Detecting IMSI-Catchers by Characterizing Identity Exposing Messages in Cellular Traffic

Authors: Tyler Tucker, Nathaniel Bennett, Martin Kotuliak, Simon Erni, Srdjan Čapkun, Kevin Butler, and Patrick Traynor
Network and Distributed System Security (NDSS) Symposium 2025

Abstract

IMSI-Catchers allow parties other than cellular network providers to covertly track mobile device users. While the research community has developed many tools to combat this problem, current solutions focus on correlated behavior and are therefore subject to substantial false classifications. In this paper, we present a standards-driven methodology that focuses on the messages an IMSI-Catcher must use to cause mobile devices to provide their permanent identifiers. That is, our approach focuses on causal attributes rather than correlated ones. We systematically analyze message flows that would lead to IMSI exposure (most of which have not been previously considered in the research community), and identify 53 messages an IMSI-Catcher can use for its attack. We then perform a measurement study on two continents to characterize the ratio in which connections use these messages in normal operations. We use these benchmarks to compare against open-source IMSI-Catcher implementations and then observe anomalous behavior at a large-scale event with significant media attention. Our analysis strongly implies the presence of an IMSI-Catcher at said public event (p ≪ 0.005), thus representing the first publication to provide evidence of the statistical significance of its findings.

Research Area: Cellular Security

People

Martin Kotuliak
Doctoral Student
Simon Erni
Doctoral Student

BibTex

@INPROCEEDINGS{tucker2025detecting,
	isbn = {979-8-9894372-8-3},
	doi = {10.14722/ndss.2025.241115},
	year = {2025-02},
	booktitle = {Network and Distributed System Security (NDSS) Symposium 2025},
	type = {Conference Paper},
	author = {Tucker, Tyler and Bennett, Nathaniel and Kotuliak, Martin and Erni, Simon and Capkun, Srdjan and Butler, Kevin and Traynor, Patrick},
	size = {19 p.},
	abstract = {IMSI-Catchers allow parties other than cellular network providers to covertly track mobile device users. While the research community has developed many tools to combat this problem, current solutions focus on correlated behavior and are therefore subject to substantial false classifications. In this paper, we present a standards-driven methodology that focuses on the messages an IMSI-Catcher \textit{must} use to cause mobile devices to provide their permanent identifiers. That is, our approach focuses on causal attributes rather than correlated ones. We systematically analyze message flows that would lead to IMSI exposure (most of which have not been previously considered in the research community), and identify 53 messages an IMSI-Catcher can use for its attack. We then perform a measurement study on two continents to characterize the ratio in which connections use these messages in normal operations. We use these benchmarks to compare against open-source IMSI-Catcher implementations and then observe anomalous behavior at a large-scale event with significant media attention. Our analysis strongly implies the presence of an IMSI-Catcher at said public event ($p << 0.005$), thus representing the first publication to provide evidence of the statistical significance of its findings.},
	language = {en},
	address = {s.l.},
	publisher = {Internet Society},
	title = {Detecting IMSI-Catchers by Characterizing Identity Exposing Messages in Cellular Traffic},
	PAGES = {1115},
	Note = {32nd Network and Distributed System Security Symposium (NDSS 2025); Conference Location: San Diego, CA, USA; Conference Date: February 24-28, 2025; Conference lecture held on February 25, 2025.}
}

Research Collection: 20.500.11850/728634