Man-in-the-Middle (MITM) mobile attacks can be accomplished in a wide range of technical ways, but the high-level effect is the same in every scenario. An attacker inserts himself between a call originator and recipient and fools each party into believing they are communicating directly with the other desired party, when, in fact, each is communicating with the attacker. Having thus convinced each party that they are taking part in a legitimate and secure conversation, the attacker has access to both parties’ IMSI numbers, physical locations, and all of the contents of their conversation, which can, in turn, be eavesdropped on or recorded for other nefarious purposes.
How Does It Work?
The most common methodology for achieving a MITM voice attack is the Baseband Attack described in the Vysk Threat Brief of that name. The baseband attack methodology requires creating a fake cellular “tower” that tricks nearby mobile phones into connecting to it rather than to a legitimate cell tower. Once a phone is connected, the fake tower typically reduces or completely disables the native tower-to-phone encryption and then captures the phone’s IMSI number while forwarding the call on to its intended recipient, with neither party being aware that their call has been compromised. Once inserted into a call in this way, the attacker can even modify the contents of text messages before forwarding them on to the recipient. This sort of interception technology is commonly used by law enforcement (e.g., the Stingray system), but it can also be easily purchased online or built from scratch, typically for less than $2000. Other variants on this attack methodology exist, including the creation of bogus Wi-Fi networks/gateways.
Creation of a strongly encrypted voice call requires the passing of encryption keys between the call parties. Only when both parties utilize the same secret encryption key is the call truly secure. But a MITM fraudster intercepts the originating caller’s public key and substitutes his own, thereby establishing a unique encryption key with the originator. He then relays his own public key to the call recipient and establishes a second unique key with that recipient. In such an attack, the third party effectively impersonates each party to the other and relays the data back and forth on behalf of each user. Because the fraudulent third party holds both encryption keys, he is able to intercept and decode any voice/data before re-encrypting it and passing it along to the other party.
The Bottom Line
Because the Vysk QS1 encrypts calls at the source (inside the mobile phone) and decrypts them at the recipient’s mobile phone using proprietary hardware and software algorithms, there is no point in the call-flow where this attack methodology can access the unencrypted voice information. Manually decrypting an intercepted call that has been encrypted at its source is a profoundly difficult challenge, one that most hackers have neither the resources nor the inclination to undertake.
In addition, Vysk’s proprietary Voice Authentication Code (VAC) technology allows the call parties to test whether their call is indeed secure. With the push of a single button on the QS1, the Vysk Privacy Network sends matching authentication codes (derived from the secret encryption keys) to each party; these codes are not transmitted over the call circuit and so are unavailable to the MITM attacker. If the call has not been compromised, both parties will hear the same VAC code, and by repeating that code to each other, they can be assured that no one else is privy to their conversation. Conversely, if the parties receive and repeat non-matching VAC codes, this is proof that their call has been compromised and they should disconnect it immediately.
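The key-substitution relay described in “How Does It Work?” and the matching-code check described above, as an added example that is not Vysk’s code: a toy Diffie-Hellman exchange in which the relay replaces each side’s public value, leaving the two parties with different session keys, and a short code derived from each key (an assumed VAC-like construction, not Vysk’s actual algorithm) that therefore fails to match. The group parameters are deliberately tiny and unsuitable for real use.

```python
import hashlib
import secrets

# Toy group parameters (assumption: far too small for real use; chosen so the arithmetic is visible).
P = 2**127 - 1   # a Mersenne prime
G = 5

def keypair():
    """Return (private, public) for one party."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    """Derive a symmetric session key from our private value and the peer's public value."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def auth_code(key, digits=4):
    """Short code each party hears, derived from its own session key (assumed construction).
    It must reach the parties over a path the relay cannot rewrite, as the brief describes."""
    h = hashlib.sha256(b"VAC" + key).digest()
    return f"{int.from_bytes(h[:4], 'big') % 10**digits:0{digits}d}"

def direct_call():
    """Honest exchange: originator and recipient derive the same key, so the codes match."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return session_key(a_priv, b_pub), session_key(b_priv, a_pub)

def relayed_call():
    """Relayed exchange: the relay substitutes its own public value in both directions,
    so each party unknowingly agrees a key with the relay rather than with the other party."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    m_priv, m_pub = keypair()            # relay's own key pair
    key_a = session_key(a_priv, m_pub)   # originator believes m_pub belongs to the recipient
    key_b = session_key(b_priv, m_pub)   # recipient believes m_pub belongs to the originator
    # The relay holds both keys, so it can decrypt and re-encrypt traffic in each direction.
    assert session_key(m_priv, a_pub) == key_a and session_key(m_priv, b_pub) == key_b
    return key_a, key_b

if __name__ == "__main__":
    ka, kb = direct_call()
    print("direct call codes:", auth_code(ka), auth_code(kb))    # identical
    ka, kb = relayed_call()
    print("relayed call codes:", auth_code(ka), auth_code(kb))   # differ (with overwhelming probability)
```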