Using Mobile Phones and Cellular Networks for Privacy and Anonymity
Using mobile phones and cellular networks for privacy and anonymity is challenging because they are inherently designed for tracking and monitoring. While a best-effort approach can mitigate some risks, achieving complete privacy and anonymity is nearly impossible with modern smartphones and mobile networks. Always prioritize security and follow best practices to protect your privacy and anonymity.
Key Concepts
- Inherent Weaknesses:
- Modern smartphones and mobile networks are designed to track and monitor users, making them inherently insecure for privacy and anonymity.
- Popular operating systems like iOS and Android offer limited control over the device, and mobile networks are designed to collect data.
- Best-Effort Approach:
- While it is difficult to achieve complete privacy and anonymity, a best-effort approach can be taken to mitigate risks.
- For example, using secure messaging apps like Signal can help protect communications, but the underlying device and network can still be controlled by the provider.
Issues with Mobile Networks
- Network Provider Concerns:
- Call Recording: Providers can record voice calls if necessary.
- Data Traffic Logging: They can log the content of internet data traffic, especially if it is unencrypted.
- SMS and MMS Logging: Providers can read and store SMS and MMS messages.
- Silent SMS: Providers can send silent SMS messages to track your geographic location.
- Software Updates: Some providers can manipulate your phone through software updates, essentially taking control of it.
- Tower Dumps: Providers can request tower dumps to track and cross-correlate who you know and who might be in the same area.
- MAC Address Tracking: Providers can track your unique MAC address, which can be linked to your identity if the phone was purchased non-anonymously.
- Metadata Collection: Providers collect metadata such as call duration, location, callers, receivers, and internet usage.
- Over-the-Air Issues:
- IMSI and TMSI: Adversaries can potentially obtain your IMSI (International Mobile Subscriber Identity) and TMSI (Temporary Mobile Subscriber Identity), which can be used to track your call patterns.
- Location Tracking: Adversaries can use location-based services and triangulation to pinpoint your precise location.
- Interception: Data, voice, and SMS can be intercepted by adversaries with the right equipment if encryption is weak or non-existent.
Mitigation Strategies
- Use Secure Messaging Apps:
- Use end-to-end encrypted messaging apps like Signal to protect your communications.
- Avoid Sensitive Activities:
- Avoid conducting sensitive activities on mobile devices, as they are inherently less secure than desktops or laptops.
- Physical Isolation:
- Use a separate device for sensitive activities to avoid linking your primary identity to those activities.
- Encryption:
- Use VPNs and Tor to encrypt your internet traffic and hide your IP address.
- Network Awareness:
- Be aware of the limitations of mobile networks and the potential for surveillance by providers and third parties.
Cellular Network Security Vulnerabilities
IMSI catchers pose a significant threat to cellular network security due to the lack of mutual authentication in GSM. While there are some mitigations and detection tools available, the problem remains largely unresolved. Users should be aware of these vulnerabilities and take appropriate precautions to protect their privacy and security.

2G (GSM) Authentication Issues
- GSM Authentication Weaknesses:
- Authentication in 2G (GSM) has a significant security flaw.
- This vulnerability allows fake mobile towers to be set up, appearing as legitimate network towers.
- IMSI Catchers:
- These are fake base stations that exploit the GSM authentication weakness.
- They can impersonate legitimate networks, tricking mobile phones into connecting to them.
Understanding IMSI
- International Mobile Subscriber Identity (IMSI):
- A unique 64-bit number associated with a SIM card.
- Sent by the mobile phone to identify the user to the network.
- TMSI (Temporary Mobile Subscriber Identity):
- A randomly generated number used to replace the IMSI to prevent tracking.
- The IMSI is sent as rarely as possible to enhance privacy.
Lack of Network Authentication
- One-Way Authentication:
- The GSM specification requires the phone to authenticate to the network but does not require the network to authenticate to the phone.
- This means anyone can set up a fake cellular tower or IMSI catcher and pretend to be a legitimate mobile provider.
- Automatic Connection:
- Phones will automatically attempt to connect to fake towers if they have a stronger signal.
Risks and Exploitation
- Call Encryption Bypass:
- IMSI catchers can force connected phones to use weak or no encryption (A5/0, A5/1, A5/2 modes).
- This makes call data easy to intercept and convert to audio, similar to capturing packets in Wireshark.
- Deployment by Law Enforcement:
- IMSI catchers are known to be used by law enforcement in various forms:
- Deployed in planes, drones, and vehicles.
- Known as “flying dirt boxes” when used in airborne devices.
- Ease of Creation:
- Creating an IMSI catcher is not complex.
- Software-defined radios (SDRs) have made it easier and more affordable to set up IMSI catchers.
Example Setup
- Components of an IMSI Catcher:
- Software-Defined Radio (SDR): Such as the USRP B200.
- Antenna: Like the VRT 900 antenna.
- Controller: A device like the BeagleBone Black running Debian.
- Battery: For mobility.
- Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks.
- Software Used:
- OpenBTS: An open-source software that provides the necessary functionality for an IMSI catcher.
Practical Implications
- Neighborhood Monitoring:
- An IMSI catcher connected to a VoIP provider and the internet can create a fully functional mobile network.
- Neighbors unknowingly connect to this network, allowing the operator to monitor their phone usage.
- Flying Dirt Boxes:
- Using drones, one can deploy a flying dirt box to monitor mobile usage over a broader area.
Mitigations and Defenses
- Apps for Detection:
- Fake Base Station Detector: An app that can help detect fake base stations.
- SnoopSnitch: An app by a respected security researcher, potentially useful for detecting IMSI catchers.
- Device Settings:
- Disable 2G (GSM): Devices that support it can be configured to only connect to 3G and 4G networks, which do not have the same authentication issues.
- Disable Roaming: If not traveling, disabling roaming can help prevent connection to fake towers outside the carrier’s service area.
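The indicators described in this section (an unfamiliar tower with the strongest signal, a fallback to 2G, and weak or no encryption) can be scored over a log of the cells a phone has connected to. This is an added example, not code from the page or from the detection apps named above; the log format, field names, point values, thresholds and sample records are constructed assumptions.

```python
import csv
from io import StringIO

# Constructed sample log (not real captures): time, radio, MCC-MNC-LAC-CID, RSSI dBm, cipher.
SAMPLE_LOG = """\
09:00,4G,001-01-4021-1187,-95,EEA2
09:05,4G,001-01-4021-1190,-92,EEA2
09:10,2G,001-01-0007-0001,-61,A5/0
09:20,2G,001-01-4021-2210,-98,A5/1
09:30,4G,001-01-4021-1187,-94,EEA2
"""

# Assumed baseline: cells this phone has seen before at this location.
KNOWN_CELLS = {"001-01-4021-1187", "001-01-4021-1190", "001-01-4021-2210"}

# Points per 2G cipher mode named in the text: A5/0 is no encryption, A5/2 and A5/1 are weak.
CIPHER_POINTS = {"A5/0": 3, "A5/2": 2, "A5/1": 1}
ALERT_THRESHOLD = 4  # assumed cut-off, chosen so a routine 2G fallback alone stays below it
RSSI_JUMP_DB = 15    # assumed margin for "much stronger than the previous cell"


def parse_log(text):
    """Parse the CSV log into dicts with a numeric RSSI."""
    fields = ["time", "rat", "cell", "rssi", "cipher"]
    rows = list(csv.DictReader(StringIO(text), fieldnames=fields))
    for row in rows:
        row["rssi"] = int(row["rssi"])
    return rows


def score_observations(rows, known_cells):
    """Return (time, cell, score, reasons) for each row at or above the threshold."""
    alerts, prev = [], None
    for row in rows:
        score, reasons = 0, []
        if row["cell"] not in known_cells:
            score += 1
            reasons.append("cell not in baseline")
            if prev and row["rssi"] - prev["rssi"] >= RSSI_JUMP_DB:
                score += 1
                reasons.append("much stronger than previous cell")
        if prev and prev["rat"] != "2G" and row["rat"] == "2G":
            score += 2
            reasons.append("fallback to 2G")
        if row["rat"] == "2G" and row["cipher"] in CIPHER_POINTS:
            score += CIPHER_POINTS[row["cipher"]]
            reasons.append("cipher " + row["cipher"])
        if score >= ALERT_THRESHOLD:
            alerts.append((row["time"], row["cell"], score, reasons))
        prev = row
    return alerts


if __name__ == "__main__":
    for alert in score_observations(parse_log(SAMPLE_LOG), KNOWN_CELLS):
        print(alert)
```

Only the 09:10 record is flagged, because several indicators coincide there; the later 2G record on a known cell with A5/1 stays below the threshold.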
Signaling System Number 7 (SS7) Security Vulnerabilities
SS7 vulnerabilities pose a significant threat to the security and privacy of mobile network users. The lack of authentication and the ease of exploitation make it a prime target for attackers. While some mitigations are being implemented by network operators, users should also take proactive steps to protect their communications by using secure applications and being aware of the risks associated with mobile networks.

Cellular Privacy, SS7 Security Shattered at 31C3 | Threatpost
Signalling System No. 7 – Wikipedia
Overview of SS7
- Purpose of SS7:
- SS7 is a set of protocols designed to connect networks together and route calls between switching centers.
- It enables the exchange of information for passing calls and SMS messages between networks.
- It also facilitates billing and roaming when users travel outside their home network.
- Historical Context:
- SS7 was designed with the assumption that it would be a closed system where networks could be trusted.
- This assumption has proven to be incorrect, leading to significant security vulnerabilities.
Security Issues with SS7
- Lack of Authentication:
- The Mobile Application Part (MAP) and Customized Applications for Mobile Network Enhanced Logic (CAMEL) protocols within SS7 have no authentication mechanisms.
- This lack of authentication allows adversaries to exploit the system easily.
- Exploitation Capabilities:
- An adversary with access to SS7 and a target’s phone number can:
- Read all text messages.
- Listen to all phone calls.
- Track the target’s location from anywhere in the world.
- Perform denial of service (DoS) attacks.
- Global Reach:
- These vulnerabilities are not limited by geographical boundaries.
- Anyone with access to SS7 can exploit these weaknesses, regardless of their physical location.
Real-World Implications
- Access to SS7:
- Access to SS7 can be purchased from mobile telcos and network operators, often through unofficial channels.
- Vendors are actively selling products designed to exploit SS7 vulnerabilities.
- Trust Issues:
- While some companies claim to offer SS7 access only to law enforcement and government agencies, the lack of transparency raises concerns.
- Many governments, especially in less transparent countries, cannot be trusted with such powerful surveillance capabilities.
Personal Vulnerability
- Every Communication is at Risk:
- Every SMS, text message, picture message, and phone call made using a mobile network is vulnerable to SS7 exploitation.
- Users can be tracked, their communications intercepted, and their services disrupted with minimal effort.
- Ease of Exploitation:
- An attacker only needs the target’s phone number and access to SS7 to carry out these attacks.
- This means that anyone with the right resources can potentially track and monitor individuals globally.
Mitigations and Defenses
- Operator Mitigations:
- Some network operators have implemented firewalls and proxies to intercept and filter suspicious messages, helping to mitigate SS7 vulnerabilities.
- European operators, in particular, are known to be implementing these controls.
- End-to-End Encryption:
- Using third-party applications like Signal and Linphone for voice calls and text messages can mitigate SS7 vulnerabilities.
- These applications support end-to-end encryption and authentication, ensuring that communications are secure even if the underlying network is compromised.
- Awareness and Education:
- Users should be aware of the risks associated with SS7 vulnerabilities and take appropriate precautions.
- Using secure communication tools and being mindful of the network’s security can help protect privacy and data.
Taking up the Gauntlet – SS7 Attacks in Ukraine | Enea
Mobile Phone Security and Privacy Issues
Maintaining security, privacy, and anonymity on mobile devices is extremely challenging, especially against well-resourced adversaries. While there are some mitigations available, such as disabling unnecessary features, using burner phones, and opting for security-focused operating systems, the overall landscape remains fraught with risks. Users should be vigilant and take all possible precautions to protect their data and privacy.

Baseband Radio Processors
- Baseband Overview:
- The baseband radio processor is a chip that manages all antenna radio functions.
- It typically uses its own RAM, firmware, and proprietary software.
- Security Vulnerabilities:
- The code in baseband processors is often not security-tested.
- Security researchers have found vulnerabilities that allow remote access and modification of data on the phone.
- For example, the Replicant project discovered a backdoor in the baseband software of Samsung Galaxy phones, enabling remote access to user data.
Auto-Updates
- Potential Risks:
- Auto-updates can install malware, backdoors, trojans, or keyloggers.
- Bad actors can force updates through coercion or legal means, targeting specific devices or individuals.
- iOS updates, for instance, are device-specific, allowing Apple to send malicious updates to targeted users.
- Mitigation:
- While auto-updates are important for security, they also pose a significant risk.
- Users should be cautious about the source and content of updates.
Wi-Fi and Bluetooth Tracking
- Tracking via MAC Address:
- Wi-Fi and Bluetooth devices broadcast a unique MAC address, which can be tracked by nearby access points.
- Corporations and nation-states use networks of access points to track mobile phones as users move from one location to another.
- Mitigation:
- iOS 8 and above randomize MAC addresses to reduce tracking.
- Disabling Wi-Fi and Bluetooth when not in use is the best mitigation, though it can be inconvenient.
Location Data Leaks
- Methods of Location Tracking:
- Phones determine their location using GPS, cell tower information, and Wi-Fi networks.
- Apps can access and transmit location data, which can be intercepted or recorded by third parties.
- Mitigation:
- Avoid installing apps that require excessive permissions.
- Disable GPS and Wi-Fi when not in use.
Burner Phones
- Purpose and Usage:
- Burner phones are temporary prepaid phones used for anonymity and separating aliases.
- In some countries, SIMs and prepaid phones can be purchased anonymously, but this is becoming more regulated.
- Limitations:
- Even with burner phones, nation-states can cross-correlate data to build profiles of users.
- Calling patterns and metadata can reveal associations and behaviors, linking burner phones to other devices.
Metadata and Profiling
- Metadata Analysis:
- Metadata, such as when and where a phone is switched on or off, can provide information about user activities.
- Nation-states and corporations use sophisticated systems to analyze metadata and build profiles of individuals.
- Mitigation:
- Switch off phones before reaching sensitive locations.
- Use burner phones cautiously, considering the limitations of metadata analysis.
Operating System Alternatives
- Security-Focused OS:
- Consider using alternative operating systems like CyanogenMod, Ubuntu, Replicant, CopperheadOS, or OmniROM for enhanced security and privacy.
- These systems are more focused on security, privacy, and anonymity than standard mobile operating systems.
- Android Risks:
- Android devices are particularly vulnerable to malware due to their large market share.
- Users should consider avoiding Android devices if possible, based on the high malware statistics.
Nation-State Threats
- Hacking and Surveillance:
- Nation-states have hacked mobile operator systems to gain secret access to user data.
- They use IMSI catchers, SS7 vulnerabilities, and other techniques to monitor and track users.
- Mitigation:
- Be aware of the risks and take proactive steps to protect privacy, such as using burner phones and alternative operating systems.
DeepSec 2010: All your baseband are belong to us by Ralf Philipp Weinmann
The Problem with Mobile Phones | Surveillance Self-Defense
ICREACH: How the NSA Built Its Own Secret Google
Using Cellular Networks for Internet Access
Maintaining privacy and anonymity on cellular networks requires comprehensive operational security practices and the use of secure, anonymizing technologies. Always be aware of your operational environment and adjust strategies to mitigate potential threats.
- Devices and Setup:
- Utilize a laptop with a 3G/4G dongle or burner phone.
- Opt for a secure operating system like Qubes OS with Whonix or Debian for enhanced privacy.
- Connection Options:
- Connect a burner phone to your laptop via cable.
- Use a laptop with built-in cellular internet capability.
- Deploy a portable router with a 3G/4G dongle connected via Ethernet.
Privacy and Anonymity Measures
- Anonymity Best Practices:
- Purchase SIMs and devices anonymously; never reuse SIM cards or devices.
- Use separate devices for different aliases and avoid carrying multiple devices together.
- Communication Security:
- Prefer secure messaging and VoIP apps over SMS and voice calls.
- Assume SMS and calls are monitored; use end-to-end encryption.
- Operational Security:
- Turn devices on/off in non-sensitive areas.
- Avoid creating physical or usage associations between aliases and devices.
Network Security
- Anonymizing Services:
- Use encrypted tunnels, Tor, VPNs, and SSH to mask IP and location.
- These services add layers of abstraction to protect your identity.
- Hardware and Network Setup:
- Buy routers and devices with cash; disable built-in Wi-Fi.
- Use Ethernet connections rather than wireless ones, and avoid Windows or macOS as the operating system.
Additional Precautions
- Location and Timing:
- Connect from busy areas, and vary times and locations to avoid patterns.
- Consider using voice changers and avoiding CCTV if necessary.
- Geolocation and Surveillance Avoidance:
- Keep moving or change locations periodically to prevent tracking.
- Position yourself in public places where you can monitor surroundings.
How to Intercept a Conversation Held on the Other Side of the Planet | PPT
NSA tracking cellphone locations worldwide, Snowden documents show – The Washington Post
Geolocation via Mobile Networks
Understanding how mobile networks can track you is essential for maintaining privacy. By disabling unnecessary wireless technologies, using dongles over phones, and employing strategies like repeaters, you can significantly enhance your anonymity and privacy in the mobile network space.

Tracking Methods
- Wi-Fi and MAC Address:
- Wi-Fi access points can be used for geolocation if your MAC address is known.
- Changing or randomizing your MAC address can help prevent this.
- Cellular Network Tracking:
- Cell Identification: Least accurate, places you in a general cell area.
- Triangulation: Uses signal strength from three towers to locate you more accurately.
- Forward Link Timing: The most accurate method using timing of signals.
- Silent SMS:
- Can be sent by operators to determine your location via connected towers.
- Device-based Tracking:
- If malware or software is installed, it can use cell ID, signal strength, and GPS (on phones, not dongles) for precise location.
- Hybrid Systems:
- Combine data like signal strength and GPS to pinpoint location, similar to Google Maps.
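For the Wi-Fi and MAC address item above and the earlier Wi-Fi and Bluetooth Tracking section, the following added example (not part of the original page) audits a device's own exposure: it checks whether a MAC has the locally administered bit set, as randomized addresses do, and lists which addresses recur across access points. The access point names and sightings are constructed, and the function names are hypothetical.

```python
import string
from collections import defaultdict

# Constructed sightings (not real captures): (access point name, client MAC seen there).
# 00:00:5e:00:53:xx is the IANA documentation range, standing in for a factory MAC.
SIGHTINGS = [
    ("cafe-ap", "00:00:5e:00:53:1a"),
    ("station-ap", "00-00-5E-00-53-1A"),
    ("cafe-ap", "da:a1:19:4f:02:9c"),
    ("station-ap", "56:7e:c3:88:01:aa"),
    ("office-ap", "00:00:5e:00:53:1a"),
]


def normalize(mac):
    """Return the lower-case colon-separated form; raise ValueError if malformed."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in string.hexdigits for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set, as it is on randomized MACs."""
    return bool(int(normalize(mac)[:2], 16) & 0x02)


def linkable_macs(sightings):
    """MACs seen at more than one access point, i.e. stable enough to follow a device."""
    seen = defaultdict(set)
    for ap, mac in sightings:
        seen[normalize(mac)].add(ap)
    return {mac: sorted(aps) for mac, aps in seen.items() if len(aps) > 1}


def audit(sightings):
    """For each linkable MAC, report where it was seen and whether it is a factory address."""
    return {
        mac: {"seen_at": aps, "factory_address": not is_locally_administered(mac)}
        for mac, aps in linkable_macs(sightings).items()
    }


if __name__ == "__main__":
    for mac, info in audit(SIGHTINGS).items():
        print(mac, info)
```

In the sample, only the fixed factory-style address recurs at three access points; the two locally administered addresses each appear once and cannot be linked to each other from this data.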
Privacy Protection Strategies
- Disable Wireless Technologies:
- Turn off Wi-Fi, Bluetooth, and GPS on your devices.
- Using Dongles:
- Prefer routers with 3G/4G dongles over phones to avoid embedded GPS.
- Avoiding GPS Tracking:
- GPS satellites don’t track; it’s the devices that transmit their location.
- Use Repeaters:
- Connect through repeaters to create a separation and mitigate direct geolocation.
- Movement and Variation:
- Constantly changing your location and moving can make it harder to pinpoint your position.
Get the last known location | Sensors and location | Android Developers
Conclusion
Mobile phones and cellular networks pose significant privacy and anonymity challenges due to their design for tracking and monitoring. While using secure messaging apps, VPNs, and being aware of network vulnerabilities can mitigate some risks, complete privacy on modern smartphones is nearly impossible. Users should take proactive steps, such as using burner phones and alternative operating systems, to protect their communications and data.