You probably don't wake up in the morning worried that your phone will betray you. Malware and security issues are one thing, but updates keep that boogeyman away. And even though we read about villains caught by stingrays and dirt boxes (fake cell towers), it's just something the authorities use to keep us safe – right? Whatever your opinion is on that can of worms, which I probably should not have opened, it is now getting easier for criminals to build them too. A demo site at Qualcomm's recent event even caught an analyst's phone. But companies like Qualcomm have been working on ways to mitigate the problem.
Full disclosure: Qualcomm flew me and dozens of other journalists, analysts, and content creators to their Snapdragon Summit media event in Hawaii. It’s hot outside, we’re all masked, and I’m pretty sweaty.
At the summit, Qualcomm had a demo set up to show how its phones can detect these Stingray cell sites and their tricks. You may not be aware of it, but these types of software-defined mobile towers are getting cheaper and easier to build – Qualcomm had one sitting in a box on a table, made with easily accessible hardware and almost fully open source software, which made it quite easy to put together. It is not just something that state-level actors or the police can afford anymore. And they are not just used to track locations or intercept communications. Like everything else these days, they can also be used for spam.
I cannot say that it is a problem I have personally encountered yet, but Qualcomm showed a demonstration of a text message sent by a cell site simulator pretending to be a bank reporting fraudulent transactions. These are the same kind of spam messages that some of us get daily, but the messages from a fake cell site are more compelling. You may not be aware of this, but text messages are not encrypted, and from its man-in-the-middle position, a fake tower can send messages that look legitimate, apparently from the real phone numbers. Throw in a link to a malicious website, and what seems like a credible message can be anything but.
There is not much you can do to prevent it directly. SMS is an old, bad standard (which is why people like me are so fond of things like RCS messages that can enable end-to-end encryption). But if you cannot stop the messages from being delivered, you can at least prevent devices from connecting to the fake cell sites that send them.
See, the way these sites work is by making themselves more attractive to your phone. If you are wandering around the city, already connected to a legitimate cell tower, these fake ones need to do something special to stand out as a good choice for your phone to switch to. They do this with things like higher signal strength and by not offering a list of adjacent towers for easy handoff, making devices less likely to leave them (among other more technical configuration options). Like a data-filled pitcher plant, a fake site is ready to catch phones in its trap and do everything it can to not let go of them.
At the demo I saw today, the demonstration cell site even snatched Moor Insights & Strategy senior analyst Anshel Sag's Galaxy S21 Ultra, handing it the eerie preview message we were shown on a demo phone. These things really work!
Fortunately, these attractive properties actually make it easier to detect the bad cell sites: phones can look for characteristics like a lack of listed neighbors or an unusually high signal strength, and Qualcomm's modems can detect them. In fact, the logic for this runs fully inside the modem itself, separate from the OS or the rest of the chipset. The usual black box warnings apply: It's probably more secure and probably cannot be affected by on-device malware, but you have less of an idea of what's going on in there.
This is not a completely new concept, and Qualcomm says its modems have had this technology for 2G, 3G and 4G networks for some time (and, via the transitive property, for 5G NSA, which relies on a 4G backbone to connect). But the new X65 modem, available in Snapdragon 8 Gen 1, brings this detection to standalone 5G networks. And when it finds a potentially untrustworthy cell site, it either downgrades it (if it's just suspicious) or directly blocks the connection if it's a real stinker.
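As an added illustration (not Qualcomm's modem logic, which the article describes only as a black box), the sketch below scores constructed cell observations on the two traits named above, a missing neighbor list and a signal far stronger than the local baseline, and maps the result to allow, downgrade or block. The field names, the 20 dB margin and the one-trait/two-trait policy are assumptions made for this example.

```python
from dataclasses import dataclass
from statistics import median

@dataclass
class CellObservation:
    cell_id: str         # constructed label, not a real cell identity
    rsrp_dbm: float      # received signal power reported for the cell
    neighbor_count: int  # neighbors the cell advertises for handoff

# Assumed threshold: how far above the local baseline counts as "too strong".
STRONG_MARGIN_DB = 20.0

def indicators(obs, baseline_rsrp):
    """Return the suspicious traits from the article that this cell shows."""
    found = []
    if obs.neighbor_count == 0:
        found.append("no neighbor list")
    if baseline_rsrp and obs.rsrp_dbm - median(baseline_rsrp) >= STRONG_MARGIN_DB:
        found.append("signal far above local baseline")
    return found

def decide(obs, baseline_rsrp):
    """Assumed policy: one trait -> downgrade, both traits -> block."""
    found = indicators(obs, baseline_rsrp)
    if len(found) >= 2:
        return "block", found
    if found:
        return "downgrade", found
    return "allow", found

# Constructed sample data: recent readings from cells the phone already trusts.
BASELINE = [-105.0, -98.0, -110.0, -101.0]
SAMPLES = [
    CellObservation("macro-A", -99.0, 6),
    CellObservation("lone-rural", -104.0, 0),
    CellObservation("hotspot-B", -75.0, 5),
    CellObservation("box-on-table", -62.0, 0),
]

if __name__ == "__main__":
    for obs in SAMPLES:
        action, why = decide(obs, BASELINE)
        print(f"{obs.cell_id:13} {action:10} {', '.join(why) or '-'}")
```

A single trait only downgrades the cell because a legitimate isolated tower or a nearby small cell can show one of them on its own.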
But if you absolutely have to connect to one of these suspicious cell sites, Qualcomm also plans to roll out a whole set of APIs to developers as part of an SDK that will allow apps to make informed decisions on their own. This may mean a banking app that refuses to rely on these suspicious connections, protecting you from a man-in-the-middle attack, or a messaging app that ignores or applies a warning label to text messages that arrive while the phone is connected to a Stingrayed tower. Unfortunately, I've been told that this side of things is not ready yet, but the APIs are coming.
We all ignore our digital security more than we probably should. It is a topic that is difficult to make appealing or to present as a major killer feature in the way we talk about, say, speed increases or camera enhancements. Being safe is not a fun new toy. But this is one of those things that does not require any effort on your part to make your life better. Even developers will have little work to do to detect these forged cell sites once the new APIs are available.