mobile network surveillance system operators

Given the number of mobile network surveillance system operators and handsets in a given area, IMSI Catchers need to operate as multiple fake towers simultaneously to harvest as much data as possible in a short amount of time. Some report a rate of 1200 IMSIs per minute across 5 networks while others boast simultaneous voice intercepts as featured on the Surveillance Industry Index. Often it will operate by purporting to be many towers from the same network provider thereby reducing the time it takes to get all the IMSIs from users on a popular network.

Each fake tower will emit a signal containing numbers to tell a mobile phone how to talk to it when it wants to make a call or send a text. Or information on how to register with it so the tower can contact it when an incoming call or text arrives. Specifically, the tower will send a country code and an operator code to the handset. In normal circumstances, this allows phones to stay connected to their operators' towers and not to start roaming in border areas if another native tower is present.

It is these values that were problematic in the GSOC case. Irish towers should not be identifying themselves as being in the UK or offering the service of a UK network provider. The mobile phone of a UK 16 channel nvr visitor to GSOC would have spotted its native tower and connected to it. Depending on the model of IMSI Catcher used, full intercept of all data to and from that handset would then be possible.

It is interesting to note that the fake UK network was the only one detected by Verrimus. However, given that IMSI Catchers 4 channel nvr operate multiple fake towers simultaneously, it is highly likely that one or more Irish networks were also being intercepted. Very often a misconfiguration, such as an incorrect country code, is the only evidence available of an IMSI Catcher being deployed when forensic tools are not being used to look for one. This recently occurred around the Ecuadorian Embassy in London where base stations from a Ugandan telco were mysteriously popping up.