Hackers and Law Enforcement Could Hijack Wi-Fi Connections to Track Cellphones

One morning on the underground in London, Piers O’Hanlon, a privacy and security researcher at Oxford University, noticed something strange about his phone: it kept automatically connecting to Wi-Fi networks from his provider without asking for a password — displaying a small lock icon.

What started off as another morning on the tube prompted O’Hanlon’s next research project. He began digging into the widely available public, automatic Wi-Fi provided by the phone companies, and looking at the ways it could be exploited and spied on. It turns out, those initial connections, which largely happen without consent, are insecure and unencrypted — and can be easily intercepted by malicious hackers or law enforcement.

What O’Hanlon and his Oxford research associate, Ravishankar Borgaonkar, looked into was a previously known — but unaddressed — flaw in the automatic Wi-Fi protocols that would allow someone to track the location of phones that connect to these networks. While tech experts are aware of the flaw, it’s so deeply engrained in the system that it would require a large overhaul to fix — something companies aren’t eager to invest in.

This flaw would allow someone to hijack a user’s Wi-Fi connection the way law enforcement currently does with wireless communications using Stingrays, or IMSI Catchers, the handheld devices that imitate cell phone towers. Stingrays and similar devices trick nearby phones to connect and dump information about the phone, like its location, and sometimes also the content of calls, onto the tracker. (Stingrays are a specific brand sold by Harris Corporation in Florida.)

“We [can] demonstrate how users may be tracked on a range of smartphones and tablets including those running iOS, Android and other mobile OSs. This tracking can be performed silently and automatically without any interaction from the tracked user,” O’Hanlon and Borgaonkar wrote in a description of their research.

The glaring insecurity of open Wi-Fi has been a topic of research before, often appearing in headlines (like a 2013 study that specifically tested how iPhones automatically connect to Wi-Fi). The Oxford team broadened the investigation to more devices — and revealed how little has been done to address the inherently insecure protocols first released in 2006. They also made the connection to what law enforcement is already routinely doing — tracking cellphones.

Normally, Stingrays operate “on the licensed spectrum,” O’Hanlon explained during a phone interview with The Intercept. Oftentimes they’ll operate over 2G; if a phone is running on 3G or 4G, the device will hijack that connection and downgrade it. That behavior can interrupt cell phone connection for everyone nearby — posing a danger to people making emergency calls, depending on the length of the interruption, which is still a matter of dispute between technologists and the FBI.

The Oxford team’s technique, were it to be adopted by an attacker or an investigator, would do something similar — only it would hijack the Wi-Fi signal instead of the radio spectrum cellphones normally use to make calls. They presented their research to a crowd at annual security conference Blackhat Europe on Thursday.

For phones that rely on Wi-Fi connections to make calls (which automatically happens in airplane mode), and phones that automatically connect to Wi-Fi networks set up by the provider — something O’Hanlon says is “becoming increasingly prevalent” — there is a danger that information about the phone’s location, its IMSI, or International Mobile Subscriber Identity, could get leaked.

O’Hanlon describes two approaches he discovered for uncovering that private information. First, he says, you can set up a rogue access point — basically a wireless connection masquerading as the network the phone will connect to. “The phone will associate with that access point. It can happen because of the way the automatic networks have sprung up,” he explained.

The phone is verified as a legitimate device connecting to the network when the operator’s system looks up a secret key stored on the device. A digital “handshake” takes place when the device is recognized, and the phone automatically connects, revealing the IMSI.

But if the operator is O’Hanlon and not Verizon — that identity is compromised. “The IMSI is revealed during this interchange, during the early stages of the conversation. It’s not encrypted,” he says.

This type of activity is called passive monitoring, because it doesn’t require a specific active attack or malware. It only works in some cases, however.

O’Hanlon also developed a couple active attacks that would get the job done, one involving masquerading as the operator’s endpoint where the Wi-Fi call is being directed, and another using a man-in-the-middle attack to intercept it.

Apple is the only company that has taken steps to mitigate the privacy and security risk, he says — they added additional security protocols when he brought up the issue over the summer. It was addressed in iOS 10, though there are still ways to get around the protections. But the problem is less with the companies and more with the way the connections were set up in the first place.

The protocols for these automatic Wi-Fi networks have been around since 2006, and explicitly say that the connection isn’t as secure as it could be. But there hasn’t been any incentive to address the concern.

“The problem lies in a few places,” O’Hanlon says. But primarily, it comes down to “the way the standards were written. … They do admit in the standards that it can be eavesdropped upon.”

When asked whether he knew of any companies taking advantage of these insecurities for new Stingray-like devices — legal or illegal — he said he wasn’t sure, but was confident attackers would be aware of the insecurities.

Cell phone users can mitigate these concerns by turning off the Wi-Fi. Plus, using O’Hanlon’s technique, you only get the IMSI, or the location data — not any content. But when this type of information is readily available “from passive snooping” that can be done easily, O’Hanlon says, “that’s not a good thing.”