secure cell phone?

Seriously?

Test your “safe” phone. Now.

Let’s face it, who are you really afraid of?

Few hackers can actually track your phone, for a few simple reasons: it requires expensive hardware, knowledge of the GSM stack and the SS7 protocol is scarce, and hackers have no interest in you, the average citizen. Apart from your concerned parents and jealous girlfriend, no one wants to know your (cell phone) location. Tracking a cell phone is not a simple “push-button” operation when done by a hacker. It requires deep and extensive knowledge, fairly expensive hardware, time and, last but not least, a significant interest in you. That is obviously not the case unless you are another experienced hacker or a high-profile person.

The situation becomes serious if you have done something bad or even illegal. Then you become a target of law enforcement and/or intelligence agencies, and there is no way to hide your (cell phone) location. Not only do they have the legal ability to track your cell phone at any time, but they also have the technical and human resources to do so, not to mention trained professionals.

If you think your own cell phone is safe, it’s time for 2 simple tests.

TEST #1: TEST NETWORK BY EMERGENCY CALL.

Just remove the SIM card (if you have one) and call any local emergency number (e.g. 112 or 991) or, if you have a modern cell phone, just press the emergency button. It works, doesn’t it? You can call even without a SIM card. Are you surprised? You should now think about the security of your phone. This is what “safe” phone manufacturers and retailers hide from you:

As soon as you switch on your “secure” cell phone, the phone’s radio modem is active. There is no other option. An active radio modem means that your phone can “see” the surrounding cell towers in order to make emergency calls possible. It also means that all surrounding cell towers (up to 6, from all local carriers!) can “see” your “safe” phone to enable emergency calls. The cell tower that handles your emergency call, and to which your “safe” phone connects, is the closest one. This is how your emergency call is handled: your “secure” cell phone sends a registration request to the network, providing its IMEI and (if a SIM is inserted) the SIM’s IMSI. There is no other way to make a phone call, even without a SIM. You can make emergency calls even without a network signal. If your phone loses signal from your carrier’s network, it will automatically connect to the strongest network it can find to enable emergency calls.

From this point on, your “secure” cell phone becomes easy prey: phone IMEI and SIM-IMSI (if a SIM card is inserted) are stored at the network level and are available not only to the network operator, but also to law enforcement agencies. In addition to your phone’s identifiers (IMEI and IMSI), your phone’s geo-location is also disclosed and available to the aforementioned agencies.

**Please note:** No call to a local emergency number is required for IMEI/IMSI acquisition. As soon as you turn on your cell phone, its radio modem sends requests to the nearest cell tower. As a result, your phone’s IMEI is revealed and stored on the network’s HLR/VLR servers, where it is available for location tracking procedures or call interception.

From there, the sky is the limit: abusive governments (and sometimes skilled hackers) can invade your “safe” cell phone and install a wide range of spyware that bypasses all known anti-virus apps. This is how FinSpy (a government spying tool) gets installed on your “safe” cell phone. Please note that none of this requires you to make an emergency call; you only have to turn on your phone.

Sure, you can put your “secure” cell phone into airplane mode, which will turn off the phone’s radio modem. But this will also turn off Wi-Fi and data connections, making your “safe” cell phone worthless.

Now you know that it’s time to seriously change your approach to “secure” cell phones… Learn more about government-grade spyware here.

TEST #2: SOFTWARE INSTALLATION.

Whether you like it or not, it is time to find out if your secure phone is vulnerable to government spyware. It doesn’t matter if you have turned your regular cell phone into a “safe” phone by installing various “safe” applications like Silent Circle, Signal or Telegram, or if you have bought a ready-made “safe” phone from a well-known web store. From the point of view of such spyware, (almost) all phones are the same. And this is not necessarily due to a weakness of your phone, but to the weaknesses of the mobile network (including the SS7 protocol).

You don’t need an antivirus program to check your phone’s security vulnerabilities. You don’t need a specially developed app to reveal them. You also don’t need a deep understanding of the GSM stack, cell phones, cryptanalysis or programming. All you need is to hold your phone in your hands. So let’s get started.

Try to install any (we mean any) compatible application on your “secure” cell phone. Whether it comes from Google Play, the App Store, your SD card or the phone’s memory doesn’t really matter. All that matters is the result of the installation: if you managed to install any compatible app on your “secure” phone, your phone has failed this simple security test. That’s all you need to know. It means that your “secure” cell phone is not good for anything, and that your privacy is just a false feeling and not a real situation. Here’s why:

Government-grade spyware can be installed remotely on virtually any cell phone (Android, iPhone, BlackBerry, Windows Mobile, Symbian, etc.). And usually it is installed remotely because there are not that many field agents who can trick you into picking up your phone unless you are a high-profile target. This can also be done remotely while your “secure” phone is in your own pocket.

No interaction from the phone user is needed to complete the installation of the spyware. If they need to, they will trick you big time, just like the Italian government and private companies did with the help of Italian network operators when they installed Exodus on people’s cell phones: they pretended that the user had to install an app that would fix the phone’s network connection, which was actually spyware installed by the network operator itself. All this after the same accomplice, the network operator, refused to allow the phone to connect to the network, just to make sure that the phone’s user would be happy to install the “solution” they had infiltrated.

If you can install any app on your “secure” cell phone, then abusive state actors can do the same remotely whenever they need to, without your help or knowledge, and without your consent. Which is deeply illegal without a warrant, but that’s just a small thing these days, unfortunately.

Now comes the worst part: not only governments, but also a few skilled hackers can remotely install a spy app on your phone. This can be done by injecting code into an existing app on your phone, which is then pushed as a legitimate app update. Just one example, here:

Remote code injection

Install spyware remotely on a cell phone

DEFINITELY NOT A “SAFE AND SECURE” PHONE.

Above, one of the many “secure” phones that pretend to prevent tapping. You can easily see that “emergency call” is available on the bottom home screen.

Not even notoriously encrypted phones are immune to this attack. A few years ago, an average person posted a short video on YouTube showing how a well-known app used for encrypted corporate communications – GoldLock – was defeated by a cheap commercial spy app called FlexiSpy.

He had in his hands a phone with GoldLock already installed, and he installed FlexiSpy on the same phone. He started an encrypted phone conversation with another GoldLock phone. The entire conversation was recorded by FlexiSpy in plain text, as FlexiSpy taps the audio directly from the microphone, before GoldLock encrypts the voice. Then, when the conversation was finished, FlexiSpy automatically sent the recording via Wi-Fi or data connection to a server, where it could be listened to through the user’s personal account. Simple, efficient and embarrassing for a top-notch encryption application. You can do the same test whenever you want.

For some reason, the video was removed from YouTube, so we can’t post a link. Since then, the free test apps from GoldLock are also no longer available, to avoid other similar situations.

And yes, the same thing can happen to your “safe” cell phone.

A special note on feature phones (also known as dumb phones), which we use as hardware for making a wide range of stealth phones: no sophisticated spyware application can be remotely installed on them due to the lack of an operating system. In fact, there is no spyware for dumb phones today for one simple reason: almost no one uses them, a situation that does not fit with mass surveillance. To draw a parallel: it’s like trying to install Windows on a calculator. However, a normal feature phone can be remotely monitored via a SIM Toolkit attack or via SS7 eavesdropping systems like SkyLock and ULIN, which do not require an app to be remotely installed on the phone.

Now you know it’s time to make serious changes to your approach to “secure” cell phones.

Are XCell Stealth Phones immune to remote spyware installation? No doubt about it: yes. We have eliminated or quarantined (depending on the phone model) the vulnerability in SIM Toolkit using SIM Toolkit Inhibitor, while blocking all app installation directly at the firmware level.