Who needs a Stingray when Wi-Fi can do the job?

If you’ve been reading Naked Security, you’ve probably heard of “Stingrays”: devices that pretend to be cell towers, capture the identifiers associated with cellphones that wander by, and help law enforcement figure out who’s in the vicinity.

Originally secret anti-terrorism weapons, they’ve increasingly been adopted by conventional law enforcement, too. They’re still costly, specialized contraptions… but what if you could coax an ordinary Wi-Fi hotspot into doing the same job? Then practically anyone could potentially compromise your privacy.

It can be done. The University of Oxford’s Piers O’Hanlon and Ravishankar Borgaonkar have just shown how.

At BlackHat Europe, O’Hanlon and Borgaonkar outlined attacks exploiting two privacy flaws associated with mobile authentication with your cellphone’s unique International Mobile Subscriber Identity (IMSI) number. Nobody but your mobile service provider is supposed to see your IMSI.

But, according to the University’s accompanying press release, someone running the researcher’s PC software “could set up a ‘rogue access point’ masquerading as a well-known auto WiFi network… lure smartphones in range to connect… and [extract] their IMSI[s].”

As Lucian Constantin reports in Computerworld, the problems are caused by:

…protocol and configuration weaknesses in mobile data offloading technologies such as automatic Wi-Fi connections and Wi-Fi calling that mobile operators are increasingly adopting to reduce costs and congestion…

Problem #1 is associated with Wi-Fi Auto Connect’s EAPOL protocol. EAPOL typically authenticates with IMSI the first time you connect, and then generates temporary “pseudonym” identities for future connections.

But most implementations:

“…are configured by default in a ‘liberal’ peer mode, where they will always respond to requests for their permanent identity – the IMSI.”

The alternative to “liberal” peer mode is, unsurprisingly, “conservative” peer mode. In that configuration, after the device has connected to a carrier’s Wi-Fi network once and has becomes eligible for pseudonym identities, it will henceforth refuse to reveal its IMSI to anyone.

But, until now, the pre-configured profiles mobile operators load onto their cellphones generally have chosen “liberal” mode, nor have device operating systems supported it.

The researchers say their work has prompted Apple to incorporate “conservative” peer mode as an option in iOS 10. But, reports Constantin, moving to conservative peer mode will require the carriers to make additional investments in certificate-based infrastructure. That’s not likely to happen overnight.

Problem #2 is associated with WiFi-Calling, which allows network operators to complement conventional wireless networks with WiFi hotspots where they’re available.

As the University’s press release states, connections to the operator’s edge packet data gateway (EPDG) are encrypted during IPSec’s setup phase. But cryptographic certificates aren’t used, so these exchanges are “susceptible to a man-in-the-middle attack” that could also reveal your IMSI.

The researchers’ low-cost IMSI catcher won’t do everything the fancy boxes will. For example, it can’t eavesdrop on your calls or data.

Plus, whoever catches your IMSI number still has to link it to your phone number. (Without access to the operator’s subscriber database, that’s a non-trivial challenge.)

Still, IMSI catching is getting easier. Last year, Ars Technica reported on another $1,400 home-built mechanism for capturing IMSIs on 4G LTE networks. If this cat’s not fully “out of the bag” just yet, he’s clawed himself right up to the edge.