IMSI-Catcher of the new generation:
Also known as: Hailstorm’s “Stingray”, Rayzone’s “Piranha” They all have the GSM IMSI-Catcher features, plus new SS7, UMTS/LTE features
I want to compare the two devices and find out if there is a alternative method for all modes of operation with a 2.0 catcher.
1. The catching of IMSIs is much easier with LTE and so is the rest of the methods that are used.
2. The GSM features remain as a fall back, if the SS7 attack doesn’t work for example.
3. The possibilities of manipulating the firmware are more advanced than in 2G.
Sources and Papers about the topic 5G / LTE /
UMTS surveillance and security:
 LTE & SS7 Security  http://arxiv.org/pdf/1510.07563v2.pdf
 Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information https://www.ndss-symposium.org/wp-content/uploads/2018/03/NDSS2018_02A-3_Hussain_Slides.pdf
Practical Attacks against Privacy and Availability in 4G/LTE Mobile Communication Systems http://arxiv.org/pdf/1510.07563v2.pdf
 aLTEr Attack (MITM, DNS Spoofing on LTE): imsi-catcher is also transmitting a signal to the phone. It tries to manipulate the DNS to redirect all data that is send from/to the mobile device. It uses 2 attack vectors Paper: breaking_lte_on_layer_two.pdf (pre-paper 7-2019) https://alter-attack.net/#paper
Details about SS7 requests and messages. TS 29.338 Section 6.3.2 TS 29.305 Section A220.127.116.11
Other papers and projects about next generation surveillance:
5G Is Here—and Still Vulnerable to Stingray Surveillance
Touching the Untouchables: Dynamic SecurityAnalysis of the LTE Control Plane https://syssec.kaist.ac.kr/pub/2019/kim_sp_2019.pdf
LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE (Protocol Layer) http://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2018/02/ndss2018_02A-3_Hussain_paper.pdf
IMSI Catcher 2.0 and LTE fake base stations: – Hackday: lte-imsi-catcher