Interception for Good or for Bad
Aotearoa Police replied in a letter dated 26 October 2016 to a request from Mr B Gordon for Official Information about Police use of IMSI catchers: "Pursuant to section 10 of the Official Information Act 1982 Police neither confirms or denies the existence or non existence of the information requested." The thing is, a disproportionate amount of attention is placed on government agencies’ alleged use/misuse of IMSI catchers, and little attention on the illegal use of these devices by criminals, other nation-states and adversaries.
The problem with this for government, citizens, businesses and corporates in Aotearoa and South Pacific nations is criminals, other nation states and adversaries may be operating IMSI catchers inside Aotearoa's and South Pacific nations’ borders (and against the targetted countries’ overseas activities and interests) for the mixed purposes of criminal financial gain, corporate espionage or nation-state benefit.
So for the example above, regardless of whether or not Aotearoa Police (or police in South Pacific nations) use or don't use IMSI catchers, the simplest versions of the technology are now cheap enough for criminals to obtain, and the sophisticated versions of the technology (such as those sold by Harris Corp, Verint and Ability) remain accessible to a variety of nation states and adversaries.
A Different Path to the Same Privacy Destination
Perhaps Mr B Gordon could have taken an alternative approach and ask instead what reasonable steps private citizens, businesses and other organisations in Aotearoa may take to protect themselves against illegal IMSI catcher activities. Whether they're private citizens or CEOs, it’s not unreasonable for folks to learn what reasonable steps they may take for themselves and their households and organisations to mitigate illegal use of IMSI catchers against them by criminals, other nation states and adversaries. Why? Because folks have stuff worth stealing - money, identities, sensitive or private information, commercial secrets and so on.
Much like folks receive advice from government agencies from time to time on how to stay safe on the roads, how to mitigate risks of burglary, or to make sure to use antimalware on their computing devices, perhaps police, cyber security and other relevant government agencies could provide folks solid sensible advice on how to stay safe from illegal IMSI catcher activities.
Can Government Do More With Cyber Safety Messaging?
Protecting against IMSI catcher exploits helps prevent losses of privacy, money, commercial/trade secrets, intellectual property and state secrets. As you’ll see in the paragraph below for example, the Aotearoa government has an opportunity available today to educate the country on how to stay safe from illegal IMSI catcher activities, to the direct benefit of its citizens and the businesses and organisations operating in the country.
A quick search today on an Aotearoa government public cyber security site gave no information about how to stay safe from illegal IMSI catcher activities, but has offered some tips on other basic levels of security. Perhaps not a typical search for the general public, but the Aotearoa government’s Protective Security site shares some useful information on general potential risks when using mobile devices and some suggested mitigations to reduce risks when using mobile devices. Though the annexes are generally useful, neither of them explicitly identifies the threat posed by IMSI catchers nor explains mitigations specifically against them (phone battery removal works only for as long as you don’t require use of the mobile, is impractical, and doesn’t work with phones where their battery can’t be removed).
How to stay safe from illegal IMSI catchers requires a very basic understanding of mobile smartphone anatomy. IMSI catchers exploit vulnerabilities in mobile devices' baseband processors which are responsible for the phone’s cellular communications. Running anti-malware on the application processor of your mobile phone will not detect nor prevent exploits against your phone's baseband processor.
So what can you do for yourself or your organisation?
Use a smartphone with a built-in baseband firewall which detects attacks against the phone's baseband processor. The solution is available to private individuals, businesses and organisations, and governments.
Use trusted, reputable, transparent and open-source orientated end to end encrypted communication applications on your mobile smartphone (such as Wire or Signal, or the Cryptophone app on the CP500i). The solution is available to private individuals, businesses and organisations, and governments.
Deploy mitigation against "over the air" attacks (i.e., IMSI catchers) to not only detect IMSI catchers but also geolocate them; small, powerful and highly portable sensors can be placed anywhere within your country or overseas to detect and locate IMSI catchers. The solution is available to businesses and organisations, governments and cellular network carriers.
Deploy mitigation against "over the network" attacks (i.e., SS7 exploits, which have not been discussed in this article). The solution is available to governments and cellular network carriers.
Want help? Need help?
Contact us at ARC Solutions anytime. We can help you with acquiring, deploying and using the solutions listed above.
Unencrypted open email: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com
Encrypted email: send us an email from a Tutanota account to firstname.lastname@example.org; the email will be end-to-end encrypted.