Android to Stop Man-in-the-Middle Attacks by Letting Enterprise Users Disable 2G Downgrades

New security features in version 14 of Android include the option for enterprise customers to prevent their organization’s phones from connecting to 2G networks. Without this feature, bad actors could silently force a handset to connect to 2G in order to neutralize the superior security and privacy protocols implemented in later generations of networks. Google explained via their corporate security blog:

2G networks, first implemented in 1991, do not provide the same level of security as subsequent mobile generations do. Most notably, 2G networks based on the Global System for Mobile Communications (GSM) standard lack mutual authentication, which enables trivial Person-in-the-Middle attacks. Moreover, since 2010, security researchers have demonstrated trivial over-the-air interception and decryption of 2G traffic.

There has been growing concern about the privacy of users being undermined by devices variously known as IMSI-catchers or false base stations. As the latter name suggests, these devices send out a radio signal which prompts handsets in the vicinity to connect to them instead of connecting to the user’s regular network. Warnings about the over-use of IMSI-catchers for state surveillance have been given for such diverse countries as Germany, the USA and Iran. Simultaneously downgrading the user’s connection to 2G would typically be part of a strategy to defeat the use of encryption that protects the privacy of communications.

Meanwhile, simpler ‘SMS blaster’ radio devices have also used 2G to spam nearby phones with unwanted messages. Such messages may be the starting point for smishing and romance scams. The use of SMS blasters is difficult to counter; network operators cannot monitor them directly because the device obstructs their connection to the user’s phone. Law enforcement in South East Asian countries has become increasingly vexed by SMS blasters that are difficult to find because they are driven around cities, often by stooges who may not know they are working for organized crime. Consciousness of the risks skyrocketed in France after the discovery of a gang that drove two vehicles with SMS blasters around the suburbs of Paris in order to phish information via a bogus health insurance website. However, public and police awareness of the threat appears to be next to nil in most other countries. This raises the question of whether many more countries are suffering instances of this crime that have not yet been discovered.

Another new security feature in Android 14 is designed to protect users by preventing them from using a mode of communication that is not encrypted.

Although all IP-based user traffic is protected and E2EE [end-to-end encrypted] by the Android platform, cellular networks expose circuit-switched voice and SMS traffic. These two particular traffic types are strictly protected only by the cellular link layer cipher, which is fully controlled by the network without transparency to the user. In other words, the network decides whether traffic is encrypted and the user has no visibility into whether it is being encrypted.

Recent reports identified usage of null ciphers in commercial networks, which exposes user voice and SMS traffic (such as One-Time Passwords) to trivial over-the-air interception. Moreover, some commercial Stingrays provide functionality to trick devices into believing ciphering is not supported by the network, thus downgrading the connection to a null cipher and enabling traffic interception.

The new version of Android includes a user option that prevents the modem from being used for null-ciphered connections. Neither this control nor the restriction on 2G would prevent calls to emergency services over 2G or over an unencrypted connection.
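For readers who administer a fleet of Android devices, the following is an added example of how the enterprise 2G restriction described above is applied from a management app. It is not code from Commsrisk or from Google’s announcement. It assumes the calling app is already the device owner (enrolled through a management tool), that the `AdminReceiver` class shown is registered in the app’s manifest as its `DeviceAdminReceiver`, and that the handset runs Android 14 (API level 34), where the `DISALLOW_CELLULAR_2G` restriction was introduced.

```java
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;
import android.os.UserManager;

/**
 * Added example (not Commsrisk's or Google's code): a device-owner app
 * applying the Android 14 "no 2G" enterprise restriction, then verifying it.
 * Assumes the app is the device owner and AdminReceiver is its registered
 * DeviceAdminReceiver (declared in the manifest with BIND_DEVICE_ADMIN).
 */
public final class Disallow2gPolicy {

    /** Minimal admin receiver; the manifest entry is assumed to exist. */
    public static class AdminReceiver extends DeviceAdminReceiver {}

    private Disallow2gPolicy() {}

    /**
     * Applies UserManager.DISALLOW_CELLULAR_2G so the modem will not attach to
     * GSM/2G cells, closing off the downgrade path used by false base stations
     * and SMS blasters. Emergency calls are exempt from this restriction.
     * Returns true if the restriction was applied, false if the platform is
     * too old or the app is not the device owner.
     */
    public static boolean apply(Context context) {
        // The restriction only exists on Android 14 (API 34) and later.
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            return false;
        }
        DevicePolicyManager dpm = context.getSystemService(DevicePolicyManager.class);
        // Only a device owner (or certain organization-owned profile owners)
        // may set this restriction; this example handles the device-owner case.
        if (dpm == null || !dpm.isDeviceOwnerApp(context.getPackageName())) {
            return false;
        }
        ComponentName admin = new ComponentName(context, AdminReceiver.class);
        dpm.addUserRestriction(admin, UserManager.DISALLOW_CELLULAR_2G);
        return true;
    }

    /**
     * Verification step for the administrator: ask the platform whether the
     * restriction is now in force for the current user. Reading the restriction
     * back is how a compliance check confirms that the policy actually landed.
     */
    public static boolean isEnforced(Context context) {
        UserManager um = context.getSystemService(UserManager.class);
        return um != null && um.hasUserRestriction(UserManager.DISALLOW_CELLULAR_2G);
    }

    /** Reverts the policy, for example when a site has only 2G coverage. */
    public static void clear(Context context) {
        DevicePolicyManager dpm = context.getSystemService(DevicePolicyManager.class);
        if (dpm != null && dpm.isDeviceOwnerApp(context.getPackageName())) {
            ComponentName admin = new ComponentName(context, AdminReceiver.class);
            dpm.clearUserRestriction(admin, UserManager.DISALLOW_CELLULAR_2G);
        }
    }
}
```

The design point is that the restriction is set through the device policy framework rather than by toggling a user-visible setting: once applied, the end user cannot re-enable 2G from the Settings app, so a socially engineered victim cannot be talked into undoing the protection. A management console would typically call `apply` at enrollment and re-run `isEnforced` during periodic compliance checks.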

It is pleasing to see how Google has responded to real security and privacy threats that have not yet grabbed the attention of most of the public. Prevention is better than cure, but some businesses have an unfortunate tendency to monetize protection by waiting for bad things to happen first. Researching this article also yielded another unexpected pleasure: Google illustrated the reasons to disable 2G by referencing two Commsrisk articles about the Paris smishing gang. Returning the favor, Google’s security announcement for Android 14 is found here.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.