
How Stingray Cell Tower Simulators Actually Work


In December 2014, journalists in Oslo borrowed detection equipment from a security research firm and drove around the Norwegian parliament building, the Prime Minister's office, and several government ministries. Their equipment flagged anomalous cell tower behaviour at multiple locations: towers that appeared and disappeared, base stations broadcasting on frequencies inconsistent with the local operator configuration, and cell identities that matched no known commercial deployment. The Norwegian government initially denied any knowledge. Later, the police admitted they operated IMSI catchers but refused to say where, when, or why. The devices near parliament were never attributed.

That episode is a useful starting point because it captures the essential tension around IMSI catchers. The technology is neither exotic nor secret. It exploits architectural decisions made in the 1980s when GSM was designed: the network was given a way to authenticate the handset, but the handset was given no way to authenticate the network. That asymmetry, baked into the most widely deployed cellular standard in history, is what makes IMSI catchers possible. Understanding how they work requires understanding how phones choose which tower to connect to, what happens during authentication, and where each generation of mobile technology did or did not close the gap.

1. What an IMSI Catcher Is

An IMSI catcher is a device that impersonates a legitimate cellular base station. The name comes from its primary function: capturing the International Mobile Subscriber Identity, a unique number stored on the SIM card that identifies a subscriber to the network. The IMSI is distinct from the phone number (MSISDN) and from the hardware identity of the phone itself (IMEI). By collecting IMSIs, an operator of the device can determine which subscribers are physically present in a given area, track their movements over time, and in more advanced configurations intercept their calls and text messages.

The most widely known brand name is the StingRay, manufactured by Harris Corporation (now L3Harris Technologies), a US defence contractor based in Melbourne, Florida. The StingRay and its successor, the StingRay II, have been sold to law enforcement and intelligence agencies worldwide since the early 2000s. But Harris is not the only manufacturer. Rohde & Schwarz, the German test and measurement company, produces systems marketed for "lawful interception." Septier Communication, an Israeli company, sells the Septier IMSI Catcher and Septier Guardian. Ability Inc., also Israeli, marketed a system called ULIN that claimed to intercept calls on 3G and 4G networks. Dozens of smaller firms in Europe, Israel, and China sell similar equipment.

The devices range from suitcase-sized portable units that a single officer can carry into a crowd, to vehicle-mounted systems with directional antennas, to fixed installations concealed in buildings near locations of interest. All of them exploit the same protocol-level behaviour: an idle phone camps on the strongest cell that advertises its operator's network code, and in GSM the phone has no way to verify whether that advertisement comes from a legitimate operator tower or from a device in the boot of a car parked across the street.

The Three Identifiers

Before going further, it helps to clarify the three identifiers that IMSI catchers target:

IMSI (International Mobile Subscriber Identity): a 15-digit number stored on the SIM card. It encodes the Mobile Country Code (MCC), Mobile Network Code (MNC), and Mobile Subscriber Identification Number (MSIN). For example, an IMSI starting with 262-01 belongs to a subscriber on Telekom Deutschland (MCC 262, MNC 01). The IMSI uniquely identifies a subscriber across the entire global mobile network. Knowing someone's IMSI lets you track their SIM across different cells, different cities, and potentially different countries.

IMEI (International Mobile Equipment Identity): a 15-digit number that identifies the physical handset, not the SIM. If a target swaps their SIM card into a new phone, the IMSI stays the same but the IMEI changes. If they keep the same phone but use a new SIM, the IMEI stays the same. IMSI catchers collect both, which lets investigators correlate SIM swaps with physical devices.

TMSI (Temporary Mobile Subscriber Identity): a temporary, locally scoped identifier assigned by the serving network to avoid broadcasting the permanent IMSI over the air after initial registration. The TMSI is supposed to protect subscriber privacy by preventing passive eavesdroppers from linking radio transmissions to a specific IMSI. The network and the phone both know the mapping between TMSI and IMSI, but an eavesdropper hearing only the TMSI cannot determine the IMSI without additional information. IMSI catchers defeat this by forcing the phone to reveal the permanent IMSI, as described below.

2. How Phones Choose a Tower: Cell Selection and Reselection

To understand why IMSI catchers work, you need to understand how a phone decides which cell to camp on. The process is specified in 3GPP TS 43.022 for GSM and TS 36.304 for LTE, but the core logic is consistent across generations.

When a phone powers on, it scans the frequency bands it supports, looking for broadcast channels from base stations. In GSM, these are the Broadcast Control Channel (BCCH) carriers. In LTE, they are the Primary and Secondary Synchronisation Signals (PSS/SSS) followed by the Master Information Block (MIB) and System Information Blocks (SIBs). The phone measures the signal strength of each detected cell and evaluates whether the cell is "suitable" for camping.

A cell is suitable if it meets several criteria:

  1. The cell belongs to a PLMN the phone is allowed to use. The SIM stores a list of preferred and forbidden PLMNs. The phone will not take normal service from a network it is not registered with; at most it camps there for limited service, which permits emergency calls only.

  2. The signal quality exceeds a minimum threshold. In GSM, this is defined by the RXLEV_ACCESS_MIN parameter broadcast in the System Information. In LTE, it is Qrxlevmin. If the signal is below this floor, the cell is ignored.

  3. The cell is not barred. A base station can set a "cell barred" flag in its system information to prevent phones from camping on it, typically during maintenance.

  4. The cell passes access class checks. SIM cards are assigned to one of ten random access classes (0 through 9). A cell can restrict camping to specific access classes during congestion.

After evaluating suitability, the phone camps on the strongest suitable cell. This is the critical point: the phone trusts the broadcast information from the cell. In GSM, there is no cryptographic verification of the System Information messages. The phone reads the MCC, MNC, Location Area Code, Cell Identity, and various parameters from the broadcast channel and takes them at face value. A device that broadcasts valid-looking System Information on a frequency the phone is scanning will be evaluated alongside legitimate cells, and if its signal is stronger, it wins.

Cell Reselection

Once camped, the phone continuously monitors neighbouring cells. The serving cell broadcasts a list of neighbouring cell frequencies and identities in its System Information (the BA list in GSM, the SIB4/SIB5 neighbour cell lists in LTE). The phone periodically measures these neighbours and, if a neighbour becomes stronger by a defined hysteresis margin for a sustained period, the phone reselects to the new cell. This is cell reselection, the idle-mode equivalent of handover.

IMSI catchers exploit cell reselection by broadcasting a signal strong enough to exceed the current serving cell's signal by the required hysteresis margin. For a phone in idle mode, this causes a quiet, invisible switch: the phone detaches from the legitimate cell and attaches to the fake one. The user sees nothing. There is no notification, no prompt, no indication that the serving cell has changed. The phone icon in the status bar continues to show signal bars.

Why the Strongest Signal Wins

This behaviour is not a bug. It is a deliberate design choice from the GSM era. Mobile networks are built around the assumption that the strongest signal generally comes from the nearest and most appropriate cell. Handover and reselection toward stronger cells improves call quality, reduces interference, and balances load. The designers of GSM in the 1980s were building a civilian commercial system; the threat model did not prominently include an adversary deploying rogue base stations. The expense and expertise required to build a base station in 1990 was a natural barrier that no longer exists.
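The selection and reselection logic described in this section, reduced to a runnable model. This is an added example, not code from the article or from any vendor: the suitability checks and the C1 path-loss criterion follow 3GPP TS 43.022 and TS 45.008, while the cells, the handset parameters and the Telekom subscriber scenario are constructed for illustration. It shows a phone camping on a legitimate cell, a rogue cell with the right PLMN and a stronger signal pulling the phone over and triggering a Location Updating, and two equally strong cells (wrong PLMN, barred) being ignored.

```python
"""GSM idle-mode cell selection and reselection, cut down to the parts that let a
rogue cell win.  Suitability and the C1 criterion follow 3GPP TS 43.022 and
TS 45.008; the cells, parameters and phone below are constructed for this example."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cell:
    mcc: str
    mnc: str
    lac: int
    cell_id: int
    rxlev_dbm: int                        # level the phone measures on the BCCH carrier
    rxlev_access_min_dbm: int = -104      # RXLEV_ACCESS_MIN, broadcast by the cell itself
    ms_txpwr_max_cch_dbm: int = 33        # MS_TXPWR_MAX_CCH, also broadcast
    cell_bar_access: bool = False         # CELL_BAR_ACCESS flag
    cell_reselect_hysteresis_db: int = 4  # used when the new cell is in another LA
    barred_access_classes: frozenset = frozenset()

    @property
    def plmn(self) -> str:
        return self.mcc + self.mnc


@dataclass
class Phone:
    home_plmn: str
    access_class: int                     # 0..9, stored on the SIM
    max_tx_power_dbm: int = 33            # power class 4 GSM900 handset
    forbidden_plmns: frozenset = frozenset()
    serving: Optional[Cell] = None


def c1(cell: Cell, phone: Phone) -> int:
    """Path-loss criterion C1 (TS 45.008 6.4); the cell is usable only if C1 > 0.
    Both thresholds come from the cell's own, unauthenticated broadcast."""
    penalty = max(cell.ms_txpwr_max_cch_dbm - phone.max_tx_power_dbm, 0)
    return cell.rxlev_dbm - cell.rxlev_access_min_dbm - penalty


def is_suitable(cell: Cell, phone: Phone) -> bool:
    """The four suitability checks from the text.  None of them is cryptographic."""
    if cell.plmn != phone.home_plmn or cell.plmn in phone.forbidden_plmns:
        return False
    if cell.cell_bar_access or phone.access_class in cell.barred_access_classes:
        return False
    return c1(cell, phone) > 0


def select_cell(phone: Phone, cells: List[Cell]) -> Optional[Cell]:
    """Power-on selection: strongest suitable cell by C1."""
    suitable = [c for c in cells if is_suitable(c, phone)]
    return max(suitable, key=lambda c: c1(c, phone), default=None)


def should_reselect(phone: Phone, candidate: Cell) -> bool:
    """Idle-mode reselection toward a neighbour (C2 equals C1 here, no offsets)."""
    if phone.serving is None or not is_suitable(candidate, phone):
        return False
    margin = c1(candidate, phone) - c1(phone.serving, phone)
    if candidate.lac != phone.serving.lac:
        # Different location area: beat the serving cell by CELL_RESELECT_HYSTERESIS
        # (a real phone also requires this to hold for 5 s).
        return margin > phone.serving.cell_reselect_hysteresis_db
    return margin > 0


def run_idle_phone(phone: Phone, at_power_on: List[Cell], appearing_later: List[Cell]) -> dict:
    """Camp on the best cell, then let each later-appearing cell try to pull the phone
    over.  Reports the final cell and whether a Location Updating was triggered."""
    phone.serving = select_cell(phone, at_power_on)
    camped = phone.serving
    for cell in appearing_later:
        if should_reselect(phone, cell):
            phone.serving = cell
    final = phone.serving
    return {
        "cell_id": final.cell_id if final else None,
        "lac": final.lac if final else None,
        "location_update_triggered": bool(camped and final and camped.lac != final.lac),
    }


# Constructed scenario: a Telekom Deutschland (262 01) subscriber on a city street.
LEGIT_MACRO = Cell("262", "01", lac=0x1A2B, cell_id=31245, rxlev_dbm=-75)
LEGIT_NEIGHBOUR = Cell("262", "01", lac=0x1A2B, cell_id=31246, rxlev_dbm=-82)
BARRED = Cell("262", "01", lac=0x1A2B, cell_id=31247, rxlev_dbm=-60, cell_bar_access=True)
# Rogue: right PLMN, a LAC nobody else uses, 25 dB stronger, permissive access floor.
ROGUE = Cell("262", "01", lac=0x9F9F, cell_id=1, rxlev_dbm=-50, rxlev_access_min_dbm=-110)
# Just as strong, wrong PLMN: never considered.
ROGUE_WRONG_PLMN = Cell("262", "02", lac=0x9F9F, cell_id=2, rxlev_dbm=-50)


def demo() -> dict:
    phone = Phone(home_plmn="26201", access_class=7)
    return run_idle_phone(phone, [LEGIT_MACRO, LEGIT_NEIGHBOUR, BARRED], [ROGUE_WRONG_PLMN, ROGUE])


if __name__ == "__main__":
    print(demo())   # ends on cell_id 1 in LAC 0x9F9F with a Location Updating triggered
```

Two details are worth noticing. The rogue cell grades itself: C1 is computed from the RXLEV_ACCESS_MIN and MS_TXPWR_MAX_CCH it broadcasts, so a permissive floor inflates its score on top of the raw power advantage. And the only parameter standing between the phone and the rogue cell is the serving cell's hysteresis, a few dB, which is why Step 3 of the attack in section 4 does not need to be subtle.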

3. The GSM Authentication Gap

GSM's security architecture, specified in the original ETSI standards and later formalised in 3GPP TS 43.020, includes a subscriber authentication mechanism based on a shared secret. The SIM card and the network's Authentication Centre (AuC) both store a 128-bit secret key called Ki. When the network wants to authenticate a subscriber, the following happens:

  1. The network generates a 128-bit random number (RAND).
  2. The network sends RAND to the phone.
  3. The SIM card computes SRES = A3(Ki, RAND) and, alongside it, the 64-bit session key Kc = A8(Ki, RAND) that will later encrypt the air interface. A3 and A8 are operator-chosen; most SIMs implemented both with a version of COMP128.
  4. The SIM sends SRES back to the network.
  5. The network independently computes SRES from the same Ki and RAND and compares the two values.
  6. If they match, the subscriber is authenticated.

This proves to the network that the SIM holds the correct Ki. The phone has authenticated itself to the network.

But the reverse does not happen. The network never proves its identity to the phone. There is no challenge sent from the phone to the network, no signed response the phone can verify, no certificate chain, no public key infrastructure. The phone receives RAND from whatever base station it connected to and obediently computes SRES. If the base station is a fake, the phone has no way to detect this.

This is the authentication gap that IMSI catchers exploit. The phone authenticates to the network, but the network does not authenticate to the phone. A device impersonating a base station can skip the authentication step entirely (since it does not need to verify the subscriber, it just wants the IMSI) or can relay the authentication challenge to the real network and forward the response, acting as a transparent man-in-the-middle.

Why This Gap Existed

The decision to omit network-side authentication was partly practical and partly economic. In the late 1980s, the primary security concern was cloned SIM cards and subscription fraud, not rogue base stations. Base stations were expensive, specialised equipment operated by licensed carriers. The idea that a private individual or even a government agency would deploy fake base stations against civilians was not a prominent scenario in the threat model. Additionally, adding mutual authentication would have required more complex SIM card cryptographic capabilities and increased signalling overhead, both significant concerns with the hardware constraints of that era.

The consequence is that every GSM phone ever manufactured, billions of devices across three decades, will happily connect to and authenticate with any device that looks like a GSM base station with a sufficiently strong signal. This is the foundation on which all IMSI catcher technology rests.

4. The Attack Step by Step

Here is what happens when an IMSI catcher is activated near a group of target phones. The specific sequence varies by device model and configuration, but the general flow applies to all GSM-mode IMSI catchers.

Step 1: Frequency Selection. The operator configures the IMSI catcher to broadcast on a frequency used by the target network. In Germany, for instance, Telekom operates GSM on the 900 MHz and 1800 MHz bands. The IMSI catcher is configured to use one of these frequencies, typically one where the local legitimate cell is weakest, to maximise the signal advantage.

Step 2: System Information Broadcast. The IMSI catcher begins broadcasting System Information messages that mimic a legitimate cell. It sets its MCC and MNC to match the target operator (e.g., 262/01 for Telekom), assigns itself a Cell Identity and Location Area Code (LAC), and configures parameters like RXLEV_ACCESS_MIN to be as permissive as possible. Critically, it sets a LAC that differs from the LAC of the legitimate serving cell. This is important for Step 4.

Step 3: Signal Strength Override. The IMSI catcher transmits at a power level sufficient to exceed the legitimate cell's signal at the target location. In an urban environment, a legitimate macro cell might provide -75 dBm at street level. The IMSI catcher, positioned 20 metres from the target, might provide -50 dBm. The 25 dB advantage ensures that cell reselection criteria are met quickly.

Step 4: Location Area Update. When the phone reselects to the IMSI catcher's cell, it detects that the LAC has changed. A change in LAC triggers a Location Area Update (LAU) procedure, during which the phone sends a Location Update Request message to the new "network." This message contains either the phone's TMSI (if one was previously assigned) or, if the IMSI catcher claims not to recognise the TMSI, the phone's permanent IMSI.

Step 5: Identity Request. If the phone initially sends a TMSI, the IMSI catcher responds with an Identity Request message specifying identity type "IMSI." The phone is required by the GSM specification (3GPP TS 24.008, section 4.3.3) to respond with its IMSI when requested by the network. There is no option to refuse. The phone sends back its full 15-digit IMSI in an Identity Response message.

Step 6: IMEI Collection. The IMSI catcher can also send an Identity Request for identity type "IMEI," and the phone is similarly required to respond with its hardware identifier.

Step 7: Release or Relay. After collecting the IMSI and IMEI, the IMSI catcher has several options depending on its operational mode:

  • Collection mode: The catcher rejects the location update with a Location Updating Reject carrying a location-area-scoped cause such as #12 ("Location Area not allowed") or #13 ("Roaming not allowed in this location area"), so the phone marks only the fake location area as forbidden and goes looking for another cell of the same operator. Cause #11 ("PLMN not allowed") would be a mistake from the operator's point of view: the phone would write the spoofed PLMN, which is the target's real operator, into the SIM's forbidden-PLMN list and lose service for a long time, which is conspicuous. Done correctly, the target experiences a brief service interruption, typically a few seconds, which usually goes unnoticed.

  • Interception mode: The catcher accepts the location update and keeps the phone connected. It then acts as a man-in-the-middle, relaying traffic between the phone and the real network. This mode is more complex and is discussed in Section 6.

The entire sequence, from signal detection to IMSI capture, takes between 2 and 15 seconds per device. In a crowded area, the IMSI catcher captures the identities of every phone within range that is using the target operator, not just the intended target. This mass collection aspect is one of the reasons IMSI catchers are controversial even among those who accept their use in criminal investigations.
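The messages exchanged in Steps 5 and 6 are small enough to build and parse by hand, and doing so shows exactly what a catcher sends and what it gets back. The following is an added example, not code from the article or from any IMSI catcher product: it encodes and decodes the Mobile Identity information element (3GPP TS 24.008 10.5.1.4) and wraps it in the MM Identity Request and Identity Response messages (9.2.10 and 9.2.11). The subscriber, equipment and TMSI values are constructed sample values, and the two-digit MNC split in split_imsi is an assumption that happens to hold for the German example in the text.

```python
"""Mobile Identity IE (3GPP TS 24.008 10.5.1.4) and the MM Identity Request /
Identity Response messages from Steps 5 and 6.  Frame layout follows the spec;
the identities used below are constructed sample values."""

IDENTITY_TYPES = {1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}
TYPE_CODES = {name: code for code, name in IDENTITY_TYPES.items()}

MM_PD = 0x05                 # protocol discriminator: mobility management, skip indicator 0
MT_IDENTITY_REQUEST = 0x18   # TS 24.008 9.2.10
MT_IDENTITY_RESPONSE = 0x19  # TS 24.008 9.2.11


def encode_mobile_identity(kind: str, value: str) -> bytes:
    """Value part of the IE.  Digits are packed two per octet, low nibble first;
    octet 3 carries digit 1, the odd/even flag (bit 4) and the identity type (bits 1-3)."""
    code = TYPE_CODES[kind]
    if kind == "TMSI":
        # octet 3 = 1111 | even(0) | 100, then the 4-octet TMSI
        return bytes([0xF0 | code]) + bytes.fromhex(value)
    digits = [int(ch) for ch in value]
    odd = len(digits) % 2
    out = bytearray([(digits[0] << 4) | (odd << 3) | code])
    rest = digits[1:] + ([] if odd else [0xF])   # 1111 filler when the digit count is even
    for low, high in zip(rest[0::2], rest[1::2]):
        out.append((high << 4) | low)
    return bytes(out)


def decode_mobile_identity(ie: bytes):
    """Inverse of encode_mobile_identity; returns (kind, value)."""
    kind = IDENTITY_TYPES.get(ie[0] & 0x07)
    if kind is None:
        raise ValueError("unknown identity type %d" % (ie[0] & 0x07))
    if kind == "TMSI":
        if len(ie) != 5:
            raise ValueError("TMSI identity must be 5 octets")
        return kind, ie[1:5].hex()
    odd = (ie[0] >> 3) & 1
    digits = [ie[0] >> 4]
    for octet in ie[1:]:
        digits += [octet & 0x0F, octet >> 4]
    if not odd and digits.pop() != 0xF:
        raise ValueError("missing 1111 filler on even-length identity")
    if any(d > 9 for d in digits):
        raise ValueError("non-BCD digit in identity")
    return kind, "".join(str(d) for d in digits)


def build_identity_request(kind: str) -> bytes:
    """What the catcher sends: PD/skip octet, message type, identity type (half octet)."""
    return bytes([MM_PD, MT_IDENTITY_REQUEST, TYPE_CODES[kind]])


def build_identity_response(kind: str, value: str) -> bytes:
    """What the phone answers: PD/skip octet, message type, LV-encoded Mobile Identity."""
    ie = encode_mobile_identity(kind, value)
    return bytes([MM_PD, MT_IDENTITY_RESPONSE, len(ie)]) + ie


def parse_identity_response(frame: bytes):
    """Catcher-side parser; rejects anything that is not an MM Identity Response."""
    if len(frame) < 4 or frame[0] & 0x0F != MM_PD or frame[1] != MT_IDENTITY_RESPONSE:
        raise ValueError("not an MM Identity Response")
    length = frame[2]
    if length < 1 or 3 + length > len(frame):
        raise ValueError("bad Mobile Identity length")
    return decode_mobile_identity(frame[3:3 + length])


def split_imsi(imsi: str, mnc_digits: int = 2):
    """MCC / MNC / MSIN.  The MNC is 2 or 3 digits and only an operator table tells
    which; 2 is assumed here, which is right for 262 01 in the text."""
    return imsi[:3], imsi[3:3 + mnc_digits], imsi[3 + mnc_digits:]


if __name__ == "__main__":
    print(build_identity_request("IMSI").hex())                      # 051801
    resp = build_identity_response("IMSI", "262011234567890")
    print(resp.hex(), parse_identity_response(resp), split_imsi("262011234567890"))
```

Three octets from the catcher (05 18 01) are enough to make a GSM phone hand over its IMSI; the same request with identity type 2 fetches the IMEI. The filler-nibble and BCD checks in the decoder matter on the detection side too: an over-the-air sniffer that logs identities should refuse malformed frames rather than record garbage.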

5. Downgrade Attacks: Forcing Modern Phones onto 2G

Modern smartphones support 4G LTE and 5G NR, both of which include mutual authentication that makes traditional IMSI catching significantly harder. An IMSI catcher operator facing a population of 4G/5G phones cannot use the GSM authentication gap because those phones are not speaking GSM. The solution is to force them to.

A downgrade attack works by making the higher-generation signals unavailable, so the phone falls back to 2G GSM where the authentication gap exists. There are several methods:

Jamming

The most common approach is selective jamming of the 4G and 3G frequency bands. The IMSI catcher (or a separate jamming module) transmits noise or interference on the frequencies used for LTE and UMTS in the target area. The phone detects that its 4G connection has become unusable (the error rate climbs, the SINR drops below acceptable thresholds, the cell becomes unreadable), and begins searching for an alternative. If 3G is also jammed, the phone falls back to 2G, where the IMSI catcher's fake GSM cell is waiting with a strong, clean signal.

The jamming does not need to be sophisticated. Broadband noise across the relevant LTE bands (typically 800 MHz, 1800 MHz, and 2600 MHz in European deployments) is sufficient. The phone's baseband modem sees a dramatic drop in signal quality and triggers inter-RAT (Radio Access Technology) cell reselection, searching for any usable cell including GSM ones.

Fake Reject Messages

A more targeted approach avoids brute-force jamming. The IMSI catcher can set up a fake LTE cell and, when phones attach, respond with specific reject messages that instruct the phone to disable LTE usage. For example, an Attach Reject with EMM cause #7 ("EPS services not allowed") tells the phone that LTE service is not available and causes it to fall back to 2G/3G. Some implementations use cause #14 ("EPS services not allowed in this PLMN") or Tracking Area Update Reject messages to achieve the same effect. The phone accepts these reject causes even though the message carries no integrity protection (TS 24.301 lists the causes a phone must act on before any security context exists), dutifully disables its LTE stack and searches for UTRAN or GERAN cells.

This approach was documented in academic research by Shaik et al. (2016), a TU Berlin and Aalto University team, and by Hussain et al. (2018, 2019) at Purdue University, who demonstrated practical downgrade attacks against commercial LTE networks using software-defined radio equipment costing under €3,000.

The Downgrade Problem Is Architectural

The reason downgrade attacks work is that mobile standards are designed for backwards compatibility. A phone that cannot find a 5G or 4G cell must still be able to make emergency calls, which in practice means it keeps a working 2G stack for as long as any operator in the area still runs GSM. Operators cannot switch 2G off overnight without addressing emergency-call coverage, legacy IoT and M2M devices, and roaming obligations. In Europe, several operators have announced or completed 2G sunsets (Swisscom has already switched off GSM; Deutsche Telekom has targeted 2030), but the pace is slow and coverage obligations complicate the picture.

Until 2G is completely decommissioned across all operators in a given area, downgrade attacks remain viable. And even after 2G shutdown, as we will see in Section 9, there are other attack surfaces.

6. Call and SMS Interception

Capturing IMSIs is the basic function. More advanced IMSI catchers can intercept the content of calls and text messages. This requires the device to operate as a full man-in-the-middle: it maintains a connection to the target phone on one side and a connection to the real network on the other, relaying traffic between them while recording or modifying it in transit.

The Encryption Problem (for the Interceptor)

GSM supports encryption of the air interface using the A5 family of stream ciphers. During call setup, the network and the phone negotiate which cipher to use:

  • A5/1: the "strong" cipher originally developed for GSM. A 64-bit key, with 10 bits fixed to zero, giving an effective key length of 54 bits. Considered adequate in the 1990s. Thoroughly broken by 2009: Karsten Nohl and colleagues at the Chaos Communication Congress demonstrated practical real-time decryption using rainbow tables precomputed over several months. The tables, occupying approximately 2 terabytes, allow decryption of an A5/1-encrypted GSM frame in seconds.

  • A5/2: a deliberately weakened cipher, originally created for export to countries outside NATO. Broken trivially; real-time decryption requires negligible computation. Officially deprecated and removed from the 3GPP specifications in 2007, but some old networks still supported it for years afterward.

  • A5/3 (KASUMI): a block cipher with a 128-bit key (KASUMI, the same core the UMTS algorithms use), later backported to GSM, where it is keyed from the 64-bit Kc by repeating it unless the network runs UMTS AKA on the GSM side. Significantly stronger than A5/1 in practice. However, adoption in GSM networks has been slow because both base stations and handsets must support it, and the network can only select it when the phone advertises support. As of 2025, many GSM networks still use A5/1.

  • A5/0: no encryption at all. The traffic is sent in the clear.

An IMSI catcher in man-in-the-middle mode can force the connection to use A5/0 by telling the phone that the network does not support encryption. The phone cannot object; the GSM specification allows the network to select A5/0, and the phone must comply. Some phones display a warning icon (an open padlock or an exclamation mark) when operating without encryption, but the GSM ciphering indicator can be switched off by the SIM (the OFM bit in the SIM's administrative data file), and most operators do switch it off. Most users would never see it.

Alternatively, the IMSI catcher can let the phone and the real network negotiate A5/1 and decrypt in real time using the Nohl rainbow tables. Relaying the authentication challenge does not reveal Ki, but it does open another route to the session key: Kc depends only on Ki and RAND, not on the cipher, so a catcher that first runs the same RAND through an A5/2 session recovers Kc in seconds and then uses it to decrypt the A5/1 traffic (Barkan, Biham and Keller, 2003). In practice, many IMSI catchers simply force A5/0 because it is simpler and more reliable.

SMS Interception

SMS messages in GSM are carried on signalling channels (SDCCH or SACCH), not voice traffic channels. When a phone is connected to an IMSI catcher in MITM mode, SMS messages to and from the phone pass through the catcher. If the air interface is unencrypted (A5/0), the SMS content is visible in plaintext. This includes one-time passwords sent by banks, two-factor authentication codes, and any other content sent via SMS. This is one reason security professionals have long advised against SMS-based 2FA.

Voice Interception

Voice calls in GSM are carried on Traffic Channels using one of the GSM voice codecs (Full Rate, Enhanced Full Rate, or Half Rate). In unencrypted mode, the voice frames can be decoded directly. In A5/1 mode, real-time decryption is feasible with the appropriate hardware and precomputed tables. The IMSI catcher records the decrypted voice stream, which can be played back or processed through speech-to-text systems.

The result is that for any phone connected to the IMSI catcher over GSM with A5/0 or A5/1 encryption, voice calls and SMS are fully accessible to the IMSI catcher operator. This is not a theoretical attack. It is the documented operational capability of commercially sold IMSI catcher systems.

7. Operational Modes: Collection vs. Interception

IMSI catchers are typically operated in one of two distinct modes, and the distinction matters both technically and legally.

Collection Mode (IMSI Harvesting)

In collection mode, the IMSI catcher captures the IMSI, IMEI, and TMSI of every phone that connects to it, then immediately releases the phone back to the legitimate network. The phone experiences a brief disruption (a few seconds of no service) and then reconnects normally. The user is unlikely to notice anything unusual.

This mode is used for:

  • Identifying who is present in a location. Place the IMSI catcher near a protest, a meeting, or a border crossing, and you get a list of every phone (and by extension, every person carrying a phone) who was physically present.

  • Locating a known target. If you already know the target's IMSI, you can deploy IMSI catchers at multiple locations and determine which one sees the target. By triangulating with multiple devices or by moving a single device and observing when the target appears and disappears, you can narrow down their physical location to within tens of metres.

  • Building association networks. Collect IMSIs from the same location repeatedly, and you can build graphs of which phones (and people) are frequently co-located. Dimitris and Katerina always appear together at the same locations; Nikos and Andreas share a pattern that suggests they meet every Thursday evening.

Collection mode is lower-risk for the operator because the phone is released quickly, minimising the chance of detection, and because no call content is intercepted, which in many jurisdictions falls under a lower legal threshold than content interception.

Interception Mode (Active Man-in-the-Middle)

In interception mode, the IMSI catcher maintains the connection with the target phone and relays traffic to and from the real network. The phone remains connected to the fake cell for the duration of the operation, which may be minutes or hours. All calls and SMS pass through the catcher and can be recorded, modified, or blocked.

This mode is used for:

  • Recording the content of phone calls and text messages.
  • Injecting false SMS messages (the catcher can send an SMS to the phone that appears to come from any sender).
  • Blocking specific calls or messages from reaching the target.
  • Tracking the target's location in real time by monitoring the signal strength and timing advance of the phone's transmissions.

Interception mode is technically more demanding. The IMSI catcher must maintain a credible simulation of the network for the duration of the connection, handle paging, manage handover (if the target moves), and relay traffic with low enough latency that voice calls do not exhibit noticeable delays. Commercial IMSI catchers from Harris, Septier, and Rohde & Schwarz handle this automatically, but it requires more processing power and more sophisticated software than simple collection mode.

8. 3G and 4G Improvements: Mutual Authentication

The GSM authentication gap was recognised during the design of 3G UMTS in the late 1990s. The UMTS Authentication and Key Agreement (AKA) protocol, specified in 3GPP TS 33.102, introduced mutual authentication: the network authenticates the subscriber (as in GSM), and the subscriber also authenticates the network.

How UMTS AKA Works

The core addition is the AUTN (Authentication Token) parameter. When the network sends an authentication challenge:

  1. The network generates RAND and computes several values from RAND and the subscriber's permanent key K (stored on the USIM and in the AuC): XRES (expected response), CK (cipher key), IK (integrity key), and AUTN.

  2. AUTN is the concatenation of SQN concealed by XOR with an anonymity key (AK), a 16-bit Authentication Management Field (AMF), and a Message Authentication Code (MAC) computed over RAND, SQN and AMF using K.

  3. The USIM receives RAND and AUTN, verifies the MAC using its own K, checks that SQN is within an acceptable range (to prevent replay attacks), and only then computes RES and returns it.

  4. If the MAC verification fails, the USIM rejects the authentication. This means a fake base station that does not possess the correct K cannot generate a valid AUTN, and the phone will refuse to authenticate.

This closes the one-way authentication gap. A device impersonating a 3G base station cannot produce a valid AUTN without access to the authentication vectors from the real network. The phone will reject the fake cell.
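The two protocols described in section 3 and in this section, side by side, as an added example (not code from the article, from 3GPP or from any operator). The GSM SIM answers whoever challenges it; the UMTS USIM checks the MAC in AUTN first, then the sequence number. The functions named f1, f2, f5 and A3 are HMAC-SHA-256 stand-ins for the operator's real algorithms (MILENAGE, COMP128), and the keys and SQN values are constructed; only the protocol structure is what the standards specify. The model also shows what a replayed authentication vector produces, which the next subsection relies on.

```python
"""Toy model of GSM authentication (one-way) next to UMTS AKA (mutual).  f1/f2/f5 and
A3 are HMAC-SHA-256 stand-ins for the operator's real algorithms (MILENAGE, COMP128);
only the protocol structure matters here.  Keys and SQN values are constructed."""
import hashlib
import hmac
import secrets


def _prf(key: bytes, label: bytes, *parts: bytes, n: int) -> bytes:
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()[:n]


def a3(ki, rand):           return _prf(ki, b"A3", rand, n=4)            # GSM SRES
def f1(k, rand, sqn, amf):  return _prf(k, b"f1", rand, sqn, amf, n=8)   # MAC-A
def f2(k, rand):            return _prf(k, b"f2", rand, n=8)             # RES / XRES
def f5(k, rand):            return _prf(k, b"f5", rand, n=6)             # AK


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Sim:
    """GSM SIM: answers any RAND; it has no way to ask who is challenging it."""
    def __init__(self, ki: bytes):
        self._ki = ki

    def run_gsm(self, rand: bytes) -> bytes:
        return a3(self._ki, rand)


class Usim:
    """UMTS USIM: checks the network's MAC and sequence number before answering."""
    def __init__(self, k: bytes, sqn_ms: int = 0):
        self._k, self._sqn_ms = k, sqn_ms

    def run_umts(self, rand: bytes, autn: bytes):
        conc_sqn, amf, mac = autn[:6], autn[6:8], autn[8:16]
        sqn = _xor(conc_sqn, f5(self._k, rand))
        if not hmac.compare_digest(mac, f1(self._k, rand, sqn, amf)):
            return "MAC_FAILURE", None           # not from my home network
        if int.from_bytes(sqn, "big") <= self._sqn_ms:
            return "SYNC_FAILURE", None          # genuine but stale: a replay
        self._sqn_ms = int.from_bytes(sqn, "big")
        return "OK", f2(self._k, rand)


class HomeNetwork:
    """AuC/HLR side: holds K and the per-subscriber SQN counter."""
    AMF = b"\x80\x00"

    def __init__(self, k: bytes, sqn: int = 0):
        self._k, self._sqn = k, sqn

    def auth_vector(self):
        self._sqn += 1
        rand = secrets.token_bytes(16)
        sqn = self._sqn.to_bytes(6, "big")
        autn = _xor(sqn, f5(self._k, rand)) + self.AMF + f1(self._k, rand, sqn, self.AMF)
        return rand, f2(self._k, rand), autn


def fake_bts_gsm(sim: Sim) -> bool:
    """IMSI catcher with no Ki: the SIM still computes and returns SRES."""
    return len(sim.run_gsm(secrets.token_bytes(16))) == 4


def fake_nodeb_umts(usim: Usim) -> str:
    """IMSI catcher with no K: whatever it puts in AUTN fails the MAC check."""
    return usim.run_umts(secrets.token_bytes(16), secrets.token_bytes(16))[0]


def genuine_umts(net: HomeNetwork, usim: Usim) -> bool:
    rand, xres, autn = net.auth_vector()
    status, res = usim.run_umts(rand, autn)
    return status == "OK" and hmac.compare_digest(res, xres)


def replayed_umts(net: HomeNetwork, usim: Usim) -> str:
    """Re-sending a captured (RAND, AUTN) passes the MAC but trips the SQN check."""
    rand, _, autn = net.auth_vector()
    usim.run_umts(rand, autn)
    return usim.run_umts(rand, autn)[0]


def is_same_subscriber(captured_rand: bytes, captured_autn: bytes, usim: Usim) -> bool:
    """The linkability side channel: a replayed vector gets SYNC_FAILURE from the USIM it
    was issued to and MAC_FAILURE from every other USIM (Arapinis et al., 2012)."""
    return usim.run_umts(captured_rand, captured_autn)[0] == "SYNC_FAILURE"
```

The distinction between the two failure answers is not an artefact of the toy: the real protocol has the USIM report MAC failure and synchronisation failure differently so the network can resynchronise SQN, and that difference is observable over the air.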

Why 3G Did Not Kill IMSI Catchers

Three reasons:

First, the IMSI is still sent in the clear during the initial attach procedure. When a phone first connects to a 3G network (or when it roams to a new area), the network may request the IMSI via an Identity Request, and the phone transmits it unencrypted over the air. The TMSI mechanism mitigates this for subsequent connections, but the initial IMSI transmission is a vulnerability. An IMSI catcher that forces a phone to re-attach (by jamming the current cell and triggering a search) can capture the IMSI during the new attach procedure.

Second, downgrade attacks bypass 3G entirely. If the attacker jams the UMTS bands and forces the phone to GSM, all the UMTS security improvements are irrelevant because the phone is now using GSM's broken security.

Third, 3G's sequence number handling leaks information. If a USIM receives a replayed (RAND, AUTN) pair that its home network issued earlier, the MAC check passes but the SQN check fails, and the USIM answers with a synchronisation failure rather than a MAC failure. An attacker who has captured a genuine challenge for a target can therefore replay it to any phone in range and tell from the failure type whether that phone holds the target's USIM (Arapinis et al., 2012). This does not break authentication, but it defeats the purpose of the TMSI: it links a phone to a subscriber without ever seeing the IMSI. Implementations with predictable SQN management have also been shown to leak activity patterns, though these attacks are harder to mount than the GSM authentication gap.

4G LTE and EPS-AKA

LTE uses EPS-AKA (3GPP TS 33.401), which is structurally similar to UMTS AKA with improvements. The USIM verifies the network's AUTN before responding, providing mutual authentication. Once the security context exists, integrity protection of NAS signalling is mandatory, and the ciphering algorithms (EEA1 is SNOW 3G, EEA2 is AES-128 in counter mode, EEA3 is ZUC; the integrity algorithms EIA1/EIA2/EIA3 use the same primitives) are vastly stronger than A5/1. Ciphering, unlike integrity, remains the operator's choice (EEA0 is the null algorithm), but enabling it is standard practice.

Despite these improvements, 4G retains the IMSI exposure problem. The initial attach message can contain the IMSI in cleartext. This means an IMSI catcher operating as a fake LTE cell can still capture IMSIs during the attach procedure, even if it cannot break the subsequent encryption. This vulnerability has been confirmed repeatedly in academic papers and security audits.

Additionally, certain NAS messages in LTE are exchanged before the security context exists and are therefore neither encrypted nor integrity-protected: Identity Request, Authentication Request, and Attach Reject, Tracking Area Update Reject and Service Reject with the cause values that TS 24.301 allows the phone to accept unprotected. (The NAS Security Mode Command itself is integrity-protected; it is the first message sent under the new context.) These messages can be spoofed by an attacker to capture the IMSI or to trigger downgrades, disconnections, or denial-of-service conditions.

9. 5G and the SUPI/SUCI Problem

5G NR, specified in 3GPP Release 15 and later, made the most significant architectural change yet to address IMSI catching: encrypting the subscriber identity.

SUPI and SUCI

In 5G, the permanent subscriber identity is called the SUPI (Subscription Permanent Identifier), which is functionally equivalent to the IMSI. The critical difference is that the SUPI is never sent in the clear over the air interface. Instead, the phone encrypts the SUPI using the home network's public key, producing a SUCI (Subscription Concealed Identifier). The SUCI is what travels over the radio link.

The encryption scheme is the Elliptic Curve Integrated Encryption Scheme (ECIES) in one of two profiles: Profile A uses Curve25519 (X25519) and Profile B uses secp256r1; both derive keys with the ANSI X9.63 KDF over SHA-256 and use AES-128 in counter mode for confidentiality and an 8-byte HMAC-SHA-256 tag for integrity. The phone stores the home network's public key on the USIM. Each time the phone needs to send its identity, it generates a fresh ephemeral key pair, computes a shared secret with the home network's public key, and encrypts the MSIN portion of the SUPI. The MCC and MNC stay in the clear so that a visited network can route the SUCI to the right home network, which means an eavesdropper still learns the subscriber's operator. The result is a SUCI that changes every time, is unlinkable across registrations, and can only be decrypted by the home network using its private key.

This means an IMSI catcher that captures a 5G SUCI over the air cannot determine the underlying SUPI. The permanent identifier is cryptographically protected. The attacker would need to break ECIES, which is computationally infeasible with current technology.

The Null Scheme Problem

The 5G specification defines a "null scheme" (SUPI Protection Scheme identifier 0) in which the SUPI is sent as the SUCI without encryption. This exists for backwards compatibility and for network testing. If an operator deploys 5G with the null scheme, the SUPI is exposed in the clear, and the entire SUCI mechanism provides no protection. As of early 2026, most major European operators have deployed non-null SUCI encryption, but the specification allows the null scheme, and some smaller operators or private 5G networks may use it. A second caveat is that SUCI only exists on 5G standalone (SA) registrations. In non-standalone (NSA) deployments, where NR is a secondary carrier hung off an LTE anchor, the phone still attaches through the 4G core with an IMSI or GUTI, and the SUCI mechanism never comes into play.
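SUCI concealment and the null scheme next to it, as an added example; this is not code from the article, from 3GPP or from any USIM or core-network vendor. X25519 (RFC 7748), the ANSI X9.63 KDF and the 8-byte HMAC-SHA-256 tag are implemented as Profile A specifies them. One component is a labelled stand-in: the confidentiality layer uses an HMAC-SHA-256 keystream where the real profile uses AES-128 in counter mode, because Python's standard library has no AES; the structure around it (ephemeral key, KDF split into encryption key, counter block and MAC key, output layout) is unchanged. The operator keys, the SUPI and the two-digit MNC split are constructed assumptions.

```python
"""5G SUCI per 3GPP TS 33.501 Annex C, ECIES Profile A, with the null scheme beside it.
X25519 (RFC 7748), the ANSI X9.63 KDF and the 8-byte HMAC-SHA-256 tag are as specified;
the one STAND-IN is keystream_xor, an HMAC-SHA-256 keystream in place of AES-128-CTR
(no AES in the stdlib).  Keys and subscriber values are constructed for this example."""
import hashlib
import hmac
import secrets

P, A24 = 2 ** 255 - 19, 121665
BASEPOINT = (9).to_bytes(32, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder: scalar * u on Curve25519."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def x963_kdf(shared: bytes, shared_info: bytes, length: int) -> bytes:
    """ANSI X9.63 KDF with SHA-256: Hash(Z || counter || SharedInfo), counter from 1."""
    blocks = (hashlib.sha256(shared + i.to_bytes(4, "big") + shared_info).digest()
              for i in range(1, -(-length // 32) + 1))
    return b"".join(blocks)[:length]


def keystream_xor(key: bytes, icb: bytes, data: bytes) -> bytes:
    """STAND-IN for AES-128-CTR(enc_key, ICB): same interface, not the real cipher."""
    stream = b"".join(hmac.new(key, icb + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(-(-len(data) // 32)))
    return bytes(x ^ y for x, y in zip(data, stream))


def tbcd(digits: str) -> bytes:
    """Two digits per octet, low nibble first, 0xF filler on an odd tail."""
    d = [int(c) for c in digits] + ([0xF] if len(digits) % 2 else [])
    return bytes((d[i + 1] << 4) | d[i] for i in range(0, len(d), 2))


def untbcd(raw: bytes) -> str:
    return "".join(str(n) for b in raw for n in (b & 0xF, b >> 4) if n != 0xF)


def conceal_profile_a(msin: str, hn_pub: bytes) -> bytes:
    """UE side.  Scheme output = ephemeral public key (32) || ciphertext || MAC tag (8).
    The fresh ephemeral key per SUCI is what makes successive SUCIs unlinkable."""
    eph_priv = secrets.token_bytes(32)
    eph_pub = x25519(eph_priv, BASEPOINT)
    keys = x963_kdf(x25519(eph_priv, hn_pub), eph_pub, 64)
    enc_key, icb, mac_key = keys[:16], keys[16:32], keys[32:]
    ct = keystream_xor(enc_key, icb, tbcd(msin))
    return eph_pub + ct + hmac.new(mac_key, ct, hashlib.sha256).digest()[:8]


def deconceal_profile_a(output: bytes, hn_priv: bytes) -> str:
    """Home network side (UDM/SIDF): needs the private key that never leaves the operator."""
    eph_pub, ct, tag = output[:32], output[32:-8], output[-8:]
    keys = x963_kdf(x25519(hn_priv, eph_pub), eph_pub, 64)
    enc_key, icb, mac_key = keys[:16], keys[16:32], keys[32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()[:8]):
        raise ValueError("SUCI MAC check failed")
    return untbcd(keystream_xor(enc_key, icb, ct))


def build_suci(supi: str, scheme_id: int, hn_pub: bytes, key_id: int = 1) -> dict:
    """TS 23.003 SUCI fields.  MCC and MNC stay in the clear so the serving network can
    route the SUCI home; a 2-digit MNC is assumed.  scheme_id 0 = null, 1 = Profile A."""
    mcc, mnc, msin = supi[:3], supi[3:5], supi[5:]
    output = tbcd(msin) if scheme_id == 0 else conceal_profile_a(msin, hn_pub)
    return {"mcc": mcc, "mnc": mnc, "scheme_id": scheme_id,
            "hn_public_key_id": key_id if scheme_id else 0, "scheme_output": output}


def demo() -> dict:
    hn_priv = secrets.token_bytes(32)              # operator's private key, stays in the UDM
    hn_pub = x25519(hn_priv, BASEPOINT)            # provisioned on the USIM
    supi = "262011234567890"
    first, second = build_suci(supi, 1, hn_pub), build_suci(supi, 1, hn_pub)
    null = build_suci(supi, 0, hn_pub)
    return {
        "plmn_visible_over_the_air": first["mcc"] + first["mnc"],
        "two_sucis_differ": first["scheme_output"] != second["scheme_output"],
        "home_recovers_msin": deconceal_profile_a(first["scheme_output"], hn_priv) == supi[5:],
        "null_scheme_leaks_msin": untbcd(null["scheme_output"]) == supi[5:],
    }
```

demo() returns the four facts the text states: the PLMN is visible, two SUCIs for the same subscriber differ, only the holder of the private key recovers the MSIN, and with the null scheme the MSIN is readable straight off the air. The MAC check in deconceal_profile_a is also where a tampered or wrong-key SUCI is rejected.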

5G Vulnerabilities That Remain

Even with SUCI encryption, 5G is not immune to all IMSI catcher techniques. Researchers have identified several remaining attack surfaces:

GUTI Reallocation Tracking. The 5G-GUTI (Globally Unique Temporary Identifier) serves the same role as the TMSI in GSM: a temporary identifier that avoids exposing the permanent one. The network periodically reallocates the GUTI, but if the reallocation pattern is predictable, an attacker can link successive GUTIs to the same subscriber. Hussain et al. (2019) demonstrated a "ToRPEDO" attack that exploited paging protocol weaknesses to link temporary identifiers across paging occasions, effectively deanonymising subscribers without needing the SUPI.

Pre-Authentication Message Manipulation. As in LTE, certain NAS messages in 5G are sent before the security context is established and are therefore unprotected. A fake gNB can send Registration Reject messages with specific 5GMM cause codes to force the phone to disable 5G, disable the SIM, or enter a limited service state. These attacks do not reveal the SUPI but can be used for denial of service or to force downgrade to older generations.

Downgrade to 4G/3G/2G. If an attacker can jam 5G NR bands and force the phone to fall back to LTE or GSM, all the 5G security improvements are bypassed. The phone negotiates using the security mechanisms of the fallback generation, which may include the original GSM authentication gap. This is the same architectural weakness as before: backwards compatibility enables downgrade attacks.

RRC Layer Exploits. The Radio Resource Control (RRC) layer in 5G NR handles connection setup and reconfiguration. Certain RRC messages, particularly during the initial access procedure, are sent without integrity protection. Researchers at CISPA Helmholtz Centre in Saarbruecken demonstrated that these unprotected messages can be exploited for bidding-down attacks, where the attacker modifies the UE's capability information to remove its support for strong security algorithms.

Relay Attacks. A sophisticated attacker can set up a relay between a fake 5G cell and the real network, forwarding all messages transparently. While the phone and the real network complete mutual authentication successfully (because the relay does not modify the cryptographic messages), the attacker gains the ability to observe metadata: timing of connections, volume of data, paging patterns, and cell-level location information. The content remains encrypted, but the metadata alone has significant intelligence value.

10. Commercial and DIY IMSI Catchers

Commercial Systems

The commercial IMSI catcher market is worth hundreds of millions of euros annually and is dominated by a handful of companies:

L3Harris Technologies (formerly Harris Corporation): Manufacturer of the StingRay, StingRay II, Hailstorm, AmberJack, KingFish, and related products. Prices are not publicly listed, but documents obtained through freedom-of-information requests and investigative journalism suggest that a complete StingRay II system costs between €400,000 and €500,000, with annual maintenance and software update contracts adding €40,000 to €100,000 per year. L3Harris requires law enforcement customers to sign non-disclosure agreements and has historically asked prosecutors to drop criminal cases rather than reveal the use of StingRay technology in court.

Rohde & Schwarz: The Munich-based company sells lawful interception and monitoring solutions, including IMSI catcher capabilities integrated into broader surveillance platforms. Their products are marketed primarily to European law enforcement and intelligence agencies.

Septier Communication: An Israeli company offering the Septier Guardian system, which combines IMSI catching with voice and data interception on 2G, 3G, and (claimed) 4G networks. Septier has sold to agencies in multiple countries, and their products have appeared in surveillance technology catalogues obtained by journalists.

Ability Inc.: Another Israeli firm, which marketed the ULIN system claiming to intercept 3G and 4G communications by exploiting SS7 (Signalling System 7) vulnerabilities rather than over-the-air interception. The company's shares were traded on NASDAQ before being delisted.

Numerous Chinese manufacturers: Companies sell IMSI catchers at significantly lower price points (€50,000 to €150,000), often with fewer restrictions on who can purchase them.

DIY IMSI Catchers

The barrier to building an IMSI catcher has dropped dramatically. The essential components are:

Software-Defined Radio hardware. A transmit-capable SDR like the Ettus USRP B200 (approximately €1,200), bladeRF (approximately €400), or LimeSDR (approximately €300) provides the radio front-end. The RTL-SDR (€25) can receive but cannot transmit, so it is useful for passive monitoring but not for building an active IMSI catcher.

Open-source GSM base station software. Projects such as Osmocom (Open Source Mobile Communications), which includes OsmoBTS, OsmoBSC, OsmoMSC, OsmoHLR and related components (the older all-in-one OsmoNITB has been retired in favour of this split stack), implement a complete GSM network in software. OpenBTS, originally developed by Range Networks, provides an alternative implementation. These are legitimate open-source projects intended for research, private networks, and rural connectivity in developing countries, but they can also be configured to operate as IMSI catchers.

A laptop. The SDR connects via USB, the GSM stack runs on the laptop, and the entire system fits in a backpack. Total cost: under €1,000 when built around a bladeRF or LimeSDR, for a basic GSM IMSI catcher capable of collecting IMSIs in a radius of 100 to 300 metres.

Several researchers have published step-by-step guides and given conference presentations demonstrating DIY IMSI catchers. At the 2010 DEF CON security conference, researcher Chris Paget demonstrated a GSM IMSI catcher built for roughly €1,300 using a USRP and OpenBTS. In 2016, researchers at the University of Washington published "SeaGlass," a system that used cheap sensors to detect IMSI catchers in the wild; as part of the project, they built their own reference IMSI catcher to calibrate detection.

Legal Implications

Building or operating an IMSI catcher without authorisation is illegal in virtually every jurisdiction. In Europe, operating a radio transmitter on licensed mobile frequencies without a licence violates the radio spectrum regulations of each country (in Germany, the Telekommunikationsgesetz; in the Netherlands, the Telecommunicatiewet; in Greece, the relevant EETT regulations). Intercepting communications content adds additional criminal liability under wiretapping laws.

In Germany, operating an IMSI catcher without judicial or prosecutorial authorisation is a criminal offence under § 148 of the Telekommunikationsgesetz, punishable by up to two years in prison. Even the mere reception and decoding of mobile communications not intended for the receiver can be an offence under § 89 TKG.

Despite this, the availability of cheap SDR hardware and open-source software means that technically capable individuals can build and operate IMSI catchers. Security researchers, journalists, and activists have raised concerns about unauthorised IMSI catchers operated by foreign intelligence services, private investigators, corporate espionage actors, and stalkers. The devices found near the Norwegian parliament in 2015 were never attributed to any authorised agency.

11. Detection: How to Spot an IMSI Catcher

Detecting IMSI catchers is difficult because they are designed to be indistinguishable from legitimate cells. However, they inevitably create anomalies that can be observed with the right equipment and software.

Observable Anomalies

Unexpected 2G downgrade. If a phone in an area with strong 4G coverage suddenly drops to 2G, this may indicate a downgrade attack. Phones display the current network type (5G, LTE, 3G, 2G, or the E/G/H icons) in the status bar; a sudden change from LTE to GSM in a location where LTE coverage is known to be excellent is suspicious.

New or unknown Cell IDs. Every legitimate cell has a Cell Identity that is registered with the operator. A carelessly configured IMSI catcher uses a fabricated Cell ID that does not appear in the operator's cell database; a careful one clones the identifiers of a real nearby cell, in which case the giveaway is a known identity appearing at the wrong place or with the wrong signal level. Detection apps maintain databases of known cell towers and flag unfamiliar ones.

Missing neighbour cell information. Legitimate cells broadcast lists of neighbouring cells. An IMSI catcher may not broadcast a complete or accurate neighbour list, because doing so requires knowledge of the local network topology.

Unusual LAC changes. An IMSI catcher typically advertises a Location Area Code that differs from the surrounding real cells, because a changed LAC is what forces every phone that camps on it to perform a location update and identify itself. Frequent or unexpected LAC changes, particularly to a LAC not otherwise seen in the area, are therefore a useful indicator of a catcher cycling through collection mode.

Signal strength anomalies. A very strong signal from a cell that appeared recently, with characteristics inconsistent with the known cell at that location (different frequency, different Cell ID, different system information parameters), is suspicious.

Disabled encryption. If the air interface is operating without encryption (A5/0) in a network that normally uses A5/1 or A5/3, this is a strong indicator of an IMSI catcher in interception mode. Unfortunately, most phones do not expose this information to the user.
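The anomalies above can be turned into rules and run over a cell survey log. The following Go program is an added example, not code from the article or from any of the detection tools discussed later; the log format, the baseline, PLMN 262/01 and all identifiers are constructed, and the thresholds (20 dB above the baseline level, LTE at -90 dBm or better counting as strong coverage) are assumptions to tune against data from a quiet day.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Observation is one line of a constructed survey log: time, radio technology,
// PLMN, area code (LAC for GSM, TAC for LTE), cell id, received level in dBm,
// advertised neighbour count, and the negotiated cipher ("-" if not applicable).
type Observation struct {
	Time, RAT                                 string
	MCC, MNC, Area, CellID, RxLev, Neighbours int
	Cipher                                    string
}

// KnownCell is a baseline entry from earlier survey drives of the same area.
type KnownCell struct{ MCC, MNC, Area, CellID, TypicalRxLev int }

// Finding names the rule that fired and the observation it fired on.
type Finding struct{ Time, Rule, Detail string }

func cellKey(mcc, mnc, area, cid int) string { return fmt.Sprintf("%d-%02d-%d-%d", mcc, mnc, area, cid) }

// ParseLog reads the whitespace-separated format used by SampleLog below.
func ParseLog(log string) ([]Observation, error) {
	var obs []Observation
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 9 {
			return nil, fmt.Errorf("bad line: %q", line)
		}
		var n []int
		for _, s := range f[2:8] {
			v, err := strconv.Atoi(s)
			if err != nil {
				return nil, fmt.Errorf("bad number %q in %q", s, line)
			}
			n = append(n, v)
		}
		obs = append(obs, Observation{f[0], f[1], n[0], n[1], n[2], n[3], n[4], n[5], f[8]})
	}
	return obs, nil
}

// Analyse applies the anomaly rules from the text. Thresholds (20 dB above the
// baseline level, LTE at -90 dBm or better counting as "strong") are assumptions.
func Analyse(obs []Observation, baseline []KnownCell) []Finding {
	known, areas := map[string]KnownCell{}, map[string]bool{}
	for _, k := range baseline {
		known[cellKey(k.MCC, k.MNC, k.Area, k.CellID)] = k
		areas[cellKey(k.MCC, k.MNC, k.Area, 0)] = true
	}
	var out []Finding
	add := func(o Observation, rule, detail string) { out = append(out, Finding{o.Time, rule, detail}) }
	for i, o := range obs {
		if k, ok := known[cellKey(o.MCC, o.MNC, o.Area, o.CellID)]; !ok {
			add(o, "unknown_cell", "cell id not in baseline")
		} else if o.RxLev > k.TypicalRxLev+20 {
			// A known identity far louder than usual: the cell may be cloned.
			add(o, "rxlev_anomaly", fmt.Sprintf("%d dBm vs typical %d", o.RxLev, k.TypicalRxLev))
		}
		if !areas[cellKey(o.MCC, o.MNC, o.Area, 0)] {
			// A foreign area code is what forces phones to do a location update.
			add(o, "area_not_in_baseline", fmt.Sprintf("area code %d", o.Area))
		}
		if o.Neighbours == 0 {
			add(o, "no_neighbours", "cell advertises no neighbour list")
		}
		if o.Cipher == "A5/0" {
			add(o, "null_cipher", "GSM connection without encryption")
		}
		if i > 0 && obs[i-1].RAT == "LTE" && o.RAT == "GSM" && obs[i-1].RxLev >= -90 {
			add(o, "downgrade", fmt.Sprintf("LTE at %d dBm replaced by GSM", obs[i-1].RxLev))
		}
	}
	return out
}

// SampleLog and SampleBaseline are constructed for this example; PLMN 262/01 and
// every identifier in them are illustrative, not a real survey.
const SampleLog = `
10:00:00 LTE 262 01 1001 4711 -78 8 -
10:00:30 LTE 262 01 1001 4712 -82 7 -
10:01:00 GSM 262 01 1001 9001 -55 0 A5/0
10:01:30 GSM 262 01 9999 9001 -52 0 A5/0
10:02:00 GSM 262 01 1001 5001 -58 6 A5/1
`

var SampleBaseline = []KnownCell{{262, 1, 1001, 4711, -80}, {262, 1, 1001, 4712, -84}, {262, 1, 1001, 5001, -88}}

func main() {
	obs, err := ParseLog(SampleLog)
	fmt.Println(err, Analyse(obs, SampleBaseline))
}
```

On the sample log the two LTE lines are quiet, the first GSM line trips four rules at once (unknown cell, no neighbours, null cipher, downgrade from strong LTE), the second adds the foreign area code, and the last line shows the case a fabricated-ID rule alone misses: a cell id that is in the baseline but arrives 30 dB louder than it ever has, which is what a catcher cloning a real cell looks like. The baseline has to come from several drives of the same area, or the legitimate reconfiguration described under "Why Detection Is Hard" below will fire these rules just as readily.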

Detection Tools

Several tools and applications have been developed for IMSI catcher detection:

AIMSICD (Android IMSI-Catcher Detector): An open-source Android application that monitors cell tower parameters and alerts on anomalies. The project was active from 2014 to approximately 2019 but has since stalled due to the increasing difficulty of accessing baseband information on modern Android versions, where Google has progressively restricted access to low-level telephony APIs.

SnoopSnitch: Developed by Security Research Labs (SRLabs) in Berlin, this Android app analyses baseband diagnostic data to detect IMSI catchers, SS7 attacks, and other mobile security threats. It requires a Qualcomm chipset and root access to function fully, limiting its practical deployment.

CryptoPhone and GSMK: GSMK, a Berlin-based company, sells the CryptoPhone, a hardened Android device with built-in baseband monitoring that alerts on IMSI catcher activity, encryption downgrades, and other anomalies. The CryptoPhone maintains a database of known cell towers and compares real-time observations against expected network behaviour. Prices start at approximately €2,500.

Crocodile Hunter: An open-source project developed by the Electronic Frontier Foundation using a Software Defined Radio to detect fake 4G base stations. It monitors for anomalies in the LTE broadcast channel, including unusual cell parameters, mismatched operator information, and suspicious system information.

SeaGlass: The University of Washington project mentioned earlier deployed sensors in ride-share vehicles in Seattle and Milwaukee to build city-wide maps of cell tower behaviour over time, identifying anomalies that correlated with known IMSI catcher activity.

Why Detection Is Hard

IMSI catchers have a structural advantage: they control the radio interface. A well-configured IMSI catcher can mimic the parameters of a legitimate cell precisely, including the correct MCC, MNC, Cell ID, LAC, frequency, transmit power, and neighbour list. If the operator has obtained the local cell database (which is not secret; it can be built by driving around with a monitoring phone), the fake cell can be made nearly indistinguishable from a real one.

Detection is further complicated by the fact that legitimate network behaviour includes many of the same anomalies. Cells are regularly added, removed, and reconfigured by operators. Temporary cells are deployed at events. Signal strength varies due to atmospheric conditions and building construction. Distinguishing "suspicious anomaly" from "normal network change" requires continuous baseline monitoring or access to the operator's cell database, which is not publicly available.

12. The European Legal Framework

The use of IMSI catchers by law enforcement and intelligence agencies is regulated differently across European countries, but most frameworks share common elements: the requirement for judicial or prosecutorial authorisation, restrictions on the type of data that can be collected, and limits on the duration of surveillance.

Germany: StPO § 100i

Germany has the most explicit legal framework for IMSI catcher use. Section 100i of the Strafprozessordnung (Code of Criminal Procedure) authorises the use of IMSI catchers for:

  • Determining the IMSI and IMEI of a suspect's phone.
  • Determining the location of a suspect's phone.

The authorisation requires a court order, which must specify the suspect, the offence under investigation (which must be a serious criminal offence, a "Straftat von erheblicher Bedeutung"), and the duration of the surveillance. The law explicitly states that the data of non-suspects captured by the IMSI catcher (which is inevitable, since IMSI catchers collect all phones in range) must be deleted immediately and cannot be used.

Section 100i does not authorise content interception via IMSI catchers. If police want to intercept calls or messages, they must use the separate, more restrictive authorisation under § 100a StPO (telecommunications surveillance), which requires a different court order with higher evidentiary thresholds.

In practice, the distinction between "location data" and "content interception" is important because it determines which legal threshold applies. IMSI collection and location tracking fall under § 100i, which has a lower threshold. Call and SMS interception falls under § 100a, which requires evidence of specific serious offences listed exhaustively in the statute.

France

French law authorises IMSI catchers under the 2015 Intelligence Act (Loi relative au renseignement), enacted after the Charlie Hebdo attacks. Authorisation is granted by the Prime Minister after consultation with the CNCTR (Commission nationale de contrôle des techniques de renseignement), an independent oversight body. Judicial involvement is not required for intelligence operations, which has drawn criticism from civil liberties organisations.

The Netherlands

Dutch police have used IMSI catchers since at least the early 2000s. The legal basis was formalised with the 2017 revision of the Intelligence and Security Services Act (Wiv), which authorises the AIVD and MIVD to use IMSI catchers with ministerial authorisation and oversight from the TIB. Police use falls under the Code of Criminal Procedure and requires prosecutorial authorisation.

Greece

Greek law permits lawful interception, including IMSI catchers, under the supervision of the Hellenic Authority for Communication Security and Privacy (ADAE). In 2022, a major scandal erupted when it was revealed that the Greek intelligence service (EYP) had used Predator spyware and potentially IMSI catchers to monitor journalists and opposition politicians, including MEP Nikos Androulakis. The scandal led to resignations, parliamentary inquiries, and a European Parliament investigation, highlighting the gap between the legal framework and actual practice.

The Broader European Picture

The European Court of Human Rights has ruled repeatedly (Klass v. Germany, 1978; Weber and Saravia v. Germany, 2006; Big Brother Watch v. United Kingdom, 2018, confirmed by the Grand Chamber in 2021) that surveillance measures must be "in accordance with the law," necessary in a democratic society, and proportionate. The ePrivacy Directive (2002/58/EC) reinforces these requirements: Article 15(1) permits member states to restrict the confidentiality of communications only where the restriction is a necessary, appropriate and proportionate measure within a democratic society, which is the standard national IMSI catcher provisions must meet.

13. Documented Use in Europe

IMSI catchers are not theoretical. Their deployment across Europe is documented, though details often emerge only through leaks, litigation, or investigative journalism.

Germany

German police use IMSI catchers routinely, with thousands of deployments per year. The Bundeskriminalamt (BKA), Bundespolizei, and Landespolizei forces all operate IMSI catchers. In 2002, the introduction of § 100i StPO was prompted by the fact that police had been using IMSI catchers for years without explicit legal authorisation, and the law was enacted partly to regularise existing practice.

During the 2017 G20 summit in Hamburg, German security forces deployed IMSI catchers extensively in the security zone surrounding the summit venue. Civil liberties organisations filed complaints arguing that the mass collection of IMSIs from tens of thousands of protesters, journalists, and bystanders was disproportionate. The Hamburg administrative court ruled in 2019 that some of the police surveillance measures during G20 were unlawful, though the specific ruling on IMSI catchers was not made public.

Norway

The Aftenposten investigation mentioned at the beginning of this article (published in December 2014 and pursued through 2015) found anomalous cell behaviour near government buildings in Oslo. A subsequent investigation by the Norwegian Communications Authority confirmed the presence of "false base stations" but could not identify the operators. The Norwegian Police Security Service (PST) acknowledged that it operates IMSI catchers but denied responsibility for the devices found near parliament. In 2015, the Norwegian parliament's Control Committee launched an investigation into the possibility that a foreign intelligence service was operating IMSI catchers in the Norwegian capital.

United Kingdom

The use of IMSI catchers by UK police (Metropolitan Police, National Crime Agency) has been repeatedly confirmed through equipment procurement records, freedom-of-information requests, and court proceedings. The technology is authorised under the Regulation of Investigatory Powers Act 2000 (RIPA) and the Investigatory Powers Act 2016. In 2016, the Bristol Cable, a local media cooperative, revealed that Avon and Somerset Police had purchased IMSI catcher equipment, making it one of the first confirmed regional police forces to possess the technology.

Major Events and Border Areas

IMSI catchers are regularly deployed at major events across Europe. Football matches, political summits, state visits, and large-scale protests are all occasions where law enforcement has confirmed or been documented using IMSI catchers. The justification is typically public safety and counterterrorism.

Border surveillance is another documented use case. The European Border and Coast Guard Agency (Frontex) has been reported to use or facilitate the use of IMSI catchers in border surveillance operations, though Frontex has been reluctant to confirm specifics. In the Eastern Mediterranean, where migrant crossings have been a major political issue, reports from civil liberties organisations and journalists have documented the use of surveillance technology, including suspected IMSI catchers, at border crossing points and on surveillance vessels.

14. Counter-Surveillance: Protecting Yourself

Given that IMSI catchers exploit protocol-level weaknesses, perfect protection is difficult. However, several measures can significantly reduce exposure.

Disable 2G on Your Phone

The single most effective technical measure is disabling 2G (GSM) on your phone, which prevents downgrade attacks from forcing your device onto the vulnerable 2G air interface.

On Android (since Android 12): Settings > Network & internet > SIMs > [your SIM] > Allow 2G. Turn this off. This prevents the phone from connecting to 2G cells for normal service, eliminating the primary attack vector for IMSI catchers; Android still permits 2G for emergency calls, so the setting is not an absolute block. Not all Android manufacturers expose this setting, and it may not be available on older devices.

On iOS: Apple does not provide a standalone setting to disable 2G. The "5G Auto" and "LTE" options in Settings > Cellular > Cellular Data Options > Voice & Data do not exclude 2G. Apple's documentation for Lockdown Mode (introduced in iOS 16) lists 2G cellular support as turned off while the mode is enabled, but Lockdown Mode also restricts many unrelated features, and there is no finer-grained control.

The limitation of disabling 2G is that in areas with no 4G or 5G coverage (rural areas, some indoor locations, some European countries with sparse LTE deployment), you will have no service at all. For most urban users in Western Europe, this is not a practical problem.

Use Encrypted Communication Apps

IMSI catchers that intercept calls and SMS only capture the content of unencrypted GSM voice and SMS. If you use end-to-end encrypted communication apps (Signal, WhatsApp, Threema, Wire), the voice and message content is encrypted at the application layer, regardless of what is happening at the radio layer. An IMSI catcher can capture encrypted blobs, but cannot decrypt them without the end-to-end encryption keys, which it does not have.

This does not prevent IMSI collection or location tracking, but it eliminates content interception as a risk.

VoLTE and VoNR

Voice over LTE (VoLTE) and Voice over 5G NR (VoNR) carry voice as IP packets over the 4G/5G data bearer, which is protected by the LTE/NR air-interface encryption (128-bit keys with AES, SNOW 3G or ZUC, depending on which algorithm the network selects). Unlike circuit-switched GSM voice, which at best uses the broken A5/1 or the stronger but not universally deployed A5/3, VoLTE and VoNR calls cannot be intercepted by an IMSI catcher that cannot break the LTE/NR encryption. Two caveats apply: the protection depends on the network actually selecting a real cipher rather than the null algorithm, and implementation faults can undermine it, as the 2020 ReVoLTE research showed when some base stations reused keystream across consecutive VoLTE calls, allowing a recorded call to be decrypted.

Ensure VoLTE is enabled on your phone and that your operator supports it. Most major European operators (Deutsche Telekom, Vodafone, Orange, KPN, Telia, Cosmote) support VoLTE as of 2026.

Faraday Bags

A Faraday bag is a pouch made of conductive material that blocks all radio signals. Placing your phone in a Faraday bag prevents it from communicating with any cell tower, real or fake. The phone cannot be tracked, cannot receive IMSI catcher probes, and cannot reveal its IMSI.

The obvious downside is that you cannot receive calls, messages, or data while the phone is in the bag. Faraday bags are used by investigative journalists meeting sensitive sources, by lawyers in certain client meetings, and by security professionals in high-threat environments. They are available from multiple European suppliers for €15 to €50. When evaluating bags, look for attenuation specifications; a good bag should provide at least 60 dB of attenuation across the relevant frequency bands (700 MHz to 6 GHz).

Monitor Your Network Connection

Pay attention to unexpected changes in your network connection. If your phone drops from 4G to 2G in an area where you normally have strong LTE coverage, if you see a brief service interruption followed by reconnection, or if you notice unfamiliar cell information in engineering mode (accessible via dialler codes like *#*#4636#*#* on many Android phones), these may indicate IMSI catcher activity.

This is not a reliable detection method. Most anomalies have innocent explanations (network maintenance, congestion, temporary cell outage). But awareness of what is normal for your usual locations makes it easier to notice when something is different.

Operational Security

For individuals facing targeted surveillance (journalists, activists, lawyers, political dissidents), technical measures alone are insufficient. Operational security practices include:

  • Using prepaid SIMs purchased with cash for sensitive communications. This is increasingly difficult in Europe due to SIM registration requirements (mandatory in Germany since 2017, in Greece since 2009).
  • Separating your "daily" phone from a "sensitive" phone, and never carrying both at the same time in the same location (to prevent correlation).
  • Leaving phones outside meeting rooms for sensitive discussions.
  • Being aware that IMSI catchers collect all phones in range, so your presence at a specific location and time is recorded regardless of whether you are the target.

15. The Future: 5G Standalone, 2G Sunset, and What Remains

The trajectory of cellular security is toward closing the gaps that IMSI catchers exploit. 5G Standalone with SUCI encryption removes the permanent identity exposure. Mandatory mutual authentication in 4G and 5G prevents rogue base station attachment (when 2G fallback is disabled). Stronger ciphers eliminate real-time decryption of air interface traffic.

But several factors slow this progress:

2G sunset is not complete. As long as GSM networks operate, downgrade attacks are possible. European operators are decommissioning 2G on different timelines. Swisscom shut down GSM in April 2020, making Switzerland an early leader. Deutsche Telekom has announced a 2G shutdown "by the end of 2028." Other operators have been less specific. In Southern and Eastern Europe, 2G may persist into the early 2030s due to IoT devices, legacy alarm systems, and rural coverage requirements.

IoT and M2M devices. Millions of embedded devices (smart meters, industrial sensors, fleet trackers) use 2G GSM because it is cheap and ubiquitous. These devices have lifespans of 10 to 15 years and cannot easily be upgraded, pressuring operators to maintain 2G.

Specification loopholes. The null SUCI scheme, optional integrity protection for user-plane data, and operator-configurable security policies mean that the actual security of a 5G deployment depends on how the operator implements it, not just what the specification allows.

Advances in attack techniques. As defensive measures improve, attack techniques evolve. Researchers continue to find new vulnerabilities in each generation. The 5G specification is enormous (thousands of pages across dozens of 3GPP Technical Specifications), and the implementation surface across different vendors' equipment is even larger. New attack vectors will be discovered.

State-level capabilities. Nation-state intelligence agencies have resources that dwarf the assumptions of the commercial IMSI catcher market. Access to SS7/Diameter signalling networks, cooperation with domestic operators, compromised network equipment, and zero-day vulnerabilities in baseband processors all provide alternative avenues for surveillance that do not depend on over-the-air IMSI catching. The shift from IMSI catchers to network-level interception is already underway for sophisticated actors.

The realistic picture for the next five years in Europe is: IMSI catchers targeting 2G will gradually become less effective as GSM is decommissioned. IMSI catchers targeting 4G/5G will continue to be capable of metadata collection (temporary identifiers, location, paging patterns, traffic volume) even if permanent identity capture and content interception become harder. And the surveillance capability will increasingly shift from the radio interface to the network core, where lawful interception interfaces already exist and where the legal and technical controls are different.

For the person carrying a phone through the streets of Berlin, Athens, or Stockholm, the practical advice is unchanged: disable 2G if your phone allows it, use end-to-end encrypted communication apps for anything sensitive, enable VoLTE, and understand that your phone is a tracking device that broadcasts its presence to every cell tower within range, real or fake. The IMSI catcher is one tool in a much larger surveillance ecosystem, and protecting against it is necessary but not sufficient for anyone facing a determined, well-resourced adversary.