News Stay informed about the latest enterprise technology news and product updates.

Rogue IMSI catchers heighten enterprise cell phone security risks

News roundup: Rogue cell phone towers are popping up across the United States, heightening enterprise communication and data privacy concerns. Plus: Goodwill breach update; Adobe patches released; and security in 2025.

Cell phone, mobile device, smartphone ... whatever you call the device, it's one of the most prevalent tools for both personal and professional success, helping people stay connected, attend meetings, work on the go, or just plain converse about what's for dinner.

While many mobile device-wielding users may not think too long or hard about how the device makes the call -- unless it can't find a signal -- recent news of "ownerless" rogue cell phone towers popping up across the United States may be cause for concern, especially if these towers have the ability to eavesdrop on private conversations.

In an article published last month by Popular Science, secure mobile phone vendor and manufacturer ESD America announced that its engineers and customers had detected 17 phony cell phone towers -- also known as inceptors or IMSI catchers -- across the country using its CryptoPhone 500, an Android-based mobile phone that includes native voice and message encryption. While the inceptors may look legit, they are anything but: Rogue towers could allow attackers to eavesdrop on calls and text messages or even possibly infect the devices connecting to it with malware.

According to Popular Science, though standard mobile devices may not detect a threat, the CryptoPhone's baseband firewall notifies users when the device's encryption has been turned off, a dead giveaway of a rogue cell phone tower. Another sign is that standard carrier towers will be named whereas inceptors will not be. An interceptor or fake tower can force the decryption of devices connecting to it, allowing the tower to spy on and even hijack phone calls, text messages and other means of communications.

"Mobile phones seek out radio signals and connect to the nearest cell tower, and each phone has to prove its authenticity to the tower it is connecting to," explains security expert Graham Cluley. "That's where IMSI catchers, which are used by law enforcement agencies, collect the IMSI identification numbers of the SIM cards used in LTE and GSM phones. Cell phone towers nearby, regardless of whether the towers are fake or real, log the device's IMSI."

More recently, ESD partnered with mobile security vendor IntegriCell Group Inc. and this week found 15 new rogue cell towers in the Washington D.C. area.

According to SilverSky's CTO and SVP Andrew Jaquith, it's not Big Brother watching you. "The NSA doesn't need a fake tower," Jaquith told VentureBeat. "They can just go the carrier to tap your line."

An unnamed source told The Register that they were skeptical of criminal actions, saying the rogue towers were likely placed there to "allow coverage to groups of people that are not in a conventional coverage area (such as paying customers in a casino, or military groups)."

Even still, the fact that rogue towers exist so prevalently is troubling to say the least. Who put them there? Who is using them? These issues have made their way up to Congress, which in an Aug. 1 letter requested information from the Federal Communications Commission about the use of these towers. In response, the FCC created a task force to "combat the illicit and unauthorized use of IMSI catchers," though the FBI and other law enforcement agencies may also get involved.

So do interceptors put enterprise mobile communications at risk? It is important to note that IMSI catchers available online sell for upward of $100,000 and are only available to government and law enforcement agencies. However, this hasn't stopped homemade models from appearing. At DEF CON 18, Kristin Paget presented how to eavesdrop and record cell phone communications; within minutes she had more than 30 devices connected to her homemade system. And at Black Hat 2013, a trio of researchers demonstrated how to use a femtocell to eavesdrop on voice, SMS, MMS and other cellular communications. So while enterprises may not consider themselves possible targets of inceptor attacks, femtocell attacks are certainly a threat to be wary of.

And while the CryptoPhone may be helpful in identifying interceptors, with a hefty $3,500 price tag, it isn't likely to be on the shortlist of many enterprises any time soon. For the time being, conducting smart use of mobile devices is critical to maintaining security, and saving confidential communications for properly secured phone lines is of the utmost importance.

Aaron Turner, president of IntegriCell, said the recent interceptor discoveries shouldn't cause mass hysteria. He did note, however, that "if you're a high-value target, or if you have high-value information inside of your company, then you need to take precautions and protect your communications while you're on [cellular network]."

In other news

  • C&K Systems Inc., a third-party payment vendor, published a press release this week acknowledging its involvement in Goodwill Industry Inc.'s security breach. In the statement, the company admitted that its Hosted Management Services Environment was targeted by a highly specialized point-of-sale malware (called infostealer.rawpos) between Feb. 10, 2013, and Aug. 14, 2014. According to C&K, three of its customers were affected. Goodwill confirmed earlier this month that its customers were victims of the attack; the other two companies have not been made public. C&K notes, however, that "while many payment cards may have been compromised, the number of these cards of which we are informed have been used fraudulently is currently less than 25." The company also stated that it quickly investigated, contained and eliminated the issue.
  • Adobe Systems Inc. this week released previously delayed software updates for its Adobe Reader and Adobe Acrobat software. These updates, which were originally slated for a Sept. 9 release but were delayed due to issues in routine testing, address eight vulnerabilities in the programs on Windows and Macintosh platforms that could potentially allow attackers to take over systems. Five of the vulnerabilities could allow remote-code execution, while the other three address a universal cross-site scripting vulnerability, denial-of-service vulnerability and sandbox bypass vulnerability. The bulletin, APSB14-20, is rated critical; enterprises should install the updates as soon as possible. The company recommends updating to Adobe Reader 10.1.12 and Adobe Acrobat 11.0.9.
  • A recent study by McAfee Inc., Safeguarding the Future of Digital America in 2025, offers insight into the next decade of technology and its impact on everyday life, the workplace and privacy. Approximately 60% of the 1,500 consumers surveyed expect to have a "smart home" within the next 11 years, and 70% believe that wearable devices will be leveraged for everyday use. As McAfee Chief Consumer Security Evangelist Gary Davis wrote in his blog, "Our devices are getting increasingly 'smarter' and entwined with our daily routines." However, along with these changes come increased security and privacy concerns. Sixty-four percent of consumers are worried about identity theft, monetary theft and fraud in the future, and 77% fear falling victim to cyberattackers. Davis notes that this study was conducted "to shine a light on these matters and expectations so [industries] can best integrate new innovations with [consumers'] online security and privacy in mind."

Next Steps

Learn more about preventing mobile phone spying and ensuring mobile device protection.

Check out the latest on the recent slew of retail data breaches; Adobe patching news; and the trend of wearable technology.

Dig Deeper on Mobile security threats and prevention