IMSI catcher: How it works, legal situation and protective measures

IMSI catchers are devices that force mobile phones to connect to them, thereby capturing call data and locations. Technology, Section 100i of the Code of Criminal Procedure, detection, and protection explained.

An IMSI catcher—also known as a Stingray, IMSI trap, or fake base station—is a device that poses as a legitimate cellular base station to mobile phones and forces them to connect. This allows the operator of the IMSI catcher to identify the device’s International Mobile Subscriber Identity (IMSI), track locations, collect metadata, and, in older cellular standards, intercept or manipulate calls.

Originally developed exclusively for government law enforcement agencies, IMSI catchers are now also available as commercial products and are demonstrably in use in criminal circles.

Technical Functioning

Basic Principle: Fake Base Station

IMSI catchers exploit a fundamental vulnerability in the GSM standard (2G): one-way authentication. In GSM, the mobile phone authenticates itself to the network, but not vice versa. The mobile phone simply connects to the base station transmitting the strongest signal—without verifying whether that station actually belongs to the mobile network provider.

How an IMSI Catcher Attack Works:

  1. Signal Dominance: The IMSI catcher transmits a stronger signal than the legitimate base stations in the area.
  2. Connection Establishment: The mobile phone automatically connects to the strongest signal—the IMSI catcher.
  3. Identity query: The IMSI catcher prompts the device to transmit its IMSI (a permanent identifier on the SIM) in plain text. Legitimate networks rarely do this; IMSI catchers do it systematically.
  4. Forwarding (optional): The IMSI catcher transparently forwards connections to the real mobile network, so the victim usually does not notice any interruption in service.
  5. Interception (2G): In the GSM network, the IMSI catcher can intercept calls and SMS messages in plain text, as encryption between the device and the catcher can be disabled or broken.

Limitations in 3G and 4G (LTE)

In UMTS (3G) and LTE (4G), mutual authentication was introduced—the network must also authenticate itself to the device. Simple IMSI catchers resort to a downgrade attack in these networks: They trick the device into believing that no 3G/4G network is available and force it to connect via the less secure 2G/GSM.

Advanced commercial IMSI catchers (some government systems) can also intercept LTE connections by replaying valid authentication parameters or performing man-in-the-middle attacks on LTE—this is technically more sophisticated and more expensive.

IMSI vs. IMEI

  • IMSI (International Mobile Subscriber Identity): Identifies the SIM card; stored on the SIM. Changing the SIM changes the IMSI.
  • IMEI (International Mobile Equipment Identity): Identifies the physical device; permanently embedded in the hardware. IMSI catchers can also capture IMEIs.

Even changing the SIM card does not provide complete protection, as the device’s IMEI can still be captured.

§100i StPO – Permitted Government Use

In Germany, the use of IMSI catchers by law enforcement agencies (police, public prosecutor’s office) is regulated by §100i of the Code of Criminal Procedure (StPO). Requirements:

  • Suspicion of a serious criminal offense (offenses listed in §100a StPO)
  • Judicial approval: An order by a judge is required (except in cases of imminent danger)
  • Principle of subsidiarity: Other investigative methods must have failed or be significantly impeded
  • Proportionality: The measure must be proportionate to the severity of the offense
  • Duty to notify: Those affected must generally be notified upon completion of the investigation

§100i explicitly permits the collection of IMSI and IMEI data for device identification and location tracking. The interception of conversations is not permitted under §100i alone—a separate telecommunications surveillance order under §100a StPO would be necessary for that.

Unauthorized Use as a Criminal Offense

The use of an IMSI catcher without government authorization is a criminal offense in Germany:

  • §202b StGB (Interception of Data): Up to 2 years’ imprisonment
  • §202a StGB (Spying on Data): Up to 3 years’ imprisonment
  • §89 TKG (Interception of radio communications): Fine of up to €1,000

Detecting IMSI Catchers

Reliably detecting an IMSI catcher is technically difficult and virtually impossible for ordinary users. The following signs may indicate the presence of an IMSI catcher:

Technical Indicators

  • Forced 2G/GSM: The device is downgraded to 2G for no apparent reason, even though 4G/5G should be available
  • Unknown Cell IDs: A base station with an unknown or unusual Cell ID (LAC/TAC) appears in the area
  • Severe signal drop and surge: A sudden signal drop followed by a strong signal from a new base station
  • Increased battery consumption: Frequent network handoffs caused by IMSI catchers increase the device’s radio activity
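
The first three indicators above can be checked mechanically against a log of serving-cell observations. The following sketch is an added example, not code from this article or from any detection app; the record fields, the thresholds and the sample log are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Obs:
    t: int      # seconds since start of the log
    rat: str    # radio access technology: "2G", "3G", "4G", "5G"
    lac: int    # location/tracking area code (LAC/TAC)
    cid: int    # Cell ID
    rssi: int   # signal strength in dBm

# Assumed thresholds for illustration; tune against your own baseline.
DROP_DB = 20       # loss on the serving cell that counts as a "severe drop"
STRONG_DBM = -60   # a newly selected cell at or above this is a "surge"

def indicators(trace, known_cells):
    """Map timestamp -> indicator names for a time-ordered list of Obs."""
    hits, dropped = {}, False
    for prev, cur in zip(trace, trace[1:]):
        if (cur.lac, cur.cid) == (prev.lac, prev.cid):
            # Same serving cell: only remember whether the signal collapsed.
            dropped = prev.rssi - cur.rssi >= DROP_DB
            continue
        found = []
        if cur.rat == "2G" and prev.rat in ("4G", "5G"):
            found.append("forced_2g")
        if (cur.lac, cur.cid) not in known_cells:
            found.append("unknown_cell")
        if dropped and cur.rssi >= STRONG_DBM:
            found.append("drop_then_surge")
        dropped = False
        if found:
            hits[cur.t] = found
    return hits

# Constructed sample data: cells seen on earlier days, then one log.
KNOWN = {(4101, 1201), (4101, 1202), (310, 77)}
TRACE = [
    Obs(0, "4G", 4101, 1201, -85),
    Obs(10, "4G", 4101, 1202, -88),    # ordinary handover between known cells
    Obs(20, "4G", 4101, 1202, -112),   # serving cell collapses by 24 dB
    Obs(30, "2G", 9999, 65000, -51),   # strong, never-seen 2G cell takes over
    Obs(40, "2G", 310, 77, -90),       # back on a known 2G cell
]

if __name__ == "__main__":
    for t, names in indicators(TRACE, KNOWN).items():
        print(t, names)
```

Each indicator on its own also has ordinary causes such as coverage gaps or newly built cell sites, so the output is a list of observations to review, not a verdict.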

IMSI Catcher Detection Apps (Limited)

Apps such as AIMSICD (Android, open source) or SnoopSnitch attempt to identify suspicious base stations based on network parameters. However, these apps have significant limitations:

  • Without root access, no complete baseband information is available on modern Android versions
  • High false positive rate
  • Advanced IMSI catchers can mimic normal network parameters

Professional Detection

For high-risk situations (journalists, activists, corporate security), there are professional hardware detection systems (e.g., GSMK CryptoPhone, Pwnie Express products) that can analyze baseband signals and detect anomalies.

Protective Measures

Technical Protective Measures

Use VoLTE (Voice over LTE): VoLTE calls run exclusively over the LTE connection and its encryption, and cannot be intercepted by a simple 2G downgrade attack. Prerequisite: The device and mobile carrier must support and enable VoLTE.

Disable 2G on the device: On modern Android devices and iPhones, 2G connectivity can be disabled (Settings → Network → Preferred network type: LTE/4G or 5G only). This prevents the downgrade attack but has limitations in areas without 4G/5G coverage.

SUPI (5G successor to the IMSI): In the 5G standard, the IMSI is replaced by the SUPI (Subscription Permanent Identifier), which is transmitted over the air only in encrypted form, as a SUCI (Subscription Concealed Identifier). The SUPI is encrypted with the home network’s public key, so the permanent identifier is no longer transmitted in plain text. Traditional IMSI catchers are thus significantly more difficult to implement against 5G.

End-to-end encrypted communication: Even if an IMSI catcher is active, end-to-end encryption (Signal, Wire) protects the content of messages and calls. The attacker then only obtains metadata (who is communicating with whom, when, and for how long), not the content of the conversation.

Airplane Mode in sensitive situations: In highly sensitive meetings, disabling all wireless communication (Airplane Mode) or using Faraday bags for mobile phones can enhance protection.

Organizational Measures

  • Raising awareness among employees in high-risk roles (executive level, M&A teams, legal department)
  • Policy for sensitive conversations: Mobile phones outside the meeting room
  • For critical communication: Dedicated encrypted phones or VoIP over encrypted VPN connections

IMSI Catchers in the Context of OSINT and Penetration Testing

In the context of red team exercises and physical penetration tests, IMSI catchers may be used (with the client’s express permission) to test whether:

  • Employees are conducting sensitive conversations in public areas
  • Companies have appropriate protective measures in place for mobile communications
  • Awareness training is effective

Any use without written authorization is—as described above—a criminal offense.

This article was last edited on 08.03.2026. License: CC BY 4.0 - free use with attribution: "AWARE7 GmbH, https://a7.de"
