oran-testing / soft-t-ue

Open source O-RAN 5G security testing tool
https://rantesterue.org
GNU Affero General Public License v3.0

IMSI Catching Attack #36

Open cueltschey opened 2 months ago

cueltschey commented 2 months ago

International Mobile Subscriber Identity Catching Attack

Implementation (gNB):

Create a dummy gNB:

Mitigation:

Attack Metrics:

cueltschey commented 2 months ago

An International Mobile Subscriber Identity (IMSI) Catching Attack is a type of surveillance attack on cellular networks where an adversary intercepts and captures the IMSI, a unique identifier assigned to each mobile subscriber. The attack typically involves deploying a rogue base station, often referred to as an IMSI catcher or "stingray," that masquerades as a legitimate cell tower. When a mobile device attempts to connect to the network, it transmits its IMSI to the rogue base station during the initial authentication process. The attacker can then use this information to track the user's location, monitor their communications, or even perform more advanced attacks like eavesdropping or denial of service. This attack exploits the fact that many networks still use plaintext IMSI transmission during the initial connection process, making it vulnerable to interception.

To perform an IMSI Catching Attack test in srsRAN, we can set up a rogue srsGNB that acts as a fake base station. Configure the srsGNB with a higher signal strength to lure nearby UEs (User Equipment) into connecting to it instead of the legitimate base station. When a UE attempts to connect, it will send its IMSI to the rogue srsGNB. We can modify the rrc.cc file in the srsGNB to log the received IMSIs. By analyzing these logs, we can capture and study the IMSI information transmitted by the UEs. This test helps demonstrate the vulnerabilities in the initial connection procedure and the importance of secure authentication methods like Temporary Mobile Subscriber Identity (TMSI) in preventing IMSI catching attacks.
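
Added example, not part of the issue text or the soft-t-ue code base: a defender-side check that classifies which kind of identity a UE exposes in a captured 5GS mobile identity value, so a test run can report how often the permanent identifier goes out unprotected versus a temporary identity. The octet layout is assumed from 3GPP TS 24.501 (value part only, without IEI and length octets); the function names and all sample bytes are constructed for illustration.

```python
from collections import Counter

# Type of identity: low 3 bits of the first value octet (assumed per TS 24.501).
SUCI, GUTI_5G, S_TMSI_5G = 1, 2, 4
NULL_SCHEME = 0  # protection scheme id 0: permanent identifier sent unconcealed


def classify_identity(value: bytes) -> str:
    """Return the exposure class of one 5GS mobile identity value part."""
    if not value:
        raise ValueError("empty identity")
    id_type = value[0] & 0x07
    if id_type in (GUTI_5G, S_TMSI_5G):
        return "temporary"
    # Bits 7-5 of the first octet carry the SUPI format; 0 means IMSI.
    if id_type != SUCI or (value[0] >> 4) & 0x07 != 0:
        return "other"  # IMEI, NAI-format SUCI, etc. are outside this check
    # IMSI-format SUCI: 3 PLMN octets, 2 routing indicator octets, scheme id,
    # home network key id, then the scheme output.
    if len(value) < 8:
        raise ValueError("truncated SUCI")
    scheme = value[6] & 0x0F
    return "permanent-cleartext" if scheme == NULL_SCHEME else "permanent-concealed"


def exposure_summary(identities) -> Counter:
    """Count exposure classes over a list of identity value parts."""
    return Counter(classify_identity(v) for v in identities)


# Constructed samples (test PLMN 001/01, routing indicator 0); not real captures.
HDR = bytes([0x00, 0xF1, 0x10, 0xF0, 0xFF])
SAMPLES = [
    bytes([0x01]) + HDR + bytes([0x00, 0x00]) + bytes.fromhex("2143658709"),  # null scheme
    bytes([0x01]) + HDR + bytes([0x01, 0x01]) + bytes(40),  # concealed scheme output
    bytes([0xF2]) + bytes(10),  # 5G-GUTI
    bytes([0xF4]) + bytes(6),   # 5G-S-TMSI
]

if __name__ == "__main__":
    for label, count in sorted(exposure_summary(SAMPLES).items()):
        print(f"{label}: {count}")
```
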