
Vendors Late to Recognize the Serious Threat of Cell-Site Simulators

by Michael Dean Thompson

Cell-site simulators (“CSS”), also known by the brand name Stingray and more generically as IMSI Catchers, have permitted governments to spy on each other, hackers to install zero-click malware, and stalkers to track the location of their targets. They work by taking advantage of some of the inherent security flaws in the cellular telephony infrastructure.

Although CSSs have been in use for years, our government’s use of them is only just coming to light as they have fought to keep them out of the courts, even to the point of insisting cases be dismissed rather than have the technology fall under court scrutiny. Meanwhile, open-source kits have become available and cases have erupted of people sending spam, engaging in fraud, and using them to stalk others. And, despite the minimal protections in the U.S., cellphone use in another country may leave the user even more vulnerable. 

All cellular technologies are vulnerable, but the easiest CSS tactic is to fake a 2G or 3G cell tower. Within the U.S., only one carrier—T-Mobile—has left its 2G and 3G infrastructure up. While 2G connectivity may be common in some countries—sometimes even necessary—it is not needed in the U.S. That down-level compatibility unnecessarily leaves many domestic phones vulnerable to even the most basic cell-site simulator. Using a fake base station (cell tower) attack over a 2G connection, a CSS operator has full access to the communications and can insert zero-click malware like Pegasus into a smart device undetected.

In 2021, Google added a toggle to disable access to 2G networks. If mobile device users find themselves in a country with only 2G access, they can turn the option off. Otherwise, the option should always be enabled. But that merely addresses one small part of the problem.

Google recently added a new feature that allows users to disable “null ciphers.” The more modern technologies try to encrypt conversations between the cellphone and tower. There are times, however, when the conversation cannot be encrypted. However rare, the most critical is when a phone has no SIM card installed but is being used to access emergency services. CSSs use null ciphers to force unencrypted conversations, allowing them to listen to the cellular traffic. Since policing agencies use cell-site simulators under license from the Federal Communications Commission, it is probably best to assume that modern law enforcement CSS devices have their own keys. Setting this option is doubtless still an important step in protecting a device from hackers and stalkers but likely little else. The null cipher toggle is only available on Android 14 or higher and does not appear to be available for generic Android phones.

Apple often makes strong claims about the security of their phones. One security-oriented feature is the Lockdown Mode released in iOS 16. That feature is intended to provide extra protection against malware by blocking major attack vectors. Somehow, though, 2G tower connections were not included in that release. iOS 17 now offers that toggle. Even so, Apple still has not offered an option to prevent null cipher attacks. It is a tremendous oversight that needs to be addressed.

There remain many steps available to reduce the risk of base station attacks, including active CSS detection, just as malware detectors attempt to sniff out malicious code. Disabling 3G would add yet another step, especially here in the U.S. Meanwhile, makers like Samsung have yet to take advantage of the fact that the 2G toggle is available in the Android Open Source Project and integrate it into their products. In fact, Samsung has so far failed to announce their intention to do so.
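The article's risk picture (an unnecessary 2G or 3G attach, and a null cipher outside the one legitimate SIM-less emergency-call case) can be expressed as a small detection check of the kind the paragraph above calls for. This is an added example, not code from the article, EFF, or any vendor; the `CellState` record, its field names and the sample sequence are all constructed for illustration, since real handsets expose this state through vendor-specific radio interfaces.

```python
"""Flag cellular connection states that the article says a phone should not normally be in."""
from dataclasses import dataclass

# Null (no-encryption) cipher identifiers per generation: GSM A5/0, UMTS UEA0,
# LTE EEA0, 5G NEA0.
NULL_CIPHERS = {"A5/0", "UEA0", "EEA0", "NEA0"}
GENERATION = {"GSM": 2, "UMTS": 3, "LTE": 4, "NR": 5}  # radio access technology -> generation


@dataclass
class CellState:
    """Constructed (hypothetical) snapshot of one attach; not a real radio API."""
    rat: str                       # radio access technology name
    cipher: str                    # negotiated cipher identifier
    has_sim: bool
    emergency_call: bool = False
    region_2g_only: bool = False   # user has confirmed only 2G exists where they are


def assess(state: CellState) -> list[str]:
    """Return risk findings for one connection state (empty list = nothing flagged)."""
    findings: list[str] = []
    gen = GENERATION.get(state.rat)
    if gen is None:
        return [f"unknown RAT {state.rat!r}"]
    if gen == 2 and not state.region_2g_only:
        findings.append("2G attach: unnecessary downgrade, fake base station risk")
    elif gen == 3:
        findings.append("3G attach: legacy network, consider disabling if available")
    if state.cipher in NULL_CIPHERS:
        # The one legitimate null-cipher case the article names: SIM-less emergency calls.
        if not state.has_sim and state.emergency_call:
            findings.append("null cipher on SIM-less emergency call: expected, unencrypted")
        else:
            findings.append(f"null cipher {state.cipher}: traffic is unencrypted")
    return findings


def scan(states: list[CellState]) -> dict[int, list[str]]:
    """Run assess() over a sequence of states, keeping only those with findings."""
    return {i: f for i, s in enumerate(states) if (f := assess(s))}


# Constructed sample: a normal LTE session that is pulled down to 2G with a null cipher.
SAMPLE = [
    CellState("LTE", "EEA2", True),
    CellState("LTE", "EEA0", True),
    CellState("GSM", "A5/0", True),
    CellState("GSM", "A5/0", False, emergency_call=True),
    CellState("GSM", "A5/1", True, region_2g_only=True),
]

if __name__ == "__main__":
    for idx, found in scan(SAMPLE).items():
        print(idx, found)
```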

No phone can ever be completely secure, but consumers have a right to expect more from vendors to protect them from bad actors and warrantless invasions of their privacy.  


Source: EFF.org
