Many years ago browsers started alerting users to HTTP (vs HTTPS) connections and HTTPS sites using invalid or untrusted certificates.
How is it possible that in 2026 we're not notified by default when we connect to a cell tower with no certificate so our communications is being broadcast into the air completely unencrypted?
>How is it possible that in 2026 we're not notified by default when we connect to a cell tower with no certificate so our communications is being broadcast into the air completely unencrypted?
5G added that with Subscription Concealed Identifier (SUCI), but it's still optional. Certificates also don't work because you need to be able to roam, and doing certificate management for every carrier on earth is fiendishly hard. Not to mention that it's not feasible to hide IMEI before authentication could begin, imagine hiding IP or MAC addresses before a connection can be established, for instance.
All of these problems have been solved on the web and there are many more websites and user agents in the ecosystem.
Certainly, there are other market forces at play. Certainly carriers refusing changes and refusing to let a 3rd party authority sign their certs.
>All of these problems have been solved on the web
Have they? The solution to IP addresses is basically "use a VPN", which you could do also on a phone. SNI leaks have been around since forever, and despite eSNI, still isn't close to being widely fixed. There's MAC address randomization, but only because LANs and wifi networks are basically an unregulated free for all, so spoofing doesn't really matter. It's far less viable with controlled access networks like cellular. Some countries even have regulations banning spoofing/changing IMEIs.
They haven't been solved on the web. Mobile phones have to authenticate themselves with the carrier to ensure someone is paying for their connectivity. Therefore they can't be anonymous. On the other hand, indeed, most of the time you don't have to identify yourself to connect to a web server — but once you have connected, you may face a paywall that requires authentication! Also, you are certainly authenticating yourself somehow with your ISP for your home internet connection.
You're asking why a government, that is already known for massive surveillance, wants devices that nearly 100% of the population owns to be completely unencrypted?
Said government isn’t too keen on its own employees being vulnerable in this way, so it’s not as cut and dry as you make it out to be.
Hanlon’s razor applies here.
relevant lesser known fact - 3G crypto is broken. In such a way that is a bit suspicious - a couple terabyte-sized rainbow table will crack it.
There's no indication government is behind this and given that Google is rolling out tools now to protect against it this was probably always doable and just never prioritized.
That's a just incredibly naive.
It's observable facts. They are rolling out the features now. So what changed in 2025? Is the present government more liberal than the past? Clearly not. More like this kind of feature will be ignored and irrelevant for 99% of users.
Maybe we should just treat the pipe as insecure and focus on encrypting the app layer.
Voice calls and SMS are presumably getting less and less popular.
should'nt you always assume your communications are being broadcast into the air unencrypted unless you're connected with ssl/tls? even if encrypted to the tower the carrier can still intercept all your stuff.
True, but multiple security layers help both through redundancy and because they protect different things.
Cell encryption is not end-to-end, so even with cell signal encryption I'm susceptible to snooping by:
- the phone company
- the government if they serve the cell phone company with a warrant or other legal proceding
- malicious downstream actors
I'll use HTTPS for browsing to mitigate the damage of course, but even so without cell signal encryption, I'm susceptible to all of the above, plus any physically nearby actor can:
- see my text messages and possibly inject fake messages
- hear my phone calls
- see which IP addresses I'm communicating with (though not the contents of that communications if I'm encrypting with HTTPS)
- If app store security is inadequate or has flaws, they could force-feed me a malicious app disgused as an "update".
- I don't control the communications used by individual apps, so they can see any data passed in the clear, and trigger and exploit vulnerabilities in those apps via MITM.
So cell signal encryption helps a lot, though certainly it's not sufficient by itself.
> the government if they serve the cell phone company with a warrant or other legal proceedings
The police may have to sometimes jump though a couple of rubber stamped hoops, or hand over stacks of taxpayer money to companies for access to their online law enforcement portals, but the government is already inside taking everything that passes through those companies, using hardware those companies have been forced to install and/or by the outright seizure and occupation of their private property. There's nothing constitutional about it, but this has been true for a very long time (https://en.wikipedia.org/wiki/Room_641A) and it's not going to change.
Unless your device is fully air-gapped, and you are absolutely certain of that, then you should assume whatever you do on the device is being monitored, by someone, somewhere, for any reason at all.
WiFi still lacks forward secrecy, and SNI is still almost never encrypted.
I think at least the former is intentional.
WPA3 adds perfect forward secrecy.
[deleted]
The moment this is rolled out is the moment government will start figuring out how to insert itself into the chain of trust so it will not matter.
Why bother locking the door if it can be kicked down? /s
The harder and obvious it is, the better.
Because the door being open makes it possible for opportunistic thieves and even kids to steal something. If the police knocks on it, it's actually better to open it. Otherwise they will still get in, but you will also not have door after that.
With phone interception, I can't imagine any other actor being sophisticated enough to bother with setting up the stringray thingy. Maybe something very targeted to get somebody very special (having a hot wallet with 20 bitcoins and going around the city with it comes to mind), but I would still expect the simplier methods there too.
Add: Even with the normal HTTP traffic, mitming was way more common and more practically exploitable back in the day, just by setting up a rogue wifi AP and fishing for passowrds. I'm not sure it was ever a thing with stringrays when non-government actors did something with them.
> the attacker can harvest device information and force your phone onto an older, unencrypted protocol.
This is why you should always toggle the setting that disables 2g/3g fallback.
With 4G, for example, your device will refuse to connect fully unless the network can pass the cryptographic challenge that proves it shares the key material included in your SIM card (I know, I know, symmetric keys are not ideal). The best an attacker can hope to do in 4G+ is harvest your subscriber ID (IMSI) or deny you service while you are in range.
Only way I know how to do this on iPhone is to enable "Lockdown Mode" which also removes images from messages, etc. Is there another way?
Lockdown mode allows one to optionally disable 2g, maybe it is also the default there. One can turn 2g back on in said mode if desired.
As to 3g, it is largely switched off here, and I understand most of the rest of the world is also disabling it.
However it does not remove images from messages, it just disables certain automatic helpers - e.g. link previews etc.
One can still send photos, etc without any issue.
This doesn’t mitigate the issue that a malicious base station poses by downgrading a phone.
It doesn’t matter what the network supports. It matters what the phone supports
AFAIK lockdown mode is the only way on iPhone. This will disable 2g, but not 3g.
As far as I've been able to determine, the main feature this article speaks to is not even on the Pixel 9 - it is only a feature on the Pixel 10.
> Because of this hardware requirement, the full suite of these network security tools is currently exclusive to the Pixel 10 series. They can be found under the “Mobile Network Security” section in the system settings.
I believe it's available on Pixel 9 Pro, at least. You might need a recent update, not sure.
Wouldn't setting your phone to NR/LTE only in the ##4636## service menu prevent this as well (though without a pop up)?
Is something similar available in iOS? Apple's full control over the hardware and software should make it easier than in the Android ecosystem.
> software can only do so much. For these security features to work, your phone's modem has to be able to communicate with the Android OS in a very specific way
> Because of this hardware requirement, the full suite of these network security tools is currently exclusive to the Pixel 10 series
iOS allows disabling 2G connections, but only in lock-down mode.
This would be an amazing feature.
I set up a rayhunter, not so worried about myself, but more an early warning if something was to change in the area
I believe you need an activate sim in order for it to work correctly, is that correct?
It’s wild that in 2026 we still aren’t notified about unencrypted connections by default. Learning that SUCI is optional and roaming makes certificate management so difficult was really eye-opening. Great read!
Thing is, what're you gonna do about it when you see it?
Edit: whatever the answer is, it needs to work when this pops up frequently, because it will.
Know that you're compromised. Don't say or do anything incriminating. If possible, leave.
Switch off the phone, then leave.
Never turn off your phone if you think you're in trouble; this creates an anomaly in the data, akin to acoustic shadow.
I would write a twit about government doing the authoritarian tilt so other people can do something about it. Raising awareness is important.
Interesting question for sure. Given the implied budgets for domestic surveillance, are there any metropolitan areas which do not have fake towers?
What is the point of stringrays anyway? It's a thing that exists, so I believe it does something, but I can't figure out what exactly.
They can go through the area, catch a whole bag of IMSIs and then.... what? What capability does it enable? Knowing when a certain person of interest shows up in a certain locality? Can't they get it from the phone company without a warrant anyways, just by asking nicely? If it's not targeted, what the data is even used for theoretically?
Stingrays are use to intercept calls in real time. They are used by police and foreign intelligence agencies. It allows them to listen in on political calls. Washington DC is a haven for fake cell phone towers.
I found out the LEO in the area I was in had at least one. I saw a police car parked in the area I was in. Very out of place and would only be there if there was a house call. Decided to test the waters, went out side, paced back and forth, and kept talk. His face and body language changed dramatically which let me know he was using a Stringray and I was the current target without a warrant.
Real time collection and less legal friction?
Completely unrelated thought, but it sure is a crying shame that goatse.cx died. :(
Isn't it the case that disabling 2G on its own is enough to block these issues?
Like the notifications are nice, but they're not a Allow / Deny popup. When you get the popup your data could've been intercepted.
Potentially, although my phone only has the following options when selecting what "Network Mode" to use:
Flagship Samsung from the last 3 years. I have to expose myself to 2G, despite no 2G towers being active in my country. We don't even have 3G anymore either.
[deleted]
Great! Then you can report them to the police.. oh.
> There's a hidden Android setting that spots fake cell towers
> Because of this hardware requirement, the full suite of these network security tools is currently exclusive to the Pixel 10 series.
So, it is not an "Android setting", it is a "Pixel 10 series" setting.
In the US they disabled 2G. Other countries are doing the same.
Thankfully, my country is slow on that. I have some brick phones lying around for when I go in the field. The duration of the battery is like twice on 2g than on 3g on standby (Like two and half to five days; I haven't checked talking time). Granted, that might be phone specific, network specific, or something else specific, but when internet is not needed, I have more use for extra battery than extra security.
I know my government has 100% control over my telecomunications. It is a tradition in this country.
Many years ago browsers started alerting users to HTTP (vs HTTPS) connections and HTTPS sites using invalid or untrusted certificates.
How is it possible that in 2026 we're not notified by default when we connect to a cell tower with no certificate so our communications is being broadcast into the air completely unencrypted?
>How is it possible that in 2026 we're not notified by default when we connect to a cell tower with no certificate so our communications is being broadcast into the air completely unencrypted?
5G added that with Subscription Concealed Identifier (SUCI), but it's still optional. Certificates also don't work because you need to be able to roam, and doing certificate management for every carrier on earth is fiendishly hard. Not to mention that it's not feasible to hide IMEI before authentication could begin, imagine hiding IP or MAC addresses before a connection can be established, for instance.
All of these problems have been solved on the web and there are many more websites and user agents in the ecosystem.
Certainly, there are other market forces at play. Certainly carriers refusing changes and refusing to let a 3rd party authority sign their certs.
>All of these problems have been solved on the web
Have they? The solution to IP addresses is basically "use a VPN", which you could do also on a phone. SNI leaks have been around since forever, and despite eSNI, still isn't close to being widely fixed. There's MAC address randomization, but only because LANs and wifi networks are basically an unregulated free for all, so spoofing doesn't really matter. It's far less viable with controlled access networks like cellular. Some countries even have regulations banning spoofing/changing IMEIs.
They haven't been solved on the web. Mobile phones have to authenticate themselves with the carrier to ensure someone is paying for their connectivity. Therefore they can't be anonymous. On the other hand, indeed, most of the time you don't have to identify yourself to connect to a web server — but once you have connected, you may face a paywall that requires authentication! Also, you are certainly authenticating yourself somehow with your ISP for your home internet connection.
You're asking why a government, that is already known for massive surveillance, wants devices that nearly 100% of the population owns to be completely unencrypted?
Said government isn’t too keen on its own employees being vulnerable in this way, so it’s not as cut and dry as you make it out to be.
Hanlon’s razor applies here.
relevant lesser known fact - 3G crypto is broken. In such a way that is a bit suspicious - a couple terabyte-sized rainbow table will crack it.
I found a guy with the tables at one point, it's buried deep on the internet -- but this for example -- https://ieeexplore.ieee.org/document/6645525
There's no indication government is behind this and given that Google is rolling out tools now to protect against it this was probably always doable and just never prioritized.
That's a just incredibly naive.
It's observable facts. They are rolling out the features now. So what changed in 2025? Is the present government more liberal than the past? Clearly not. More like this kind of feature will be ignored and irrelevant for 99% of users.
Maybe we should just treat the pipe as insecure and focus on encrypting the app layer.
Voice calls and SMS are presumably getting less and less popular.
should'nt you always assume your communications are being broadcast into the air unencrypted unless you're connected with ssl/tls? even if encrypted to the tower the carrier can still intercept all your stuff.
True, but multiple security layers help both through redundancy and because they protect different things.
Cell encryption is not end-to-end, so even with cell signal encryption I'm susceptible to snooping by:
- the phone company
- the government if they serve the cell phone company with a warrant or other legal proceding
- malicious downstream actors
I'll use HTTPS for browsing to mitigate the damage of course, but even so without cell signal encryption, I'm susceptible to all of the above, plus any physically nearby actor can:
- see my text messages and possibly inject fake messages
- hear my phone calls
- see which IP addresses I'm communicating with (though not the contents of that communications if I'm encrypting with HTTPS)
- If app store security is inadequate or has flaws, they could force-feed me a malicious app disgused as an "update".
- I don't control the communications used by individual apps, so they can see any data passed in the clear, and trigger and exploit vulnerabilities in those apps via MITM.
So cell signal encryption helps a lot, though certainly it's not sufficient by itself.
> the government if they serve the cell phone company with a warrant or other legal proceedings
The police may have to sometimes jump though a couple of rubber stamped hoops, or hand over stacks of taxpayer money to companies for access to their online law enforcement portals, but the government is already inside taking everything that passes through those companies, using hardware those companies have been forced to install and/or by the outright seizure and occupation of their private property. There's nothing constitutional about it, but this has been true for a very long time (https://en.wikipedia.org/wiki/Room_641A) and it's not going to change.
Unless your device is fully air-gapped, and you are absolutely certain of that, then you should assume whatever you do on the device is being monitored, by someone, somewhere, for any reason at all.
WiFi still lacks forward secrecy, and SNI is still almost never encrypted.
I think at least the former is intentional.
WPA3 adds perfect forward secrecy.
The moment this is rolled out is the moment government will start figuring out how to insert itself into the chain of trust so it will not matter.
Why bother locking the door if it can be kicked down? /s
The harder and obvious it is, the better.
Because the door being open makes it possible for opportunistic thieves and even kids to steal something. If the police knocks on it, it's actually better to open it. Otherwise they will still get in, but you will also not have door after that.
With phone interception, I can't imagine any other actor being sophisticated enough to bother with setting up the stringray thingy. Maybe something very targeted to get somebody very special (having a hot wallet with 20 bitcoins and going around the city with it comes to mind), but I would still expect the simplier methods there too.
Add: Even with the normal HTTP traffic, mitming was way more common and more practically exploitable back in the day, just by setting up a rogue wifi AP and fishing for passowrds. I'm not sure it was ever a thing with stringrays when non-government actors did something with them.
> the attacker can harvest device information and force your phone onto an older, unencrypted protocol.
This is why you should always toggle the setting that disables 2g/3g fallback.
With 4G, for example, your device will refuse to connect fully unless the network can pass the cryptographic challenge that proves it shares the key material included in your SIM card (I know, I know, symmetric keys are not ideal). The best an attacker can hope to do in 4G+ is harvest your subscriber ID (IMSI) or deny you service while you are in range.
Only way I know how to do this on iPhone is to enable "Lockdown Mode" which also removes images from messages, etc. Is there another way?
Lockdown mode allows one to optionally disable 2g, maybe it is also the default there. One can turn 2g back on in said mode if desired.
As to 3g, it is largely switched off here, and I understand most of the rest of the world is also disabling it.
However it does not remove images from messages, it just disables certain automatic helpers - e.g. link previews etc.
One can still send photos, etc without any issue.
This doesn’t mitigate the issue that a malicious base station poses by downgrading a phone.
It doesn’t matter what the network supports. It matters what the phone supports
AFAIK lockdown mode is the only way on iPhone. This will disable 2g, but not 3g.
As far as I've been able to determine, the main feature this article speaks to is not even on the Pixel 9 - it is only a feature on the Pixel 10.
> Because of this hardware requirement, the full suite of these network security tools is currently exclusive to the Pixel 10 series. They can be found under the “Mobile Network Security” section in the system settings.
I believe it's available on Pixel 9 Pro, at least. You might need a recent update, not sure.
Wouldn't setting your phone to NR/LTE only in the ##4636## service menu prevent this as well (though without a pop up)?
Is something similar available in iOS? Apple's full control over the hardware and software should make it easier than in the Android ecosystem.
> software can only do so much. For these security features to work, your phone's modem has to be able to communicate with the Android OS in a very specific way
> Because of this hardware requirement, the full suite of these network security tools is currently exclusive to the Pixel 10 series
iOS allows disabling 2G connections, but only in lock-down mode.
This would be an amazing feature.
I set up a rayhunter, not so worried about myself, but more an early warning if something was to change in the area
Reference in case anyone's interested: https://github.com/EFForg/rayhunter
I believe you need an activate sim in order for it to work correctly, is that correct?
It’s wild that in 2026 we still aren’t notified about unencrypted connections by default. Learning that SUCI is optional and roaming makes certificate management so difficult was really eye-opening. Great read!
Thing is, what're you gonna do about it when you see it?
Edit: whatever the answer is, it needs to work when this pops up frequently, because it will.
Know that you're compromised. Don't say or do anything incriminating. If possible, leave.
Switch off the phone, then leave.
Never turn off your phone if you think you're in trouble; this creates an anomaly in the data, akin to acoustic shadow.
I would write a twit about government doing the authoritarian tilt so other people can do something about it. Raising awareness is important.
Interesting question for sure. Given the implied budgets for domestic surveillance, are there any metropolitan areas which do not have fake towers?
What is the point of stringrays anyway? It's a thing that exists, so I believe it does something, but I can't figure out what exactly.
They can go through the area, catch a whole bag of IMSIs and then.... what? What capability does it enable? Knowing when a certain person of interest shows up in a certain locality? Can't they get it from the phone company without a warrant anyways, just by asking nicely? If it's not targeted, what the data is even used for theoretically?
Stingrays are use to intercept calls in real time. They are used by police and foreign intelligence agencies. It allows them to listen in on political calls. Washington DC is a haven for fake cell phone towers.
I found out the LEO in the area I was in had at least one. I saw a police car parked in the area I was in. Very out of place and would only be there if there was a house call. Decided to test the waters, went out side, paced back and forth, and kept talk. His face and body language changed dramatically which let me know he was using a Stringray and I was the current target without a warrant.
Real time collection and less legal friction?
Completely unrelated thought, but it sure is a crying shame that goatse.cx died. :(
Isn't it the case that disabling 2G on its own is enough to block these issues?
Like the notifications are nice, but they're not a Allow / Deny popup. When you get the popup your data could've been intercepted.
Potentially, although my phone only has the following options when selecting what "Network Mode" to use:
- 5G/4G/3G/2G (Auto Connect) - 4G/3G/2G (Auto Connect) - 3G/2G (Auto Connect) - 3G Only
Flagship Samsung from the last 3 years. I have to expose myself to 2G, despite no 2G towers being active in my country. We don't even have 3G anymore either.
Great! Then you can report them to the police.. oh.
> There's a hidden Android setting that spots fake cell towers
> Because of this hardware requirement, the full suite of these network security tools is currently exclusive to the Pixel 10 series.
So, it is not an "Android setting", it is a "Pixel 10 series" setting.
In the US they disabled 2G. Other countries are doing the same.
Thankfully, my country is slow on that. I have some brick phones lying around for when I go in the field. The duration of the battery is like twice on 2g than on 3g on standby (Like two and half to five days; I haven't checked talking time). Granted, that might be phone specific, network specific, or something else specific, but when internet is not needed, I have more use for extra battery than extra security.
I know my government has 100% control over my telecomunications. It is a tradition in this country.
[dead]