Cell-site simulators (CSS)—also known as IMSI Catchers and Stingrays—are a tool that law enforcement and governments use to track the location of phones, intercept or disrupt communications, spy on foreign governments, or even install malware. Cell-site simulators are also used by criminals to send spam and engage in fraud. We have written previously about the privacy implications of CSS, noting that a common tactic is to trick your phone into connecting to a fake 2G cell tower. In the U.S. every major carrier except for T-Mobile has turned off their 2G and 3G network. 1
But many countries outside of the U.S. have not taken steps to turn off their 2G networks yet, and there are still areas where 2G is the only option for cellular connections. Unfortunately almost all phones still support 2G, even those sold in countries like the U.S. where carriers no longer use the obsolete protocol. This is cause for concern; even if every 2G network was shut down tomorrow the fact that phones can still connect to 2G networks leaves them vulnerable. Upcoming changes in iOS and Android could protect users against fake base station attacks, so let's take a look at how they'll work.
In 2021, Google released an optional feature for Android to turn off the ability to connect to 2G cell sites. We applauded this feature at the time. But we also suggested that other companies could do more to protect against cell-site simulators, especially Apple and Samsung, who had not made similar changes. This year more improvements are being made.
Google's Efforts to Prevent CSS Attacks
Earlier this year Google announced another new mobile security setting for Android. This new setting allows users to prevent their phone from using a “null cipher” when making a connection with a cell tower. In a well-configured network, every connection with a cell tower is authenticated and encrypted using a symmetric cipher, with a cryptographic key generated by the phone's sim card and the tower it is connecting to. However, when the null cipher is used, communications are instead sent in the clear and not encrypted. Null ciphers are useful for tasks like network testing, where an engineer might need to see the content of the packets going over the wire. Null ciphers are also critical for emergency calls where connectivity is the number one priority, even if someone doesn't have a SIM card installed. Unfortunately fake base stations can also take advantage of null ciphers to intercept traffic from phones, like SMS messages, calls, and non-encrypted internet traffic.
By turning on this new setting, users can prevent their connection to the cell tower from using a null cipher (except in the case of a call to emergency services if necessary,) thus ensuring that their connection to the cell tower is always encrypted.
We are excited to see Google putting more resources into giving Android users tools to protect themselves from fake base stations. Unfortunately, this setting has not been released yet in vanilla Android and it will only be available on newer phones running Android 14 or higher,2 but we hope that third-party manufacturers—especially those who make lower cost Android phones—will bring this change to their phones as well.
Apple Is Taking Steps to Address CSS for the First Time
Apple has also finally taken steps to protect users against cell site simulators after being called on to do so by EFF and the broader privacy and security community. Apple announced that in iOS 17, out September 18, iPhones will not connect to insecure 2G mobile towers if they are placed in Lockdown Mode. As the name implies, Lockdown Mode is a setting originally released in iOS 16 that locks down several features for people who are concerned about being attacked by mercenary spyware or other nation state level attacks. This will be a huge step towards protecting iOS users from fake base station attacks, which have been used as a vector to install spyware such as Pegasus.
We are excited to see Apple taking active measures to block fake base stations and hope it will take more measures in the future, such as disabling null ciphers, as Google has done.
Samsung Continues to Fall Behind
Not every major phone manufacturer is taking the issue of fake base stations seriously. So far Samsung has not taken any steps to include the 2G toggle from vanilla Android, nor has it indicated that it plans to any time soon. Hardware vendors often heavily modify Android before distributing it on their phones, so even though the setting is available in the Android Open Source Project, Samsung has so far chosen not to make it available on their phones. Samsung also failed to protect its users earlier this year when for months it did not take action against a fake version of the Signal app containing spyware hosted in the Samsung app store. These failures to act suggest that Samsung considers its users’ security and privacy to be an afterthought. Those concerned with the security and privacy of their mobile devices should strongly consider using other hardware.
We applaud the changes that Google and Apple are introducing with their latest round of updates. Cell-site simulators continue to be a problem for privacy and security all over the world, and it’s good that mobile OS manufacturers are starting to take the issue seriously.
We recommend that iOS users who are concerned about fake base station attacks turn on Lockdown Mode in anticipation of the new protections in iOS 17. Android users with at least a Pixel 6 or newer Android phone should disable 2G and disable null ciphers as soon as their phone supports it.