Here's a new danger to your smartphone security: your mobile device can be hijacked and tracked without your knowledge.
Remember Stingrays?
The controversial cell phone spying tool, also known as an "IMSI catcher," has long been used by law enforcement to track and monitor mobile users: it mimics a cellphone tower and tricks nearby devices into connecting to it. Sometimes it even intercepts calls and Internet traffic, sends fake texts, and installs spyware on a victim's phone.
Setting up such Stingray-type surveillance devices is, of course, expensive and takes a lot of effort, but researchers have now found a new, far cheaper way to do the same thing with a simple Wi-Fi hotspot.
Yes, a Wi-Fi network can capture IMSI numbers from nearby smartphones, allowing almost anyone to track and monitor people wirelessly.
The IMSI, or international mobile subscriber identity, is a unique 15-digit number that identifies a subscriber and is used when authenticating that subscriber to a network, including when moving from network to network. The number is stored in the read-only section of a SIM card and with the mobile operator.
Note!: Don't confuse the IMSI number with the IMEI number. IMSI is tied to a user, while IMEI is tied to a device.
Stealing your Fingerprints to Track you Everywhere
In the Wi-Fi auto-connect scenario, a handset that has previously joined an operator hotspot will reconnect on its own to any access point advertising the same network. Once it connects to the rogue access point, the access point extracts its IMSI number immediately, and that captured unique identifier then allows attackers to track your movements wherever you go.
Intercepting WiFi Calling to Steal Your Unique Identity Number
The researchers also demonstrated another attack vector whereby attackers can hijack the WiFi calling feature offered by mobile operators. This technology is different from voice calling in apps such as WhatsApp or Skype, which use their own voice over Internet Protocol service.
WiFi calling, which is supported on iOS and Android devices, allows users to make voice calls over WiFi by connecting to the operator's Evolved Packet Data Gateway (ePDG) over an encrypted IPsec tunnel.
Like the WiFi auto-connect feature, the Internet Key Exchange (IKEv2) protocol used to authenticate WiFi calling is based on identities such as the IMSI number, which are exchanged over EAP-AKA.
The EAP-AKA exchange is encrypted, but the problem is that the gateway is not authenticated with a certificate before the handset hands over its identity, so nothing stops an attacker from standing in for the ePDG.
This issue exposes the feature to man-in-the-middle (MITM) attacks, allowing attackers to intercept the traffic from a smartphone trying to make a call over WiFi and extract the IMSI number in seconds, the researchers said.
The good news is that you can disable the Wi-Fi calling feature on your device, but Wi-Fi auto connect can only be disabled when such a network is in range.
The researchers reported the issues to the mobile OS vendors, including Apple, Google, Microsoft and BlackBerry, and to the GSMA, the mobile operators' industry body, and have been working with them to ensure the future protection of the IMSI number.
Apple, as a result of conversations with the two researchers, has implemented a change in iOS 10 that lets handsets exchange pseudonyms rather than permanent identifiers, helping mitigate the threat.
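The identity leak described above, and the pseudonym fix it led to, come down to what a handset puts in its EAP identity before any authentication has taken place. The following Python is an added example, not code from the page, the researchers or any operator: it builds the EAP-Request/Identity a rogue access point would send (five bytes, no credential or certificate needed), parses the EAP-Response/Identity a handset answers with, and classifies the network access identifier (NAI) it carries using the leading-digit convention from RFC 4186 (EAP-SIM) and RFC 4187 (EAP-AKA), in which a permanent identity is the IMSI and a pseudonym hides it. The same NAI format appears in the IKEv2 identity payload sent toward the ePDG, so classify_nai applies to the WiFi calling path too. The sample packets are constructed here using the 3GPP test network codes (MCC 001, MNC 01); the pseudonym string is made up, and the realm layout follows 3GPP TS 23.003.

```python
"""Added example, not code from the page, the researchers or any operator.

Parses the identity a handset hands over before any authentication has
happened: EAP-Response/Identity on Wi-Fi, and the same NAI format in the
IKEv2 IDi payload toward an ePDG. Sample packets are constructed inline and
use the 3GPP test network codes (MCC 001, MNC 01); the pseudonym is made up.
"""
import re

EAP_CODE_REQUEST = 1
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

# Leading digit of the NAI username (RFC 4186 for EAP-SIM, RFC 4187 for EAP-AKA).
IDENTITY_KINDS = {
    "0": ("EAP-AKA", "permanent"),
    "1": ("EAP-SIM", "permanent"),
    "2": ("EAP-AKA", "pseudonym"),
    "3": ("EAP-SIM", "pseudonym"),
    "4": ("EAP-AKA", "fast-reauth"),
    "5": ("EAP-SIM", "fast-reauth"),
}

# Realm per 3GPP TS 23.003: <service>.mnc<3 digits>.mcc<3 digits>.3gppnetwork.org
# ("wlan" for Wi-Fi access, "nai.epc" for the ePDG); a 2-digit MNC is zero-padded.
REALM_RE = re.compile(
    r"^(?P<service>[a-z0-9.]+)\.mnc(?P<mnc>\d{3})\.mcc(?P<mcc>\d{3})\.3gppnetwork\.org$"
)


def build_identity_request(identifier=1):
    """The 5 bytes a rogue AP sends first. No credential or certificate is involved."""
    return bytes([EAP_CODE_REQUEST, identifier, 0, 5, EAP_TYPE_IDENTITY])


def build_identity_response(nai, identifier=1):
    """EAP-Response/Identity as a handset would answer (used here to build samples)."""
    body = nai.encode("ascii")
    header = bytes([EAP_CODE_RESPONSE, identifier]) + (5 + len(body)).to_bytes(2, "big")
    return header + bytes([EAP_TYPE_IDENTITY]) + body


def parse_eap(pkt):
    """Split an EAP packet into (code, identifier, type, type_data); reject bad lengths."""
    if len(pkt) < 5:
        raise ValueError("EAP packet too short")
    length = int.from_bytes(pkt[2:4], "big")
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    return pkt[0], pkt[1], pkt[4], pkt[5:]


def classify_nai(nai):
    """Say what an EAP-SIM/AKA NAI reveals: method, identity kind, operator, and IMSI if permanent."""
    user, _, realm = nai.partition("@")
    method, kind = IDENTITY_KINDS.get(user[:1], ("unknown", "unknown"))
    info = {"method": method, "kind": kind, "imsi": None, "mcc": None, "mnc": None,
            "imsi_matches_realm": None}
    m = REALM_RE.match(realm)
    if m:
        info["mcc"], info["mnc"] = m["mcc"], m["mnc"]
    if kind == "permanent":
        imsi = user[1:]
        # IMSI = MCC (3) + MNC (2 or 3) + MSIN, 15 digits at most.
        if re.fullmatch(r"\d{6,15}", imsi):
            info["imsi"] = imsi
            if m:
                # Realm MNC is always 3 digits; a 2-digit MNC appears there as "0xx".
                mnc_in_imsi = imsi[3:6] == m["mnc"] or imsi[3:5] == m["mnc"][1:]
                info["imsi_matches_realm"] = imsi[:3] == m["mcc"] and mnc_in_imsi
    return info


def classify_identity(pkt):
    """Parse an EAP-Response/Identity packet and classify the NAI it carries."""
    code, _, eap_type, data = parse_eap(pkt)
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    return classify_nai(data.decode("ascii"))


if __name__ == "__main__":
    # Constructed samples: a permanent EAP-AKA identity (what the attack harvests)
    # and a pseudonym (what a handset should send once pseudonyms are in use).
    for nai in ("0001010123456789@nai.epc.mnc001.mcc001.3gppnetwork.org",
                "27c0e5bd3a1f2@wlan.mnc001.mcc001.3gppnetwork.org"):
        print(nai, "->", classify_identity(build_identity_response(nai)))
```

Run as a script and the permanent identity yields the full IMSI plus the operator's MCC/MNC, while the pseudonym yields only the operator: that difference is the whole mitigation. The imsi_matches_realm check is the one thing worth adding in a monitoring context, since a permanent identity whose IMSI prefix disagrees with its realm is either malformed or worth a second look.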
The two researchers concluded their talk [slides PDF] by showing a proof-of-concept system that demonstrates their IMSI catcher using passive as well as active techniques.
Source: The Hacker News