Disable 2G/GSM for security reasons on Galaxy Phones

(Topic created on: 09-07-2019 01:10 PM)
4861 Views
_3
Apprentice

Good morning,

 

I'm using a J3 2017 and when I requested to open a ticket with Samsung over this, they guided me here to make contact directly with Samsung developers.

 

So - here's a security flaw in at least my model of phone - in the network mode selection, it is only possible to disable 2G by also disabling 4G. The three options available are:

 

  • 2G, 3G and 4G auto-select.
  • 2G only.
  • 3G only.

 

The "missing" entries that I would expect are:

 

  • 3G and 4G auto-select. (2G Disabled).
  • 4G only.

 

This is due to security flaws in older protocols that allow harvesting of location data through 2G downgrade attacks.

5 REPLIES
AntS
Moderator

Hi @_3. 🙂

 

Thanks! I've made our software team aware about this one for you. Me or one of the other Mods will let you know what the developers advise us. 👍

0 Likes
_3
Apprentice

Thanks @AntS! That's really great of you. 😊

 

A much better experience than your Twitter team who apparently have no ability to log anything for other teams. 🤦‍♀️

0 Likes
AntS
Moderator

No worries, @_3.

 

Roughly translated from the Korean, the developer response we've received is:

 

"I feel worry to hear that this can be a security problem. Unfortunately, current network mode entries of Samsung devices are based on each sale code and operator requests. We cannot change it now because it can cause complaints of other operators.
Beside that, please describe more detail about your security problem."

 

My interpretation of that is that the network selection modes are based on a combination of local requirements and what the networks have requested.

 

Regarding the developer's request for more detail, unsure if you've got any specific info about data harvesting via 2G downgrade attacks e.g. if your phone has been the victim of one and you have log files on it; or have a link to something that gives more detail to the potential vulnerability you've highlighted here (especially if it gives specific references to Samsung smartphones).

0 Likes
_3
Apprentice

Hi AntS, thanks for the investigation.

 

Here's a reasonably thorough (but accessible) primer on GSM vulnerabilities:

 

https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks#Over...

 

Apologies if it's a little low level for the developers. To my knowledge I haven't been a victim of any attacks, but I have no way of identifying if I had. I'm not suggesting that I'm someone who would be a target for these attacks either, I'm not that paranoid, haha - however it seems like this is a pretty well understood vulnerability - I've been hearing about GSM attacks for years now, and there have been a number of recent exploits like this one:

 

https://domonkos.tomcsanyi.net/?p=418

 

That very clearly show that GSM's vulnerability is now to the level where literally anyone can break it - so the inability to disable this in a cellular device is now a major concern.

AntS
Moderator

Cheers @_3. I forwarded that info to our developers. 👍

 

However, they've let me know that the available network mode options (and how they work) are very much determined by the network providers rather than our developers. So I reckon it'd be worth flagging the 2G security vulnerability issue to your network (if you've not done so already). I'd also encourage others out there to do the same.