GSM Analysis

A quick look over the data we collected during the surveillance of the Global System for Mobile (GSM) communications network revealed SIM cards belonging to a total of 30 different countries. A list of the top ten collated along with the count can be found on the right hand side. The scope of collection would have exceeded the limits of the ExCeL in London where the conference was held, however it was interesting to see that over 49% of SIM cards using the GSM network were from outside of the UK. The map above shows just how far travelled people were in within the area. Other data collected allowed us to drill down to the operators, brand and the exact International Mobile Subscriber Identity (IMSI) number. The ability to harvest this data is, as pointed out, open source but potentially incredibly dangerous in the wrong hands. An IMSI could be placed into software for tracking purposes, allowing a criminal to know when a mobile device is in the area or not. Similarly journeys could be mapped out via cell tower connections.

Why does this matter?

This blog post has highlighted a number of ways of identifying personal devices in time and space. The threat increases dependent on the perceived importance of the device by the threat actor. Advice relating to protection against IMSI tracking is limited. The risk to many people is low and the outcome could be potential surveillance of device. The greater risk lies with Wi-Fi and SSIDs.  The reason for this is simply that the data collected above relies on probe requests. After this if the probe request is successfully answered, authentication occurs and the connection is made. If a threat actor wished to use the data collected maliciously it would be very easy to do so and could result in an end user connecting to a fake SSID. This would act as a man-in-the-middle, forwarding and receiving data, harvesting all the information in flow that is unencrypted.

How can you protect your data?

Our best advice to prevent tracking device by MAC address is to ensure you have a random MAC address and where possible, that this is randomised every connection.

iPhone

Randomise MAC

• Settings
• Tap Information next to Network
• Ensure Private Network Address is enabled

Managed Networks

• Settings
• Wi-Fi
• Ask to Join Networks (Set to Notify or Off)

Android

Randomise MAC

• Settings
• Developer Tools
• Enable Wi-Fi-enhanced MAC randomisation

Managed Networks

• Settings
• Connections / Wi-Fi
• Click the three dots in the top right and choose Advanced
• Manage Networks (Remove networks not in use)

Other top tips:

1. Turn off Wi-Fi when not in use – simple but effective.  

2. Prevent your device from connecting to networks automatically if already known or remove known networks if possible.

3. Ensure the networks you’re connecting to are using strong encryption.  

4. If using public Wi-Fi use a VPN.

‍

If you are interested in learning more about this demo, please do get in touch. Our defensive team can work with you to secure your devices, perform digital forensics on those devices, and ensure that your business networks are set up correctly. We also specialise in open-source information gathering, and can work with you to provide actionable intelligence.

‍