A new generation of IMSI catcher which operates over WiFi
Two new approaches to track mobile devices which exploit authentication protocols that operate over WiFi
Modern smartphones are programmed to automatically connect to known Wi-Fi networks, without user interaction, by handing over their IMSI numbers to log into the network.
By exploiting the WiFi authentication protocols (EAP and AKA), an attacker could set up a “rogue access point” masquerading as a well-known WiFi network; when a smartphone in range of the AP tries to connect, the rogue access point extracts its IMSI number immediately.
With the captured identifier, the attacker can track the movements of the smartphone:
We demonstrate how users may be tracked on a range of smartphones and tablets including those running iOS, Android and other mobile OSs. This tracking can be performed silently and automatically without any interaction from the tracked user. We have developed a proof of concept system that demonstrates our IMSI catcher employing passive and active techniques.
Some tips extracted from the slides:
- Selectively disable WiFi-Calling
- Switch off WiFi in untrusted environments
- Turn off ‘Auto-Join’ toggle for Auto-WiFi networks
- iOS10 may provide better protection (once operators deploy support)
- Disable Auto-WiFi profiles
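
To check whether the tips above had any effect on a device you own, the following added example (not from the original slides or the researchers' proof of concept) classifies EAP identity strings taken from a capture on your own test access point and flags those that carry the permanent, IMSI-based identity in the clear. It assumes the leading-digit conventions of RFC 4186, RFC 4187 and 3GPP TS 23.003 for permanent usernames; the function names and sample identities are constructed for illustration.

```python
import re

# Leading digit of a permanent (IMSI-based) username, by EAP method
# (assumption: RFC 4186 / RFC 4187 / 3GPP TS 23.003 conventions).
PERMANENT_PREFIX = {"0": "EAP-AKA", "1": "EAP-SIM", "6": "EAP-AKA'"}
IMSI_RE = re.compile(r"^\d{6,15}$")  # an IMSI is at most 15 decimal digits


def classify_identity(identity: str) -> dict:
    """Classify one EAP-Response/Identity string from your own capture."""
    username, _, realm = identity.partition("@")
    method = PERMANENT_PREFIX.get(username[:1])
    if method and IMSI_RE.match(username[1:]):
        imsi = username[1:]
        return {
            "exposes_imsi": True,
            "method": method,
            # Keep only the country code in the report; mask the rest.
            "redacted": imsi[:3] + "*" * (len(imsi) - 3),
            "realm": realm,
        }
    # Pseudonym, fast re-authentication or anonymous identity.
    return {"exposes_imsi": False, "method": None, "redacted": None, "realm": realm}


def audit(identities):
    """Return the identities that carry a permanent identity in the clear."""
    return [i for i in identities if classify_identity(i)["exposes_imsi"]]


# Constructed sample identities (test network MCC 001 / MNC 01), not real subscribers.
SAMPLES = [
    "0001010123456789@wlan.mnc001.mcc001.3gppnetwork.org",  # permanent, EAP-AKA
    "1001010123456789@wlan.mnc001.mcc001.3gppnetwork.org",  # permanent, EAP-SIM
    "2Zk3pseudonymAbC@wlan.mnc001.mcc001.3gppnetwork.org",  # pseudonym
    "anonymous@wlan.mnc001.mcc001.3gppnetwork.org",         # anonymous identity
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = classify_identity(sample)
        print(result["exposes_imsi"], result["method"], result["redacted"])
```

An empty result from `audit()` after disabling the Auto-WiFi profile or WiFi-Calling indicates the device no longer offers its permanent identity to that network name.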