NEW YORK (MainStreet)—You take all the mobile phone security precautions. You PIN-protect the device, you encrypt your data, you don't jailbreak phones, and you download apps only from the main app stores. Guess what: you are still enormously vulnerable, because, suddenly, crooks are unleashing what amounts to carrier-level attacks designed to gain access to all data and voice calls and, right now, there is very little you can do to protect yourself. Two big threats are challenging just about every assumption about cellphone security.
Meet the first threat: a security firm executive was in an airline lounge at Kennedy Airport when he noticed something strange happening to his phone. The signal had plummeted from fast 4G to barely moving 2G on the GSM network, and then it dawned on him: his phone was being redirected to a rogue cellphone tower that had been set up to grab all the data and voice traffic from phones in that lounge. It dialed down to 2G, because at that speed the rogue tower can simply turn off any encryption applied by the device, meaning the traffic is all in the clear.
Don't dismiss this as geek paranoia. As far back as 2010, a security researcher demonstrated a home-brewed device that could mimic cell towers.
That nightmare is coming true: suddenly crooks are erecting bogus cellphone towers. "It shouldn't cost more than $1500," said Phil Lerner, a vice president at security company Stonesoft.
And prices are dropping. "This is a growing issue," said Tom Eston, an executive with SecureState. "This is going to get worse."
Experts said plug-and-play kits - assembled in Eastern Europe - are now starting to show up for sale in online criminal bazaars. So the required technical skill levels are dropping along with the prices.
Just about all GSM phones - running on AT&T and T-Mobile - are vulnerable to these hijinks, said experts. Phones powered by CDMA chips - running on Verizon or Sprint - may not be vulnerable, but at least some are.
Who is erecting fake cellular towers? Right now the primary actors are the usual suspects - law enforcement, industrial espionage squads funded by bent Wall Streeters, spies serving foreign governments and elite private detectives who serve a well-heeled clientele.
But security experts said this ruse is rapidly moving down market - which means just about all of us loom as potential targets.
And bad as that sounds, it gets worse still, especially for those traveling abroad. The second new threat ups the ante even higher. That is because - in a lengthening list of countries - legitimate carriers are pushing out spyware to at least some travelers. "I know of one Fortune 25 CEO whose phone was infected twice in six months," said Gregg Smith, CEO of KoolSpan, a mobile phone security company.
Here is how this works. Cellphones, going back to their beginning, have been designed to accept patches and updates delivered by carriers. But what if the carrier - in cahoots with the government - targets particular travelers and delivers eavesdropping malware disguised as a security patch to their phones? In these instances, just about every packet leaving some phones will be inspected by a government agent who is on the hunt for competitive intelligence, trade secrets and any information of value.
The nightmare thickens because even after the victim leaves the country, the malware patch may still be routing all traffic back through the spying country where it is picked over before getting sent along to its intended destination. That redirection, said experts, often may go on for many months with nobody noticing.
This carrier-level phone hijacking happens frequently, said Aaron Turner, co-founder of N4struct, an enterprise security consulting firm, who ticked off a list of countries where this is commonplace. China, Brazil, Russia, India, Saudi Arabia and Israel top Turner's list, but, really, just about every country is doing this, at least to select individuals.
The cure: "bring only a throwaway phone" when traveling to high-risk countries, advised Fred Rica, a principal at consulting firm KPMG. More advice: don't use the phone for email in high-risk countries, and limit voice calls to innocuous chat.
Will that keep you safe? Watch what you say, and the answer is yes. Even if you have to make your smartphone dumb to get there.
Written by Robert McGarvey for MainStreet