Analyzing the Risk Associated with Domestic and International Usage of 2G on COPE, BYOD, and CYOD Devices within Corporate Environments.

Encrypted GSM traffic can be captured over-the-air with RTL-SDR devices. This would allow anyone to sniff and capture GSM traffic with a fairly inexpensive attachment. Since the vast majority of voice and data passing through modern GSM networks are highly encrypted, the risk of exploitation is similar to that of connecting to a very secured Wi-Fi access point, very low. However, an issue arises when voice and SMS data transverse the older 2G network. Data captured over 2G is demonstratively hackable using rainbow tables, and provides an attack vector that may led to reputational and financial losses for companies.

The risk of 2G is mainly limited to voice and text (as 2G speeds are too slow to run heavy data, plus voice and data does not work simultaneously on 2G). Furthermore, in the United States cell service providers primarily function on the safer and newer 5G/4G/3G standards. Most of the major carriers like AT&T and Verizon have retired the older 2G cellular signals. T-Mobile on the other hand is the only US carrier I found that continues to carry the 2G signal. According to T-Mobile, 2G will be retired on April 2, 2024.

T-Mobile 2G retirement date

While the risk of a modern cellular devices in the United States using 2G at some point is extremely low, this still leaves open the possibility of (at least for T-Mobile subscribers) sophisticated actors with access to Stingray like technology intercepting and decrypting domestic 2G communications. Previously local law enforcement and units like the FBI have used Stingray devices to conduct covert operations on suspects, however this type of technology has since leaked over to repositories on GitHub and in all likelihood to criminal syndicates on the dark web.

For more on the Stingray

Use Case

Threat actors with access to sensitive devices can purposely set up mobile devices that default to 2G by disabling other signals bands via the phone’s settings. This creates the conditions where a company’s mobile device is setup to utilize 2G. If an unsuspecting employee is using the compromised device, the threat actor could potentially sniff and capture the GSM traffic using a RTL-SDR device. The risk of 2G traffic sniff increases if the COPE, BYOD or CYOD device is used internationally in less regulated cellular markets. Emerging countries like India, China, South Africa still use 2G, as well as the United Kingdom, Spain and France.

2G shutdown dates by country

• x Bharti Airtel focusing capital investments on 5G, no plans to shut down 2G network: https://economictimes.indiatimes.com/industry/telecom/telecom-news/bharti-airtel-focusing-capital-investments-on-5g-no-plans-to-shut-down-2g-network/articleshow/98986814.cms
• A list of countries that still use 2G and their shutdown dates is provided below: https://en.wikipedia.org/wiki/2G

ATTACK

Unfortunately, there are many options available online when it comes to jamming cellular signals. Theoretically a threat actor could use a jammer device to block reception to 5G, 4G, and possibly forcing the target cellular device to hop between signals looking for a connection. This is similar to a deauthentication attack orchestrated by threat actors that force wireless clients to reconnect to a WAP. In the case of mobile devices, once the mobile device settles on a 2G signal the vulnerability surfaced is now achieved and information leaving the mobile device suspectable to capture and decryption.

A device like the ‘Portable 5G 16 Bands Jammer’ can jam an array of signals from a radius of “5–30 meters”. Specs can be found below.

Portable 5G 16 Bands Jammer

VIPs are especially at risk for such attacks both domestically and internationally. Considering the prevalence of 2G in emerging markets, this risk is quantified when travelling internationally.

Mitigation

An accounting of COPE, BYOD, and CYOD policies to reflect the very low, but persistent threat of 2G exploitation both domestic and international would have to be implemented while 2G is still active. A few simple preventative measures can remove the possibility of a company mobile device hopping onto a 2G signal, efficiently eradicating the risk of unauthorized access to company data via this exploit.

Below are actions that will mitigate any 2G vulnerability on company mobile devices.

Implement MDM policies that prevent user from changing key device settings, such as network settings.

Enable a refresh policy for Android devices that do not support updating to latest Android software. Android 14 (which launches on August 2023) introduces the ability to block 2G networks via the network settings.

Educate end-users to prevent reenabling 2G.

If the company budget isn’t available to refresh older Android devices, there are ways to disable 2G via the settings. Namely settings/Connections/Mobile networks/Network Mode and selecting “LTE/3G (auto connect)”.

• on some versions once you select “LTE/3G (auto connect)” the following drop down message will appear “Attention, This setting disabled 2G service. If 2G service is disabled, some apps and functions may not work in locations where LTE or 3G is unavailable”. Unfortunately, on some versions of Android there is no way of disabling this message, the user of the device would have to be educated to ignore the message and not reenable 2G services.

There is a workaround to disable 2G services on older Android devices without triggering the warning message. To use this workaround you have to open the dialer on the Android mobile device and dial *#2263# and then press call. Once inside the Service Mode menu select “GSM Band Preference (*)”. On the next screen deselect “GSM 1900”. This will disable the 1900 band, which is the cellular band used for 2G. After this is complete select the 3 dots on the top right corner and select “Back” to go back to the previous menu. Finally select “Apply band configuration”, and then you will see a screen that states “APPLY DONE”, reset the device and you’ve officially disabled the 2G band in preferences.

PoC: Proof of Concept

The following tools, methods and procedures are credited to their respective creators, and are referenced here for educational purposes only. The goal of this security risk evaluation is to demonstrate my working knowledge of the cybersecurity mindset when evaluating potential issues that might arise when a company’s cellular devices are maliciously configured to actively utilize an insecurity 2G signal.

2G has been cracked using the following tools.

A RTL-SDR dongle to sniff encrypted GSM data, this device can be found on common sites like Amazon/Ebay/AliExpress or directly at https://www.rtl-sdr.com/buy-rtl-sdr-dvb-t-dongles/

Once the dongle is obtained users install the following drivers.

• Windows https://www.rtl-sdr.com/rtl-sdr-quick-start-guide/
• Linux https://ranous.wordpress.com/rtl-sdr4linux/

With the RTL-SDR dongle drivers properly setup, Windows users will have to go through the extra step of installing a VM copy of a Debian-based Linux distro to use the tools to sniff and capture the GSM data, typically for cybersecurity purposes that distro is Kali Linux. As for Linux users, any Debian-based distro will do, however for the best compatibility Kali Linux is recommended.

Once logged in the Linux distro the following apps should be installed (note some security distros might have these preinstalled).

gr-gsm used to capture GSM traffic https://osmocom.org/projects/gr-gsm/wiki/Installation

Wireshark used to read the captured GSM data https://github.com/wireshark/wireshark

Here is a video of gr-gsm and Wireshark being used together to sniff traffic

The captured 2G data was then cracked by using the tool KRAKEN found here https://github.com/0xh4di/kraken.git

KRAKEN uses rainbow tables to decrypted the captured 2G traffic. The repository https://github.com/0xh4di/GSMDecryption/tree/master/file links to the massive terabytes worth of rainbow tables need to decrypt the 2G traffic.

The Crazy Danish Hacker YouTube channel has a more detailed explanation of how to use KRAKEN together with the rainbow tables to decrypt the captured 2G traffic.

Analyzing Cellular GSM with RTL-SDR (RTL2832), Airprobe and Wireshark https://www.youtube.com/@CrazyDanishHacker/videos

According this recent (2023) YouTube video by user Rob VK8FOES he was successfully decrypted capture 2G traffic.

Disclaimer

Sniffing and capturing mobile traffic is highly illegal and against the law in the United States (and I suspect in other countries as well). The following is published for research purposes only! Do not attempt to use any of the above tools, methods, or procedures, even for your own personal GSM sniffing purposes, the risk is too great that you might break the law and is not worth landing in jail because you want to see if you can read your SMS over the air. I personally have NOT tried/use/downloaded any of the above tools. I conducted this research to theoretically create a risk assessment use case for company devices that might be configured by threat actors to gain access to PII both domestically and internationally using the vulnerable 2G protocol. I am not an expert; I only wish to demonstrate my cybersecurity mindset as encouraged by my training while earning my Google Cybersecurity Professional Certificate. The cybersecurity certificate course found here: https://www.coursera.org/programs/eightfold-pliic/professional-certificates/google-cybersecurity encourages creating a cybersecurity portfolio and highlighting any propensity one might have for work in the field of cybersecurity.