by rupellohn 3522 days ago
For 3G/4G networks there is strong mutual authentication between the device and the network; for 2G (GSM) networks only the device is authenticated, so these interception devices work by jamming the 3G/4G bands, forcing the device onto the (fake) 2G network.
5 comments

And in the world of TLS, this is called a downgrade attack and treated as a serious problem...
Indeed! A very good piece of advice that I read on this topic was this one:

As a rule of thumb, any security protocol that contains lots of "MAY" parts (options) in its specification is suspicious. Even more so if the security layer itself is optional. Ideally, a security protocol contains no "MAY" parts, not even "SHOULD" parts, but only "MUST" parts.

(Not sure where I read this, or who wrote that. So I'm paraphrasing it here. Maybe it's common sense without a single attributable source.)

There's a feature in cell modems that can indicate radio link encryption/auth... put on tinfoil hat... and it's disabled in pretty much all phone firmware.

http://www.jmeds.eu/index.php/jmeds/article/view/Enabling_th...

https://github.com/PrivacyCollective/Android-CipheringIndica...

What's the point of such a feature anyway? I don't want my phone to even connect to such a tower, just tell me there is no service available.
Not even to connect in an emergency? Maybe "no service, click to attempt unsecure connection" would be better.
If you're willing to give up service when connecting to an untrusted source, then just use an always-on VPN and VOIP for voice + some tcp based messenger for SMS.
Which makes me wonder how Stingray/Hailstorm works. Does Harris Corp have a universal key for LTE?
Best I can tell, Stingray is a passive device.

It just uses a directional antenna to listen for the "keepalive" exchange between cell tower and device, focusing on a specific IMSI.

Also, even if your device is currently using LTE or similar, the GSM (or whatever 2G radio it has) will still be on and talking to the relevant network (unless you specifically tell the device otherwise, and the OEM allowed you to). This is to provide a smoother handover should the LTE signal drop too low.

Hailstorm on the other hand is basically a jammer tuned to 3G and 4G frequencies, thus forcing any devices in range to drop down to 2G. For the general public a jammer would be a big no-no, but law enforcement is a different matter.

IMSI catchers (like Stingray) are not fully passive devices. They have an operation mode where they broadcast a signal that appears to come from a legitimate cell phone tower. This captures traffic from all devices within range, targeted or not. This is why they are often called "cell site simulators" because that accurately describes how they are often used. For more information, check out this EFF page.

https://www.eff.org/sls/tech/cell-site-simulators

...but how? Comments above imply that 3G and 4G are protected with strong encryption/authentication. How is a Stingray capturing metadata from calls and SMS?
I was under the impression that Hailstorms either have valid cell tower certificates (dunno if wireless carriers are complicit) or they exploit the vast quantity of modem firmware bugs.

http://www.ee.columbia.edu/~roger/ShmooCon_talk_final_011620...

I thought Stingray was active because you can detect it if you have the right firmware.

http://www.slate.com/blogs/future_tense/2014/12/31/snoopsnit...

Also, I thought Hailstorm was LTE only (and doesn't degrade to 2g).

https://insidersurveillance.com/deciphering-harris-hailstorm...

Could have sworn that even though a more recent network is the preferred one at that time, the older ones are still connected and listening to provide a smoother handover experience.

Depending on the device you may be able to tell it to use newer network only though (my somewhat aging Android device can opt for UMTS only for example).

Indeed. But I haven't come across any phones that let you specifically disable 2G(GSM). Most let you disable 4G or 3G, or let you prioritise one over the other, but disabling 2G altogether seems to be missing.
On Android dial *#*#4636#*#* in the phone app and you can change what types of cell networks can be connected to. Apparently doesn't work on all phones, but definitely works on my stock Nexus 5X on Android 7.
My Blackberry Priv lets me select any combination of LTE, 3G, and 2G. I currently have it set to use LTE and 3G only. That's the only phone I've seen with that feature, though.