Remember Stingrays?
The controversial cell phone spying tool, also known as an "IMSI catcher," has long been used by law enforcement to track and monitor mobile users by mimicking a cell tower and tricking their devices into connecting to it. Sometimes it even intercepts calls and Internet traffic, sends fake texts, and installs spyware on a victim's phone.
Setting up such Stingray-type surveillance devices, of course, is expensive and takes a lot of effort, but researchers have now found a new, cheaper way to do the same thing with a simple Wi-Fi hotspot.
Yes, a Wi-Fi network can capture IMSI numbers from nearby smartphones, allowing almost anyone to track and monitor people wirelessly.
IMSI, or International Mobile Subscriber Identity, is a unique 15-digit number used to authenticate a subscriber when moving from network to network. The number is stored in the read-only section of a SIM card and with the mobile operator.
Note: Don't confuse the IMSI number with the IMEI number. IMSI is tied to a subscriber, while IMEI is tied to a device.
Stealing Your Fingerprints to Track You Everywhere
In a presentation at Black Hat Europe, researchers Piers O'Hanlon and Ravishankar Borgaonkar from Oxford University demonstrated a new type of IMSI catcher attack that operates over WiFi, allowing anyone to capture a smartphone's IMSI number within a minute as the users pass by.
The attack would then use that IMSI number to spy on the user's every movement.
The actual issue lies in the way most modern smartphones in the world, including Android and iOS devices, connect to Wi-Fi networks.
There are two widely implemented protocols in most modern mobile operating systems:
- Extensible Authentication Protocol (EAP)
- Authentication and Key Agreement (AKA) protocols
These protocols allow smartphones to auto-connect to public WiFi hotspots.
Modern smartphones are programmed to automatically connect to known Wi-Fi networks by handing over their IMSI numbers to log into the network, without the owner's interaction.
So, by exploiting the WiFi authentication protocols, attackers could set up a "rogue access point" masquerading as a well-known WiFi network and trick smartphones in range into connecting.
Once connected, the rogue access point extracts their IMSI numbers immediately. This captured unique identifier of your smartphone would then allow attackers to track your movements wherever you go.
Intercepting WiFi Calling to Steal Your Unique Identity Number
The researchers also demonstrated another attack vector whereby attackers can hijack the WiFi calling feature offered by mobile operators.
This technology is different from voice calling in the WhatsApp or Skype app, which uses Voice over Internet Protocol.
WiFi calling, which is supported on iOS and Android devices, instead allows users to make voice calls over WiFi by connecting to the operator's Edge Packet Data Gateway (EPDG) using the encrypted IP security (IPSec) protocol.
Like the WiFi auto-connect feature, the Internet Key Exchange (IKEv2) protocol used for authenticating WiFi calling is also based on identities such as the IMSI number, which are exchanged over EAP-AKA.
EAP-AKA exchanges are encrypted, but the problem is that they are not protected by a certificate.
This issue exposes the feature to man-in-the-middle (MITM) attacks, allowing attackers to intercept the traffic from a smartphone trying to make a phone call over WiFi and quickly extract the IMSI number in seconds, the researchers said.
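Both the WiFi auto-connect case and the WiFi calling case above hinge on the same detail: the identity a handset sends in its EAP-Response/Identity is either the permanent IMSI-based identity or a pseudonym. The following audit script is an added example (not code from the article or from the Oxford researchers) that an operator or handset tester can run over captured EAP Identity responses to check whether a device is still disclosing its permanent identity, the very thing the pseudonym mitigation mentioned later is meant to stop. It assumes the identity conventions of RFC 4187 (EAP-AKA) and RFC 4186 (EAP-SIM), where the leading character of the NAI username marks the identity type, and the WLAN realm format from 3GPP TS 23.003; the EAP packets and the IMSI/pseudonym values below are constructed test input.

```python
"""Classify the identity carried in an EAP-Response/Identity packet.

Added example, not from the original article.  Assumes the NAI prefix
conventions of RFC 4187 / RFC 4186 and the realm format
wlan.mnc<MNC>.mcc<MCC>.3gppnetwork.org from 3GPP TS 23.003.  All sample
packets below are constructed.
"""
import re
import struct
from dataclasses import dataclass
from typing import Optional

EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

# Leading NAI character -> (method, identity kind), per RFC 4187 / RFC 4186.
IDENTITY_PREFIXES = {
    "0": ("EAP-AKA", "permanent"),
    "2": ("EAP-AKA", "pseudonym"),
    "4": ("EAP-AKA", "fast-reauth"),
    "1": ("EAP-SIM", "permanent"),
    "3": ("EAP-SIM", "pseudonym"),
    "5": ("EAP-SIM", "fast-reauth"),
}

# 3GPP WLAN interworking realm; the MNC is zero-padded to three digits.
REALM_RE = re.compile(r"^wlan\.mnc(\d{3})\.mcc(\d{3})\.3gppnetwork\.org$")


@dataclass
class IdentityReport:
    method: str
    kind: str
    imsi: Optional[str]  # populated only for a permanent identity
    mcc: Optional[str]
    mnc: Optional[str]
    leaks_imsi: bool


def build_eap_identity_response(identifier: int, nai: str) -> bytes:
    """Build a constructed EAP-Response/Identity packet for testing.

    EAP header: Code(1) Identifier(1) Length(2) Type(1) Type-Data(...)
    """
    data = nai.encode("ascii")
    header = struct.pack("!BBHB", EAP_CODE_RESPONSE, identifier,
                         5 + len(data), EAP_TYPE_IDENTITY)
    return header + data


def parse_eap_identity(packet: bytes) -> str:
    """Return the identity string from an EAP-Response/Identity packet."""
    if len(packet) < 5:
        raise ValueError("packet shorter than EAP header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != EAP_CODE_RESPONSE:
        raise ValueError(f"not an EAP Response (code {code})")
    if length < 5 or length > len(packet):
        raise ValueError("EAP length field inconsistent with packet")
    if packet[4] != EAP_TYPE_IDENTITY:
        raise ValueError(f"not an Identity packet (type {packet[4]})")
    return packet[5:length].decode("ascii")


def is_identity_response(packet: bytes) -> bool:
    """True if the packet is a well-formed EAP-Response/Identity."""
    try:
        parse_eap_identity(packet)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def classify_identity(nai: str) -> IdentityReport:
    """Classify a 3GPP NAI as permanent, pseudonym or fast re-auth."""
    username, _, realm = nai.partition("@")
    if not username:
        raise ValueError("empty username in NAI")
    method, kind = IDENTITY_PREFIXES.get(username[0], ("unknown", "unknown"))
    mcc = mnc = imsi = None
    m = REALM_RE.match(realm)
    if m:
        mnc, mcc = m.group(1), m.group(2)
    if kind == "permanent":
        body = username[1:]
        # An IMSI is up to 15 digits: MCC(3) + MNC(2-3) + MSIN.
        if body.isdigit() and 6 <= len(body) <= 15:
            imsi = body
    return IdentityReport(method, kind, imsi, mcc, mnc, imsi is not None)


def audit_packet(packet: bytes) -> IdentityReport:
    """Parse one EAP Identity response and report whether it leaks an IMSI."""
    return classify_identity(parse_eap_identity(packet))


if __name__ == "__main__":
    # Constructed sample identities (MCC/MNC/IMSI values are not real subscribers).
    samples = [
        "0234150999999999@wlan.mnc015.mcc234.3gppnetwork.org",  # permanent
        "2a1b2c3d4e@wlan.mnc015.mcc234.3gppnetwork.org",        # pseudonym
    ]
    for i, nai in enumerate(samples, start=1):
        print(audit_packet(build_eap_identity_response(i, nai)))
```

A handset that answers the Identity request with a "0"-prefixed username is handing over its IMSI to whoever operates the access point; one that answers with a "2"- or "4"-prefixed username is using the pseudonym or fast re-authentication identity the operator issued earlier, which is the behaviour the iOS 10 change described below aims for.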
The good news is that you can disable the Wi-Fi calling feature on your device, but Wi-Fi auto-connect can only be disabled when such a network is in range.
The researchers reported the issues to both the mobile OS companies, including Apple, Google, Microsoft and Blackberry, and operator bodies such as the GSMA, and have been working with them to ensure the future protection of the IMSI number.
Apple, as a result of conversations with the pair of researchers, has implemented a new technology in iOS 10 that allows handsets to exchange pseudonyms rather than identifiers, helping mitigate the threat.
The pair concluded their research [slides PDF] by showing a proof-of-concept system that demonstrates their IMSI catcher employing passive as well as active techniques.