For the past few years, hacking methods have exploded in style and substance. Hackers have been developing their skills along with technological advancements, if not at a faster pace. Data breaches and lingering vulnerabilities are constantly in the spotlight, ranging from big-name players like Facebook, Twitter, Equifax, and Sony Pictures to numerous small businesses.
According to Verizon's 2019 Data Breach Investigations Report, more than half of breaches featured hacking while more than two-thirds of the attacks were perpetrated by outsiders. As the report puts it: "No organization is too large or too small to fall victim to a data breach."
This electronic warfare of sorts doesn't exclude smartphones, specifically mobile networks and their cellular base stations. A wide array of software tools such as open-source radio software tools, malware, spyware, and other malicious apps can be used to hack a phone remotely.
For those unfamiliar 'Stingray' is an umbrella term for devices also known as International Mobile Subscriber Identifier (IMSI) Catchers, false base stations (FBS), or rogue base stations (RBS). Essentially, these are fake cell towers impersonating the actual ones in order to trick nearby mobile phones into revealing the IMSI number and thus allow the hacker to gather data about the device's location.
Want to know the most interesting part?
You can do the hacking, without much technical expertise at all.
The technology is easy to master, cheap, and most of all - accessible. In fact, we have come to a point where almost anyone with a few bucks and hours to spare can hack another person's phone. All you need is a laptop (or Raspberry Pi), universal software radio peripheral (type of hardware platform for software-based radio), smartcard reader (a device that reads cards with integrated chips), and the OpenLTE software. That's how easy this is: you buy the equipment on Ebay or Amazon for about $20, learn all the tricks on YouTube, and in minutes you can deploy the Stingray anywhere you want, even on your neighbors!
Stingrays come in different forms, be it a single integrated device or multiple individual components, and aren't novelties in any way. Governments and law enforcement agencies around the globe have been utilizing these tools for some time now to track suspected criminals and quite possibly other citizens of interest, whether permitted or not.
Remember that Dark Knight scene where Batman, along with his CTO Lucius Fox, built and used a mass surveillance system to spy on Gotham City's citizens using video and mobile phone technology? That would be a fair, albeit simplified (or moviefied) representation of Stingrays on a high level.
For a more recent real-world example, the U.S. government found out Israel was most likely responsible for placing cellphone surveillance devices (Stingrays) near the White House, as well as other sensitive locations around Washington.
StingRay use in Washington just goes to show everyone is vulnerable to these fake cell towers, man-in-the-middle, Stingray attacks. These are different and far more dangerous than your typical free and often fake public networks because hackers place themselves between the network you are using and the connection point. As the attacking tool in question, these IMSI catchers exploit security weaknesses in mobile networks by broadcasting the same network identifier as a genuine network would, only with a stronger signal intended to entice users.
If you're thinking the latest 5G improvements in cellular communications will protect you, think again. Research has shown there is a flaw in the 'improved' AKA (Authentication and Key Agreement). It's a security protocol that allows a phone and tower (mobile user and base station) to mutually verify each other's authenticity, as well as establish shared keys to protect future communications.
The discovered vulnerability means an attacker can not only intercept your mobile traffic in the area and monitor your activities (number of outgoing calls or text messages sent) but also offers a new way to track a user's location and attack all versions of the AKA protocol used with 5G. Perhaps the scariest part is the realization that there's a backward capability for 2G, 3G, and 4G standards.
All the Hollywood action, James Bond-like spy stuff? It's actually tame compared to what wannabe and real hackers, as well as all sorts of malicious people, are able to do. You don't need to be a rich playboy/caped crusader or a top agent on Her Majesty's Secret Service to have access or funding. If anything, these movies lack the imagination compared to reality, which mandates anyone can turn into a black hat MacGyver given a small amount of money and an Internet connection.
Sure, a DIY Stingray doesn't have the capability more powerful versions have (e.g. the ability to record phone calls or jam phones to prevent their usage). Nevertheless, its significance and threat are even higher considering there is a larger pool of people involved, both as attackers and victims. The absurdity of availability is a grim notion, and on a global level too.
Let's switch the cynicism and pessimism off, for the moment. These are serious issues that require 'fight fire with fire' approach. However, the carriers don't seem to be in a particular rush to deploy necessary security and privacy systems, leaving the user wondering whether or not they are protected from such attacks.
The first step in facing this problem is to raise awareness about the dangers of Stingrays. Resources like Stop Stingrays do a great job of explaining what Stingray technology is, the damage it does, and where it's being used worldwide.
The second step is beefing up on security. Security technologies offering Stingray Detection, protection of people, IPs, and devices from cellular threats are necessary. Updates, 2FA, or AV apps won't be sufficient - we're beyond those scenarios.
Solutions like FirstPoint Mobile Guard provide protection at the network level (especially relevant for enterprise-level companies with huge amounts of data), bypassing cellular vulnerabilities that allow everything from eavesdropping to data leakage. Always-on network-based security and simple implementation means there is no installation required, just one platform automatically covering all devices.
As mentioned in the beginning, hackers are more powerful than ever before as they continue to routinely find a backdoor into other people's phones. There are no signs the rate of these attacks will slow down in the near future. On the contrary - with the technology being so affordable and accessible, we can expect more of the same. There are some precautionary measures you can take to avoid falling victim. For now, it will have to be enough.
