Editors note: This is an excerpt from the book, “COMSEC: Off-the-Grid Communications Strategies for Privacy Enthusiasts, Journalists, Politicians, Crooks, and the Average Joe.”
CHAPTER 1 (CONTINUED): THE INSECURITY OF SMS AND STANDARD VOICE CALLING
Cellular telephone calls and SMS messages are both insecure and non-private. Your calls are accessible to the CSP. The content of all your SMS text messages is fully saved and recorded by your CSP. In addition to the content, all of the metadata about these transactions is recorded and stored, as well. This creates a privacy nightmare that is just waiting to happen.
All it takes to verify this is a quick look at your cellular phone bill. The bill will show a long list of incoming and outgoing calls, incoming or outgoing SMS messages, and in some cases even the city where your phone was located at the time of the event. All of this metadata about your calls and texts, and the content of your texts, is stored for a minimum of five years. This information is consistently abused by CSPs who monetize it.
Verizon: On the counts of collecting and monetizing metadata and failing to provide meaningful protection to calls and messages, Verizon Wireless is perhaps the worst offender of the top-tier CSPs. Verizon sells your location data. While encrypting your calls is standard industry practice, Verizon fails to do so. We don’t mean to imply that any of the major cellular providers are much better; we only mean to point out that Verizon is particularly notorious in this regard.
Government Access: Because your cellular calls are either encrypted poorly or not at all, their content is available to governments. Governments may access the content of your calls and SMS through the application of legal pressure. Governments may also access your calls without the complicity of the CSP through the use of a cell site simulator. A cell site simulator is an electronic device that puts out a very strong signal that your phone will recognize as a cell tower. If you are within its range and your phone assesses its signal to the strongest signal available, your phone will connect to the simulator.
Once your device is connected to the cell site simulator, all of your traffic will flow through the simulator where it is collected. Your only defense against this type of attack is to use strong encryption. Though we are not anti-law enforcement, we do recognize that these types of devices are frequently used without warrants, and they frequently capture the conversations of people other than the intended target. Neither of us are criminals, nor do we condone criminal activity, but neither of us want to be swept up as “incidental collection”.
SS7 Vulnerability: Modern cellular carriers utilize a routing protocol known as Signaling System 7 (SS7). This protocol was designed in the mid-1970s and allows carriers to exchange information between each other. This information is used to pass calls and messages between carriers, and to keep track of billing and usage. It is also used to verify roaming plans before devices are allowed to access other networks. Unfortunately, this protocol has some major systemic vulnerabilities.
Hackers are sometimes able to break into the SS7 system. This provides capabilities similar to those of government actors. Hackers can forward calls and texts silently so that your device will give no indication of an incoming call. This could be used to deny you service, ascertain with whom you are communicating, or capture two-factor authentication tokens sent via phone call or text. Hackers can also view text messages sent via standard SMS between devices and track your location through the exact same protocols that CSPs and government actors do.
Editors note: This is an excerpt from the book, “COMSEC: Off-the-Grid Communications Strategies for Privacy Enthusiasts, Journalists, Politicians, Crooks, and the Average Joe.”
CHAPTER 1 (CONTINUED): THE INSECURITY OF SMS AND STANDARD VOICE CALLING
Cellular telephone calls and SMS messages are both insecure and non-private. Your calls are accessible to the CSP. The content of all your SMS text messages is fully saved and recorded by your CSP. In addition to the content, all of the metadata about these transactions is recorded and stored, as well. This creates a privacy nightmare that is just waiting to happen.
All it takes to verify this is a quick look at your cellular phone bill. The bill will show a long list of incoming and outgoing calls, incoming or outgoing SMS messages, and in some cases even the city where your phone was located at the time of the event. All of this metadata about your calls and texts, and the content of your texts, is stored for a minimum of five years. This information is consistently abused by CSPs who monetize it.
Verizon: On the counts of collecting and monetizing metadata and failing to provide meaningful protection to calls and messages, Verizon Wireless is perhaps the worst offender of the top-tier CSPs. Verizon sells your location data. While encrypting your calls is standard industry practice, Verizon fails to do so. We don’t mean to imply that any of the major cellular providers are much better; we only mean to point out that Verizon is particularly notorious in this regard.
Government Access: Because your cellular calls are either encrypted poorly or not at all, their content is available to governments. Governments may access the content of your calls and SMS through the application of legal pressure. Governments may also access your calls without the complicity of the CSP through the use of a cell site simulator. A cell site simulator is an electronic device that puts out a very strong signal that your phone will recognize as a cell tower. If you are within its range and your phone assesses its signal to the strongest signal available, your phone will connect to the simulator.
Once your device is connected to the cell site simulator, all of your traffic will flow through the simulator where it is collected. Your only defense against this type of attack is to use strong encryption. Though we are not anti-law enforcement, we do recognize that these types of devices are frequently used without warrants, and they frequently capture the conversations of people other than the intended target. Neither of us are criminals, nor do we condone criminal activity, but neither of us want to be swept up as “incidental collection”.
SS7 Vulnerability: Modern cellular carriers utilize a routing protocol known as Signaling System 7 (SS7). This protocol was designed in the mid-1970s and allows carriers to exchange information between each other. This information is used to pass calls and messages between carriers, and to keep track of billing and usage. It is also used to verify roaming plans before devices are allowed to access other networks. Unfortunately, this protocol has some major systemic vulnerabilities.
Hackers are sometimes able to break into the SS7 system. This provides capabilities similar to those of government actors. Hackers can forward calls and texts silently so that your device will give no indication of an incoming call. This could be used to deny you service, ascertain with whom you are communicating, or capture two-factor authentication tokens sent via phone call or text. Hackers can also view text messages sent via standard SMS between devices and track your location through the exact same protocols that CSPs and government actors do.
Unfortunately, there is very little you can to correct the underlying vulnerability. However, you can take steps to mitigate some of the symptoms of this problem. We will discuss these throughout successive chapters of this book.
THE APPLICATION PROCESSOR & APPLICATION PROCESSOR OS (APOS)
Wi-Fi, Bluetooth, and NFC: If you own a modern Smartphone it is almost certainly equipped with Wi-Fi, Bluetooth, and near-field communication (NFC) interfaces. Each of these present more attack surface.
Wi-Fi: Accessing the internet wirelessly opens up a number of dangers. When you connect to a Wi-Fi network you should consider the following threats and threat actors:
Packet Sniffers: Wi-Fi is nothing more than a radio that can transmit and receive data packets. Anyone within range of your radio (Wi-Fi) traffic to and from the router can potentially “listen in” on this traffic. All data packets that you transfer over Wi-Fi are vulnerable in the air-gap between your device and the access point. Hackers with a simple program like Wireshark and a Wi-Fi antenna that can be placed in promiscuous mode may capture all of your packets and exploit them for personal or financial information.
Rogue APs/Evil Twins: Hackers can setup access points whose SSIDs are the same or similar to real APs in the local area. For instance, the legitimate Wi-Fi hotspot SSID at the San Diego Airport is #SANfreewifi while a malicious hotspot might be #SANfreewi-fi (notice the very subtle difference) in hopes of getting some uninformed or inattentive travelers to connect. Alternatively, a hacker may see your device’s probe frame requests for networks it “knows” and will connect to automatically (probe frame requests are discussed in greater detail on page 14 in the section titled “SSID Broadcast”). He or she could then create an ad-hoc network using one of these names and your phone would connect to it, In reality, the hacker could name the network the exact same name: #SANfreewifi. Devices that receive a stronger signal from the malicious AP will connect to it rather than the “real” Wi-Fi unbeknownst to you. The attacker now has the ability to receive and record every packet that is passed through his device.
Hardware Owners: Even if you manage to connect to the correct hotspot at the San Diego airport, your traffic is still routed through hardware you don’t control. This means the network administrator at the airport will have access to all of your packets, as well. It is unlikely that most hardware owners are collecting all of your packets, but they do collect a substantial amount of metadata. This includes your device’s MAC address, the times your connection was initiated and terminated, and the amount of bandwidth used. In many public Wi-Fi hotspots the websites you visit may be recorded, too.
Internet Service Providers: When your traffic reaches the local access point it will go through a process called network address translation (NAT) in preparation for being passed along to the Internet Service Provider (ISP). The ISP will shuttle your traffic to its intended destination and return that traffic back to you. Again, because you are choosing to put that traffic onto someone else’s hardware, the ISP can retain your packets. If you are not using a Virtual Private Network (see Chapter 4) the ISP potentially has access to everything you do online.
Governments: There are no countries in the world where the government does not exert some level of influence over internet service providers. Though some countries have stronger legal protections than others, you should assume that if the government wants to monitor your internet traffic, it can do so by applying legal pressure to the ISP. Additionally, governments have extremely robust offensive digital capabilities. It should be assumed that governments can, by default, inspect your traffic even without the ISP’s consent or complicity.
Location Tracking: Wi-Fi is another mechanism through which your location may be tracked. Doing so requires access to the routers to which your device communicates in some way. This can be an explicit communication, like connecting to the router, or a subtler connection. Routers are capable of monitoring your device’s probe frame requests – the requests that are transmitted when the device is searching for Wi-Fi. Because the set of networks that your device “remembers” is very likely unique to only you, this is a valuable identifier. When you walk around some large department stores Wi-Fi receivers are in place for this very reason – to track your habits in the store.
This model scales very efficiently and can be used to track your movements around a city, as well. This model also scales very efficiently the other way – Wi-Fi can be used to track your movements with extremely levels of accuracy and granularity by a single router. An individual router to which you are connected can measure your signal’s round-trip-time (RTT) between the device and router. With enough data this can be used to map your entire house and tell exactly where you are within it at any given time.
Reverse Location Tracking: The previous paragraphs address Wi-Fi access points that can determine your location through probe frame requests, but this process also works in reverse. Apps that are installed on your device have the potential to see the networks that are within range of your device. By triangulating your position based on the observed networks and their relative strength, your location can be determined with a good degree of accuracy. This data can then be shared with the app developer, hardware manufacturer, and parties that are able to intercept this data in transit.
SSID Broadcast: When your device is not connected to Wi-Fi, it is broadcasting probe frame requests for all of the networks to which it has previously connected. This sets you up for an evil twin attack as described above, but it also reveals information about your day-to-day habits. Using open-source lookup tools like Wigle.net (https://wigle.net), a popular website that crowd-sources data about Wi-Fi hotspots, an attacker can map all the hotspots to which your device connects. This data can then be analyzed to reveal where you live, work, and frequent. You don’t have to be followed around constantly, or even be the target of constant electronic surveillance for an attacker to know where you will be at predictable times.
Bluetooth and NFC: Both of these protocols present some common dangers. Because both emit a very small electronic signal around your device, both can be used for location tracking. This signal is associated with your device’s MAC address, which can be used to identify you.
Bluetooth (or Bluetooth Low Energy, BLE) presents some unique challenges. Because of its versatility, Bluetooth is used for connecting all sorts of devices for all sorts of purposes. The Apple Watch pairs to one’s iPhone via this protocol. Bluetooth is used to connect your phone to your car so music can be shared. It is used in the Airdrop file-sharing protocol, and for connecting hands-free communication devices.
Because such a potentially large volume and wide variety of data is transmitted through Bluetooth, hackers have been hacking it since the moment it was released. Generally, we recommend you avoid using this protocol altogether, or use it only for benign purposes. Connecting your device to a Bluetooth speaker inside your home is relatively low risk but using Bluetooth to carry out sensitive phone calls in public is not. We also strongly recommend you avoid using Bluetooth in conjunction with devices like the Apple Watch. This device receives location data (from maps), text messages, and much more from your phone. Putting this data in transit (if only for a very short range) opens it up to a host of other attack vectors.
Like Wi-Fi, Bluetooth can also be co-opted to capture extremely granular levels of location tracking. Since the signal emitted by Bluetooth is so small, your proximity to a Bluetooth transceiver can be determined with accuracy down to a matter of inches. Tracking one across a larger are obviously requires the area be littered with many Bluetooth transceivers but they are fairly inexpensive and easy to implement. When location data is correlated with your device’s MAC address this location data is correlated with you.
Defeating These Vulnerabilities
Most books, blogs, and lectures on mobile device security focus on protecting the computer portion of mobile devices. Because they are so deeply embedded into our devices, and because we have so little control over them, defeating the baseband modem is extremely difficult. But it is not impossible. The remainder of this book will focus on interventions designed to protect you from the phone’s computer, it’s impressive sensor array, AND the baseband processor and its capabilities. Some of these techniques will seem drastic, but so are the capabilities of the modern mobile phone. Drastic measures are required, and in light of the slew of exploits against mobile devices, we feel they are completely justified. Ultimately it is up to you to choose your path and decide which of these techniques is right for you and your situation.
SUMMARY
By carrying a Smartphone, you are making an enormous privacy compromise. You have chosen to carry a device that marries an incredible sensor array and several radio interfaces with a baseband processor.
When combined, your device is capable of:
- Constantly monitoring and recording your location, even when you have disabled location services and believe the device to be turned off
- Refine your location through Wi-Fi and Bluetooth to a matter of a few feet, and determine your location within a building
- Monitoring your microphone, even when you believe the device to be turned off, remotely activating the camera(s)
- Betraying your standard voice and text data to the cellular service provider, law enforcement and government agencies, and malicious hackers
- Mapping your home, and knowing when you sleep, wake, and your patterns of activity
Intercepting data from “leaky” applications is a tactic that has been used by state surveillance actors for many years. This is another reason to carefully consider the applications to which you give close persistent access by installing them on your device.
ABOUT THE AUTHORS
Justin Carroll is a former Marine, plank-owner in the elite Marine Special Operations Command (MARSOC) and has worked on a contractual basis with another government agency. After completing his last overseas deployment, Justin spent five years teaching digital security and identity management to hundreds of soldiers, sailors, and Marines of the United States Special Operations Command (USSOCOM) and was instrumental in the development of a highly technical surveillance program currently in use abroad by US Special Operations Forces. Justin resides just outside of Nashville, TN and is the author of Your Ultimate Security Guide: Windows 7, and Your Ultimate Security Guide: iOS. He co-authored The Complete Privacy & Security Desk Reference and is the co-host of The Complete Privacy & Security Podcast.
You can follow and contact Justin through his blog: https://operational-security.com
Drew is a Detective in one of our Nation’s largest cities assigned to high profile cases that often require covert investigative skills. He investigates crimes involving narcotics, gangs, adult & child sex crimes, human trafficking, and Internet crimes against children (ICAC Task Force). As an open source intelligence analyst and computer forensics and cyber-security specialist, he utilizes these skills to assist in criminal and private investigations of all types. He is a veteran investigator at his agency, and forever a proud United States Marine with overseas deployment experience. First and foremost, he is a privacy and security advocate with a passion for teaching digital operational security and identity management solutions. His classes are available nationwide to law enforcement, military organizations, and select groups in the private sector.
You can follow and contact Drew through his blog: https://hidingfromtheinternet.com
Pick up your copy of “COMSEC: Off-the-Grid Communications Strategies for Privacy Enthusiasts, Journalists, Politicians, Crooks, and the Average Joe” on Amazon.
COMMENTS
There are on this article.
You must become a subscriber or login to view or post comments on this article.