How is this possible? Are phones willing to connect to any cell and blindly trust that text messages from there are genuine and really coming from the numbers they claim to be coming from? Isn't there some cryptographic verification?
2g networks didn't have the phone verify the network, so yes they can do this.
At least as of today, most phones have an option to turn off 2g but that isn't a default.
The only way to truly disable 2g on an iPhone is to enable lock-down mode, which is a step too far for me.
Agree. I do a lot of travel and in 3rd-world countries it is quite common to get 2g spam, it's really unacceptable that Apple doesn't offer a way to turn off 2g short of lockdown mode.
Are you sure it's not sourced from the visited network? In that case, 3G or beyond wouldn't help you, as mutual authentication does not imply end-to-end authentication of all traffic between you and your home provider.
At least Pixels have the setting to disable 2G, which is on by default.
It's always amusing to me how Apple tries to hide basic security features behind their super duper totally secure mode which nobody will enable because it destroys usability.
Meanwhile GrapheneOS in the default mode is as much or much more secure (and private duh) than their marketing mode with little to no usability decrease.
Yeah, they really go all or nothing with the lock down mode. There are a lot of things from it I’d like to enable but not everything.
I was curious about this so I looked around a bit. My interpretation is that GrapheneOS still has not cracked this nut. Neither has iPhone, unless you enable "Lockdown Mode".
https://github.com/GrapheneOS/os-issue-tracker/issues/3952 https://github.com/GrapheneOS/os-issue-tracker/issues/6076
Plausible. Only Rogers still has working 2G.
It doesn't matter what the network is doing; the phone needs to disable 2g. There are various ways to get the phone to downgrade to 2g otherwise, e.g. https://montsecure.com/files/2021_downgrade.pdf
Android has it as a toggle: https://source.android.com/docs/security/features/cellular-s...
iPhone disables it for phones in lockdown mode.
And if you have a modern enough SIM+phone combo, it won’t even display the 2g network as an available network, nor 3G on my device.
I wonder if this mostly hit international SIMs, since they wouldn’t be running the same level of SIM code to prefer various network locks like a local SIM.
Helps you stay under the radar, and gov services over SMS are a lot more advanced outside of Canada if you want to do some fraud.
>And if you have a modern enough SIM+phone combo, it won’t even display the 2g network as an available network, nor 3G on my device.
Source? It might just be that your carrier retired its 2g/3g network, not that the phone/sim refuses 2g/3g connections. If some cell tower popped up claiming to be 2g/3g, your phone still might happily connect.
source = Rogers SIM in me phone
my Telus/Bell SIM shows the 3G network tho
Unfortunately, I think there's no way for a SIM card to indicate to the phone that it would like it to please never connect to any 2G (or any non-mutually-authenticated) network.
Absent that, maybe this happens via a carrier profile (or equivalent mechanism)?
Ah, so the attack might depend on whether your phone is set to allow roaming or not. Maybe.
But I only have an option for data roaming on/off, not roaming entirely.
I don't think that matters, since the phone has no way of knowing from the SIM card alone whether it should still connect to 2G networks or not.
It sounds like a good idea to at least restrict 2G connections to non-roaming scenarios, but then you have the next practical problem: How does your baseband know that you're abroad?
Sure, all solvable at the application layer (the phone could use location heuristics to figure out where it is etc.), but not trivial and full of edge cases that could easily result in your phone mysteriously not connecting while abroad or, worse, not being able to make an emergency call or similar.
That's incredible, here in Australia they not only shut down all 2G networks almost a decade ago, but they've already shut down 3G as well!
Although now looking at Wikipedia there are a lot more 2G networks sticking around than I realised, still hard for me to believe given what's happened here!
You do realize it’s a fake 2g/3g network and most phones don’t care. They will happily connect to whatever they support.
Only if they’re not already connected to a better network, no?
Which is interesting in that they very publicly shut down the 3G network last year.
The original standards weren't expecting anyone but carriers to send messages and ramping up security has been a slow process, so downgrade attacks probably work nicely.
Guessing the spammer doesn't want to overload towers or be foxed within the same 3 so they're driving. Maybe the hats(?) shut off on rotation... or eSIM?
Well, based on what I'm gleaning from https://www.smsbroadcaster.com/ (yes, they sell these brazenly in the open), I suspect they're doing some SDR shenanigans to bring up fake cell networks and leverage Cell Broadcast instead of just SMS.
https://en.wikipedia.org/wiki/Cell_Broadcast
They are also interfering with connections and attempting downgrade attacks to do 2G SMS messages as well (which is likely where Canadian carriers were picking up the 'millions' of attacks against their network and failed authentication attempts).
Amusingly this was all also caught because of Telus reviewing those SMS messages that were reported as spam from people on iOS/Android and realizing that the messages weren't being terminated inside the cell network at all when they tried tracing them out and suspected that this was the case.
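Added example, not written by anyone in this thread: a small Python heuristic run over a constructed log of a phone's registration changes, flagging the kind of forced 2G downgrade discussed above (a drop to GSM while LTE coverage was still good, or a GSM cell that is suspiciously strong) while leaving the legitimate fallback at the edge of coverage alone. The log format, field names, thresholds and the test PLMN 00101 are all assumptions.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample log (not captured from any real device); the columns are
# an assumed format: time, radio access technology, PLMN, cell id, signal in dBm.
SAMPLE_LOG = """ts,rat,plmn,cell_id,signal_dbm
1,LTE,00101,1A2B01,-87
2,LTE,00101,1A2B02,-85
3,GSM,00101,00FF01,-60
4,GSM,00101,00FF01,-58
5,LTE,00101,1A2B02,-84
6,LTE,00101,1A2B03,-118
7,GSM,00101,00AA01,-90
"""

LTE_GOOD_DBM = -100   # assumed: RSRP at or above this means LTE was usable, so no reason to fall back
STRONG_2G_DBM = -65   # assumed: a GSM cell this strong is unusual unless you are next to the mast


@dataclass
class Event:
    ts: int
    rat: str
    plmn: str
    cell_id: str
    signal_dbm: int


def parse_log(text: str) -> list[Event]:
    rows = csv.DictReader(io.StringIO(text))
    return [Event(int(r["ts"]), r["rat"], r["plmn"], r["cell_id"], int(r["signal_dbm"])) for r in rows]


def find_suspicious_downgrades(events: list[Event]) -> list[tuple[int, str]]:
    """Return (ts, reason) pairs for registrations that look like a forced 2G downgrade."""
    findings = []
    for prev, cur in zip(events, events[1:]):
        if cur.rat != "GSM" or prev.rat == "GSM":
            continue  # only the moment the phone lands on 2G is interesting
        if prev.signal_dbm >= LTE_GOOD_DBM:
            # Coverage on the faster network was fine; a legitimate fallback would not happen here.
            findings.append((cur.ts, "downgrade_from_good_" + prev.rat.lower()))
        if cur.signal_dbm >= STRONG_2G_DBM:
            findings.append((cur.ts, "unusually_strong_2g_cell"))
    return findings


if __name__ == "__main__":
    for ts, reason in find_suspicious_downgrades(parse_log(SAMPLE_LOG)):
        print(f"t={ts}: {reason}")
```

In the sample, the drop at t=3 is flagged twice (LTE was at -85 dBm and the new GSM cell is very strong), whereas the drop at t=7 after LTE faded to -118 dBm is treated as an ordinary edge-of-coverage fallback.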