Did you know that fake mobile phone masts – once the preserve of government spies and major law enforcement – are now available to common criminals for just $300 online?

It’s a scary thought that these fake mobile towers, which work by intercepting information from passing phones, are so low in price that anyone wanting to hack calls and sell data can buy them.

Back in 2015, over 20 fake phone masts were uncovered in London during an investigation by Sky News. It was assumed that these ‘stingray’ mobile towers were being used by the police or intelligence officers to scoop up data from nearby mobiles, listen in on calls and sniff out communication between terrorists or other criminals.

At the time, this caused controversy because the masts are unable to distinguish between criminals’ phones and the devices used by everyone else – meaning that they pick up on every voice call, text and group chat.

The use of IMSI-catchers, as they are also known, certainly isn’t restricted to the UK. Fake phone masts are deployed by law enforcement and spy programmes all over the world.

Recent research from American mobile security firm Lookout counted 22 phone-hacking efforts in the first five months of 2018 – all of which appeared to be government-backed. Most of these hacks targeted political opponents in developing nations.

The problem is that you no longer need to have the resources of a nation state to tap into people’s mobile calls. Cryptography expert Bruce Schneier blogged last year that IMSI-catchers can be purchased for under $2,000. Since then the price has dropped significantly, increasing the number of people able to carry out phone-tapping.

Peter Matthews

The range of potential victims is also growing, moving beyond high-threat targets such as celebrities, politicians and the intelligence community. Anyone who talks about or exchanges commercially sensitive information (such as new product details, formulas, industrial secrets or intellectual property) is now at risk.

My worry is that stingray masts will increasingly be used for industrial espionage, for example to eavesdrop on confidential calls between business directors and their lawyers about mergers or acquisitions.

Hackers could then sell information to competitors or use it for blackmail. Group chats or video calls between fund managers and dealers could also be exposed, potentially affecting share prices.

From the conversations I’ve had with business owners and the legal, audit and financial services that support them, I’ve been shocked by how little is known about fake phone masts. To a passing mobile phone user – who might have nipped out of the office, away from their company’s Wi-Fi – an IMSI-catcher looks like a major mobile phone network.

Hackers wait for users to connect and calls are routed through the mast, with everything being recorded. When the call is finished, a file is created – a recording of both sides of the call – which can be forwarded to the hacker’s client.

So how can you beat the threat? The answer is simple: be aware. Fake mobile masts or cells are often placed in financial, legal and business districts in busy cities, so if you’re outside a trusted Wi-Fi connection, think twice before you connect to another network.

The challenge is that mobile phones are designed to link to the nearest cell. So, make sure you encrypt your conversation or use a business-grade app to secure all communications, so criminals can’t make sense of your data.

To be extra safe, use a program that ensures your ‘metadata’ – the date and time of calls and messages, the mobile phone numbers of recipients and senders, your location and contact lists – is also inaccessible.

Cyber criminals are becoming more sophisticated when it comes to targeting mobile devices, and it’s nigh-on impossible to stop your conversations being intercepted. The key is to ensure that those conversations can’t be understood.
