[Gsmmap] advertisement text/sms in a shopping wall

Luca Melette luca at srlabs.de
Fri Jun 29 11:45:01 CEST 2018

Dear Joe,

Collecting IMSIs is possible using all radio technologies (2G, 3G and 4G).
Being able to deliver an SMS requires a successful location update and that should only with a spoofed 2G network, or being connected to a legitimate 3G/4G network.

What could have happened is that the shopping mall has a contract with mobile operators, and the SMS delivery happens just after you log into one of their indoor cells.
This would be completely legal, and it implies no radio abuse.

Talking about other possibilities, I believe you can achieve the same result simply installing a rogue 2G base station.
The fact that 4G coverage is probably not great inside the shopping mall would facilitate full 2G MITM attacks.
Downgrade is also possible but not really necessary.
And a less likely option, 4G stack implementations in mobiles might allow unsafe 4G network configurations, such as no integrity protection supported on the network side.
This would allow 4G catching, but only for affected mobiles.

If you really want to know, you would have to go back there with Snoopsnitch running and look at the pcap :)
If you still find something unclear, feel free to drop me a private mail.



> Hello forum,
> I received and advertisement text/sms in a shopping wall. My believe
> was, that i was alsways "using" LTE. 
> To my knowledge it's extremly difficult to IMSI-catch LTE connected
> mobile phones...
> - Is this not the case? Did they downgrade me to GSM? If not, how
> could that have happend?
> Thank you very much for your help!
> Best regards,
> Joe
> PSUnfortunaltey my private phone with SnoopSnitch installed was turned
> off :-(

More information about the Gsmmap mailing list