this post was submitted on 12 Jun 2024
166 points (98.8% liked)

Privacy

31872 readers
401 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 18 points 5 months ago (3 children)
[–] [email protected] 2 points 4 months ago

Nah, encrypted communication.

[–] [email protected] 23 points 5 months ago (1 children)

A VPN won't really do anything against CSS/IMSI catchers.

[–] [email protected] 3 points 4 months ago (1 children)

Forgive my ignorance, but isn't preventing this type of man in the middle attack exactly what VPNs are for?

[–] [email protected] 10 points 4 months ago (1 children)

That's not how a VPN works. A VPN masks the information you are actually accessing by showing you query the VPN instead. To make a connection to a service you still need an address. This info is what they are using to identify your device.

Most traffic is already encrypted (httpS) so someone spying on you wouldn't know the content of your communication only who you contact. But without a VPN a man in the Middle could see who you are contacting. E.g. looking up pornhub. With the VPN it only shows you looking up the VPN.

[–] [email protected] 6 points 4 months ago (2 children)

Right, that's what I understood. So using a VPN, a CSS will be able to identify that my phone is active, but not the content I'm accessing, or who I am accessing it from, correct?

The previous comment said VPNs do nothing against this type of attack- were they just referring to identifying your device?

[–] [email protected] 0 points 4 months ago (1 children)

CSS wouldn't be used to spy on your network traffic; if they wanted your internet data, they'd have much simpler methods to collect it than CSS (and they wouldn't be able to decode most of that data anyways in normal cases).

or who I am accessing it from

What do you mean by that?

Suggesting that a VPN could mitigate stuff relating to CSS is like wearing a floating vest 24/7 when flying in a Boeing plane: you might feel a bit safer with it on, but it'd probably be smarter to have a parachute instead.

[–] [email protected] 1 points 4 months ago (1 children)

Ok, I'm missing something then.

What is CSS used for?

[–] [email protected] 2 points 4 months ago

CSS are used to establish whose phone (the therefore who) is in a location and whose phone (and therefore whomst) sent and received data at what times.

That information is what police will use as probable cause to get warrants against the services you use if not your person or home.

[–] [email protected] 4 points 4 months ago (1 children)

Right, that’s what I understood. So using a VPN, a CSS will be able to identify that my phone is active, but not the content I’m accessing, or who I am accessing it from, correct?

From my understanding your statement seems correct, but it's also lacking a bit. Unless you also randomize your mac address (grapheneOS does this) they can still map your position and visiting times. Additionally not all of your phones data goes through the VPN, something like a phone call/SMS isn't encrypted unless you're using an app to make the call.

The previous comment said VPNs do nothing against this type of attack- were they just referring to identifying your device?

Yes, they are thinking of a VPN as a privacy tool, not strictly as a security tool as in your example. Privacy will be compromised.

[–] [email protected] 6 points 4 months ago (1 children)

These devices (CSS/Stingray) are going to see both your SIM IMSI number, and your device IMEI number. AFAIK, the MAC randomization that most modern phones do, is with your WiFi modem so that WiFi routers can't track you.

If you put your SIM card into a new phone, and then login to your cell service provider portal with a computer or other device, you will observe that they know the model of phone you are using. They get this info from the IMEI when your phone talks to the tower. Since the CSS is a rogue tower, they get the same info.

[–] [email protected] 4 points 4 months ago* (last edited 4 months ago) (1 children)

Thanks for clearing up my WiFi mix-up. From my understanding the same attack path still applies even to https://grapheneos.org/features#lte-only-mode and respectively https://grapheneos.org/usage#lte-only-mode correct?

https://en.wikipedia.org/wiki/International_Mobile_Subscriber_Identity states the phone would send a https://en.wikipedia.org/wiki/Mobility_management#TMSI most of the time? But your point about the IMEI still stands. So there is no real way to protect yourself other than to turn off cell tower roaming?

[–] [email protected] 2 points 4 months ago

Thanks for the links. There's some new information in there that I'll have to look further into. For one, I've never heard of security concerns about 5G versus 4G.

I also wasn't aware of the TMSI at all. I still don't fully understand some things about it which would be important considerations:

How is this randomized number assigned/correlated to the IMSI? Is it done by the tower?

It seems like the carrier can request the actual IMSI at any time. Can these CSS also do that? TMSI is supposed to protect against 'eavesdroppers' but these industrial a grade CSS might have greater capabilities than passive eavesdropping.

I am unsure if or how disabling roaming would protect you from CSS. For one, the spoofing might make your device think it isn't roaming. Secondly, the CSS might still be aware of your device anyway, even if it doesn't establish an open connection to it. The phone and the tower need some minimum communication to even determine if you're roaming or not.

[–] [email protected] 21 points 5 months ago

The lower layers all already at least moderately well encrypted, what they're doing here is trying to pull the unencrypted device ID necessary to establish a connection. It's not really what you're sending (though traffic frequency analysis may be included) and more about just figuring out where a particular phone is so they can physically track the user.