
Nearly all mobile phones are vulnerable to the fake mobile networks of IMSI catcher attacks. They can access storage, inject rootkits/backdoors, turn the microphone on, and view internet traffic even with a VPN in use, and conduct MITM attacks.

They all have bad modem isolation, allowing an IMSI catcher direct access to hardware components that allow for compromise. Some phones have good modem isolation; they're all old phones.

This explains it: https://replicant.us/freedom-privacy-security-issues.php

Just to be clear, the phones with good modem isolation prevent the remote attacks on phones that IMSI catchers can do, or there wouldn't be a threat model for it. So the phones on that site prevent it.

I want to know about portable 4G hotspots separate from phones, since there seems to be some doubt about IMSI catchers. Here's an article from the Electronic Frontier Foundation about them, and why phones in general have bad security.

https://ssd.eff.org/en/module/problem-mobile-phones

I'm considering whether buying a portable 4G hotspot would be safe from an IMSI catcher if a phone with no SIM cards at all was connected to the portable 4G hotspot.

What effects could an IMSI catcher have? I'm thinking that as it's separate from the phone itself, it obviously stops access to the phone's hardware components. But what hardware it can see and access on the portable 4G hotspot itself is a question; it might be able to backdoor it and compromise its security.

I don't know if there are any portable 4G hotspots that have good modem isolation. The article explains that if you use a VPN on a phone with bad modem isolation, then an IMSI catcher can see all the traffic unencrypted.

So if using a VPN on a phone with no SIM cards at all that's connected to a portable 4G hotspot, will the IMSI catcher get unencrypted access to all traffic? Or is good modem isolation needed for the portable 4G hotspot itself to prevent that, as it is on a phone?

Maybe this would be the same for home wireless mobile broadband? They plug into a power source but are also 4G, though closer to a traditional router.

Alister
  • The article you point to has nothing about IMSI catchers or VPN in it. An IMSI catcher basically just simulates a cell tower. *"They can access storage, inject rootkits/backdoors, turn the microphone on view internet traffic even with a VPN in use."* - they could trigger code execution in the mobile stack of your phone if your phone has a bug - but otherwise these things are not possible. And none of this is claimed in the article you refer to. – Steffen Ullrich Nov 10 '18 at 21:01
  • No, it doesn't directly say IMSI catchers, but it does clearly explain why all phones are insecure: phone modems/basebands are written in 1990s code that is insecure, can't be audited, has bugs, and is closed source. All phones inherently trust whatever network they're connected to, like a fake cell tower. That article shows what can happen with bad isolation; that's exactly the type of thing an IMSI catcher will do, and why they're so effective. It is talking about IMSI catchers; anything remotely turning the microphone on is that. – Alister Nov 10 '18 at 21:27
  • https://replicant.us/about.php#faq – Alister Nov 10 '18 at 21:28
  • Is my data safe when stored on a device running Replicant? Are my communications safe when using a device running Replicant? Read those. It doesn't say VPN, but it does say unencrypted traffic. You can find videos on YouTube of people attacking the baseband/modem, security researchers etc. – Alister Nov 10 '18 at 21:33
  • Attacking the Baseband Modem of Mobile Phones to Breach the Users’ Privacy and Network Security: https://www.youtube.com/watch?v=I99VHVi0mXs&pbjreload=10 plenty of others on there. – Alister Nov 10 '18 at 21:44

1 Answer


IMSI catchers essentially simulate cell towers. Nearby phones will try to use these fake towers in order to get connectivity. But while normal cell towers usually act in the interest of their users, fake cell towers might in theory misuse protocol features or send malformed protocol data in order to trigger bugs in the phone's modem. Given that the modem driver usually runs with kernel permissions in current mobile OSes, a bug in the modem firmware and driver might give the attacker kernel-level privileges, which effectively would allow control of the whole phone.

With 4G hotspots the situation is not much different, only that the initial attack target would be the hotspot and not the phone. Once the attacker has taken over the hotspot they can intercept any connections, and unless these connections are specifically protected with HTTPS or by using a VPN the attacker could also modify the traffic. But even if the phone protects itself well against such traffic MITM with a VPN or HTTPS, that still leaves communication at the lower level, for example attacking the phone with malformed DHCP or attacking it through malformed WiFi.

Note that all of these attacks require bugs in the phone's and hotspot's software and firmware. But specifically at the lower network layers (i.e. 4G modem, WiFi firmware, Bluetooth firmware, DHCP) attacks are less expected and thus the software/firmware is usually not designed to be robust against attacks. And 4G hotspots usually have similarly shoddy security as known from cheap (and sometimes expensive) WiFi routers.

To summarize: using a 4G hotspot will make it harder for an attacker since there are more protections to bypass. But if there are vulnerabilities at the various stages, then attacking the phone connected to the hotspot can be done too. Note that most of the attacks would need a very knowledgeable attacker though, which makes it less likely to get attacked unless specifically targeted. And if one is specifically targeted then the attacker might also choose a completely different path for attacks since this might be easier, so don't just try to protect the phone communication.

Steffen Ullrich
  • There's an article about IMSI catchers in my post now, so do you agree good modem isolation on phones protects them? If yes, does simply using a separate portable hotspot, not a phone, achieve the same thing, so long as a device connected to it doesn't use SIM cards and a VPN is being used? Would specific hardware for a portable 4G hotspot matter? Brands? Would good/bad isolation matter for a portable hotspot, as it doesn't have access to as much private hardware as a phone does (microphone, camera, storage etc.)? An IMSI catcher targets everyone close to one; you don't need to be targeted as an individual, so that's not my concern. – Alister Nov 11 '18 at 08:02
  • @Alister: current phones provide no real isolation of the modem: the driver is run inside the kernel and thus exploits result in gaining kernel privileges - which ultimately might allow full control of the device (Microphone, Storage, apps...) . Using a G4 hotspot adds some isolation since kernel privileges on the hotspot don't mean kernel privileges at the phone but additional attacks would be required to attack the phone from the hotspot. – Steffen Ullrich Nov 11 '18 at 08:10
  • Is a G4 hotspot just a portable one? I haven't heard of G4; I don't know if it's any different or if it just means pocket 4G WiFi. A G4 hotspot's internet data could be seen via a fake cell tower, so a VPN would help. But... can a kernel exploit against it infect it with a backdoor/rootkit, in which case the VPN would be defeated? That's why a phone with poor modem isolation and a VPN isn't good if a rootkit is on the phone. I saw an article saying an IMSI catcher exploit can make the phone crash/restart and install a rootkit on the phone. My plan is to use one of those phones with good modem isolation; a VPN on that will be fine. – Alister Nov 11 '18 at 09:44
  • I plan to use a second phone with no SIM cards with the G4 hotspot and laptop etc. I currently use a phone with poor isolation and use it as a hotspot, and that hotspot is a VPN, so all would be protected in theory, except an IMSI catcher could still see the VPN unencrypted? I'm not sure if that's accurate, but if it accesses the phone's storage, or a rootkit etc., it could get the keys to decrypt the VPN data or just monitor the phone itself directly. – Alister Nov 11 '18 at 09:48
  • @Alister: G4 was a typo, meaning 4G (i.e. LTE). An exploit against this hotspot could not be used directly to compromise a VPN starting from the phone, but it would affect a VPN where the endpoint is the hotspot. But like I said, other attacks (which do not involve the modem in the phone) might be used to compromise the phone from the hotspot and then the VPN from the phone is not much help anymore. – Steffen Ullrich Nov 11 '18 at 10:45
  • If the phone is compromised from the external hotspot, then this is the same result as if a phone with bad modem isolation is compromised: rootkits/backdoors, full phone access. What would kernel privileges on the hotspot allow? I guess phone compromise is a given; I wonder how much more secure/difficult this would be to do, as opposed to doing it directly to a phone with bad modem isolation. I think you said it would have to be a very targeted skill set of a person by that stage. I wonder if certain 4G hotspots are more "secure" than others, just like those phones with good modem isolation? – Alister Nov 11 '18 at 14:44
  • It does make me think what's more secure at that point: one of those phones with good modem isolation, which might prevent compromise altogether, or the external 4G hotspot; those phones' hardware is less than appealing though. Also, the external hotspot will be connected to laptops running a VPN too; is it possible the hotspot could be used to attack the computer the same as the phone? – Alister Nov 11 '18 at 14:47
  • @Alister: There are probably more secure and less secure hotspots but I could not make any recommendations. And yes, a compromised hotspot could attack "normal" computers the same way as mobile computers (i.e. phones), the attack surface of the software stack is not so much different. From the security perspective the best would be some system with a minimal and robust API to the modem, preferably open source so it can be audited. This could be a phone or a hotspot. – Steffen Ullrich Nov 11 '18 at 14:59
  • So in your opinion, is a phone with no SIM cards connected to an external 4G hotspot, with a VPN on both the phone and laptop, probably safer than a phone with bad modem isolation, or at least does it minimize the chances of issues with a fake cell tower? Or is the most secure way using one of those 13 phones that have good modem isolation itself as a wireless hotspot with a VPN? Though that Replicant project disables wireless and Bluetooth; it's possible to turn it back on, but it may be limited to 3G speeds. https://hologram.io/nova/ was all I could find; I don't think I'm going to find an open source portable 4G hotspot, unfortunately. – Alister Nov 11 '18 at 15:30
  • @Alister: there are some USB 4G modems like the Huawei E3372 which could be used together with a minimal router like the TP-Link TL-MR3020. While the USB modem has a closed source firmware the router can run the open source DD-WRT. This together might provide the level of isolation and trust (since the essential part is open source) you require. – Steffen Ullrich Nov 11 '18 at 15:45
  • Interesting. I already own a TP-Link router with DD-WRT. I could host a hotspot on my phone, use the router to connect to the hotspot and create my own wireless network on the router; that should be isolated from the phone, and it's possible to configure a VPN on the router and connect the laptop to it that way. Though given the USB modem you suggest is still using a buggy modem to communicate over 4G, wouldn't IMSI catchers and all that still be a problem regardless? Or does it just make it harder, in that it would have to exploit the dongle stick to attack the DD-WRT router, to stop it being able to compromise the phone/laptop? – Alister Nov 11 '18 at 16:04
  • @Alister: Lack of isolation means that it is possible to compromise the host from inside a compromised modem. The 4G USB modems either use a tty interface (i.e. serial line over USB) and can be controlled via AT commands (like in the old days) or newer devices use CDC (Ethernet over USB, i.e. simulate an ethernet network card). These are the kind of interfaces which are controlled by the host and where the modem (even if compromised) cannot just get access to the host's resources. – Steffen Ullrich Nov 11 '18 at 16:38
  • Still a little hard for me to grasp, but couldn't that USB compromise the DD-WRT router and then compromise any devices connected to it? I know the non-isolated modem is inside the USB itself. I just wonder how the router itself stops it getting further. – Alister Nov 12 '18 at 20:49
  • I've looked at a lot about fake cell site towers: they can turn the microphone and cameras on as a bug, get location, texts, calls and metadata, install malware directly to the phone and maintain access when the IMSI catcher isn't around; also when you plug the phone into a computer it can infect the computer with malware, or over the hotspot from the phone. Would the phones with good modem isolation themselves prevent all this IMSI catcher stuff? I know the modem gives access to hardware; how much of this stuff works even when using good modem isolation? https://replicant.us/supported-devices.php I'm not sure if these phones need Replicant installed for good – Alister Nov 12 '18 at 20:58
  • modem isolation to work, like they made software changes to help it work, and they disabled the proprietary drivers for Bluetooth and wireless. I assume if I use Replicant on these phones and use the wireless driver and use the phone as a hotspot, with a VPN running on the phone and protecting the hotspot connection also, this should help? The phone shouldn't be able to be compromised with malware or remotely accessed? Thanks for all the advice; I read all the articles on here, and it doesn't seem many people ask this specifically. – Alister Nov 12 '18 at 21:01
  • You can also set the preferred network to 4G or 3G only; supposedly this stops them being able to downgrade you to 2G or a lower level. 2G is worst, but 3G and 4G are both compromised anyway, so even if you could do all texts and calls only on 4G, I'm not sure it would help; on phones with bad isolation it would be pointless also, I think... – Alister Nov 12 '18 at 21:08
  • An attacker that has taken control over the baseband side of a telephone can monitor a user completely transparently without visibility of the compromise from the side of the application CPU. Merely coming into the proximity of a malicious base station is sufficient to take over any vulnerable handset; no user interaction is required by the bugs we have outlined above. https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf – Alister Nov 14 '18 at 18:40
  • @Alister: I'm not sure why you are adding more comments to this answer. The last one only shows again why proper isolation is needed. As for your previous comments, I'm not sure if you just add some of your thoughts or if you ask something. – Steffen Ullrich Nov 14 '18 at 20:05
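As an added illustration of the bug class the answer describes (malformed protocol data from a fake tower reaching driver code that runs with kernel privileges) and of the host-controlled-interface property Steffen's later comment relies on, here is a host-side parser for length-prefixed records arriving from the cellular side, in its naive and its hardened form. This is example code written for this page, not code from the question, the answer, Replicant, DD-WRT or any real modem or driver; the record format (1-byte type, 1-byte length, value), the field names and the sample bytes are constructed assumptions and do not correspond to any 3GPP or AT-command encoding.

```c
/* Example code added to this page (not from the question, answer or any real
 * driver). Models a host-side modem driver parsing records from the network.
 * The TLV format below is a constructed assumption, not a real protocol. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TLV_NETWORK_NAME 0x01   /* hypothetical: operator name, free-form bytes */
#define TLV_CELL_ID      0x02   /* hypothetical: 4-byte big-endian cell id */
#define MAX_NAME         31     /* fixed-size field in the driver's struct */

typedef struct {
    char     name[MAX_NAME + 1];
    uint32_t cell_id;
    int      have_name;
    int      have_cell;
} cell_info_t;

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2, PARSE_BAD_LEN = -3 };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the length byte chosen by the (fake) network is used
 * as the memcpy size into a 32-byte field, so a record claiming 255 bytes
 * writes past cell_info_t. Shown only for contrast; never feed it hostile
 * input, it is undefined behaviour by design. */
void parse_naive(const uint8_t *buf, size_t buflen, cell_info_t *out)
{
    size_t pos = 0;
    memset(out, 0, sizeof *out);
    while (pos + 2 <= buflen) {
        uint8_t type = buf[pos], len = buf[pos + 1];
        const uint8_t *val = buf + pos + 2;
        if (type == TLV_NETWORK_NAME) {
            memcpy(out->name, val, len);      /* no bound on len */
            out->name[len] = '\0';
            out->have_name = 1;
        } else if (type == TLV_CELL_ID) {
            out->cell_id = be32(val);         /* no check that 4 bytes exist */
            out->have_cell = 1;
        }
        pos += 2 + (size_t)len;
    }
}

/* Hardened form: every length is checked against both the bytes actually
 * received and the destination field before anything is copied. */
int parse_checked(const uint8_t *buf, size_t buflen, cell_info_t *out)
{
    size_t pos = 0;
    memset(out, 0, sizeof *out);
    while (pos < buflen) {
        if (buflen - pos < 2)
            return PARSE_TRUNCATED;           /* header itself is incomplete */
        uint8_t type = buf[pos], len = buf[pos + 1];
        const uint8_t *val = buf + pos + 2;
        if ((size_t)len > buflen - pos - 2)
            return PARSE_TRUNCATED;           /* claims bytes we never received */
        switch (type) {
        case TLV_NETWORK_NAME:
            if (len > MAX_NAME)
                return PARSE_TOO_LONG;        /* would overflow name[] */
            memcpy(out->name, val, len);
            out->name[len] = '\0';
            out->have_name = 1;
            break;
        case TLV_CELL_ID:
            if (len != 4)
                return PARSE_BAD_LEN;
            out->cell_id = be32(val);
            out->have_cell = 1;
            break;
        default:
            break;                            /* unknown record type: skip it */
        }
        pos += 2 + (size_t)len;
    }
    return PARSE_OK;
}

/* Constructed sample records (not captured from any real network). */
static const uint8_t MSG_GOOD[] = {
    TLV_NETWORK_NAME, 7, 'H', 'o', 'm', 'e', 'N', 'e', 't',
    TLV_CELL_ID,      4, 0x00, 0x01, 0xA2, 0xB3,
};
/* Length byte says 40 but name[] holds 31; remaining bytes are zero. */
static const uint8_t MSG_OVERLONG[42] = { TLV_NETWORK_NAME, 40 };
/* Length byte says 7 but only 3 value bytes were actually delivered. */
static const uint8_t MSG_TRUNCATED[] = { TLV_NETWORK_NAME, 7, 'H', 'o', 'm' };
```

The two checks in parse_checked are what "the interface is controlled by the host" means in practice: the driver decides how many bytes it reads and how many it copies, so a compromised modem or a fake tower can make the parse fail but cannot make it write outside the struct. In the USB modem plus DD-WRT router setup from the comments, the router's tty or CDC driver is exactly this parser, and whether it has these checks, not the modem's own firmware, is what decides whether a modem compromise reaches the router.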