Advanced Mobile Threats 101 > Radio frequency attack

What is a radio frequency (RF) attack?

A radio frequency attack is a type of smartphone attack in which the threat actor leverages one or more exploits for a wireless protocol – typically cellular, WiFi, Bluetooth or Bluetooth Low Energy (BLE) – to force the phone to connect to untrusted equipment. Such an attack gives the threat actor the ability to extract data from the phone and potentially perform other operations.

How does an RF attack work?

A radio frequency attack against a smartphone will vary based on the protocol and exploit(s) being used. However, all require relatively close proximity to the target.

For cellular communications, a key threat is the IMSI catcher, which is essentially a fake cell tower designed to trick smartphones within range into connecting to it. The IMSI catcher may employ various techniques to do so, such as performing a downgrade attack (to a less-secure protocol like 3G or 4G), masquerading as a neighboring cell tower, operating at a higher-priority frequency than other towers or jamming other frequencies with white noise. Once connected to a targeted smartphone, an IMSI catcher is essentially performing a man-in-the-middle (MITM) attack, situating itself between the target’s smartphone and their cellular network in order to both remove the phone from the real network and to clone the target’s identity.

A key threat for WiFi is a Karma attack delivered by a rogue access point. A rogue access point is often just a WiFi penetration testing device – the WiFi Pineapple is one popular model – that, instead of being used for auditing WiFi networks, is set up to lure unsuspecting smartphones into connecting. In a Karma attack, the rogue AP exploits a basic feature of smartphones (and all WiFi-enabled devices): whenever its WiFi is turned on but not connected to a network, a smartphone broadcasts a preferred network list (PNL), which contains the SSIDs (WiFi network names) of access points to which the device previously connected and is willing to automatically reconnect to without user intervention. After receiving this list, the rogue AP assigns itself an SSID from the PNL, tricking the smartphone into thinking that it’s connected to a familiar WiFi network.

And for Bluetooth, a key threat is the exploitation of one or more Bluetooth vulnerabilities, typically delivered via laptop. After obtaining the MAC address of a smartphone with an active Bluetooth signal in the vicinity, the attacker sends out an exploit tailored to the device’s operating system. A prime example of such a capability is the BlueBorne attack that was first disclosed in 2017. The BlueBorne vulnerabilities allowed the threat actor to take complete control over a targeted device without needing to pair with it or even needing the device to be in discoverable mode.

What are the key risks of an RF attack?

The risks of an RF attack will vary based on the attack method employed.

Key risks of connecting to an IMSI catcher include location tracking (within a defined geographic area) and the leakage of certain types of cellular data (like phone call and text message metadata). In addition, some higher-end IMSI catchers advertise the ability to deliver spyware to the target device.

Key risks of a Karma attack include the leakage of sensitive information (like passwords or credit card details) through eavesdropped traffic, as well as spyware infection.

And for Bluetooth, the risks vary based on the exploit but generally include the leakage of sensitive information and spyware infection.

How can Privoro help you protect yourself from RF attacks?

In general, security solutions don’t have visibility into threats from the RF spectrum, meaning that a smartphone can be attacked without tipping off the user. Users can evade RF attacks by turning off their wireless radios when on the move. However, manipulating software settings is inconvenient and easy to forget to do consistently. We recommend using Vault – our two-in-one RF shielding and audio masking device – as a convenient and highly assured way to block out untrusted wireless signals, especially when in high-traffic areas.

Additional reading