An IMSI-catcher (also known as a Stingray) is a device used to collect information about all mobile phones that are turned on in a limited area (from a few meters to several hundred meters) around it. A passive IMSI-catcher simply listens to the traffic, while an active IMSI-catcher acts as a “fake” cell tower between the phones and the legitimate cell towers.
An IMSI-catcher can collect the following information about the phones around it:
- Their numbers.
- Their IMSI[1] and IMEI[2] numbers.
- Data and metadata about their activity: the content of SMS and regular calls, the list of visited websites, metadata about the use of end-to-end encrypted messaging applications (e.g. when Signal is used and the approximate size of messages sent or received through Signal).
An adversary can use an IMSI-catcher to link people and phone numbers. For example:
- At a public demonstration, to record the phone numbers of all the phones present at the demonstration and later obtain the names associated with those phone numbers through the collaboration of mobile network operators.
- As part of a physical surveillance operation to record the target's phone number or the phone numbers of people in contact with the target.
An adversary can also use an IMSI-catcher to record phone activity. For example:
- To record the activity of a target phone without requiring the collaboration of the mobile network operator (which, in some contexts, may require a warrant).
- To record the activity of a target phone when the adversary knows where the phone is being used, but doesn't know its phone number.
See the “IMSI-catchers” topic.
Used in tactics: Incrimination
Mitigations
| Name | Description |
|---|---|
| Bug search | You can conduct a bug search to detect the presence of an IMSI-catcher. Detecting the presence of an IMSI-catcher can have several benefits:
|
| Encryption | You can encrypt a phone “in-motion” data so that if the data is collected by an IMSI-catcher, it cannot be analyzed. For example, you can use end-to-end encrypted messaging applications instead of legacy texts and calls for your phone communications. |
Used in repressive operations
| Name | Description |
|---|---|
| Case against Boris | Investigators used IMSI-catchers during physical surveillance operations to find the phone numbers of people Boris was meeting with — and then identified those people by asking mobile network operators for the names corresponding to the phone numbers[3]. |
| Bure criminal association case | Investigators used IMSI-catchers to identify the phone numbers of people who lived in places associated with the struggle against Cigéo or who participated in demonstrations[4]. |
An International Mobile Subscriber Identity (IMSI) number is a number that uniquely identifies a SIM card.
An International Mobile Equipment Identity (IMEI) number is a number that uniquely identifies a phone.
Private source.