How Safe Are Your Mobile Calls and Messages?

Mobile phone calls and messages are vulnerable to attack. Many organizations and individuals falsely trust the safety and security of making calls and sending/receiving texts from their mobile devices. However, there are many critical vulnerabilities inherent with cell phones and cellular networks that put our privacy and our organizations’ confidentiality at risk. Understanding and preventing these risks are critical to protecting your business, your employees, your clients, and your customers.

Cellcrypt - mobile carrier fixed-line network

Fake Cell Towers

IMSI Catchers

An IMSI-catcher is a telephone eavesdropping device used for intercepting mobile phone traffic and tracking movement of mobile phone users. They are "fake" cell towers acting between the target mobile phone and the service provider's real cell towers. IMSI Catchers grab International Mobile Subscriber Numbers (IMSI) and the Electronic Serial Numbers (ESM) from targeted mobile phones. They can force a mobile phone connected to it to use no encryption making calls easy to intercept and can intercept both calls and messages.

A threat to Business and Personal Security

While, to date, IMSI catchers – in particular, the Harris Corp. Stingray – have been used mainly for law enforcement purposes, hostile use of IMSI catchers is increasingly likely. Low-cost IMSI catchers are now available for as little as $1400. In September 2015, the International Business Times reported that the Chinese Government spied on airplane passengers using IMSI catchers. This highlights the threat to international business travelers and organizations.

Network Attacks

Cellcrypt - routers

In 3G networks, the traffic is encrypted from the mobile device, through the Cell Tower to the Radio Network Controller, so both the Radio Access Network and the backhaul portions of the network are ‘notionally’ protected. However if a hacker gains access to the Core Mobile Network, the encryption used for GSM and 3G is ineffective.

  • In 2009, hackers computed and published a codebook free on the internet to decrypt calls made over GSM networks
  • In 2010, A Practical-Time Attack on the A5/3 Cryptosystem exposed the weakness of the encryption used in 3G GSM Telephony: http://eprint.iacr.org/2010/013.pdf

In 4G networks, the threat is greater as mandated encryption from the Mobile Phone stops at the Cell Tower (eNB), leaving the IP traffic in the backhaul to the operator unprotected.

Signalling Attacks

Signalling System No.7 (SS7) is Easily Hacked

The vulnerabilities in SS7 allow an an intruder with basic skills to perform numerous attacks including:

  • IMSI Disclosure
  • Intercepting and Redirecting Phone Calls
  • Intercepting SMS Messages
  • Tracking of a Mobile User
  • Block a Mobile User From receiving incoming calls and messages

​SS7 exploits are easily within reach of hostile parties and access to SS7 can be bought from network operators for a few hundred dollars per month.

Cellcrypt - Intercepting SMS Messages

Intercepting SMS Messages

The target is registered with a fake Mobile Switching Center (MSC) and Visitor Location Register (VLR) - meaning that SMS messages can be diverted to an alternative host. This allows the attacker to send fake message received confirmations, and withhold or send new/altered messages. The target sees no interruption of service, and therefore has no reason to suspect anything is amiss. The goal is often to steal passwords for services such as banking, email and social media etc.

Cellcrypt - intercepting calls

Intercepting Calls

As part of a VLR attack, the phone owner’s profile can be manipulated so that when they make a call the billing request and number they are calling are sent to the attacker. This allows the attacker to create a conference call, with themselves unseen, and listen and record the resulting conversation unobserved.

Mobile Threats are not limited to state-actors or high-cost hackers

With nothing more than a browser, an internet connection and maybe a pre-pay debit card, anyone can spoof SMS messages and Caller IDs. The fact that the receiving mobile number recognizes the and displays their name when the call or text arrives is enough for most individuals to trust the authenticity of the message or call.

Combined with basic social engineering, recipients could give up critical information such as passwords etc. More concerning is where a number of organisation use SMS as an emergency alerting procedure, to evacuate buildings or request the location of an employee.

Cellcrypt - fake text messages

The Risks to Organizations and their Employees

With the relative ease for standard mobile communications to be intercepted potential threats include:

Economic Espionage

When employees use their mobile phones for confidential business discussions, particularly when travelling on business, the risk of those texts, images or calls being intercepted is real. If that confidential information is intercepted by competitors or interested third parties, the damage can far-reaching.

Reports on the economic impact of industrial espionage vary, but in the US alone, BlackOps Partners Corporation, which works with Fortune 500 companies on counter-intelligence and protection puts the number at $500 billion in raw innovation stolen every year. As far back as 2012, General Keith Alexander, NSA director and commander of U.S. Cyber Command described economic espionage as “the greatest transfer of wealth in history.”

Crime and Fraud

The criminal targeting of personal cell phones is an increasingly rich area, with scams growing in complexity and reach. Early in 2016, millions of customers of Australia’s biggest banks were targeted in a sophisticated Android attack, using fake log in screens for the banking apps, WhatsApp, Skype, PayPal, eBay and Google services. The malware was used to both intercept log-in details and to steal SMS two-factor authentication codes, meaning the bank’s security measures were bypassed.

Employee and Personal Safety

For businesses with employees travelling and working abroad, the risk of interception may be higher as nation states, competitors, terrorists and kidnappers target business travellers. Cell phones can exponentially increase this risk as eavesdropping and message interception can provide crucial information, while the growing use of IMSI catchers can provide accurate real-time location information.

Ready to take you security seriously?

Try Cellcrypt for free or signup for the paid version now.