How Safe Are Your Mobile Calls and Messages?
Mobile phone communications, including calls and messages, face potential security threats.
Organizations and individuals often mistakenly assume that their mobile devices provide a secure environment for voice and data transmissions. Unfortunately, inherent vulnerabilities within cellular devices and networks expose users to risks that could compromise privacy and organizational confidentiality.
Understanding and mitigating these hazards is crucial for safeguarding businesses, employees, clients, and customers.
Fake Cell Towers
IMSI Catchers
An IMSI catcher, also known as a Stingray or cell-site simulator, is a device used to intercept and track mobile phone communications.
IMSI stands for International Mobile Subscriber Identity, a unique number assigned to each mobile phone user and stored on the SIM card. IMSI catchers work by impersonating legitimate cell towers and tricking nearby mobile phones into connecting to them.
Once connected, the IMSI catcher can collect various types of information and even intercept phone calls, text messages, and data traffic.
Here's a simplified explanation of how an IMSI catcher works:
- The IMSI catcher is set up in a specific location and emits a strong signal to appear as a legitimate cell tower. It is usually configured to support the same frequency bands and network technology (e.g., GSM, CDMA, LTE) used by the targeted mobile network.
- Mobile phones in the vicinity, which are designed to seek out the strongest signal for the best connection, will automatically connect to the IMSI catcher.
- Once connected, the IMSI catcher can request the IMSI number from the mobile phone, allowing it to identify and track the device. This process is often done without the user's knowledge or consent.
- Once the connection is established, the IMSI catcher can intercept voice calls, text messages, and data traffic or even inject false information, such as fake SMS messages. It can also force mobile phones to downgrade to less secure communication protocols, making it easier to decrypt intercepted data.
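The behaviours described above (an unfamiliar tower, an unusually strong signal, a forced downgrade) can be turned into simple detection heuristics over a phone's serving-cell log. The following is an added example, not part of the original article; the `Obs` record, the `flag_suspicious` function, the thresholds and the sample readings are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Generation rank per radio technology; a lower rank means weaker protection.
RAT_RANK = {"GSM": 2, "UMTS": 3, "LTE": 4, "NR": 5}

@dataclass(frozen=True)
class Obs:
    ts: int     # seconds since start of capture
    rat: str    # radio access technology of the serving cell
    cell: str   # "MCC-MNC-LAC/TAC-CellID" as reported by the modem
    rssi: int   # signal strength in dBm

def flag_suspicious(observations, known_cells, rssi_margin=15, good_rssi=-100):
    """Return (ts, cell, reasons) for serving cells matching the heuristics."""
    alerts = []
    prev = None
    strongest_known = max(known_cells.values())
    for o in observations:
        reasons = []
        if o.cell not in known_cells:
            reasons.append("unknown-cell")
            # A new cell far louder than anything seen at this site before.
            if o.rssi >= strongest_known + rssi_margin:
                reasons.append("abnormally-strong")
        # Dropping to an older generation although coverage was usable.
        if (prev is not None and RAT_RANK[o.rat] < RAT_RANK[prev.rat]
                and prev.rssi >= good_rssi):
            reasons.append("downgrade-despite-good-coverage")
        if reasons:
            alerts.append((o.ts, o.cell, reasons))
        prev = o
    return alerts

# Constructed baseline: cells previously seen at this site and their best RSSI.
KNOWN = {"001-01-1200-501": -85, "001-01-1200-502": -92, "001-01-300-77": -95}

# Constructed sample readings (MCC 001 / MNC 01 is the test network code).
SAMPLE = [
    Obs(0, "LTE", "001-01-1200-501", -88),
    Obs(30, "LTE", "001-01-1200-502", -93),
    Obs(60, "GSM", "001-01-9999-1", -55),    # new cell, very strong, 2G
    Obs(90, "GSM", "001-01-9999-1", -54),
    Obs(120, "LTE", "001-01-1200-501", -112),
    Obs(150, "GSM", "001-01-300-77", -96),   # fallback after weak LTE: not flagged
]

if __name__ == "__main__":
    for ts, cell, reasons in flag_suspicious(SAMPLE, KNOWN):
        print(ts, cell, ", ".join(reasons))
```

Each reason on its own is a weak signal, since new legitimate cells and ordinary 2G fallback both occur; the readings worth investigating are those where several reasons coincide.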
Network Attacks
Cellular networks have evolved from 3G to current 5G networks, and so have the attacks possible against them.
In 3G networks, the traffic is encrypted from the mobile device, through the Cell Tower to the Radio Network Controller. Hence, both the Radio Access Network and the backhaul portions of the network are ‘notionally’ protected. However, if a hacker gains access to the Core Mobile Network, any encryption used for GSM and 3G is ineffective.
In 4G networks, the threat is greater as mandated encryption from the Mobile Phone stops at the Cell Tower (eNB), leaving the IP traffic in the backhaul to the operator unprotected.
Security has improved in 5G networks compared to previous generations; however, potential vulnerabilities and threats still persist. 5G networks have introduced enhanced security features such as stronger encryption, improved authentication methods, and better protection of user privacy. Despite these advancements, concerns around network attacks remain.
One notable change in 5G networks is the use of a Service-Based Architecture (SBA), which employs network function virtualization and software-defined networking. While this increases flexibility and scalability, it may also expose the network to potential attacks targeting the software and virtualized infrastructure.
Furthermore, the widespread deployment of small cells in 5G networks increases the risk of physical attacks on infrastructure, as these compact, low-powered base stations are often located in easily accessible public spaces.
Signalling Attacks
Signalling System No.7 (SS7)
Signaling System 7 (SS7) is a set of telephony signaling protocols that enable the worldwide connection of mobile networks. It has been used since the 1970s and was not initially designed with modern security concerns in mind. As a result, SS7 is known to have vulnerabilities that attackers can exploit.
These vulnerabilities in SS7 allow an intruder with basic skills to perform numerous attacks, including:
- SMS Interception: Attackers can potentially intercept SMS messages by exploiting the SS7 protocol's weaknesses. This is a concern because SMS is often used for two-factor authentication (2FA), and intercepting these messages could allow unauthorized access to sensitive accounts.
- Call Interception: Like SMS interception, attackers can tap into phone calls, enabling unauthorized eavesdropping on conversations.
- Call Redirection: By exploiting weaknesses in the SS7 protocol, attackers can redirect phone calls to a different destination without the knowledge or consent of the original caller or recipient. This can lead to unauthorized eavesdropping, loss of sensitive information, or disruption of essential communications.
- Location Tracking: Attackers may exploit SS7 vulnerabilities to track a target's real-time location through their mobile devices without their knowledge or consent.
Mobile Threats are not limited to state-actors or high-cost hackers
With nothing more than a browser, an internet connection and maybe a pre-paid debit card, anyone can spoof SMS messages and Caller IDs. The fact that the receiving mobile number recognizes them and displays their name when the call or text arrives is enough for most individuals to trust the authenticity of the message or call. Combined with basic social engineering, recipients could give up critical information such as passwords, etc. More concerning is that a number of organisations u to evacuate buildings or request the location of an employee.