Bodyworn IMSI Catchers

If you never talk on your cell phone, communicate only via SMS, and paid cash for phone and SIM, you should be very hard to track… right?

Bodyworn IMSI catchers mean “maybe not.” A surveillance team member equipped with one of these can get within a few feet of you (say, by standing in line behind you) and identify all powered-on cell phones within a small radius. (And eavesdrop on the calls, presumably.) Two people doing this twice over two different days are almost certain to ID only the phone(s) you carry, IF you keep it powered on.

(Strangely, the brochure referenced in the linked article is *not* from the latest Wikileaks “Spy Files” release, and it’s since been pulled from Dropbox. Anyone know where to download a copy?)

Someone in the comments points out that a few years ago someone made a smartphone app that produced similar functionality (showing all IMSIs in range) before it got pulled, ostensibly over minor copyright infringement.

A related issue is bodyworn phased-array mics. As detailed in one of the earlier WL “Spy Files” releases, a surveillance operator wears a special vest under their jacket containing a microphone phased array covering the back; he or she can then “steer” the audio beam to eavesdrop on the apparently private conversation between two people walking behind them. Yes, surveillance can happen from “in front.”

Either way, if you see someone with a weirdly lumpy jacket, do NOT walk up to the “brother” and explain why today’s a poor day for martyrdom… report them to your local anti-terror authority immediately 🙂

“Recently leaked brochures advertising next generation spy devices give outsiders a glimpse into the high-tech world of government surveillance. And one of the most tantalizing of the must-have gizmos available from a company called GammaGroup is a body-worn device that surreptitiously captures the unique identifier used by cell phones.

“The unit is optimized for short-range covert operation, designed to allow users to get close to Target(s) to maximize the chances of only catching the Target(s’) identities and minimal unwanted collateral,” one of the marketing pamphlets boasts. “The solution can be used as a standalone device or integrated into wider data-gathering and geo-tracking systems.”

At just 41 x 33 x 18 centimeters, the device is small enough to fit under a shirt. It needs from one to 90 seconds to capture the international mobile subscriber identity (IMSI) or international mobile equipment identity (IMEI) of the person being tracked. It works on all GSM-based networks regardless of country and is fully operational even when functioning in a moving vehicle. The same brochure advertises several other varieties of IMSI catchers, including some that work in a totable briefcase and one that receives signals from a covert vehicle roof bar antenna. The James Bond spying tools are sold to government agencies and law enforcement organizations.

It’s not clear who leaked the brochures, but it’s a safe guess it wasn’t anyone loyal to GammaGroup. The company has come under sharp criticism for a spyware product known as FinFisher, which has been caught posing as the Mozilla Firefox browser and being used against human rights activists.

Other devices available from GammaGroup help snoops physically track and tap a target once his IMSI is known. One device helps spies physically locate a target by locking into his mobile phone signal. It can also intercept the target’s SMS messages and “take control of target phones for the purpose of denying GSM service.” The devices can even “create a bubble or exclusion zone to deny GSM network coverage without alerting cell phones.”

Yet another brochure markets devices with the ability to decrypt voice calls that use the A5/1 encryption algorithm that protects GSM communications. Known weaknesses in the aging crypto standard have made it vulnerable to cracking for more than a decade, making it possible for an adversary to identify in real-time the key being used to encrypt a specific conversation. GammaGroup’s interceptors are designed to streamline the process with a “fully passive system with A5/1 realtime decipher.” In 2011, a white-hat security researcher designed a lower-cost device that did much the same thing, but we’re guessing it’s not as easy to use.

Many network operators have begun bolstering A5/1 with an upgrade that adds randomization to reduce the amount of predictable plaintext that’s available to people monitoring and trying to decode a signal. “Any changes in the plaintext will have a catastrophic effect on the current generation of passive decryptors,” the GammaGroup marketers warn.

Not to worry, next-generation technology described as “BB” can work around the new randomization protection. It does so by implementing “clever cryptographic shortcuts which do not rely on receiving specific messages or plaintext.” Oh, and the devices are “extremely power efficient” too.”
