It was a weird project request:

Track messages and call communications within a certain geographical area. Provide an admin interface for viewing the communications log.
Do this secretly.

Those are some of the specifications I received for a project through a friend of a friend who was commissioned by an anonymous organization to source for contractors who could deliver.

I thought this was highly toxic stuff, bordering on illegal in Kenya, but curiosity got the better of me, so i did some quick research: the findings were shocking.

The IMSI Catcher

What the heck is IMSI?

International Mobile Subscriber Identity (IMSI), is a GSM unique identifier by which your mobile device is identified.

On the other hand, an IMSI Catcher is a fake phone base station that tricks nearby cell phones into routing their outbound calls through it, allowing the hacker to intercept even encrypted phone calls - even an app like RedPhone, which provides encrypted voice calls between two phones running the app is useless against an IMSI catcher.

IMSI Catcher
IMSI Catcher constructed with a laptop, hard drive (to handle the encryption tables), and a cell phone or commercial cell radio with an external antenna.

The principle by which this base tower spoofing works is simple: your mobile phone automatically tries to route its communications through the strongest signal from nearby phone base towers, and the IMSI Catcher satisfies this need by emitting the strongest signal.

Back in 2010 at the annual DefCon event, a security researcher by the name of Chris Paget made a demo IMSI Catcher at a cost of about USD $ 1,500.

Imagine what damage terrorists would do to the government if they could listen into communications made through phone calls, what black hat hackers could do to banks and stock brokers who share sensitive information via phone calls, the list of scary possibilities is endless.

But it doesn’t stop there.

The Silent App

Smartphone apps are relatively easy to hack, and SIM apps like M-PESA aren’t so safe either.

The encryption keys used to secure the data exchange between M-PESA as a SIM card app and the server have been hacked again and again by security researchers: but that’s a story for another day.

A hacker inserts malicious code into an app, which can, for example, disable security controls, making it possible to have unrestricted access to all resources and files in the phone: now that’s a Silent App.

Distribution of this malicious app is the next step, and can be done in various ways:

  1. As a ‘cracked’ version of a premium app.
  2. As a new cheesy app — “ We have detected x infected files on your phone, download ‘anti-virus’ .”
  3. The hacker can also choose to surreptitiously (re)install the malicious app on a user’s phone.

Once installed, all manner of shenanigans can then happen.


Now Beg For Mercy

From reading of sensitive e-mails and SMS to stealing of photos and tracking of location - which can be dangerous for VIPs as they become easier targets - to lifting of credentials from that banking app installed on your phone, now that almost every Kenyan bank has an app for its consumers.

The type of attacks possible here are only limited by the coding ability and creativity of the hacker.

Does This Sound Like A Sci-fi Movie?

I know it does, Kenya and other Sub-saharan African countries have many other problems which seem to be much more important than cyber security, but we need to have the culture of anticipating threats, including cyber-crime and even cyber warfare.

The problem is that most organizations and the Kenyan government are still thinking like:

“This can’t happen here, this is Africa, it only happens in other countries in the developed world.”

77 Chinese nationals cuffed for Internet hacking in Kenya

But yes it can, and most likely will happen, or is already happening. In Kenya, it almost happened, but a fire exposed the Chinese hacking outfit that had tucked itself in a residential area.

Cyber Security Is About Layers

he mobile phone is still the most vulnerable link in the chain that can be easily exploited and also happens to have quite a rich data set that can leveraged for social hacks.

But we are lucky, the USA's NSA — the world’s ‘Bad Boy’ of digital spying — released a freely available secure version of android known as SE (Security-Enhanced) Android.

So all we need to do in Kenya and other Sub-Saharan countries is to customize this free security-enhanced android version and make it a policy for all key personnel to only use phones that run on it.

If we do that, we’ll be one step closer to a more cyber secure digital culture.

As the Starks say in Game of Thrones, “Winter is coming.” Let’s not be caught off-guard.

Cover Image: Android OS | davidsancar

Share this via: