A man using an iPhone in tubestation
Oxford University security researchers have uncovered an attack that allows rogue WiFi hotspots to steal a user's unique IMSI identifying number from their smartphone iStock

Cybersecurity researchers Piers O'Hanlon and Ravishankar Borgaonkar from Oxford University have demonstrated a new attack at Black Hat Europe 2016 that enables hackers to capture a smartphone's unique 15-digit IMSI number within a second as they walk past, and then use that number to spy on the user's movements.

The attack is possible because most smartphones in the world today are programmed to automatically connect to popular Wi-Fi networks. For example, Virgin Media runs the Wi-Fi network on the London Underground, but users can only connect to it via their operators.

So for example, let's say you are an O2 mobile subscriber, and you have set up your phone to connect to O2's Wi-Fi network, which bears the SSID name "Wifi Extra". The operator has configured your phone so that whenever your phone detects that "Wifi Extra" is in range, it will automatically try to authenticate and gain access to this network, without you needing to do anything.

Because your phone is already configured to do this, if an attacker were to put a rogue access point on a London street and renamed its SSID to "Wifi Extra", as you walked past, your phone would immediately try to authenticate, and the rogue access point could steal your phone's IMSI number immediately. As the IMSI number is a unique identifier for your smartphone, your movements could then be tracked, wherever you go.

The researchers also demonstrated a second variation of the attack whereby the Wi-Fi calling feature offered by mobile operators can be hijacked, so instead of the device connecting to make a call, instead the rogue access point can intercept the traffic from the smartphone trying to make the call and quickly extract the IMSI number in seconds as well.

Phone makers, mobile OS creators and operators must work together

Clearly this is a big privacy issue, and since government law enforcement agencies have access to databases of IMSI numbers, this attack could easily be used for mass surveillance. Unfortunately, solving the issue isn't simple and the researchers say it hasn't been fixed, so if an attacker were to set up a rogue wireless access point today, they could start collecting IMSI numbers in droves.

"I reported this to the OS manufacturers, handset manufacturers and the GSMA over six months ago. They all suffer from the same problem and ultimately a solution needs to be deployed to suit them all," O'Hanlon told IBTimes UK.

"It's not an overnight fix. it's not a vulnerability you can just patch, it requires work from the standards body level, the operator level, the handset level and the vendor level so they have support from the hardware, meaning the boxes the operators stick in their data centres."

O'Hanlon says that protocols like conservative peer pseudonym support – introduced in iOS 10 by Apple as a result of conversations with the researchers – can help to improve the overall privacy approach, but it's not enough on its own, and a better solution would be to use a security protocol called EAP-TTLS to implement cryptographic certificates on the systems that the smartphone needs to talk to.

"The mobile industry needs to work together to ensure that the users' privacy is sufficiently protected. Some of the organisations don't really see it as much of an issue, but Apple and the GSMA are taking it seriously," he stressed.

"Apple have been very keen to get this problem under control, but no one organisation can fix it, so there's a limit to what Apple can do without operators deploying it."

The mobile industry responds

Apple told IBTimes UK that it's aware of the issue and claim to have addressed it in iOS10. Apple reminds iPhone users to best protect themselves by making sure they are using the latest version of the mobile operating system and avoid joining untrusted networks.

A Google spokesperson said: "Because this issue affects all mobile platforms, we're working closely with partners across the mobile ecosystem to develop mitigations and protect users, regardless of the devices they use. "

The GSMA says that it is aware of the research, but it cautions that the research concerns only specific authentication mechanisms over Wi-Fi.

"Current internet standards ensure that the network identifier can be protected using temporary identities. This protection was already available on the network side and is now being rolled out in mobile devices," a spokesperson told IBTimes UK.

"The GSMA welcomes positive research that identifies and pinpoints implementation issues that can be fixed and that results in enhanced security levels and ongoing user confidence in mobile services, and we appreciate that the researchers were able to share their research at a meeting of the Fraud and Security Architecture Group in late September."

UK mobile operator O2 says that it is aware of the research and is protecting its customers by issuing temporary identities during authentication through current internet standards. "We take privacy of our customers seriously and we are working closely with industry partners to improve the authentication process," an O2 spokesperson told IBTimes UK.

Despite the GSMA saying that a fix is now being rolled out on mobile devices, there isn't a consensus in the mobile industry about which solution should be used. O'Hanlon said that there are a range of potential solutions to address the issue, but each solution comes with its own complexities that could cause problems for the user or the network.