It appears that the WiFi connectivity that is bundled in virtually every cell phone sold today can be used to track the owners easily.
Cell Phones can Be Traced Via WiFi
As it appears most cell phones used today can be used to actively track their owners just by using the WiFi connectivity option. A well-established option that has been used to date was the use of a tool called IMSI catcher. This has been used by law enforcement agencies to track suspects and find missing people. The way things is that the device mimics a cellphone tower which tricks the devices in range to connect to it. The IMSI catcher has the capability to intercept internet traffic, calls, send and receive fake texts and install malicious programs (spyware) on the victim device. By definition this is considered a man-in-the-middle attack. Nowadays it is quite easy for anyone to obtain such a device. Last year security experts reported that customers can easily purchase and order a low-cost IMSI catcher that has the ability to work with most modern connectivity standards, including 4G. One such device can be purchased for 1400 US dollars and works in a 2o meters radius.
Now a new danger has arose. During the international hacker conference BlackHat Europe a research team from Oxford University demonstrated a new type of IMSi catcher attack that used the WiFi protocol. The demonstrated attack allowed the capture of the cell phone’s IMSI number within seconds as soon as the user came in range of the network.
The consequences include the active tracking in real time of the victims and this affects both Android and iOS device owners. This can be fixed by disabling the WiFi calling feature on the device and the network auto connect feature.
The summary of the findings are given on the conference’s web site:
WIFI-BASED IMSI CATCHER
Piers O’Hanlon | Researcher, University of Oxford
Ravishankar Borgaonkar | Researcher, University of Oxford
Location: Gallery Hall
Date: Thursday, November 3 | 10:00am-11:00am
Format: 50 Minute Briefing
Track: Android, iOS and Mobile Hacking
We introduce a new type of IMSI catcher which operates over WiFi. Whilst existing Stingray type IMSI catchers exploit 2-4G radio protocols to track movements of mobile subscribers, in this talk, we introduce two new approaches to track mobile devices which exploit authentication protocols that operate over WiFi. These protocols are now widely implemented in most modern mobile OSes, allowing for the creation of a low cost IMSI catcher.
We demonstrate how users may be tracked on a range of smartphones and tablets including those running iOS , Android and other mobile OSs. This tracking can be performed silently and automatically without any interaction from the tracked user. We have developed a proof of concept system that demonstrates our IMSI catcher employing passive and active techniques.
Finally, we present guidelines for vendors and cellular network operators to mitigate the user privacy issues that arise.