We introduce a new type of IMSI catcher which operates over WiFi. Whilst existing Stingray-type IMSI catchers exploit 2-4G radio protocols to track the movements of mobile subscribers, in this talk we introduce two new approaches to tracking mobile devices which exploit authentication protocols that operate over WiFi. These protocols are now widely implemented in most modern mobile OSes, allowing for the creation of a low-cost (<$25) IMSI catcher.
We demonstrate how users may be tracked on a range of smartphones and tablets, including those running iOS, Android and other mobile OSes. This tracking can be performed silently and automatically, without any interaction from the tracked user. We have developed a proof-of-concept system that demonstrates our IMSI catcher employing passive and active techniques.
Finally, we present guidelines for vendors and cellular network operators to mitigate the user privacy issues that arise.