IMSI catchers use RF direction-finding to precisely locate particular users. We will describe how one might identify IMSI catchers based on their abuse of particular cellular standards. We will demonstrate a city-wide passive monitoring system for IMSI catchers and introduce our open-source app to detect IMSI catchers using Calypso-based GSM phones running custom baseband firmware. Finally, we’ll talk about how one might build their own IMSI catcher.