We present a new WiFi-based IMSI catcher which operates by exploiting flaws in the way authentication protocols have been deployed in most of the world's smartphones. Being WiFi-based means that the attacks have the potential to be much easier to take advantage than traditional 2-4G based IMSI catchers. We explain how users may be tracked when using smartphones and tablets including those running iOS , Android and other mobile OSs. This tracking can be performed silently and automatically without any interaction from the tracked user. We have developed a proof of concept system that demonstrates our IMSI catcher employing passive and active techniques. Finally, we present guidelines for vendors, cellular network operators, and users to mitigate the privacy issues that arise.