Can mobile phone data be intercepted or compromised?

Question

I was reading this question today: Does KRACK mean that wifi cafes will never be safe again? and thought to myself.. OK I will just use mobile data instead of public wifi's.

But then my next question was, how can I guarantee that my mobile data cannot be intercepted.

Doing a bit of internet searching I found articles such as this one: HACKER SPOOFS CELL PHONE TOWER TO INTERCEPT CALLS

which says things like:

The device tricks the phones into disabling encryption and records call details and content before they're routed on their proper way through voice-over-IP.

But this talks about calls in particular.

Can the same be done to data?

i.e. HTTPS and E2EE messages?

E.g.

I visit https://www.WebsiteThatRequiresaPassword.com on my mobile via mobile data and type my username and password in, can someone intercept and read my password?

Answer 1

First of all KRACK is only at the WiFi level. An attacker gets no more access to data than the operator of the wireless access point would. You probably shouldn't be trusting random cafes more than the average stranger. HTTPS even over a compromised router should still be secure.

Now, on a mobile connection. The short answer is yes - data that is not sent encrypted at a higher level (i.e https) can be read.

• The easy option for a false base-station is force your phone to 2G which isn't encrypted.
• 3G encryption has multiple known weaknesses.
• 4G encryption should be OK. But its only from the phone to the basestation. A malicious carrier (either themselves or by allowing access to other actors) or someone who manages to read data from the carriers backbone network can get just as much as with KRACK.

I visit https://www.WebsiteThatRequiresaPassword.com on my mobile via mobile data and type my username and password in, can someone intercept and read my password?

As long as the username and password is sent over HTTPS (the fact the inital page load was over HTTPS does not guarantee this although some browsers would now warn you if it didn't) and you trust all CAs for which your device has stored root certificates then no they cannot intercept it. The fact it was sent over mobile data is irrelevant.

Answer 2

The larger question is: how paranoid are you? We joke around that "sure we're paranoid - but are we paranoid enough?"

Anything can be intercepted and cracked given enough resources. Wifi cafes were never that safe to begin with - look up 'youtube airsnort wifi hotspot" and there are over 2 million results. We also know that various police departments are using Stinger to sweep up wifi/cellular communications (I won't go into a discussion of the legality of that here...)

HTTPS is a communication means between your browser and the host. That traffic goes through something, meaning it can be intercepted. Depending on whether SSL or TLS is used, there is a varying degree of difficulty to compromise that traffic. So it may be intercepted, but difficult to read.

How do you guarantee that it won't be intercepted? Deliver it manually to its recipient. Otherwise there's no guarantee. Letters can be intercepted, opened, and re-sealed. Network traffic can be, and regularly is, intercepted. Can someone intercept the password? Yes. Can they read it? It depends on the website and level of encryption being used. Most places use some level of encryption, but it amazes me that some still transmit passwords in clear text.

Now, before you walk away feeling "I'm screwed", keep in mind that some good practices can help you. Use common sense when in public. Don't trust wifi hotspots. Only connect to banking, etc when at home or a place you know you can trust. Use a different password for banking than you do for anything else, and only use it for one banking website. Do that, and you should be OK.