Remember Stingrays?
The controversial cell phone spying tool, also known as an "IMSI catcher," has long been used by law enforcement to track and monitor mobile users by mimicking a cellphone tower and tricking their devices into connecting to it. Sometimes it even intercepts calls and Internet traffic, sends fake texts, and installs spyware on a victim's phone.
Setting up such Stingray-type surveillance devices is, of course, expensive and takes a lot of effort, but researchers have now found a new, cheaper way to do the same thing with a simple Wi-Fi hotspot.
Yes, a Wi-Fi network can capture IMSI numbers from nearby smartphones, allowing almost anyone to track and monitor people wirelessly.
The IMSI, or international mobile subscriber identity, is a unique 15-digit number used to authenticate a person when moving from network to network. The number is stored in the read-only section of a SIM card and with the mobile operator.
Note: Don't confuse the IMSI number with the IMEI number. IMSI is tied to a user, while IMEI is tied to a device.
Stealing your Fingerprints to Track you Everywhere
In a presentation at BlackHat Europe, researchers Piers O'Hanlon and Ravishankar Borgaonkar from Oxford University demonstrated a new type of IMSI catcher attack that operates over WiFi, allowing anyone to capture a smartphone's IMSI number within a second as users pass by.
The attack would then use that IMSI number to spy on the user's every movement.
The actual issue resides in the way most modern smartphones, including Android and iOS devices, connect to Wi-Fi networks.
There are two widely implemented protocols in most modern mobile operating systems:
- Extensible Authentication Protocol (EAP)
- Authentication and Key Agreement (AKA) protocols
These protocols allow smartphones to auto-connect to public WiFi hotspots.
Modern smartphones are programmed to automatically connect to known Wi-Fi networks by handing over their IMSI numbers to log into the network, without the owner's interaction.
So, attackers exploiting the WiFi authentication protocols could set up a "rogue access point" masquerading as a well-known WiFi network and trick smartphones in range into connecting.
Once a phone connects, the rogue access point extracts its IMSI number immediately. This captured unique identifier of your smartphone would then allow attackers to track your movements wherever you go.
Intercepting WiFi Calling to Steal Your Unique Identity Number
The researchers also demonstrated another attack vector whereby attackers can hijack the WiFi calling feature offered by mobile operators.
This technology is different from voice calling in apps such as WhatsApp or Skype, which use voice over Internet Protocol.
WiFi calling, which is supported on iOS and Android devices, instead allows users to make voice calls over WiFi by connecting to the operator's Edge Packet Data Gateway (EPDG) using the encrypted IP security (IPSec) protocol.
Like the WiFi auto connect feature, the Internet Key Exchange (IKEv2) protocol used for authenticating WiFi calling is also based on identities such as the IMSI number, which are exchanged over EAP-AKA.
EAP-AKA exchanges are encrypted, but the problem is that they are not protected by a certificate.
This issue exposes the feature to man-in-the-middle (MITM) attacks, allowing attackers to intercept the traffic from a smartphone trying to make a call over WiFi and extract the IMSI number in seconds, the researchers said.
The good news is that you can disable the Wi-Fi calling feature on your device, but Wi-Fi auto connect can only be disabled when such a network is in range.
The researchers reported the issues to both the mobile OS companies, including Apple, Google, Microsoft and Blackberry, and the operators such as GSMA, and have been working with them to ensure the future protection of the IMSI number.
Apple, as a result of conversations with the two researchers, has implemented a new technology in iOS 10 that allows handsets to exchange pseudonyms and not identifiers, helping mitigate the threat.
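As an added example (not from the researchers or the original article), the sketch below shows how a tester could check EAP identity strings recorded from their own lab handsets to see whether a device sent its permanent identity instead of a pseudonym. It assumes the convention from RFC 4186, RFC 4187 and RFC 5448 that a permanent username is a method digit followed by the IMSI; the function names, device labels and sample identities are constructed for illustration.

```python
import re

# Permanent usernames are a method digit followed by the IMSI:
# "0" EAP-AKA (RFC 4187), "1" EAP-SIM (RFC 4186), "6" EAP-AKA' (RFC 5448).
METHOD_BY_PREFIX = {"0": "EAP-AKA", "1": "EAP-SIM", "6": "EAP-AKA'"}
# Assumption: IMSIs seen in practice are 14 or 15 digits long.
PERMANENT_RE = re.compile(r"^([016])(\d{14,15})$")


def classify_identity(nai):
    """Classify one EAP identity (NAI) without echoing the full IMSI."""
    username, _, realm = nai.strip().partition("@")
    match = PERMANENT_RE.match(username)
    if match is None:
        # Pseudonym, fast re-authentication id, or a non-SIM identity.
        return {"kind": "temporary-or-other", "method": None,
                "realm": realm.lower(), "redacted": None}
    prefix, imsi = match.groups()
    return {
        "kind": "permanent",
        "method": METHOD_BY_PREFIX[prefix],
        "realm": realm.lower(),
        # Keep only the 3-digit mobile country code; mask the rest.
        "redacted": imsi[:3] + "*" * (len(imsi) - 3),
    }


def audit(observations):
    """Return (device, finding) pairs for devices that sent a permanent identity."""
    findings = []
    for device, nai in observations:
        result = classify_identity(nai)
        if result["kind"] == "permanent":
            findings.append((device, result))
    return findings


# Constructed sample data using the 001/01 test network code, not real subscribers.
SAMPLE = [
    ("lab-phone-a", "0001010123456789@wlan.mnc001.mcc001.3gppnetwork.org"),
    ("lab-phone-b", "2Zk3vQ9pX1aB7Lm@wlan.mnc001.mcc001.3gppnetwork.org"),
    ("lab-phone-c", "1001010123456789@wlan.mnc001.mcc001.3gppnetwork.org"),
]

if __name__ == "__main__":
    for device, finding in audit(SAMPLE):
        print(device, finding["method"], finding["redacted"], finding["realm"])
```

A handset that only ever shows up as `temporary-or-other` in such an audit is behaving the way the pseudonym mitigation intends.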
The duo concluded their research [slides PDF] by showing a proof-of-concept system that demonstrates their IMSI catcher employing passive as well as active techniques.