Trustwave Rapid Response: CrowdStrike Falcon Outage Update. Learn More

Trustwave Rapid Response: CrowdStrike Falcon Outage Update. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Detecting A Surveillance State - Part 4 Cellular Attacks

This is the fourth and final post in my series of posts about state actor surveillance technologies. Thus far we've covered hardware infections, radio frequency exfiltration devices and BIOS/Firmware infections. In this final post, I'll discuss a topic that might be more relevant to a broader audience--cell phone monitoring and cellular network attacks.

This series of posts have been based on the public knowledge gathered together on the Wikipedia page for the leaks released by Der Spiegel and what was publically disclosed at the recent 30c3 conference.

A lot of data has been made available pertaining to the cell phone and cellular network surveillance attacks. Below I categorize attacks under the following types: cell phone monitoring, cell phone malware and rogue cell towers. Instead of addressing the theoretical defenses against each particular attack, I discuss defenses against each type of attack.

As cell phones are still an emerging market when it comes to attacks and defenses, I must take a moment to tip my hat to the individuals responsible for these attacks, which were all available in 2007 and 2008. Most of the device specific attacks listed in the leaked documents reference what is now out-dated hardware and software (Windows CE, Flip Phone handsets, etc…) but the attacks could work similarly and have been updated to target Android, IOS, and the new Windows phones.

Cell Phone Monitoring:


Foremost, with cell phone monitoring/tracking, there really is no safe choice here aside from removing the cell phone from the picture. Regardless of what device you have, if it communicates over a cell network, that specific device ID is registered to you and state-level surveillance techniques aside, that means the information can be pulled from the provider (with proper judicial oversight) to track the location of anyone with a cell phone on their person. That is unless the device's signal is unable to reach the radio tower or the device is left behind.

Cell phone Malware:


Cell phone malware has become a realistic concern. While these leaked documents show that state actors have been participating in this since the mid 2000s, they are no longer the sole threat. I will cover a bit about the basics of preventing cell phone malware here instead of being specific to the leaked information from over 5 years ago.

There are two ways to approach the problem of cell phone malware: prevention and detection.

Your first steps should be prevention. Knowing how an attacker could install malware on a phone is key here. This topic alone could be its own blog post. Common practices to infect phones include the following: man-in-the-middle attacks, hijacking an over-the-air update, a supply-chain attack could easily infect a phone before it gets to your hands, phishing attacks can trick you into installing malware yourself and juice-jacking or a drive-by attack are also possible if you charge your phone in a public location or leave it unattended. The defenses against these are simple: do not accept applications or updates from sources you do not trust (or at all while on untrusted networks), do not leave your phone unattended and do not trust a random charging port.

In order to detect malware on a cell phone, your first possibility might be some security products available on the market. Many new phones now ship with security products in their manufacturer's stock ROM. These phone-malware detection options suffer from the same issues that PC-based anti-virus products do, they tend to not fair very well at detecting unique, targeted, malicious code. If you have the time or need to be certain about what is going on, then you should take the time to set up a test environment where all network traffic the phone sends out is monitored and then personally review the packet captures to see who the phone is communicating with to detect whether any errant or malicious network communication is taking place.

Rogue Cell Towers:


Finally, to address the threats of rogue cell towers, you may find this solution surprising simple and effective, with the right forethought. If a state actor surveillance crew is able to prop-up a rogue cell tower, they could intercept your cellular traffic (voice and data). The ability to detect the towers in an area has actually become easier with smart phones. Any rogue cell tower would give itself up once it's turned on, which means a defense to this attack would be to monitor the available cell towers your device can reach in an area (many applications can do this for you, even displaying them on a map overlay) then later comparing the towers again to look for any changes. While new towers occasionally pop-up as providers expand services, you may be wary if they tend to always pop up at every new hotel you're staying at.

The real lesson can be summarized in the TL;DR of "do not take your cell phone to untrusted environments."

This concludes this series of posts for now. There are many technologies available in the leaked documents that were not covered due to time constraints.

  • Read part one of this series here
  • Read part two of this series here
  • Read part three of this series here

Latest SpiderLabs Blogs

Trustwave Rapid Response: CrowdStrike Falcon Outage Update

Trustwave is proactively assessing and monitoring our clients who may have been impacted by CrowdStrike’s recently rolled-out update for its Windows users. The critical issue identified with...

Read More

Using AWS Secrets Manager and Lambda Function to Store, Rotate and Secure Keys

When working with Amazon Web Services (AWS), we often find that various AWS services need to store and manage secrets. AWS Secrets Manager is the go-to solution for this. It's a centralized service...

Read More

Facebook Malvertising Epidemic – Unraveling a Persistent Threat: SYS01

The Trustwave SpiderLabs Threat Intelligence team's ongoing study into how threat actors use Facebook for malicious activity has uncovered a new version of the SYS01 stealer. This stealer is designed...

Read More