The Next Generation of Cell-Site Simulators is Here. Here’s What We Know.

down daemon@lemmy.ml · 18 days ago

The Next Generation of Cell-Site Simulators is Here. Here’s What We Know.

Akip · 17 days ago

Right, that’s what I understood. So using a VPN, a CSS will be able to identify that my phone is active, but not the content I’m accessing, or who I am accessing it from, correct?

From my understanding your statement seems correct, but it’s also lacking a bit. Unless you also randomize your mac address (grapheneOS does this) they can still map your position and visiting times. Additionally not all of your phones data goes through the VPN, something like a phone call/SMS isn’t encrypted unless you’re using an app to make the call.

The previous comment said VPNs do nothing against this type of attack- were they just referring to identifying your device?

Yes, they are thinking of a VPN as a privacy tool, not strictly as a security tool as in your example. Privacy will be compromised.

electric_nan@lemmy.ml · 17 days ago

These devices (CSS/Stingray) are going to see both your SIM IMSI number, and your device IMEI number. AFAIK, the MAC randomization that most modern phones do, is with your WiFi modem so that WiFi routers can’t track you.

If you put your SIM card into a new phone, and then login to your cell service provider portal with a computer or other device, you will observe that they know the model of phone you are using. They get this info from the IMEI when your phone talks to the tower. Since the CSS is a rogue tower, they get the same info.

Akip · edit-2 16 days ago

Thanks for clearing up my WiFi mix-up. From my understanding the same attack path still applies even to https://grapheneos.org/features#lte-only-mode and respectively https://grapheneos.org/usage#lte-only-mode correct?

https://en.wikipedia.org/wiki/International_Mobile_Subscriber_Identity states the phone would send a https://en.wikipedia.org/wiki/Mobility_management#TMSI most of the time? But your point about the IMEI still stands. So there is no real way to protect yourself other than to turn off cell tower roaming?

electric_nan@lemmy.ml · 16 days ago

Thanks for the links. There’s some new information in there that I’ll have to look further into. For one, I’ve never heard of security concerns about 5G versus 4G.

I also wasn’t aware of the TMSI at all. I still don’t fully understand some things about it which would be important considerations:

How is this randomized number assigned/correlated to the IMSI? Is it done by the tower?

It seems like the carrier can request the actual IMSI at any time. Can these CSS also do that? TMSI is supposed to protect against ‘eavesdroppers’ but these industrial a grade CSS might have greater capabilities than passive eavesdropping.

I am unsure if or how disabling roaming would protect you from CSS. For one, the spoofing might make your device think it isn’t roaming. Secondly, the CSS might still be aware of your device anyway, even if it doesn’t establish an open connection to it. The phone and the tower need some minimum communication to even determine if you’re roaming or not.