LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is the IMSI catcher, and what two capabilities does it have (passive vs. active)?

An IMSI catcher exploits GSM's one-sided authentication by impersonating a base station. Passively (GA 090) it forces phones to send their IMSI instead of TMSI to determine a subscriber's identity; actively (GA 900) it has its own SIM and sits as a man-in-the-middle to also intercept outgoing calls.

Photograph of a portable IMSI-catcher surveillance device.

* A real IMSI-catcher device. — 1971markus, CC BY-SA 4.0, via Wikimedia Commons. *

Why it works: GSM authenticates only the phone, not the base station — and a phone always attaches to the strongest signal. So a fake base station with a strong signal will be trusted.

Two capability levels:

Mode Capability
Identity catching (GA 090) Forces the phone to transmit its IMSI instead of the TMSI → reveals the subscriber's identity. The catcher poses as a base station the phone must (re-)identify to
Call interception (GA 900) The catcher has its own SIM, poses as a BS toward the phone and as a MS toward the real BS → full man-in-the-middle, monitoring outgoing calls

The enabling downgrade: since the catcher controls the "network" side, it can also tell the phone to use A5/0 (no encryption) — a downgrade attack — so calls are trivially readable.

Tip: The IMSI catcher is the practical payoff of two GSM design flaws working together: one-sided authentication (lets you fake a BS) + downgrade capability (lets you strip encryption). Mutual authentication in UMTS/LTE is the direct fix.

Go deeper:

From Quiz: MOBINFSEC / GSM & LTE Security Infrastructure | Updated: Jul 14, 2026