Two new approaches to track mobile devices which exploit authentication protocols that operate over WiFi
Modern smartphones are programmed to automatically connect to known Wi-Fi networks, without user interaction, by handing over their IMSI numbers to log into the network.
By exploiting the WiFi authentication protocols (EAP and AKA), an attacker could set up a “rogue access point” masquerading as a well-known WiFi network; when a smartphone in range of the AP tries to connect, the rogue access point extracts its IMSI number immediately.
With the captured identifier the attackers can track movements of the smartphone:
We demonstrate how users may be tracked on a range of smartphones and tablets including those running iOS, Android and other mobile OSs. This tracking can be performed silently and automatically without any interaction from the tracked user. We have developed a proof of concept system that demonstrates our IMSI catcher employing passive and active techniques.
Some tips extracted from the slides:
- Selectively disable WiFi-Calling
- Switch off WiFi in untrusted environments
- Turn off ‘Auto-Join’ toggle for Auto-WiFi networks
- iOS10 may provide better protection (once operators deploy support)
- Disable Auto-WiFi profiles
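
A defensive check to go with the tips above, added here as an example and not taken from the talk or its slides: it classifies EAP identity strings logged from your own test device, showing whether the IMSI went out in the clear or a pseudonym was used. The prefix digits and realm patterns follow the 3GPP TS 23.003 identity format rather than anything stated on this page, and the sample identities are constructed.

```python
import re

# Leading character of the NAI username -> (EAP method, identity type),
# following the 3GPP TS 23.003 identity format (an assumption, not from the page).
PREFIXES = {
    "0": ("EAP-AKA", "permanent"), "1": ("EAP-SIM", "permanent"),
    "6": ("EAP-AKA'", "permanent"),
    "2": ("EAP-AKA", "pseudonym"), "3": ("EAP-SIM", "pseudonym"),
    "7": ("EAP-AKA'", "pseudonym"),
    "4": ("EAP-AKA", "fast-reauth"), "5": ("EAP-SIM", "fast-reauth"),
    "8": ("EAP-AKA'", "fast-reauth"),
}
# Operator realms: "wlan." for Auto-WiFi profiles, "nai.epc." for WiFi-Calling.
REALM = re.compile(r"^(wlan|nai\.epc)\.mnc\d{3}\.mcc\d{3}\.3gppnetwork\.org$", re.I)


def classify_identity(nai):
    """Classify one EAP identity string from a capture of your own test device."""
    user, _, realm = nai.strip().partition("@")
    if not user or not REALM.match(realm) or user[0] not in PREFIXES:
        return {"method": None, "kind": "other", "exposes_imsi": False, "masked": None}
    method, kind = PREFIXES[user[0]]
    body = user[1:]
    # Only a permanent identity of at most 15 digits is the IMSI in the clear.
    exposed = kind == "permanent" and body.isdigit() and 6 <= len(body) <= 15
    if kind == "permanent" and not exposed:
        method, kind = None, "other"
    # Report only the leading five digits, never the full IMSI.
    masked = body[:5] + "*" * (len(body) - 5) if exposed else None
    return {"method": method, "kind": kind, "exposes_imsi": exposed, "masked": masked}


def audit(identities):
    """Return the findings for every identity that discloses the IMSI."""
    findings = [classify_identity(i) for i in identities]
    return [f for f in findings if f["exposes_imsi"]]


# Constructed sample identities using the 001/01 test network code.
SAMPLE = [
    "0001010123456789@wlan.mnc001.mcc001.3gppnetwork.org",     # permanent
    "2aB3xY9kQ@wlan.mnc001.mcc001.3gppnetwork.org",            # pseudonym
    "6001010123456789@nai.epc.mnc001.mcc001.3gppnetwork.org",  # permanent
    "alice@example.org",                                       # unrelated network
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An empty result from `audit` over a device's logged identities means none of them carried the IMSI in the clear.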