- Mar 1, 2024
- 1,060
We regularly criticize carriers and regulators for failing to block SMS scams. And while this criticism may be somewhat warranted, Google is keen to note that the world's most potent SMS attacks are not transmitted through legitimate cellular networks. Such attacks are completely beyond your carrier's control—they must be blocked at a device level by disabling 2G connectivity and implementing next-gen security features.
Modern smartphones operate on LTE and 5G networks and rarely, if ever, fall back to 2G. This isn't just a question of speed; the 2G protocol is outdated and contains some major security flaws. Most major carriers have shut down their 2G networks, but your phone is still capable of connecting to 2G, and this capability can be exploited through cell-site simulation.
Imagine if a criminal built their own miniature "cell tower." They could install it in the back of a car (or place it in a backpack), roll up to a crowd of people, and impersonate a carrier's 5G signal. This fake cell network would bypass anti-spam protections and forcibly downgrade nearby devices to a 2G signal. Then, the criminal could send out phishing links and malware over SMS. They could even spoof the phone number of a bank or some other trusted institution, as 2G lacks mutual authentication technology.
This technique, called SMS blasting, doesn't need to be imagined. It's real. Criminals can buy cell-site simulators online (or build them at home) and set up fake "cell towers." And cell-site simulation isn't exclusive to criminals. It's regularly used by law enforcement to track individuals, identify protestors, or perform other investigative tasks that would normally require a warrant or other forms of judicial oversight.
An option to disable 2G connectivity debuted on Android some years ago. Google is now encouraging users to go into "Settings," navigate to "Network & Internet," select "SIMs," and manually disable 2G. This option is supported on most Android phones, though some OEMs haven't implemented it. (For safety purposes, Android's 2G-blocking mechanism does not affect emergency calls to 911.)
Also, Android's 2G-blocking option will soon be accompanied by an anti-cell-site simulation feature that notifies users when a connection is untrustworthy. Pixel users will get anti-cell-site simulation in Android 15, though it may take some time for other Android OEMs to catch up.
I should point out that the iPhone, which is often marketed as a more secure option than Android, doesn't provide any straightforward 2G-blocking technology. Those who want to block 2G connectivity on the iPhone must enable Lockdown mode, which severely limits a device's functionality and is primarily intended for journalists or dissidents who may be targeted by mercenary spyware.
security.googleblog.com
Modern smartphones operate on LTE and 5G networks and rarely, if ever, fall back to 2G. This isn't just a question of speed; the 2G protocol is outdated and contains some major security flaws. Most major carriers have shut down their 2G networks, but your phone is still capable of connecting to 2G, and this capability can be exploited through cell-site simulation.
Imagine if a criminal built their own miniature "cell tower." They could install it in the back of a car (or place it in a backpack), roll up to a crowd of people, and impersonate a carrier's 5G signal. This fake cell network would bypass anti-spam protections and forcibly downgrade nearby devices to a 2G signal. Then, the criminal could send out phishing links and malware over SMS. They could even spoof the phone number of a bank or some other trusted institution, as 2G lacks mutual authentication technology.
This technique, called SMS blasting, doesn't need to be imagined. It's real. Criminals can buy cell-site simulators online (or build them at home) and set up fake "cell towers." And cell-site simulation isn't exclusive to criminals. It's regularly used by law enforcement to track individuals, identify protestors, or perform other investigative tasks that would normally require a warrant or other forms of judicial oversight.
An option to disable 2G connectivity debuted on Android some years ago. Google is now encouraging users to go into "Settings," navigate to "Network & Internet," select "SIMs," and manually disable 2G. This option is supported on most Android phones, though some OEMs haven't implemented it. (For safety purposes, Android's 2G-blocking mechanism does not affect emergency calls to 911.)
Also, Android's 2G-blocking option will soon be accompanied by an anti-cell-site simulation feature that notifies users when a connection is untrustworthy. Pixel users will get anti-cell-site simulation in Android 15, though it may take some time for other Android OEMs to catch up.
I should point out that the iPhone, which is often marketed as a more secure option than Android, doesn't provide any straightforward 2G-blocking technology. Those who want to block 2G connectivity on the iPhone must enable Lockdown mode, which severely limits a device's functionality and is primarily intended for journalists or dissidents who may be targeted by mercenary spyware.
Keeping your Android device safe from text message fraud
Posted by Nataliya Stanetsky and Roger Piqueras Jover, Android Security & Privacy Team Cell-site simulators , also known as False Base St...
