How to Catch an IMSI Catcher 

IMSI catchers, or fake antennas, are a common cell phone surveillance method. The FADe project helped local NGOs in Latin America detect and document these devices.
Fri, 2024-02-23 22:06

Civil Society Needs Help Catching IMSI Catchers 

Law enforcement, criminals, and repressive governments monitor cell phone signals for the purpose of counter-terrorism, espionage, or political persecution. One common surveillance method is the placement of fake antennas—or IMSI catchers—which imitate legitimate cell towers in order to track individual mobile subscribers, monitor their communications, or even disable their network connections.

In a high-profile example, a Guatemalan investigation revealed large-scale illegal spying targeting “activists, entrepreneurs, politicians, journalists, diplomats, and social leaders.” Many governments engage in similar practices, often without any meaningful oversight or accountability. 

The battle against authoritarian or illegal spying demands a range of methodologies—from legal policies and telecommunications regulations to physical interventions like “Faraday bags,” which shield devices in a casing that blocks electromagnetic transmissions. But the fight between eavesdroppers and victims (often human rights defenders) is not an even one. Most civil society organizations lack the equipment or expertise to effectively monitor phone surveillance.

Equipping Civil Society with Resources to Expose Surveillance

To help Latin American NGOs level the playing field, South Lighthouse created the Fake Antenna Detection project (FADe), with support from Open Technology Fund’s Internet Freedom Fund. The project’s primary focus was detecting and documenting IMSI catchers—surveillance devices that imitate legitimate cell towers in order to track individual mobile subscribers, monitor their communications, or even disable their network connections.

The FADe team provided training, equipment, and other support to enable local partners to scan for IMSI catchers, analyze their findings and, ideally, make use of the results for advocacy. “A fundamental principle of the program has been partnership and capacitation,” says Andrés Schiavi, Executive Director of South Lighthouse.

FADe’s technology coordinator, Carlos Guerra, says, “We wanted to open up a discussion for NGOs about how cell technology works and about how it should work to ensure optimal benefits to people’s safety and people’s rights.”

Using methods initially developed by the SEAGLASS project at the University of Washington and the Electronic Frontier Foundation (EFF), FADe partners assembled simple sensors using a few off-the-shelf electronics, a smartphone, and a “feature phone” (a basic device resembling an early mobile phone that is usually more affordable and durable than a smartphone). The sensor setup sits in a moving vehicle and collects signal information over several weeks from local cell towers.

By analyzing the resulting data, groups can differentiate between signals consistent with legitimate cell towers and signals showing anomalous behaviors, such as a “tower” that changes locations (see animation below); or only operates during certain times; or uses frequencies or signal parameters not used anywhere else in the network. Another common warning sign is suspicious instructions sent to a device, such as a request to disconnect from all other towers, or a command to downgrade from 3G or 4G to a 2G network, which will make the device more vulnerable to surveillance.

A specific cell tower physically moving among different locations is one of the anomalous behaviors that can help identify an IMSI-catcher.

But analysis of these signals can be tricky, says Guerra. “There is no cookie-cutter method,” he says. The data is “noisy,” and cell providers configure their towers differently. It takes many days of monitoring to set a baseline that helps distinguish between legitimate and fake antennas. 
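The anomaly checks described above (a tower that changes location, one that appears only some of the time, one using a channel seen nowhere else in the network) can be expressed in code as follows. This is an added example, not FADe or SEAGLASS code; the row layout, the strongest-signal position estimate, the thresholds and the sample readings are all assumptions constructed for illustration.

```python
import math
from collections import defaultdict
from itertools import combinations

# Constructed sightings, not FADe data. Assumed row layout:
# (survey_day, cell_id, sensor_lat, sensor_lon, rssi_dbm, channel)
SIGHTINGS = [
    (1, "A", -34.6037, -58.3816, -60, 128), (1, "A", -34.6050, -58.3830, -75, 128),
    (2, "A", -34.6038, -58.3817, -62, 128), (3, "A", -34.6036, -58.3815, -61, 128),
    (1, "B", -34.6100, -58.3900, -70, 128), (2, "B", -34.6101, -58.3901, -68, 128),
    (3, "B", -34.6099, -58.3899, -71, 128), (1, "C", -34.6201, -58.4001, -66, 130),
    (2, "C", -34.6202, -58.4002, -67, 130), (3, "C", -34.6200, -58.4000, -65, 130),
    (1, "X", -34.6000, -58.3700, -55, 975), (3, "X", -34.6400, -58.4200, -52, 975),
    (2, "Y", -34.6200, -58.4000, -58, 130),
]

def km(p, q):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    la1, lo1, la2, lo2 = map(math.radians, (*p, *q))
    h = math.sin((la2 - la1) / 2) ** 2 \
        + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def flag_cells(sightings, max_move_km=1.0, min_day_fraction=0.5):
    """Return {cell_id: [reasons]} for cells that deviate from the survey baseline."""
    days = {row[0] for row in sightings}
    strongest = defaultdict(dict)   # cell -> day -> (rssi, sensor position)
    users = defaultdict(set)        # channel -> cells observed on it
    for day, cell, lat, lon, rssi, chan in sightings:
        if day not in strongest[cell] or rssi > strongest[cell][day][0]:
            strongest[cell][day] = (rssi, (lat, lon))
        users[chan].add(cell)
    flagged = {}
    for cell, per_day in strongest.items():
        reasons = []
        # Crude daily position estimate: where the sensor heard the cell loudest.
        spots = [pos for _, pos in per_day.values()]
        if max((km(p, q) for p, q in combinations(spots, 2)), default=0.0) > max_move_km:
            reasons.append("moved")
        if len(per_day) / len(days) < min_day_fraction:
            reasons.append("intermittent")
        if any(cells == {cell} for cells in users.values()):
            reasons.append("rare-channel")
        if reasons:
            flagged[cell] = reasons
    return flagged

if __name__ == "__main__":
    for cell, reasons in flag_cells(SIGHTINGS).items():
        print(cell, ", ".join(reasons))
```

A flag here is a prompt for closer review, not proof: the thresholds only make sense against a multi-day baseline for the specific network being surveyed.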

The FADe team began working with local organizations in 2018. To mitigate technical and security risks, Schiavi says the first FADe partners were drawn from among South Lighthouse’s network of Latin American organizations. But interest grew rapidly, he says, in part because nothing comparable to the FADe/SEAGLASS approach had ever been available to these organizations. From 2019 to 2022, FADe worked with partners in nine different countries, documenting signals from almost 9,000 antennas, catching more than 150 likely IMSI-catchers. 

One of FADe’s local partners, a digital security specialist from Nicaragua, says he was familiar with FADe in 2018 when he read the bombshell reports about Guatemalan surveillance. “The media found the police were using an IMSI-catcher,” he says. “We have known about methods like this in Central America, but we never had the evidence. I said, ‘We need to monitor that. I need to bring this to Nicaragua.’”

Some of the Findings

The results in Nicaragua revealed 23 antennas around Managua with anomalies that indicated the presence of an IMSI catcher. The local partner (who is remaining anonymous for security reasons) says the findings informed a wider discussion in Nicaragua about telephone eavesdropping. Although it was common knowledge that the government had an “open door” from the national ISP to eavesdrop online, the FADe data drove new public scrutiny and media coverage about the use of fake antennas. 

Among the other FADe sites, Mexico and Venezuela recorded an especially high number of fake antennas, as experts from PODER recounted in the Washington Post (ES). Data from Caracas, Venezuela, showed 33 different devices with irregular readings that could indicate IMSI-catchers. In Buenos Aires, Argentina, out of 1,000 cell towers monitored, suspicious patterns were found in 17 antennas, with most concentrated around the downtown and university areas. Notably, the suspicious antennas found in Buenos Aires were all on the 2G network, with no irregularities seen in the smaller group of devices on the 4G network, which is known to be harder to surveil. For summaries of the observations in all locations, see the project’s results section.

Project Limitations

One limitation of the FADe data, Guerra says, is that the findings alone cannot establish who is behind a fake antenna. In the case of Venezuela, local media groups were able to combine FADe data with their own analyses to compile a bigger narrative about surveillance (including antenna anomalies around a local military base that Guerra says may have presaged the failed military uprising in 2019). 

Guerra, Schiavi, and the FADe partners refined their tools and trainings over three project cycles, as the variety of challenges, contexts, and “chaotic circumstances” prompted adaptations and lessons learned. In some countries, the absence of strict standards governing the cellular network made it harder to differentiate between suspicious patterns and harmless variations. In some sites, including Nicaragua, the FADe team helped groups acquire missing hardware when it was safer or easier than making a local purchase. While the Venezuelan partners had the resources (and sufficient political cover) to use their data in media outreach, others were unable to enlist their findings in a push for accountability. 

“The biggest caveat to a completely independent approach,” says Schiavi, “is knowing how to analyze the data once gathered.” In several cases, the extraction and initial collation of the raw results was conducted with assistance from the SEAGLASS team at the University of Washington. 

Lessons Learned

Schiavi and Guerra say the work across different national contexts provided a number of lessons, which helped them adapt the approach, and which they say can directly inform future work by NGOs in the fight against illegal and repressive phone surveillance:

  • Plan for Power & Expertise Asymmetries

Schiavi says success depends on “addressing two kinds of asymmetries: the power imbalance between governments or cartels and local organizations, and the imbalance of expertise” between groups like FADe or the University of Washington and the local groups that conduct the monitoring. 

The challenges of hardware deployment, data analysis, or basic local infrastructure issues like power outages, revealed the “assumptions and limitations in project design,” Schiavi says, and helped the FADe organizers to better anticipate the realities of local implementation.

  • Detecting Anomalies is Only the Beginning: Data Analysis & Advocacy are Key 

The FADe project was always designed as a cycle of activities, from hardware acquisition and deployment, data collection and processing, to analysis, and—where feasible—responsible dissemination of the findings. But the latter stages of the cycle provided especially important lessons to support future work. 

“The elements needed beyond the hardware are not always present,” says Schiavi, “and in different ways” from site to site. After mobile sensor data was collected from cell towers, for example, local groups had varying degrees of in-house expertise to analyze the processed results, or conduct wider public advocacy or public storytelling. 

  • Know the Risks Involved with Surveillance Tracking

In some countries, the publication of FADe findings could jeopardize the existence of the group releasing the information. And while the FADe sensors themselves leave no trace of their monitoring, the partner in Nicaragua emphasizes that the “personal risk” of being investigated is very real for any group tracking surveillance in a politically closed environment. 

Therefore, says Schiavi, another essential step for security is an informed assessment of whether to undertake a project like FADe in the first place. Every organization considering such work needs to have not only sufficient technological capacity, but sufficient understanding of the risks involved. This means organizers and trainers must be sure to “translate” all the risks and requirements for potential partners with different levels of technology expertise.

Future Work

For groups seeking to build on the lessons from FADe, Schiavi says the next step toward accessible tools would be an app that worked on any cell phone. He envisions a system that collects data about nearby antennas, “then aggregates the results in a central database, similar to monitoring tools like OONI (Open Observatory of Network Interference).” Not only would an app on a phone eliminate the multi-device setup, Schiavi says, but it would also be easier to conceal physically, be safer in riskier environments, and could function over any network from 2G to 5G.

The primary mission of FADe was to make the technology and the methods for detecting surveillance as available as possible. Schiavi says the findings from the sites, and the lessons from the process itself, can be a roadmap for the full cycle of activities needed to mobilize the tools for accountability.
