🔐 Smartphone: “IMSI Catchers” (Thoughts + Mitigation)

Note: restricting to “4G only” may not be right for everyone. If it negatively affects service in your area, you can disable it with:

systemctl disable 4g-only.service

These tips target the common 2G / 3G cell site simulators. 4G cell site simulators also exist (active, less common).

Originally shared on bmac June 21st, 2022.


Hey friends, 😀

Today let’s talk a bit about what are commonly referred to as “Stingrays” (a popular model). For Linux phone users (tested on the Pinephone), I am also sharing a small service for “4G Only” persistence (applied every boot).

Why? After noticing downgrades, I wanted to see if it would affect my service over the long run (good coverage), so I opted to try “4G only” for a while.

4G only restricts 2G / 3G and could cause service interruption during moments lacking 4G availability.

Includes tips for Android users. The iPhone does not have as many options, but there is a “4G Only” app.


Cell Site Simulators (examples: “Stingrays”, “IMSI Catchers”): false cell towers that present themselves as the “strongest signal in the area” to nearby phones (ex: 10,000 phones per device in some cases). Once connected, phone location can be tracked, and on lower security (ex: 2G), SMS / calls can be more easily captured.



SUMMARY: most Cell Site Simulators rely on downgrade attacks to make your phone connect to the less secure (weaker encryption) 2G service (and other times 3G). We talk about how to mitigate this on Linux phones (Pinephone service), Android, and iPhone (briefly).


INTRODUCTION

Video (older) introducing an Android tool for detection and mitigation of “cell site simulators”.

A basic introduction to what these devices are designed to do (mimic cell towers), and what various models may look like (including homemade), from the smallest (fitting in the palm of the hand), to the flying…

Watch Here: https://www.youtube.com/embed/w8reJoOl5fM


RELATED VIDEO: Top 11 Android Privacy Tips


Tracking With Cell Site Simulators

Essentially functioning as false towers.

If You Have A Phone…

it will eventually fall into this surrounding net…

These devices can scoop all phones in the area. Some reportedly handle 10,000 phones in vicinity, at a time.

Common in the midst of a protest (examples further down).

We all deserve the right to privacy in our home, and inside our most personal devices.

Privacy represents the most fundamental Human Rights (no right guaranteed without right to privacy)

Companies producing Cell Site Simulators have non-disclosure agreements.


SIM CARDS: SILENT SMS + MORE

While we are talking smartphones, it’s best to include SIM cards in the mix.

Did you know your SIM card carries its own microcomputer, runs its own OS and browser, and accepts hidden binary text messages?

You can learn more about this in our video, here: https://www.youtube.com/embed/U4h6YuDxmLo


CELL SITE SIMULATOR MITIGATIONS

Downgrading phones to 2G service makes content easier to intercept (ie: calls and SMS txt), due to the weak security of 2G.

4G Cell Site devices are more expensive (compared to 2G / 3G), and generally offer location tracking.

Previously, price quotes (released a couple years back) marked “Hailstorm” devices for over $450,000.

Ultimately, for both criminal and official purposes, most rely on “downgrade” attacks.

Some may notice 4G blocked during certain areas of protest.


See: here, here, and here as examples where 4G was blocked during protest. Nearly all serious protests deal with this, which (possibly) forces connection to cell site simulators.


VULNERABILITY: SYMPTOMS OF ATTACK (Then Again… There Aren’t Always Signs)

  • Quicker than normal battery drain (push max battery usage)
  • High power usage forced on phones (amplification can allow farther operation distances)
  • Downgraded service to 2G, 3G (from stable 5G, 4G)
  • Service disruptions (problems sending SMS txt, calls, internet)

We should ask ourselves: Why is there no tower provider authentication, to protect our phones from these devices? If providers desired so, it would be so.

Why Do Downgrade Attacks From 4G To 2G, 3G Happen?

Downgrade attacks occur to move phones to a more ‘receptive’ environment.

  • 4G Cell Site Simulators (pricey)
  • 2G, 3G offer lower security capabilities (ie: receiving calls / SMS txt)

Use To Our Advantage?

Since said false malicious cell spy towers utilize downgrade attacks to force all phones in the area to connect to their malicious cell site simulator…

We can attempt to mitigate downgrade attacks by forcing 4G only. Keep in mind that not all settings are saved after reboot; that is the idea behind the 4g-only service for the Pinephone: it forces 4G / LTE only on each reboot.


ANDROID USERS: SETTING 4G / LTE ONLY

  • Open Dialpad
  • Dial: * # * # 4 6 3 6 # * # * (this opens testing window)
  • Go into “Phone Information”
  • Set Your Preferred Network Type To LTE Only for 4G only (keep in mind this setting holds until reboot)

iPhone Users: 4G / LTE Only

There is a reported 4G only app.

You can also access iPhone service options by following this page.


Pinephone / Linux Phone Users

Today I am writing to introduce a small example “4G Only” service.

It’s something I wanted on my Pinephone (Linux phone) to prevent downgrade attacks.

Symptoms Of Malicious Intent

  • Phone jumps from its reliable 4G, down to 2G, or 3G
  • Phone has service disruption after this connection change
  • Internet may lose reliability, texts and calls may show issue / stalling

Apps like Android’s “Cell Spy Catcher” take 24hr to map out all current cell towers (and locations), then alert you to towers which move or behave suspiciously, such as changing tower information or location (ie: true cell towers are not moving around, changing location 😤)


RELATED STORY: In some areas, attacks could even be of foreign interests, even criminal networks.

See Example: IMSI Catchers found planted on Whitehouse grounds
(said to be of foreign origin – details in article)

Mitigation (For Most Cases / Devices): Force 4G Only.

Sure, the settings in Gnome / Phosh allow you to select 4G only for the moment. The issue is that it resets to allow 2G, 3G, 4G on the next boot. This service ensures 4G is the only service available to the modem (during a service downgrade attempt).

Setting Up 4g-only Service

The service is simple to set up.

Simply download / clone package from Gitea onion (use torify git clone, or Tor Browser to view and download), and run the install.sh script (using sudo). This moves everything where it belongs, making a new command in our execution path, and enabling the service (by default starting 1st on your next reboot).

If you would like the service to start right away, you can run the command installed:

sudo 4g-only

Or (once you have run install.sh), you can start the service without a reboot by issuing:

sudo systemctl start 4g-only.service

What Does It Do?

It first detects your current modem location (which does change), then sets “4G / LTE Only” for that modem, every reboot.

Running:

sudo 4g-only

forces 4g-only from the commandline.

If you need access to 3G as well, there is a single argument:

sudo 4g-only reset

Personally, I recommend 4G-only (not the reset) to prevent connection to these lower services linked to most malicious cell site simulators (note: during downgrade attack you may lose service – but at least you may know why..)
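A sketch of how a helper like this could work, added here as an example and not the 4g-only package's own code: it looks up the modem index on every run, restricts the allowed modes, and then checks that 2G / 3G are really gone. It assumes the modem is managed by ModemManager's mmcli with the output layout shown in the constructed samples; the function names and the lock / reset arguments are hypothetical.

```shell
#!/bin/sh
# Added example: not the 4g-only package's code. Assumes ModemManager (mmcli).

# Constructed samples of `mmcli -L` and `mmcli -m 3` output, for offline checks.
SAMPLE_LIST='    /org/freedesktop/ModemManager1/Modem/3 [QUALCOMM INCORPORATED] QUECTEL Mobile Broadband Module'
SAMPLE_OPEN='           |              current: allowed: 2g, 3g, 4g; preferred: 4g'
SAMPLE_LOCKED='           |              current: allowed: 4g; preferred: none'

# Read `mmcli -L` output on stdin and print the first modem index.
# The index changes across boots and modem resets, so it is looked up each time.
modem_index() {
    sed -n 's|.*/ModemManager1/Modem/\([0-9][0-9]*\).*|\1|p' | head -n 1
}

# Read `mmcli -m N` output on stdin and print the currently allowed modes.
current_allowed() {
    sed -n 's/.*current: allowed: \([^;]*\);.*/\1/p' | head -n 1
}

# Succeed only when the allowed set is exactly 4g (no 2G / 3G fallback).
is_lte_only() {
    [ "$(current_allowed)" = "4g" ]
}

# lock: 4G only. reset: 3G + 4G with 4G preferred. "lock" is verified afterwards.
apply_mode() {
    tries=0
    # At boot the modem can appear late; poll for up to about 60 seconds.
    until idx=$(mmcli -L 2>/dev/null | modem_index) && [ -n "$idx" ]; do
        tries=$((tries + 1))
        [ "$tries" -ge 12 ] && { echo "no modem found" >&2; return 1; }
        sleep 5
    done
    if [ "$1" = "reset" ]; then
        mmcli -m "$idx" --set-allowed-modes='3g|4g' --set-preferred-mode='4g'
        return
    fi
    mmcli -m "$idx" --set-allowed-modes='4g' || return 1
    mmcli -m "$idx" | is_lte_only || { echo "2G/3G still allowed" >&2; return 1; }
}

# Only touches the modem when called as: sh script.sh lock|reset
case "${1:-}" in
    lock|reset) apply_mode "$1" ;;
esac
```

The final check matters because a mode change that silently fails leaves the phone open to the same downgrade the restriction is meant to block.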

Checking Status Of 4g-only.service

Once installed (after a reboot), you can check the status of 4g-only.service.

sudo systemctl status 4g-only.service

Once you have run the install.sh, you will have 4g only every single boot 100% of the time.

If you need access to 4G + 3G (not recommended for most areas), I added the ability in the systemctl ‘stop’ command of the service.

And so:

sudo systemctl stop 4g-only

Won’t just allow 3G, it keeps 4G preferred.

But for myself, and most people, I do recommend leaving the service as is, allowing 4G Only (not including 3G), if you wish to mitigate downgrade maximally.

If you notice service disruptions on 4g Only, this could be a sign of downgrade attacks. That alone IMHO, can be useful to know.

Will share more options as tested in future (check back).

Hope you find this useful. ❤️ 📱 🐧

