11.04 · Mobile Security

Mobile Network Threats

The attacks that exist only because phones speak Wi-Fi, cellular, Bluetooth, and SMS — sometimes all at once.

Phones are uniquely promiscuous network endpoints. They join unfamiliar Wi-Fi networks routinely, hand off between cell towers without user awareness, accept SMS from arbitrary numbers, and carry SIM cards that connect to telecom infrastructure designed in the 1970s with very little authentication. Each medium has its own attack patterns.

Wi-Fi threats

Rogue access points ("evil twin")

An attacker stands up an AP with the same SSID as a legitimate one (the coffee shop, the hotel, the conference). Phones with that SSID in their known networks auto-join. Once associated, the attacker sits in the middle of every connection, able to intercept DNS, inject content into pages, and read or tamper with any traffic that is not encrypted end to end.

Why it works: phones aggressively join known SSIDs. Open networks (no password) are indistinguishable to the device: any AP claiming "Starbucks WiFi" gets joined.

Defenses: Use a VPN on any untrusted Wi-Fi. Modern phones use a private (randomized) MAC address per SSID by default, which makes tracking and targeting a specific device harder. WPA3-Enterprise with certificate pinning resists this on managed devices. Don't auto-join open networks; configure your phone to ask first.
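The evil-twin problem above is that the phone cannot distinguish two APs advertising the same SSID. The following is an added example, not code from the original page: a defender-side check over constructed Wi-Fi scan results that flags an open AP sitting beside a secured AP with the same SSID (the downgrade twin) and, for SSIDs an organisation manages, any BSSID outside a hypothetical allow-list.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanEntry:
    ssid: str
    bssid: str      # AP MAC address as reported by the scan
    security: str   # "open", "wpa2" or "wpa3"
    channel: int


# Constructed scan results for illustration; not captured at any real site.
SCAN = [
    ScanEntry("CoffeeShop Guest", "aa:bb:cc:00:00:01", "wpa2", 6),
    ScanEntry("CoffeeShop Guest", "aa:bb:cc:00:00:02", "wpa2", 11),
    ScanEntry("CoffeeShop Guest", "de:ad:be:ef:00:01", "open", 6),   # open twin
    ScanEntry("Corp-Secure", "aa:bb:cc:00:00:03", "wpa3", 36),
    ScanEntry("Corp-Secure", "de:ad:be:ef:00:02", "wpa3", 1),        # unknown BSSID
    ScanEntry("Hotel-Wifi", "11:22:33:44:55:66", "open", 1),         # open, but no twin
]

# Hypothetical allow-list of BSSIDs for SSIDs the organisation manages.
MANAGED_APS = {
    "Corp-Secure": {"aa:bb:cc:00:00:03"},
}


def find_evil_twins(scan, managed_aps=MANAGED_APS):
    """Return (ssid, bssid, reason) findings for APs that look like twins."""
    by_ssid = defaultdict(list)
    for entry in scan:
        by_ssid[entry.ssid].append(entry)

    findings = []
    for ssid, entries in by_ssid.items():
        secured = {e.security for e in entries} - {"open"}
        for e in entries:
            # An open AP beside a secured AP with the same SSID is the classic
            # downgrade twin: the phone sees only the SSID and may join either.
            if e.security == "open" and secured:
                findings.append((ssid, e.bssid, "open AP beside secured AP with same SSID"))
            # For managed SSIDs, any BSSID outside the allow-list is rogue.
            if ssid in managed_aps and e.bssid not in managed_aps[ssid]:
                findings.append((ssid, e.bssid, "BSSID not in allow-list for managed SSID"))
    return findings


if __name__ == "__main__":
    for ssid, bssid, reason in find_evil_twins(SCAN):
        print(f"{ssid:18} {bssid}  {reason}")
```

A lone open network such as the hotel one is not flagged; the check only fires when the same SSID is offered with inconsistent security or from an unexpected AP.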

Captive portals

The "agree to the terms" web page on hotel/airport Wi-Fi. The portal sees every device's MAC address and the HTTP requests the phone makes before authenticating. A malicious portal can inject code into unencrypted pages, capture credentials entered during the "agreement" flow, or hold the connection hostage to a paid upgrade.

Defenses: Modern phones isolate the captive portal in a special browser context that cannot access the real device state. Avoid logging into anything on the captive portal; treat it as a hostile webpage.

Cellular threats

IMSI catchers / Stingrays

Devices that pose as cell towers. Phones in range associate with them, exposing their IMSI (the SIM's unique identifier) and downgrading to weakly encrypted 2G/3G modes that the attacker can decrypt in real time. Originally police surveillance tools; the hardware is now under $1,000 and the technique is documented widely.

What gets captured: IMSI (allows tracking by identity), phone calls, SMS, web traffic that didn't go through a VPN or HTTPS.

Defenses: iOS 17+ and Android 14+ both offer a setting to disable 2G entirely, which defeats most Stingrays since they typically force a 2G fallback. Use end-to-end encrypted apps (Signal) so that even captured cellular traffic reveals only metadata.

SS7 attacks

Signaling System 7 is the global telecom signaling protocol — built in the 1970s with no authentication. Attackers with SS7 access (purchased from compromised telecom employees or shady "global roaming" services) can intercept SMS (including 2FA codes), track phone location in real time, and redirect calls.

The 2017 O2 (Germany) bank account drain was an SS7 attack — criminals stole 2FA codes via SMS interception and drained accounts.

Defenses: Don't rely on SMS for 2FA for anything that matters. Use TOTP, push-based MFA, or hardware tokens. For very high-risk individuals, app-based authentication only; never SMS recovery.

SIM swapping

The attacker convinces the victim's carrier — via phished employee credentials, social engineering, or paid insider — to port the victim's phone number to a SIM the attacker controls. The victim's phone goes silent; every SMS, including 2FA codes, goes to the attacker. Bank accounts, crypto wallets, and email accounts that use SMS recovery follow quickly.

The attack pattern is industrialized. "SIM swap as a service" exists on criminal forums. Carriers have improved verification but the human element (a bribed retail employee) remains exploitable.

Defenses: Set a carrier PIN/passphrase. Use app-based 2FA, not SMS. Treat the phone number as a publicly-known identifier, not a security factor. Major banks and crypto exchanges now offer SMS opt-out for MFA; use it.

eSIM hijacking

eSIM (the embedded SIM in modern phones) is easier to provision — which means easier to abuse. Attacker calls carrier, social-engineers them into provisioning a new eSIM "for a replacement device," activates it on attacker hardware, takes over the line. Similar outcome to physical SIM swap but easier to execute remotely.

Defenses: Same as SIM swap: carrier PIN, no SMS 2FA on anything critical. Some carriers now require an in-store visit for eSIM transfers; verify yours does.

SMS / RCS threats

Smishing & malicious links

SMS phishing — "your package is held; click here to pay $2 redelivery fee." Spoofed sender IDs, urgency, links to credential-harvesting pages or APK downloads. Less sophisticated than email phishing but with much higher click-through rates because users still trust SMS.

Defenses: Both iOS Messages and Google Messages now warn on unknown senders and likely-spam content. Don't click links in SMS from unknown numbers. For organizations: train staff that the IT help desk does not send password reset links via SMS.
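The smishing indicators above (spoofable alphanumeric sender IDs, urgency, links to credential pages or APK downloads, small payment asks) can be turned into a triage heuristic. This is an added example, not code from the page; the sample messages are constructed and the scoring weights are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Sms:
    sender: str   # as displayed: phone number, short code, or alphanumeric ID
    body: str


# Constructed sample messages; not real traffic.
SAMPLES = [
    Sms("USPS", "Your package is held. Pay the $2 redelivery fee within 24 hours: http://usps-redeliver.example/pay"),
    Sms("+15550100", "Hey, are we still on for 7?"),
    Sms("IT-HELP", "Password expires today! Reset now: http://login-reset.example/app.apk"),
    Sms("22395", "Your verification code is 482913. Do not share it."),
]

URL_RE = re.compile(r"https?://\S+", re.I)
URGENCY_RE = re.compile(r"\b(within 24 hours|immediately|expires today|right now|act now|held)\b")
PAYMENT_RE = re.compile(r"\$\d|\bfee\b|\bpay\b")
CREDENTIAL_RE = re.compile(r"\bpassword\b|\breset\b|verify your account")
# Alphanumeric sender IDs carry no number to call back and are trivially spoofed.
ALPHA_SENDER_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def score_smishing(msg):
    """Return (score, reasons) for one message; higher means more smishing-like."""
    score, reasons = 0, []
    body = msg.body.lower()
    urls = URL_RE.findall(msg.body)
    if urls:
        score += 2; reasons.append("contains link")
        if any(u.lower().endswith(".apk") for u in urls):
            score += 3; reasons.append("APK download")
    if ALPHA_SENDER_RE.fullmatch(msg.sender):
        score += 1; reasons.append("alphanumeric sender id")
    if URGENCY_RE.search(body):
        score += 1; reasons.append("urgency language")
    if PAYMENT_RE.search(body):
        score += 1; reasons.append("payment request")
    if CREDENTIAL_RE.search(body) and urls:
        score += 2; reasons.append("credential lure with link")
    return score, reasons


def triage(messages, threshold=4):
    """Messages at or above the threshold, with their score and reasons."""
    return [(m.sender, s, r) for m in messages for s, r in [score_smishing(m)] if s >= threshold]
```

A legitimate one-time-code message from a short code scores zero here because it has no link, no urgency wording and a numeric sender.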

RCS attacks & iMessage exploits

Rich messaging protocols (RCS for cross-platform, iMessage between Apple devices) parse complex content: stickers, animations, link previews. The parsers are where zero-day exploits live. NSO's Pegasus famously delivered zero-click iMessage exploits that fully compromised phones via crafted attachments.

Defenses: Keep iOS/Android current; these are the bugs Apple/Google patch most quickly when discovered. iOS Lockdown Mode disables most attachment auto-rendering, defeating this class of attack. For high-value targets, Lockdown Mode is genuine defense.

Bluetooth threats

BlueBorne, KNOB, BIAS & friends

A steady drumbeat of Bluetooth stack vulnerabilities: pairing flaws, encryption-negotiation bypasses, RCE in BT firmware. Most require proximity (about 10 m) and are patched quickly, but the patches don't reach every device; many cheap IoT devices and old phones never receive the updates.

Defenses: Turn Bluetooth off when not in use; iOS keeps Bluetooth on by default for AirDrop/Handoff, and Android does too. Keep your phone updated. Don't pair with unknown devices.

Defense summary

The point

Mobile networks add attack categories that don't exist on a desktop with a wired Ethernet. The good news is that the highest-leverage defenses are simple and consistent: no SMS MFA, carrier PIN, VPN on untrusted Wi-Fi, current OS. Apply those four and you've closed the door on the majority of practical mobile network attacks.

For the residual high-end threat — nation-state mobile malware, targeted SS7 surveillance, IMSI-catcher monitoring — the platform's hardened modes (Lockdown, Advanced Protection) are the right answer for the individuals who need them. For everyone else, the basics carry the day.
