From Making Sense of Cyber Security by Thomas Kranz
It’s easy to forget that phones are powerful computers in their own right, vulnerable to the same threats as laptops or desktops. Mobile networks also contain many vulnerabilities that attackers can leverage. This article gives an overview of how mobile networks communicate with mobile devices and the threats therein.
Mobile phones, SMS, and 5G
Mobile phones pose a large security problem. Many people still think of their mobile phone as a smaller, portable version of a desk phone – it’s there to make calls. Our mobiles, however, are also portable, powerful computers, running complex applications, and with a constant connection to the Internet. Most mobile phones have more memory than a cheap laptop, and multi-core processors that run as fast as a desktop machine.
My current mobile phone, for example, has more processing power and memory than a Silicon Graphics supercomputer which I installed and operated in the early 2000s.
These mobile computers have all the same problems with malware – and the same solutions – as laptops and desktops. The extra layer of security complexity comes with how a mobile phone communicates with the mobile network.
Let’s have a look at a simple diagram which shows how your mobile connects to your mobile phone provider’s network. We can immediately see how similar a mobile phone network is to a WiFi network. Much like a WiFi network, each cell tower in a mobile network is broadcasting a constant signal “Connect to me” over an area, which is called a cell. (Which is why some people call mobile phones cell phones). Our mobile connects to the nearest tower, and then exchanges some data – the ID of the mobile phone (called the IMEI), the ID of the network, what sort of speed they operate at, and how much bandwidth the cell tower gives to the mobile phone.
Figure 1. A simple view of how a mobile phone network works, showing data connections to the Internet, and voice/SMS connections to another user’s mobile phone.
When we’re in another country, or the nearest cell tower belongs to a different mobile network provider, the connection is slightly more complex. This situation is called roaming – and if you’re unlucky, you’ll have been caught by the harsh charges other networks charge to route your data and calls. The connection takes place, as above, but the cell tower then talks over the network to a cell tower or network device that belongs to your mobile service provider, who then authenticates your device and access.
Figure 2. How our phone connects to a different mobile provider’s network. Note data is still sent out via our ‘home’ mobile network, but that voice/SMS is sent within our roaming network when needed.
All of this introduces a few problems, and with those problems come some security risks.
We have the same problems with malware on a mobile phone as we do on our desktops and laptops, which makes sense when we think of our phones as powerful, portable, always networked computers. Viruses first started appearing on Nokia’s Symbian handsets, back in the early 2000s when Nokia had more than ninety percent of the mobile phone market.
Complex trojans still manage to evade the security scans and software controls of Google and Apple’s app stores, and unless you know what you’re doing, downloading apps from third party websites can be even more risky. As with PCs, the phone vendors are building protection mechanisms into the operating system, and there’s a range of anti-malware software available that can be installed.
5G, the next generation mobile communication protocol, brings us much greater bandwidth to our mobile devices. The downside is that this enables malware to copy and upload larger amounts of our sensitive data before being detected. Again, like with PCs, mobile phones have firewall apps (like Netguard and Blokada) which can be installed to block outgoing traffic. As an added bonus, these also block requests to advertising and tracking websites, enhancing privacy, reducing the amount of data we use, and helping improve the speed of apps and web browsing.
Each modern phone has a unique identifier, a “network identity,” called an International Mobile Equipment Identity (IMEI). Each time our mobile phone connects to a cell tower, it broadcasts the IMEI: a sort of “hey, network, it’s me!”.
Figure 3. A simple example of how IMEI cloning works. If not spotted, the attacker can use our talk time, data, and can send out SMS spam and malware.
This IMEI is broadcast not only from your phone to the nearest tower, but from that tower to other towers. All of this happens in the clear –this data isn’t encrypted. This means that an enterprising attacker can set up relatively cheap equipment to scan for an IMEI, and then clone it by programming the same number into their phone.
IMEI cloning has been going on from when digital GSM mobile phones were first developed, and it’s a way for an attacker to steal your data and talk time. Devices to clone and reprogram IMEIs are cheap and common – this is an easy attack to carry out. Network providers have developed large, complex fraud detection systems to tackle the problem of cloning. These systems are constantly monitoring where and how often an IMEI is being picked up by their network.
If I’m using my IMEI in Milan, and then suddenly the network notices that minutes later, my IMEI has popped up in New York, the provider knows that this is fraud, and the IMEI is locked from the network. In many countries in Europe, IMEI cloning is illegal, with jail time if caught. Network providers, by law, have to lock an IMEI if asked and have to authenticate a user with an ID to unlock the IMEI.
Along with IMEI cloning, another cheap and easy attack is intercepting and spoofing SMS (Short Messaging Service) messages – what most people call texts. Again, the equipment to do this is cheap and freely available, and the problem comes down to how the networks send SMS messages.
Calls and texts use a special protocol called SS7 (Signaling System No.7). Regardless of the data protocol (2G, HSDPA, 5G, etc.) all phone networks support and provide SS7 – it’s the scaffolding across all networks which allows us to call and text someone on the other side of the world.
To make it easy for every network provider to handle and pass on calls and text messages, SS7 has weak encryption and no authentication. SS7 was developed when there were only a handful of state controlled mobile network providers, and trust between networks wasn’t an issue. Because of this, it’s possible to craft SS7 messages to a network that diverts incoming texts to our malicious phone or device, and then forwards spoofed texts to the end user. We can also setup fake cell towers, and intercept all user data that way. This is another example of a Man-In-The-Middle attack, like what can happen on a dodgy WiFi network.
Additionally, an attacker can use SS7 commands to track a specific user, by tracing their mobile phone number as it is broadcast between cell towers. With the density of cell towers in a city, it’s possible to track someone down to where on a street they are at. None of this requires expensive or bulky equipment – we can do this for less than the price of a decent laptop, and carry all the gear needed in a small backpack.
Back in 2014, at the Chaos Communications Congress in Berlin, researchers Tobias Engel and Karsten Nohl presented two different talks that showed how easy it was to track mobile phone users, intercept SMS messages, and even send commands with SS7 to force a user’s phone to dial premium paid numbers – in the background.
SS7 used to be a closed system, and it was difficult for researchers to play with. Because the protocol has been opened up for third parties to provide extra services, we’ve been able to dig into how it all works.
Let’s revisit our diagram showing how our mobile phone communicates when we’re unconnected to our home network:
Figure 4. A reminder of how network roaming works.
Now, let’s look at the two different ways we can cause problems with SS7. The diagram below shows that we can plant a fake cell tower onto the network – by being closer to the user, and broadcasting with more power, the user’s phone automatically connects to it. This is how Stingray interception devices used by law enforcement (and criminals) work. You’ll notice that this works a lot like the malicious WiFi Network Access Point.
Figure 5. How a malicious cell tower – or law enforcement Stingray device – can intercept our mobile network connection.
By taking advantage of the constant messages sent between our mobile phone and cell towers outside our home network (which is legitimate traffic) we can also trick our home network into thinking our mobile has moved somewhere else. This enables us to intercept and spoof SMS messages.
A mobile phone network contains more than cell towers. Special components which are used to track a phone’s location (to make most efficient use of the cell tower bandwidth), that register and authenticate a user on the network, and that decide where and how to route calls and data, exist. An SMS spoofing/interception attack uses three of these devices:
- The Mobile-services Switching Center (MSC): This is the interface between the radio network (the cell towers) and the physical network of servers and services. As the name implies, the MSC’s job is to switch (direct) mobile services like SMS, voice, and data, between the two networks.
- The Home Location Register (HLR): This is a database that contains the details of every mobile phone which is authorized to use the network. Multiple HLRs are on a network, but a user can only be registered on one of them. The HLR is used by the MSC to understand where to route the services to, and our phone can use them.
- The Short Message Service Gateway (SMSC): This is the gateway between the radio network (the cell towers) and the central Short Message Service Centre, which is what processes all SMS messages.
When our phone connects to a network, as well as broadcasting our IMEI, as part of the network authentication process, our mobile number is sent to the network as well. Although it looks like a phone number to us, mobile providers call it the Mobile Station International Subscriber Directory Number (MSISDN). We also have a unique identifier on every single SIM card, which is called an International Mobile Subscriber Identity (IMSI). Together, these two numbers are used to tell the network where are we, and the MSC can properly route calls and SMS messages to us.
Figure 6. A simplified view of the normal sequence of events when we register with the mobile network, and SMS messages get routed to our phone.
So far, so good – if a bit acronym heavy. Let’s summarize the steps in bullet points to make it easy to see where the problem is:
- We register our IMSI and MSISDN with our nearest HLR
- The HRL tells the MSC where we’re located
- The MSC routes all SMS traffic through our nearest SMS-C
- The SMS-C is able to send SMS messages to our closest cell tower
Think back to our malicious WiFi hotspot example, or our IMEI cloning example. Can you spot the step where an attacker can intercept – and spoof – our SMS messages?
The problem lies with registering with the Home Location Register (HLR). The same cheap, easy to setup, and easy to deploy equipment that can sniff IMEI is being broadcast to the network, can also catch IMSI and MSISDN numbers. These numbers are all constantly being broadcast, updating the numerous HLRs on the network as we move around. All our attacker has to do is register our IMSI and MSISDN numbers, and then the Mobile-services Switching Center routes our SMS messages to the attacker. Let’s look at how that could be used in an attack:
Figure 7. How an attacker can intercept our SMS messages. Exactly the same technique allows the attacker to spoof SMS messages, making them appear to be from us.
A lot’s going on in that diagram; let’s list the steps out in bullet point as well, to make the sequence of events clear:
- The attacker uses a fake MSC to register our IMSI and MSISDN with an HLR
- The HRL tells the MSC that ‘we’ are in a new location
- We try to login to our online banking, which uses SMS authentication
- Our bank sends us an SMS message to authenticate our login
- The MSC sends the SMS message to the SMS-C
- The SMS-C asks the HLR where we’re located. The HLR tells the SMS-C the attacker’s location
- And our SMS authentication message ends up with the attacker
Again, this is a powerful attack, and all of the equipment needed is readily available, and costs less than a new Apple laptop. Think of all the online services that use SMS as a secondary authentication method, alongside a username and password:
- Online banking (obviously)
- Cryptocurrency exchanges (Bitcoin)
- And many more …
Also, as SMS messages (and phone calls) from the attacker appear to be coming from us, it allows an attacker to request things like a mobile number or password change on an account. This attack has been used to take over celebrities’ Twitter accounts, and to steal hundreds of thousands of dollars’ worth of Bitcoin from online exchanges. A Forbes article told the sorry tale of a Bitcoin pioneer who had millions of dollars in Bitcoin transferred out of his account, by attackers using these same SMS intercept and spoofing attacks.
As SMS messages are easy to spoof, try to avoid using SMS authentication as the sole means to secure things like your banking or online services accounts. Almost all online services now support more secure – and easier to use – solutions to securing those accounts.
Problems with 5G
No, 5G doesn’t give you COVID-19, and despite the best efforts of conspiracy theorists, 5G cell towers also don’t beam out mind control rays. I’m also going to ignore the ongoing argument about Huawei and their role in providing 5G technology to network providers: all governments use the communication networks to spy on each other, there are no surprises or shocking revelations there.
Some security issues exist with the 5G protocol itself, and they’re down to how the previous mobile communication protocols were developed. 5G is the fifth generation of mobile communication protocols developed globally by industry working groups, the two main ones being the Global System for Mobile Communications Association (GSMA), and the 3rd Generation Partnership Project (3GPP). Here’s what the evolution of these protocols looks like, showing the technologies each uses, and the data transfer rates they are capable of:
Figure 8. How the various mobile technologies have evolved. Note the rapidly increasing data transfer rates.
As a communications protocol, 5G has to be backwards compatible with all the previous protocols – otherwise you wouldn’t be able to, well, communicate. The mish mash of broadcast frequencies and protocols in the US is, frankly, pretty broken, but across the rest of the world, 2G is still used a lot, because it is able to travel longer distances, and can cope with obstacles blocking the signal much better. As the bandwidth made available by each protocol increases, the distance the signal travels becomes shorter, and the greater the number of cell towers are needed. Each generation of protocol makes more efficient use of the broadcast frequency (the spectrum) and each cell tower can give more bandwidth to more users.
Figure 9. Comparing the different mobile protocols.
As we can see from the above two diagrams, 5G provides the most bandwidth, but its signal travels the shortest distance, and it needs more cell towers to provide coverage. 2G, on the other hand, is the opposite – not much bandwidth, but great signal transmission and penetration. All this means that 2G remains popular globally – not only for mobile phones, but for all sorts of devices that need to communicate wirelessly over long distances.
This is why backwards compatibility is important – we still need to make voice calls and send SMS messages to the hundreds of millions of older phones and devices out there.
Because of this backwards compatibility, the full 5G communications protocol still includes all the old communication and authentication methods that make 2G, SMS, and voice calls work – like our friend SS7. This means that the same attacks to clone IMEI numbers, and intercept and spoof SMS messages, still work on 5G.
Making the problem worse, the increase in bandwidth each new protocol generation gave us, created a boom in the number of smart devices that communicate wirelessly.
Out of the following list of devices, which do you think communicate wirelessly over the mobile network?
- Smart electricity/gas meter?
- Electric car charging point?
- Traffic light cameras?
- CCTV cameras?
- Wind turbines?
- Aircraft jet engines?
- A nice new Tesla, BMW, or Mercedes?
If you guess “All of the above”, you’d be correct. They all have some version of mobile communication built into them.
A few years ago, my friend was showing off the text to speech capability of his new BMW. He’d enabled the option to allow you to send an SMS to the car, and it reads out the message for you as you drive. Amazing tech!
I waited until he was out driving with his wife, then spoofed an SMS message to his car, pretending to be his pregnant mistress. Apparently, they didn’t see the funny side, but I laughed for days. Top marks for BMW technology from me.
This huge increase in devices makes it ever more difficult for the companies running the mobile phone networks to spot, and stop, fraud like duplicate IMEIs. We’re in an arms race between manufacturers, service providers, and attackers: with all the speed and coverage increase that 5G brings, this is a problem that will only get worse.
We also have the problem of botnets – malicious networks of compromised machines. As a portable computer, a mobile phone has a decent amount of security either built in, or available to install. Smart meters, wind turbines, and CCTV cameras don’t have that level of security available, because the manufacturer wants to keep the price down for mass production. This means that a lot of these devices are vulnerable to security attacks we thought had been solved decades ago.
For example, CCTV cameras often have no passwords on their admin accounts – and when they do have a password, it’s the same one across thousands of that model. Botnet operators have been busy installing malware across devices like these, providing them with a huge network of devices they can launch attacks from.
Back in 2016, for example, security company Securi uncovered (and stopped) an attack that was launched from a botnet of 25,000 compromised CCTV cameras. Although a simple distributed denial of service (DDoS) attack that was aimed at clogging up a vendor’s website, botnets like this have been used to launch more sophisticated attacks – like fraudulently registering clicks on a website advert, generating income for the attackers from the publishing network.
Unlike a PC, we can’t install some patches across a network of charging stations or CCTV cameras – it’s too time consuming (and therefore expensive) for the operators. In many cases, the manufacturers don’t provide security patches or updates at all. With the increase in the number of devices, and the bandwidth they have available to them, that comes with 5G, we’re going to see this becoming more and more of an issue.
Individually there’s little we can do about the poor level of security on the increasing number of connected, smart devices – the Internet of Things (IoT). We have control over our own mobile phones – our personal portable supercomputers.
Ultimately, you should treat security on your mobile phone the same way you treat security on your laptop:
- Keep your operating system and applications updated
- Don’t install applications from unofficial sources
- Install some anti-malware software, and a firewall, and keep it up to date
Remember our Four Golden Rules of Malware Security:
- Keep our operating system patched and up to date
- Keep our applications patched and up to date
- Install anti-malware software, and a software firewall, and keep them up to date
- Don’t click on email attachments (unless you’re absolutely, positively certain it’s an attached file you were expecting)
That’s all for this article. If you want to learn more about the book, you can preview its contents on our browser-based liveBook platform here.