Unmasked Spies

Security: Pwned. edited this page Aug 4, 2015 · 23 revisions

On this page we are aiming to collect our findings about IMSI-Catchers that we have spotted in real life. Contact SecUpwN if you have leaked information or fresh pictures!


Demonstrations

The pictures and assumptions collected below are based purely on monitoring demonstrations, especially those of PEGIDA (both sides) in Germany. That means: don't take anything for granted, we could be riding a dead horse here. But we found it very strange that the casual-looking cars we discovered have so many antennas (in a few cases hidden under suitcases or similar on the roof) and are always used along the paths where demonstrators march. We don't think that these cars are used to ensure police communication during the demonstrations, but rather to find out who participated in them and to spy on those people. Remember: Leave your phones at home!

Closeup of antennas and IMSI-Catcher device inside car

  • Picture taken on February 10, 2015 in Dresden, Germany
  • Notice the box inside the car - likely the IMSI-Catcher!

Blue VW T4

  • Picture taken on February 10, 2015 in Dresden, Germany

White VW T4

  • Picture taken on January 30, 2015 in Leipzig, Germany

Yellow VW T4

  • Picture taken on January 30, 2015 in Leipzig, Germany

VW Sharan

  • Picture captured at 16:44 on February 25, 2015 during DÜGIDA/PEGIDA demos

VW Sharan 2

  • Picture captured at 18:30 on February 25, 2015 during DÜGIDA/PEGIDA demos

Biometric Scanner

  • Also be aware of biometric scanners like the one pictured above (likely running software like GES-3D)

Appearance

  • Very popular car models for this purpose in Germany: VW (T4) and Mercedes
  • Darkened windows with curtains on the inside to ensure no one can see in
  • Vehicles look very unobtrusive (almost blending in too well)
  • Most of the time these vehicles are uni-color (preserves multipurpose)
  • Antennas may be hidden in the large "suitcase" on the roof of the car
  • IMSI-Catcher vehicles may have detachable police lights, but not always
  • Not sure if the antennas are also removable, but it certainly seems so
  • Police are "lending" IMSI-Catchers to each other (IMSI-Catcher vehicles from Leipzig (Germany) have been seen at demonstrations in Dresden (Germany) and vice versa)

License Plates

We know for a fact that every IMSI-Catcher has at least 10 (!) different license plates and the license plate is likely changed every time the vehicle moves to a new operating site. But we have discovered that this is not always the case, so for the pure fun of it, here are some real ones (list will be expanded):

  • AC-JY 723
  • DD 30600
  • DD 31399
  • DD Q 3400
  • DD Q 3689
  • DD Q 7154
  • DD Q 7344
  • DD Q 7369
  • DD Q 7437
  • DD Q 7447
  • DD Q 2533
  • DD SB 1786
  • EF TP 9164
  • L 7122
  • L 7136
  • L 7157
  • L 7187
  • L 7214
  • L 7292
  • L 7437
  • MEI 00423
  • PIR BR 920

Even more Info

IMSI-Catchers are false mobile towers (base stations) acting between the target mobile phone(s) and the real towers of service providers. As such they are considered a Man-In-The-Middle (MITM) attack and can be used to obtain a record of everyone who attended demonstrations with a cell phone (leave your phones at home by all means if you really have to attend). IMSI-Catchers also allow adversaries to intercept your conversations, text messages, and data. Police can use them to determine your location or to find out who is in a given geographic area at what time. Identity thieves can use freely available tools to monitor and manipulate communications from a parked car in your residential neighborhood, notably for stealing passwords or credit card data from people nearby who make purchases on their phones. In the USA the IMSI-Catcher technology is known under the name "StingRay". Below is a picture of StingRays on the roof of cars.

StingRays on the roof of cars

This specific MITM attack was patented and first commercialized by Rohde & Schwarz in 2003, although it would be hard to maintain such a patent, since in reality it is just a modified cell tower with a malicious operator. On 24 January 2012, the Court of Appeal of England and Wales held that the patent is invalid for obviousness. But ever since it was first invented, the technology has been used and "improved" by many different companies around the world. Other manufacturers (like Anite) prefer to refer to this spying and tracking equipment in glossy brochures using cozy marketing words like "Subscriber Trackers". IMSI-Catcher manufacturers are abusing your mind by disguising their spying products as "life saving equipment". Don't get fooled by heart-wrenching stories, their real purpose will always be surveillance and even killing people. Inside a "Vehicular Intercom System":

Vehicular Intercom System

IMSI-Catchers come in countless shapes and sizes:

IMSI-Catchers in Suitcase

  • Current IMSI-Catchers can be as tiny as the portable Septier IMSI-Catcher Mini.
  • The smartphone takes up the most space. IMSI-Catchers will get even smaller!

Septier IMSI-Catcher Mini

  • The photograph below was taken during the riots on Taksim Square in Istanbul.
  • Note: It is way too conspicuous and you'll likely never encounter one of these.

Taksim Square

  • Body-worn IMSI-Catcher (for spies amongst the demonstrators):

Body-worn IMSI-Catcher

  • Pay close attention wherever you go: Cell Towers can be hidden everywhere!

Disguised Cell Tower

  • Google: "GSM Interceptor", "IMSI-Catcher", "StingRay" or "Cell Site Simulator".