How to spoof a cell phone tower (cell site, base station) -- homemade IMSI-Catcher

Defcon has had a few presentations on this subject. An active attacker can turn off encryption altogether, never mind just changing it.

Also there is an open source program available just for this. I will edit this with the link when I find it.

  • Software: http://openbts.org/
  • Antennas: https://www.ettus.com/product/category/Antennas
  • RF Daughterboards: https://www.ettus.com/product/category/Daughterboards
  • Video: https://www.youtube.com/watch?v=wjYAAmHvt-g

A recent Black Hat Europe talk entitled "LTE and IMSI catcher myths" [Paper], [presentation] was carried out using a Yate BTS SatSite. The provided materials hint at how to build such a fake base station.

A potentially cheaper option would be to get a femtocell device from an existing mobile provider (which often lend them or sell them cheaper than any SDR you'd need for OpenBTS) and root it.

Once you've got root, you can look at what software drives the mobile network interface and modify it, or make your own software, so that it spoofs a provider's real BTS and logs the IMSIs.