Google has introduced a new security feature in Android 14 that allows IT administrators to disable support for 2G cellular networks in their managed device fleet.
The search giant said it is also introducing a second user setting to turn off support, at the model level, for null-ciphered cellular connections.
“The Android Security Model assumes that all networks are hostile to keep users safe from network packet injection, tampering, or eavesdropping on user traffic,” Roger Piqueras Jover, Yomna Nasser, and Sudhi Herle said.
“Android does not rely on link-layer encryption to address this threat model. Instead, Android establishes that all network traffic should be end-to-end encrypted (E2EE).”
2G networks, in particular, employ weak encryption and lack mutual authentication, rendering them susceptible to over-the-air interception and traffic decryption attacks by impersonating a genuine 2G tower.
The threat posed by rogue cellular base stations means that they could be weaponized by malicious actors to intercept communication traffic, distribute malware, and launch denial-of-service (DoS) and adversary-in-the-middle (AitM) attacks, raising surveillance concerns.
In June 2020, Amnesty International disclosed how a Moroccan journalist was targeted with network injection attacks, likely using a fake cell tower to deliver the Pegasus spyware.
To make matters worse, an adversary could launch a stealthy downgrade attack using advanced cell-site simulators (aka Stingrays) that force handsets to connect to a 2G network, taking advantage of the fact that all existing mobile devices still support 2G bands.
Google, in an attempt to address some of these concerns, added an option to disable 2G at the modem level with Android 12 in early 2022. As a next logical step, the company is now putting in place a new restriction that prevents a device from downgrading to 2G connectivity.
Also addressed in the upcoming release of the mobile operating system is the risk of null ciphers (unencrypted mode, or GEA0) in commercial networks, which expose user voice and SMS traffic, including one-time passwords (OTPs), to trivial over-the-air interception attacks.
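As an added example, not code from the article or from Google's announcement, the following Java snippet shows how a device policy controller (DPC) could enforce the Android 14 restriction described above on a managed device and then verify that it is in force. It assumes the app holds device-owner rights (or is profile owner on an organization-owned device), that `admin` is its registered DeviceAdminReceiver component, and it relies on the public `UserManager.DISALLOW_CELLULAR_2G` key introduced in API level 34; the class name `Cellular2gPolicy` and its method names are my own.

```java
// Added example (not from the article or from Google): a DPC helper that applies
// Android 14's "no 2G" user restriction and reports the effective state.
// Assumption: the calling app is device owner (or profile owner of an
// organization-owned device) and `admin` is its DeviceAdminReceiver ComponentName.
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;
import android.os.UserManager;

public final class Cellular2gPolicy {

    private Cellular2gPolicy() {}

    /** Result of a policy application attempt, so the MDM agent can log or report it. */
    public enum Outcome { APPLIED, ALREADY_APPLIED, UNSUPPORTED_OS }

    /**
     * Blocks the end user from (re-)enabling 2G. The restriction key is the public
     * UserManager.DISALLOW_CELLULAR_2G (API 34). Older releases expose only the
     * user-facing modem toggle Google shipped with Android 12, with no admin policy,
     * so we report UNSUPPORTED_OS instead of silently doing nothing.
     */
    public static Outcome disallow2g(Context ctx, ComponentName admin) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            return Outcome.UNSUPPORTED_OS;
        }
        if (is2gDisallowed(ctx)) {
            return Outcome.ALREADY_APPLIED;
        }
        DevicePolicyManager dpm = ctx.getSystemService(DevicePolicyManager.class);
        // Throws SecurityException if this app is not a device/profile owner.
        dpm.addUserRestriction(admin, UserManager.DISALLOW_CELLULAR_2G);
        return Outcome.APPLIED;
    }

    /**
     * Compliance check: true when the platform reports the restriction as active for
     * the calling user. Reading UserManager (rather than the DPC's own bookkeeping)
     * reflects the effective state regardless of which admin set it.
     */
    public static boolean is2gDisallowed(Context ctx) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            return false;
        }
        UserManager um = ctx.getSystemService(UserManager.class);
        return um.hasUserRestriction(UserManager.DISALLOW_CELLULAR_2G);
    }
}
```

Once the restriction is applied, the platform greys out the 2G toggle in Settings for that user, so a fleet-wide compliance report can be built by calling `is2gDisallowed` from the agent's periodic check-in. The null-cipher switch mentioned in the article is a separate, user-facing Settings control and is not touched by this snippet.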
The disclosure comes as Google said that it is enabling E2EE for RCS conversations in its Messages app for Android by default for new and existing users, though the company notes that some users may be asked to agree to Terms of Service provided by their carrier network.
It also follows its plans to add support for Messaging Layer Security (MLS) to the Messages app for interoperability with other messaging services.
While Google has tried to publicly pressure Apple into adopting RCS, the iPhone maker appears content with iMessage for encrypted messaging. Nor has it expressed any interest in releasing a version of iMessage for Android, forcing users texting between the two operating systems to switch to a third-party messaging alternative.
Some parts of this article are sourced from:
thehackernews.com