
I sometimes notice that my connection has been downgraded to 3G despite being in an area that regularly has full 4G coverage. Should I be suspicious of an attack? Is there any way to protect oneself from this type of attack?


Not much can be done, other than turning off the phone, https://www.securitymagazine.com/articles/91767-protecting-h... & https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

> There are more reliable hardware options available for detecting IMSI catchers, which make sense when protecting multiple smartphone users in a single site, like a corporate headquarters or military base. Typically, such a setup involves a fixed, embedded system containing sensor hardware and a cellular modem for continuously monitoring the broadcast signals of the surrounding base stations, along with a database to which data is uploaded for analysis. When an IMSI catcher is detected, alerts can then be sent to all of an organization’s smartphone users.

Phones should allow users to define a whitelist of known-good cell tower IDs, which could be loaded for a known geo-location.

Why don't cell towers have the equivalent of an SSH host key, so that unknown cell towers trigger a warning before connection?
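An added example, not from this thread, of the allowlist idea above: a small Python checker that compares constructed serving-cell observations against a hypothetical per-location list of known tower IDs and the network type normally seen there, flagging unknown cells and downgrades. The log format, field names, locations and cell IDs are all constructed for illustration.

```python
# Added example: check serving-cell observations against a per-location
# allowlist of known tower IDs. All values below are constructed, not real.
from dataclasses import dataclass

# Radio access technology rank, used to detect a downgrade (e.g. LTE -> 3G).
RAT_RANK = {"2G": 0, "3G": 1, "LTE": 2, "NR": 3}


@dataclass
class Observation:
    ts: int         # constructed timestamp
    location: str   # coarse geo bucket, e.g. "home"
    rat: str        # "2G", "3G", "LTE" or "NR"
    cell_id: str    # constructed "MCC-MNC-TAC-CID" style identifier


# Hypothetical allowlist: location -> (RAT normally seen, known cell IDs).
ALLOWLIST = {
    "home":   ("LTE", {"310-260-12345-67", "310-260-12345-68"}),
    "office": ("NR",  {"310-260-22222-11"}),
}


def analyse(observations, allowlist=ALLOWLIST):
    """Return (ts, reason) alerts; empty list when nothing looks off."""
    alerts = []
    for o in observations:
        entry = allowlist.get(o.location)
        if entry is None:
            continue  # no baseline for this place, nothing to compare against
        expected_rat, known_cells = entry
        if o.cell_id not in known_cells:
            alerts.append((o.ts, f"unknown cell {o.cell_id} at {o.location}"))
        if RAT_RANK[o.rat] < RAT_RANK[expected_rat]:
            alerts.append((o.ts, f"downgraded to {o.rat} at {o.location} "
                                 f"(expected {expected_rat})"))
    return alerts


def parse_log(text):
    """Parse constructed 'ts,location,rat,cell_id' lines into Observations."""
    obs = []
    for line in text.strip().splitlines():
        ts, loc, rat, cid = line.split(",")
        obs.append(Observation(int(ts), loc, rat, cid))
    return obs


# Constructed sample log: the third line is a never-seen tower on 3G.
SAMPLE_LOG = """\
1000,home,LTE,310-260-12345-67
1060,home,LTE,310-260-12345-68
1120,home,3G,310-260-99999-01
1180,office,NR,310-260-22222-11
"""

if __name__ == "__main__":
    for ts, reason in analyse(parse_log(SAMPLE_LOG)):
        print(ts, reason)
```

A lone downgrade is weak evidence by itself (congestion and handovers cause them too), so alerts like these are better reviewed as a pattern over time than acted on individually.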


Turning off the phone isn't a solution though. The concern with the attack is that someone is snooping on my connection while I use it. If I can't use my phone confidently knowing no one is watching, then my only other option would be not to trust the phone at all.


> Turning off the phone isn't a solution though.

Since most phones no longer have power-off, a Faraday bag is needed to block all RF (cellular, wifi, bluetooth) radios on the phone from communicating with nearby radios.

> The concern with the attack is that someone is snooping on my connection while I use it. If I can't use my phone confidently knowing no one is watching, then my only other option would be not to trust the phone at all.

This is sadly the case today. It will only change with greater participation of civil society in technology standard-setting, open-source "cyber" defense and security research.

In addition to reducing usage of untrustworthy phones and radio bands, reduce funding of untrustworthy telcos by subscribing via lower-cost prepaid MVNOs.


> Since most phones no longer have power-off

What does this mean? I can power off my phone same as I always have.


iOS 15+ "powered-off" iPhones can act as AirTags, https://9to5mac.com/2021/06/07/ios-15-find-my-network-can-fi...


LTE does perform authentication of the tower, it's one of the reasons cell site simulators are becoming less useful---phones that refuse a downgrade to 3G will refuse to fully associate with a simulated site, so only limited information about the phone (some identifiers) can be obtained.


2017, https://arxiv.org/abs/1702.04434

> IMSI Catcher attacks are really practical for the state-of-the-art 4G/LTE mobile systems too. Our IMSI Catcher device acquires subscription identities (IMSIs) within an area or location within a few seconds of operation and then denies access of subscribers to the commercial network. Moreover, we demonstrate that these attack devices can be easily built and operated using readily available tools and equipment, and without any programming. We describe our experiments and procedures that are based on commercially available hardware and unmodified open source software.


Supposing cell towers don't currently have a key; if they did your cell provider would certainly have a way to push new ones to your phone, and under government warrant they'd simply push the key of the stingray to your phone as well, or give the stingray the key of an existing tower.


If your cell provider is going to help stingrays connect to your phone, the government might as well just install the wiretap at the provider and none of this matters.


Governments and law enforcement would be the best-case scenario for telco monitoring and phone/endpoint hacking via NSO et al., because there would at least be some legal framework for narrowly targeted lawful intercept.

The risk of insecure-by-design telco standards, radio networks and untrustworthy phones is that zero-day and unfixable vulnerabilities could be abused for targeted and mass surveillance by networks of criminal, corrupt or non-state actors.

If Clearview AI can scrape billions of human images from public social networks, for commercial facial recognition services, imagine the per-geo economic value of passive radio signal collection and retroactive footprint analysis by AI.

https://hn.algolia.com/?query=imsi


Sure, but the point is that if we assume that the telco is malicious, none of LTE's security matters or could ever matter. They are the party you are encrypting the data for, so they always by definition can log/sniff/whatever it.

There's no point in designing telco standards for cases where the telco is a malicious party.


Did someone suggest the telco as a malicious party?

My comment was about non-gov, non-telco malicious actors harvesting metadata via passive sniffing.


Yes, that's literally what the parent comment to your comment is talking about when they said this:

> If your cell provider is going to help stingrays connect to your phone...


Some Android phones can be set to 5G/4G (NR/LTE) only in a hidden menu like this: https://forum.xda-developers.com/t/set-preferred-network-mod...


GrapheneOS supports LTE-only mode for that purpose: https://grapheneos.org/usage#lte-only-mode

> This feature is not intended to improve the confidentiality of traditional calls and texts, but it might somewhat raise the bar for some forms of interception. It's not a substitute for end-to-end encrypted calls / texts or even transport layer encryption. LTE does provide basic network authentication / encryption, but it's for the network itself. The intention of the LTE-only feature is only hardening against remote exploitation by disabling an enormous amount of both legacy code (2G, 3G) and bleeding edge code (5G).


LineageOS on my Samsung Galaxy S5 also has a setting for which network modes to use.

Oddly enough, since the 3G shutdown, I have to set it to LTE-only to get service. Auto 3G/LTE results in no service.


Very odd. I wonder what could account for that. Some kind of legacy 3G initial handshake that particular modem needs before it negotiates an LTE connection? I am completely making that up, but something along those lines.


Tunnel everything on your phone over Wireguard back to a trusted location, and don’t use phone or SMS; stick to VoIP over the VPN tunnel. Any kind of stingray is effectively rendered useless in this scenario.


Not even close.

The use case for "Stingray"-like devices is to determine the proximity and/or ID of a device/user based on the IMSI/IMEI.
