Our head of penetration testing, Aleksander Gorkowienko, along with Norway-based colleague Øyvind Stensby has had an article published online by Digi.no that looks at the use of IMSI catchers set up to provide unknown third-party sensitive information. This follows on from an article by Aftenposten, Norway's largest newspaper, about the discovery that members of the parliament and the prime minister of Norway were being monitored by secret espionage equipment.
The original article is at – http://www.digi.no/932175/imsi-catchere-er-kommet-for-aa-bli but below is a translation.
The main problem is that such devices can easily be based on common mobile components or other low-cost radio equipment, which gets cheaper every month. In other words, anyone with technical skill and evil intentions may be able to capture what you and I are saying. Moreover, there are a plethora of recipes online detailing how to build passive GSM-based monitoring units.
The consequence is that it is no longer necessarily agents who conduct classical security or industrial espionage.
It might be the press or "hacktivists" in their various forms. The threat is complex and the only thing that is certain is that someone can monitor unencrypted information in the mobile network. It is a paradox that information security has low priority in IT and communication projects, and that people often think it will turn out well without further investments.
Is it possible to avoid such monitoring?
Naturally there are measures that reduce the risk of being monitored. The network providers should consider how IMSI is sent in the network. TMSI should be used instead. This prevents the subscriber being identified. Furthermore, there are several apps and software that alerts the user when there is no encryption. Just as there are recipes for people with evil intentions online, there are also recipes for how to reduce the risk for being monitored.
There is an interesting open source project called Android IMSI Catcher Detector, which intends to detect and avoid false base stations (IMSI catchers), and other base stations with poor or no encryption. The project intends to warn users that the encryption is turned off in addition to several other protection mechanisms. Perhaps it is such measures that can be further developed to ensure the phones to key personnel? Until this is in operation, you should focus on security processes regarding the use of mobile communications. Government should consider frequent change of SIM card and phones, and the phone must of course be switched off and placed outside meeting rooms where important decisions are taken.
We can only hope that communication solutions for patient data and other upcoming critical projects take account of the new threat. Use of IMSI catchers and other "Man in the Middle" attacks on communications are here to stay, and businesses and governments must take this into account when new projects are planned.
Until the security is in place, we may adopt to the security moto from the Norwegian Defense; "if you don’t say anything which may compromise information, no one will get the information…"
The learn more about the cyber security risks surrounding “IMSI catchers’ and the security measures you can put in place, contact us.