24.2k unique visitors in the last 3 days

Android to Stop Man-in-the-Middle Attacks by Letting Enterprise Users Disable 2G Downgrades

Spies and scammers connect to phones and push them on to 2G connections to work around the security built into newer networks.

New security features in version 14 of Android include the option for enterprise customers to prevent their organization’s phones connecting to 2G networks. Without this feature, bad actors could silently force a handset to connect to 2G in order to neutralize the superior security and privacy protocols implemented in later generations of networks. Google explained via their corporate security blog:

2G networks, first implemented in 1991, do not provide the same level of security as subsequent mobile generations do. Most notably, 2G networks based on the Global System for Mobile Communications (GSM) standard lack mutual authentication, which enables trivial Person-in-the-Middle attacks. Moreover, since 2010, security researchers have demonstrated trivial over-the-air interception and decryption of 2G traffic.

There has been growing concern about the privacy of users being undermined by devices variously known as IMSI-catchers or false base stations. As the latter name suggests, these devices send out a radio signal which prompts handsets in the vicinity to connect to them instead of connecting to the user’s regular network. Warnings about the over-use of IMSI-catchers for state surveillance have been given for such diverse countries as Germany, the USA and Iran. Simultaneously downgrading the user’s connection to 2G would typically be part of a strategy to defeat the use of encryption that protects the privacy of communications.

Meanwhile, simpler ‘SMS blaster’ radio devices have also used 2G to spam nearby phones with unwanted messages. Such messages may be the starting point for smishing and romance scams. The use of SMS blasters is difficult to counter; network operators cannot monitor them directly because the device obstructs their connection to the user’s phone. Law enforcement in South East Asian countries have become increasingly vexed by SMS blasters that are difficult to find because they are driven around cities, often by stooges who may not know they are working for organized crime. Consciousness of the risks skyrocketed in France after the discovery of a gang that drove two vehicles with SMS blasters around the suburbs of Paris in order to phish information via a bogus health insurance website. However, public and police awareness of the threat appears to be next to nil in most other countries. This begs the question of whether there are many more countries suffering instances of this crime that have not yet been discovered.

Another new security feature in Android 14 is designed to protect users by preventing them using a mode of communication that is not encrypted.

Although all IP-based user traffic is protected and E2EE [end-to-end encrypted] by the Android platform, cellular networks expose circuit-switched voice and SMS traffic. These two particular traffic types are strictly protected only by the cellular link layer cipher, which is fully controlled by the network without transparency to the user. In other words, the network decides whether traffic is encrypted and the user has no visibility into whether it is being encrypted.

Recent reports identified usage of null ciphers in commercial networks, which exposes user voice and SMS traffic (such as One-Time Password) to trivial over the air interception. Moreover, some commercial Stingrays provide functionality to trick devices into believing ciphering is not supported by the network, thus downgrading the connection to a null cipher and enabling traffic interception.

The new version of Android includes a user option that prevents the modem being used for null-ciphered connections. Neither this control nor the restriction on 2G would prevent calls to emergency services using 2G or an unencoded connection.

It is pleasing to see how Google has responded to real security and privacy threats that have not yet grabbed the attention of most of the public. Prevention is better than cure, but some businesses have an unfortunate tendency to monetize protection by waiting for bad things to happen first. Researching this article also yielded another unexpected pleasure; Google illustrated the reasons to disable 2G by referencing two Commsrisk articles about the Paris smishing gang. Returning the favor, Google’s security announcement for Android 14 is found here.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email