WiFi-Based IMSI Catcher

By Ravishankar Borgaonkar, Piers O'Hanlon on 03 Nov 2016 @ Black Hat
📊 Presentation 📹 Video 🔗 Link
#wifi #android #ios
Focus Areas: 📱 Mobile Security, 🌐 Network Security

Presentation Material

Abstract

We introduce a new type of IMSI catcher which operates over WiFi. Whilst existing Stingray type IMSI catchers exploit 2-4G radio protocols to track movements of mobile subscribers, in this talk, we introduce two new approaches to track mobile devices which exploit authentication protocols that operate over WiFi. These protocols are now widely implemented in most modern mobile OSes, allowing for the creation of a low cost IMSI catcher.

We demonstrate how users may be tracked on a range of smartphones and tablets, including those running iOS, Android and other mobile OSs. This tracking can be performed silently and automatically, without any interaction from the tracked user. We have developed a proof-of-concept system that demonstrates our IMSI catcher employing both passive and active techniques.

Finally, we present guidelines for vendors and cellular network operators to mitigate the user privacy issues that arise.

AI Generated Summary

This research presented a novel “Wi-Fi-based IMSI catcher” that exploits automatic Wi-Fi connection features in modern smartphones to extract the International Mobile Subscriber Identity (IMSI). Unlike conventional IMSI catchers that operate on licensed mobile bands and can intercept calls via fake base stations, this technique operates in Wi-Fi bands and is limited to IMSI harvesting and potential location tracking.

The attack targets two standard Wi-Fi authentication protocols used for carrier-managed, auto-connecting networks: EAP-SIM and EAP-AKA. These protocols, implemented across Android, iOS, and Windows Mobile, are designed to allow phones to seamlessly connect to operator-provided Wi-Fi networks using SIM credentials. The researchers discovered a vulnerability in the initial authentication handshake where the device transmits its permanent IMSI identifier before switching to temporary pseudonyms. An attacker can force this initial exchange by deploying a rogue access point mimicking a carrier’s auto-connect network or by spoofing traffic to the operator’s gateway. The attack requires minimal, inexpensive hardware like a laptop or Raspberry Pi.

The practical implication is a stealthy, low-cost tracking vector. Since many phones are pre-configured to auto-connect to carrier Wi-Fi networks without user intervention, the attack can occur without any visible prompt or user action. There is no effective built-in defense on most consumer devices; existing detection apps are limited, often require rooted phones, and provide incomplete protection. Mitigations reported include Apple’s implementation of a “conservative peer” mode in iOS 10, which avoids sending the permanent IMSI

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.