Some considerations about IMSI Detach DoS Attack

Gloria Mazzi mazzi.teodolinda.gloria at
Fri Jul 22 15:48:40 UTC 2011

Hi all,

as stated on OsmocomSecurity:
"A malicious attacker knowing the IMSI or TMSI of a victim can thus send
hand-crafted IMSI DETACH messages to a cell, causing the network to assume
the MS is no longer present in the network.This will effectively prevent the
delivery of all mobile-terminated (MT) services, such as SMS, voice calls,
CSD, ...".

Following the theory i've better understood how it works [1]*, but still i
have some questions for you:

- what could happen if i will clone one SIM (Ki, IMSI) and use it to
register on the same network, but on different BTS/LAC, two phones? Which
will be rejected as first? Or both?

- if i will send an IMSI detach with one of them... also the other (that is
phisically in another BTS/LAC) will be disconnected?

- what could happen if i will connect a C123 with ./mobile to the network
using another SIM and then trying to forge IMSI_DET_IND with victim's
IMSI/TMSI and send to the network where the victim is connected (that could
mean the same network, but different BTS/LAC), this DoS will still be

What exactly i would like to know is, if someone already made some
experiments on it (obviously on private networks, with a legal experimental
license.) and eventually if there are any interesting results.

Thank you for attention.



*[1] -
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the baseband-devel mailing list