How Safe Are Your Mobile Calls and Messages?
Mobile phone communications, including calls and messages, face potential security threats.
Organizations and individuals often mistakenly assume that their mobile devices provide a secure environment for voice and data transmissions. Unfortunately, inherent vulnerabilities within cellular devices and networks expose users to risks that could compromise privacy and organizational confidentiality.
Gaining insight into and mitigating these hazards are crucial for safeguarding businesses, employees, clients, and customers.
Fake Cell Towers
IMSI Catchers
An IMSI catcher, also known as a Stingray or cell-site simulator, is a device used to intercept and track mobile phone communications.
IMSI stands for International Mobile Subscriber Identity, which is a unique number assigned to each mobile phone user and stored on the SIM card. IMSI catchers work by impersonating legitimate cell towers and tricking nearby mobile phones into connecting to them.
Once connected, the IMSI catcher can collect various types of information and even intercept phone calls, text messages, and data traffic.
Here's a simplified explanation of how an IMSI catcher works:
-
The IMSI catcher is set up in a specific location and emits a strong signal to appear as a legitimate cell tower. It is usually configured to support the same frequency bands and network technology (e.g., GSM, CDMA, LTE) used by the targeted mobile network.
-
Mobile phones in the vicinity will automatically connect to the IMSI catcher, as they are designed to seek out the strongest signal for the best connection.
-
Once connected, the IMSI catcher can request the IMSI number from the mobile phone, allowing it to identify and track the device. This process is often done without the user's knowledge or consent.
-
With the connection established, the IMSI catcher can intercept voice calls, text messages, and data traffic, or even inject false information, such as fake SMS messages. It can also force mobile phones to downgrade to less secure communication protocols, making it easier to decrypt intercepted data.
Network Attacks
As cellular networks have evolved from 3G through to current 5G networks, as have the attacks possible against the network.
In 3G networks, the traffic is encrypted from the mobile device, through the Cell Tower to the Radio Network Controller. Hence, both the Radio Access Network and the backhaul portions of the network are ‘notionally’ protected. However, if a hacker gains access to the Core Mobile Network, any encryption used for GSM and 3G is ineffective.
In 4G networks, the threat is greater as mandated encryption from the Mobile Phone stops at the Cell Tower (eNB), leaving the IP traffic in the backhaul to the operator unprotected.
In 5G networks, security has been improved compared to previous generations; however, potential vulnerabilities and threats still persist. 5G networks have introduced enhanced security features such as stronger encryption, improved authentication methods, and better protection of user privacy. Despite these advancements, concerns around network attacks remain.
One notable change in 5G networks is the use of a Service-Based Architecture (SBA), which employs network function virtualization and software-defined networking. While this increases flexibility and scalability, it may also expose the network to potential attacks targeting the software and virtualized infrastructure.
Furthermore, the widespread deployment of small cells in 5G networks increases the risk of physical attacks on infrastructure, as these compact, low-powered base stations are often located in easily accessible public spaces.
Signalling Attacks
Signalling System No.7 (SS7)
Signaling System 7 (SS7) is a set of telephony signaling protocols that enable the worldwide connection of mobile networks. It has been in use since the 1970s and was not initially designed with modern security concerns in mind. As a result, SS7 is known to have vulnerabilities that can be exploited by attackers.
These vulnerabilities in SS7 allow an intruder with basic skills to perform numerous attacks, including:
-
SMS Interception
Attackers can potentially intercept SMS messages by exploiting the SS7 protocol's weaknesses. This is a concern because SMS is often used for two-factor authentication (2FA), and intercepting these messages could allow unauthorized access to sensitive accounts.
-
Call Interception:
Similar to SMS interception, attackers can tap into phone calls, enabling unauthorized eavesdropping on conversations.
-
Call Redirection:
By exploiting weaknesses in the SS7 protocol, attackers can potentially redirect phone calls to a different destination without the knowledge or consent of the original caller or recipient. This can lead to unauthorized eavesdropping, loss of sensitive information, or disruption of important communications.
EXAMPLE 1 – Intercepting SMS Messages
EXAMPLE 2 – Intercepting Calls
-
Location Tracking:
Attackers may exploit SS7 vulnerabilities to track a target's real-time location through their mobile devices without their knowledge or consent.
Mobile Threats are not limited to state-actors or high-cost hackers
With nothing more than a browser, an internet connection and maybe a pre-pay debit card, anyone can spoof SMS messages and Caller IDs. The fact that the receiving mobile number recognizes the and displays their name when the call or text arrives is enough for most individuals to trust the authenticity of the message or call. Combined with basic social engineering, recipients could give up critical information such as passwords etc. More concerning is where a number of organisation use SMS as an emergency alerting procedure, to evacuate buildings or request the location of an employee.
