Google has introduced a new security feature in Android 14 that allows IT administrators to disable support for 2G cellular networks in their managed device fleet.
The search giant said it's introducing a second user setting to turn off support, at the model level, for null-ciphered cellular connections.
"The Android Security Model assumes that all networks are hostile to keep users safe from network packet injection, tampering, or eavesdropping on user traffic," Roger Piqueras Jover, Yomna Nasser, and Sudhi Herle said.
"Android does not rely on link-layer encryption to address this threat model. Instead, Android establishes that all network traffic should be end-to-end encrypted (E2EE)."
2G networks, in particular, employ weak encryption and lack mutual authentication, rendering them susceptible to over-the-air interception and traffic decryption attacks by impersonating a real 2G tower.
The threat posed by rogue cellular base stations means that it could be weaponized by malicious actors to intercept communication traffic, distribute malware, as well as launch denial-of-service (DoS) and adversary-in-the-middle (AitM) attacks, posing surveillance concerns.
In June 2020, Amnesty International disclosed how a Moroccan journalist was targeted with network injection attacks, likely using a fake cell tower to deliver the Pegasus spyware.
To make matters worse, an adversary could launch a stealthy downgrade attack using advanced cell-site simulators (aka Stingrays) that force the handsets to connect to a 2G network by taking advantage of the fact that all existing mobile devices still feature support for 2G bands.
Google, in an attempt to address some of these concerns, added an option to disable 2G at the modem level with Android 12 in early 2022. As a next logical step, the company is now putting in place a new restriction that prevents a device's ability to downgrade to 2G connectivity.
Also tackled in the upcoming release of the mobile operating system is the risk of null ciphers (non-encrypted mode or GEA0) in commercial networks, which exposes user voice and SMS traffic, including one-time passwords (OTPs) to trivial on-the-fly interception attacks.
The disclosure comes as Google said that it's enabling E2EE for RCS conversations in its Messages app for Android by default for new and existing users, although the company notes that some users may be asked to agree to Terms of Service provided by their carrier network.
It also follows its plans to add support for Message Layer Security (MLS) to the Messages app for interoperability across other messaging services.
While Google has attempted to publicly pressurize Apple into adopting RCS, the iPhone maker appears to be content with iMessage for encrypted messaging. Nor has it expressed any interest in releasing a version of iMessage for Android, forcing users texting between the two operating systems to switch to a third-party messaging alternative, or worse, use unencrypted SMS.
Update
Google, at the Black Hat USA security conference on August 9, 2023, outlined details of a now-patched zero-click attack impacting its Pixel 6 modem stack that could permit an adversary to hijack target devices that fall into the range of a malicious cell tower from as far as three miles away simply by initiating a phone call.
This includes a pair of critical vulnerabilities tracked as CVE-2022-20170 and CVE-2022-20405 (CVSS scores: 9.8), which could be chained together to downgrade a Pixel phone's cellular modem communication to 2G and seize control of the handset using a software radio. The flaws were patched by Google in June and August 2022.
