LTE Phone Number Catcher: A Practical Attack against Mobile Privacy

Phone number is a unique identity code of a mobile subscriber, which plays a more important role in the mobile social network life than another identification number IMSI. Unlike the IMSI, a mobile device never transmits its own phone number to the network side in the radio. However, the mobile network may send a user's phone number to another mobile terminal when this user initiating a call or SMS service. Based on the above facts, with the help of an IMSI catcher and 2G man-in-the-middle attack, this paper implemented a practicable and effective phone number catcher prototype targeting at LTE mobile phones. We caught the LTE user's phone number within a few seconds after the device camped on our rogue station. This paper intends to verify that mobile privacy is also quite vulnerable even in LTE networks as long as the legacy GSM still exists. Moreover, we demonstrated that anyone with basic programming skills and the knowledge of GSM/LTE specifications can easily build a phone number catcher using SDR tools and commercial off-the-shelf devices. Hence, we hope the operators worldwide can completely disable the GSM mobile networks in the areas covered by 3G and 4G networks as soon as possible to reduce the possibility of attacks on higher-generation cellular networks. Several potential countermeasures are also discussed to temporarily or permanently defend the attack.