Researchers from the University of Oxford have revealed that they have discovered two significant privacy flaws in the currently deployed mobile networks, which would reportedly allow anyone to track a mobile phone with a minimum amount of cost and effort.
According to the researchers, the flaws relate to the International Mobile Subscriber Identity (IMSI), which is a globally unique identifier stored on the SIM card.
IMSI identifies and allows for authentication of a mobile subscriber on the mobile network, making it a significant and important private identifier. It is designed to be seen only by the mobile operator and stored in their subscriber database.
An IMSI catcher is a piece of technology that allows for tracking of specific mobile subscribers based on their IMSI – in a mobile phone, tablet, car or other mobile connected device. These catchers have previously been built for specialist uses such as law enforcement.
The new approach uses different techniques, which operate in the WiFi bands. These do not need a licence, which therefore enables anyone to make an IMSI catcher using nothing more complex than an ordinary laptop, or any other WiFi device.
Using that laptop, and software based on an approach described by the researchers, someone could set up a ‘rogue access point’ masquerading as a well-known auto WiFi network (such as the WiFi available in tube stations), and so lure smartphones in range to connect. Once connected the rogue access point extracts their IMSI.
According to the researchers, the flaws exposed by the research are present in most current smartphones, but their exploitation depends upon their operator configuration.
The IMSI flaw should prompt device users and owners to consider mobile device management. This is particularly true for businesses that provide devices such as smartphones and tablets to employees.