Biz & IT —

The body-worn “IMSI catcher” for all your covert phone snooping needs

Other next-gen devices locate and decrypt mobile phone calls in real time.

A body-worn IMSI catcher for covert snooping.
A body-worn IMSI catcher for covert snooping.

Recently leaked brochures advertising next generation spy devices give outsiders a glimpse into the high-tech world of government surveillance. And one of the most tantalizing of the must-have gizmos available from a company called GammaGroup is a body-worn device that surreptitiously captures the unique identifier used by cell phones.

"The unit is optimized for short-range covert operation, designed to allow users to get close to Target(s) to maximize the chances of only catching the Target(s') identities and minimal unwanted collateral," one of the marketing pamphlets boasts. "The solution can be used as a standalone device or integrated into wider data-gathering and geo-tracking systems."

At just 41 x 33 x 18 centimeters, the device is small enough to fit under a shirt. It needs from one to 90 seconds to capture the international mobile subscriber identity (IMSI) or international mobile equipment identity (IMEI) of the person being tracked. It works on all GSM-based networks regardless of country and is fully operational even when functioning in a moving vehicle. The same brochure advertises several other varieties of IMSI catchers, including some that work in a totable briefcase and one that receives signals from a covert vehicle roof bar antenna. The James Bond spying tools are sold to government agencies and law enforcement organizations.

It's not clear who leaked the brochures, but it's a safe guess it wasn't anyone loyal to GammaGroup. The company has come under sharp criticism for a spyware product known as FinFisher, which has been caught posing as the Mozilla Firefox browser and being used against human rights activists.

Other devices available from GammaGroup help snoops physically track and tap a target once his IMSI is known. One device helps spies physically locate a target by locking into his mobile phone signal. It can also intercept the target's SMS messages and "take control of target phones for the purpose of denying GSM service." The devices can even "create a bubble or exclusion zone to deny GSM network coverage without alerting cell phones."

Yet another brochure markets devices with the ability to decrypt voice calls that use the A5/1 encryption algorithm that protects GSM communications. Known weaknesses in the aging crypto standard have made it vulnerable to cracking for more than a decade, making it possible for an adversary to identify in real-time the key being used to encrypt a specific conversation. GammaGroup's interceptors are designed to streamline the process with a "fully passive system with A5/1 realtime decipher." In 2011, a white-hat security researcher designed a lower-cost device that did much the same thing, but we're guessing it's not as easy to use.

Many network operators have begun bolstering A5/1 with an upgrade that adds randomization to reduce the amount of predictable plaintext that's available to people monitoring and trying to decode a signal. "Any changes in the plaintext will have a catastrophic effect on the current generation of passive decryptors," the GammaGroup marketers warn.

Not to worry, next-generation technology described as "BB" can work around the new randomization protection. It does so by implementing "clever cryptographic shortcuts which do not rely on receiving specific messages or plaintext." Oh, and the devices are "extremely power efficient" too.

Channel Ars Technica