How can device and identity tracking be performed against LTE, and what defends against it?
The IMEI and IMSI can be intercepted and used to track a phone or user — rogue base stations perform a MitM attack by forcing UEs to connect at high power, capturing the IMEI/IMSI sent while attaching. Mitigations: use temporary identities and never transmit them unencrypted; IMSI-catcher-catchers.
* Identity tracking: a rogue cell forces attach to harvest IMEI/IMSI. *
The threat:
- The IMEI (device identity) and IMSI (subscriber identity) can be intercepted and used to track a phone and/or user
- A rogue base station performs a MitM attack by forcing UEs to connect to it by transmitting at high power level
- The phone may transmit its IMEI or IMSI while attaching or authenticating — exactly when the catcher harvests it
The mitigations:
- UEs should use temporary identities and not transmit them (the permanent IDs) over unencrypted connections
- IMSI-catcher-catcher — a detector that spots the tell-tale behavior of a fake base station (e.g., a too-strong cell that asks for IMSIs)
The persistent problem: even in LTE, there are moments (initial attach, certain authentication steps) where a permanent identity must be exposed. The defense is to minimize those moments and protect them — but it's an arms race, hence "IMSI-catcher-catchers."
Tip: This is the LTE-era survival of the classic GSM IMSI catcher — mutual authentication stops fake call delivery, but identity harvesting at attach time is harder to fully eliminate.
Go deeper:
Cell-Site Simulators / IMSI Catchers (EFF) — how a high-power fake tower makes phones attach and transmit their IMSI/IMEI, and the limits of defending.