Is someone listening in on your confidential calls?
The rogue cell/IMSI catcher hack and how 4G won’t necessarily solve the problem
You’re travelling, working on a new deal that’s just about to close. You’re involved in the final negotiations. You need to check a few points with colleagues back at base. You call them from a quiet place, away from eavesdroppers, from your mobile. But what about electronic eavesdroppers? These days a voice call is just another piece of data, and it can be easily intercepted, and you’d never know.
The services and apps you use might claim to be encrypted, but what does that mean? Exactly what is encrypted? Do you have control of your data/voice call and can you guarantee its integrity through to the receiving end?
How can you prevent it being intercepted by an IMSI-catcher attack, for example?
An IMSI catcher, or rogue cell as it is sometimes called, hoovers up details of callers’ International Mobile Subscriber Identity (IMSI), hence the name. IMSI catchers are used by legitimate law enforcement to catch serious criminals and terrorists, as well as by criminals for malicious purposes.
IMSI catcher – The way it works
One of the issues with the original GSM network (often referred to as 2G) specification is that it required the handset to authenticate to the network but not vice versa. This meant that it was relatively easy to set up a base station pretending to be the network for nefarious reasons. There are various terms for such a device: Stingray is a US term, IMSI catcher is more generally used, and rogue cell can cover a wide range of things.
The IMSI catcher attracts mobile phones in close proximity to connect to it, thinking that it is a legitimate base station. It then logs the mobile’s details and location by use of the International Mobile Subscriber Identity. If the IMSI catcher has its own SIM, it can log into the network which enables it to do much more. For example, it can listen into or record calls by breaking the much weaker encryption used by the GSM network.
There are three modes of encryption for a GSM/2G network: A5/0, which is no encryption, and A5/1 and A5/2. Both of the latter two cyphers were reverse engineered as early as 1999, which means that even without an IMSI catcher it is, in theory at least, possible to listen in to calls in real time. As commercially available processing power has become exponentially greater, real-time decryption of calls has been demonstrated on a number of occasions.
A 3G network offers better encryption, but the IMSI catcher base station forces the mobile back to 2G, negating the stronger 3G encryption.
How might 4G help and why doesn’t it?
Given the many years of development of telecoms networks and huge investment of time and experience it has taken to agree the specification for the 4G networks internationally, it has been assumed that there would be much better protection of privacy. To some degree there is. However, the 4G network is based on a complex set of standards and protocols, and as with any computer system, there are going to be security holes; there always are, hence the advent of Patch Tuesday.
4G uses mutual authentication between the base station and the mobile handset. So in theory it is more secure as it is supposed to hide your IMSI, using a temporary IMSI during a call. However, in order to first connect to the base station, the phone has to give its real IMSI, so the real IMSI is always transmitted at least once and a fake base station can make use of that. Since 4G mobiles have to support 3G and 2G for areas lacking full 4G coverage, once the call has been intercepted, it can be forced back to 2G technology, and so again, the call is compromised.
Additionally, not every operator provides the same security, as the original 4G specification left it up to the service provider to decide which elements of security it implemented. This means that 4G/LTE networks cannot guarantee your calls will be transmitted safely with no interception.
Another point to keep in mind is that we are assuming that the carrier wants to protect your call. When travelling abroad this may not be the case. Some regions are more prone to malicious attacks, either by state actors or criminals; therefore you can’t afford to trust mobile networks when travelling, particularly if you are going to be discussing business deals or intellectual property.
Easy to set up and easy to conceal
These days, IMSI catchers can be set up for less than £1000, and they are small, so they are very portable. Someone could conceal an IMSI catcher under clothes, with any larger components hidden in a backpack. They can be mounted on a drone, a light aircraft or a helicopter, which leaves even the most innocent-seeming locations potentially vulnerable.
As an ordinary mobile user, you would never know if your calls had been intercepted by an IMSI catcher. There is technology to enable you to check which base station you are connected to, but generally speaking it requires a technically knowledgeable user and so would only really be used by law enforcement agencies.
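The warning signs described above (a fallback from 3G/4G to 2G, weak or absent 2G ciphering, an unfamiliar base station) can be checked mechanically once serving-cell records are available. The Python below is an added example, not part of the original article or any vendor's product; the record format, field names, cell identifiers and sample data are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumed record format: one row per serving-cell change, as a handset
# diagnostic tool might log it. Not the output of any real tool.
@dataclass(frozen=True)
class Obs:
    t: int        # seconds since start of capture
    rat: str      # radio technology: "2G", "3G" or "4G"
    cell: tuple   # (MCC, MNC, area code, cell id)
    cipher: str   # "A5/0", "A5/1" or "A5/2" on 2G; "" if not reported

RAT_RANK = {"2G": 2, "3G": 3, "4G": 4}
# A5/1 is not flagged on its own; the article notes it is also breakable,
# so any 2G use carries some risk.
WEAK_2G_CIPHERS = {"A5/0": "no encryption", "A5/2": "weak cipher"}

def flag_observations(observations, baseline_cells):
    """Return [(t, [reasons])] for records showing the article's warning
    signs: fallback to 2G, weak/absent ciphering, never-seen serving cell."""
    alerts, prev = [], None
    for o in sorted(observations, key=lambda x: x.t):
        reasons = []
        if o.cell not in baseline_cells:
            reasons.append("unknown cell")
        if prev and o.rat == "2G" and RAT_RANK[prev.rat] > 2:
            reasons.append(f"downgrade {prev.rat}->2G")
        if o.rat == "2G" and o.cipher in WEAK_2G_CIPHERS:
            reasons.append(f"{o.cipher}: {WEAK_2G_CIPHERS[o.cipher]}")
        if reasons:
            alerts.append((o.t, reasons))
        prev = o
    return alerts

# Constructed sample data using the test network code 001/01.
BASELINE = {(1, 1, 1201, 40011), (1, 1, 1201, 40012), (1, 1, 310, 7001)}
CAPTURE = [
    Obs(0,   "4G", (1, 1, 1201, 40011), ""),
    Obs(95,  "4G", (1, 1, 1201, 40012), ""),      # ordinary handover
    Obs(110, "2G", (1, 1, 9999, 1),     "A5/0"),  # fallback, new cell, no cipher
    Obs(400, "2G", (1, 1, 310, 7001),   "A5/1"),  # known 2G cell
]

if __name__ == "__main__":
    for t, reasons in flag_observations(CAPTURE, BASELINE):
        print(t, "; ".join(reasons))
```

A single reason can be benign, since 4G handsets legitimately fall back to 2G where coverage is poor; several reasons on the same record are what deserve attention.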
It’s not just the secret services that suffer from this type of attack. Misuse of base stations by oppressive governments can affect journalists, and law enforcement may need to protect their operational data from the felons they wish to apprehend. Criminals may target a specific company to steal industrial secrets, commercially sensitive information or intellectual property, or to eavesdrop on private conversations. Financial details and medical records could be compromised, and so too could high-profile celebrities.
How can you keep your conversations private and secure?
There is Government certified technology available that can help mitigate this type of hack. A secure communications platform can protect against an IMSI catcher attack by securing calls and texts between two endpoints, which could be a mobile phone and a desk phone, for example. It does this by using software installed on the phone that does the encryption and decryption. Whatever is sent from the mobile using the software, be it a call, text, attachment such as a video or photo, is completely encrypted end-to-end, and therefore protected.
This type of secure platform can be integrated with existing phone systems, so that calls can be protected both inside the organisation and outside.
After our article was published, much-respected cryptography expert Bruce Schneier recognised these same risks in his blog.
About Andy Lilly
Andy Lilly is Director and Co-Founder of Armour Communications. He has a proven track record of delivering challenging, leading-edge research and development solutions into global markets, having held leadership positions at multi-national organisations as well as VC-funded start-ups. Andy has been instrumental in delivering military-grade secure communications systems as well as solutions suitable for use in commercial environments for over 25 years.
About Armour Comms
Armour Communications Limited is a UK based company supplying market leading technology for secure communication via 3G, LTE (4G), WiFi and satellite for voice, video, messaging and data on Android or iOS platforms. Armour Mobile also features in-built secure conferencing (audio or video) between multiple callers.
Armour Mobile is available as a Cloud or an On-Premise solution, and by using the optional Armour Connect Gateway, integration to a customer’s PBX and standard office desk phones is possible.
All solutions are FIPS, NATO and CPA approved up to OFFICIAL-SENSITIVE, with additional security layers to mitigate threats up to SECRET.