Detecting A Surveillance State - Part 4 Cellular Attacks

This is the fourth and final post in my series of posts about state actor surveillance technologies. Thus far we've covered hardware infections, radio frequency exfiltration devices and BIOS/Firmware infections. In this final post, I'll discuss a topic that might be more relevant to a broader audience--cell phone monitoring and cellular network attacks.

This series of posts have been based on the public knowledge gathered together on the Wikipedia page for the leaks released by Der Spiegel and what was publically disclosed at the recent 30c3 conference.

A lot of data has been made available pertaining to the cell phone and cellular network surveillance attacks. Below I categorize attacks under the following types: cell phone monitoring, cell phone malware and rogue cell towers. Instead of addressing the theoretical defenses against each particular attack, I discuss defenses against each type of attack.

As cell phones are still an emerging market when it comes to attacks and defenses, I must take a moment to tip my hat to the individuals responsible for these attacks, which were all available in 2007 and 2008. Most of the device specific attacks listed in the leaked documents reference what is now out-dated hardware and software (Windows CE, Flip Phone handsets, etc…) but the attacks could work similarly and have been updated to target Android, IOS, and the new Windows phones.

Cell Phone Monitoring:

GENESIS
WATERWICH
CANDYGRAM
PICASSO

Foremost, with cell phone monitoring/tracking, there really is no safe choice here aside from removing the cell phone from the picture. Regardless of what device you have, if it communicates over a cell network, that specific device ID is registered to you and state-level surveillance techniques aside, that means the information can be pulled from the provider (with proper judicial oversight) to track the location of anyone with a cell phone on their person. That is unless the device's signal is unable to reach the radio tower or the device is left behind.

Cell phone Malware:

DROPOUTJEEP
GOPHERSET
MONKEYCALENDAR
TOTEGHOSTLY
TOTECHASER

Cell phone malware has become a realistic concern. While these leaked documents show that state actors have been participating in this since the mid 2000s, they are no longer the sole threat. I will cover a bit about the basics of preventing cell phone malware here instead of being specific to the leaked information from over 5 years ago.

There are two ways to approach the problem of cell phone malware: prevention and detection.

Your first steps should be prevention. Knowing how an attacker could install malware on a phone is key here. This topic alone could be its own blog post. Common practices to infect phones include the following: man-in-the-middle attacks, hijacking an over-the-air update, a supply-chain attack could easily infect a phone before it gets to your hands, phishing attacks can trick you into installing malware yourself and juice-jacking or a drive-by attack are also possible if you charge your phone in a public location or leave it unattended. The defenses against these are simple: do not accept applications or updates from sources you do not trust (or at all while on untrusted networks), do not leave your phone unattended and do not trust a random charging port.

In order to detect malware on a cell phone, your first possibility might be some security products available on the market. Many new phones now ship with security products in their manufacturer's stock ROM. These phone-malware detection options suffer from the same issues that PC-based anti-virus products do, they tend to not fair very well at detecting unique, targeted, malicious code. If you have the time or need to be certain about what is going on, then you should take the time to set up a test environment where all network traffic the phone sends out is monitored and then personally review the packet captures to see who the phone is communicating with to detect whether any errant or malicious network communication is taking place.

Rogue Cell Towers:

CYCLONE
CROSSBEAM
EBSR
ENTOURAGE
NEBULA
TYPHO

Finally, to address the threats of rogue cell towers, you may find this solution surprising simple and effective, with the right forethought. If a state actor surveillance crew is able to prop-up a rogue cell tower, they could intercept your cellular traffic (voice and data). The ability to detect the towers in an area has actually become easier with smart phones. Any rogue cell tower would give itself up once it's turned on, which means a defense to this attack would be to monitor the available cell towers your device can reach in an area (many applications can do this for you, even displaying them on a map overlay) then later comparing the towers again to look for any changes. While new towers occasionally pop-up as providers expand services, you may be wary if they tend to always pop up at every new hotel you're staying at.

The real lesson can be summarized in the TL;DR of "do not take your cell phone to untrusted environments."

This concludes this series of posts for now. There are many technologies available in the leaked documents that were not covered due to time constraints.

  • Read part one of this series here
  • Read part two of this series here
  • Read part three of this series here

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.