Apple and Google Are Introducing New Ways to Defeat Cell Site Simulators, But Is it Enough?

However, when the null cipher is used, communications are instead sent in the clear and not encrypted. Null ciphers are useful for tasks like network testing, where an engineer might need to see the content of the packets going over the wire. Null ciphers are also critical for emergency calls, where connectivity is the number one priority, even if someone doesn’t have a SIM card installed. Unfortunately, fake base stations can also take advantage of null ciphers to intercept traffic from phones, like SMS messages, calls, and non-encrypted internet traffic.

By turning on this new setting, users can prevent their connection to the cell tower from using a null cipher (except, if necessary, in the case of a call to emergency services), thus ensuring that their connection to the cell tower is always encrypted.

We are excited to see Google putting more resources into giving Android users tools to protect themselves from fake base stations. Unfortunately, this setting has not been released yet in vanilla Android, and it will only be available on newer phones running Android 14 or higher,[2] but we hope that third-party manufacturers—especially those who make lower cost Android phones—will bring this change to their phones as well.

Apple Is Taking Steps to Address CSS for the First Time
Apple has also finally taken steps to protect users against cell site simulators after being called on to do so by EFF and the broader privacy and security community. Apple announced that in iOS 17, out September 18, iPhones will not connect to insecure 2G mobile towers if they are placed in Lockdown Mode. As the name implies, Lockdown Mode is a setting originally released in iOS 16 that locks down several features for people who are concerned about being attacked by mercenary spyware or other nation state level attacks. This will be a huge step towards protecting iOS users from fake base station attacks, which have been used as a vector to install spyware such as Pegasus.

We are excited to see Apple taking active measures to block fake base stations and hope it will take more measures in the future, such as disabling null ciphers, as Google has done. 

Samsung Continues to Fall Behind 
Not every major phone manufacturer is taking the issue of fake base stations seriously. So far Samsung has not taken any steps to include the 2G toggle from vanilla Android, nor has it indicated that it plans to any time soon. Hardware vendors often heavily modify Android before distributing it on their phones, so even though the setting is available in the Android Open Source Project, Samsung has so far chosen not to make it available on their phones. Samsung also failed to protect its users earlier this year when for months it did not take action against a fake version of the Signal app containing spyware hosted in the Samsung app store. These failures to act suggest that Samsung considers its users’ security and privacy to be an afterthought. Those concerned with the security and privacy of their mobile devices should strongly consider using other hardware.

Recommendations
We applaud the changes that Google and Apple are introducing with their latest round of updates. Cell-site simulators continue to be a problem for privacy and security all over the world, and it’s good that mobile OS manufacturers are starting to take the issue seriously. 

We recommend that iOS users who are concerned about fake base station attacks turn on Lockdown Mode in anticipation of the new protections in iOS 17. Android users with at least a Pixel 6 or newer Android phone should disable 2G and disable null ciphers as soon as their phone supports it.

1. T-Mobile plans to disable its 2G network on April 2nd, 2024

2. Specifically, phones must be running the latest version of the hardware abstraction layer, or HAL.

Cooper Quintin is a security researcher and senior public interest technologist with the EFF Threat Lab. This article is published courtesy of the Electronic Frontier Foundation (EFF).