 | My Pixel 10 warns me constantly that I might be making rogue connections.
|
I have a Pixel 10 Pro XL phone, which may be the first phone to give warnings when the phone might be connecting to a fake cellphone tower. There are two possible alerts. One says a tower was given identifying information. The other is that the phone connected to an unencrypted network.
I never got the second warning. I got the first. What is said is, “Your data may be at risk. Device ID accessed. At 6:57 PM a nearby network recorded your device’s unique ID (IMSI or IMEI) while using your T-Mobile SIM. This means that your location, activity, or identity has been logged.”
The second message, which I never got, would have said, “Non-encrypted connection. You’re connected to a non-encrypted cellular network. Your calls, messages, and data are vulnerable to interception.”
What are the alerts saying?
The first alert simply says that the phone has made a new cell tower connection. It may or may not be a legitimate cell tower. When the phone makes a connection, it needs to provide two things to the tower. The IMEI (your unique equipment ID) and your subscriber ID that would be known to your cellular provider (IMSI or SOCI). This is simply what the alert is telling you. Legitimate or not, your phone gave out your IMEI, IMSI, and/or SOCI.
The second message, at least in the U.S., means you are under attack! Your phone is no longer using encryption. There are no longer unencrypted connections in the U.S. You’ve been connected via 2G which is an unencrypted protocol. There are no 2G towers in the U.S. any longer, so it has to be a CSS. Your text messages can be read. Your phone calls can be listened to. Fake SMS messages can be pushed to your phone.
If you ever got the second message it means you don’t have 2G Protection enabled. Enable it! If your phone doesn’t have the option, and you get this message, then put your phone on airplane mode or turn it off until you move out of range. Make sure the protocol indicator on the top right is 5G, 4G or LTE before using your phone again. If it’s 2G or 3G turn the phone back to airplane mode.
Normal situations for the first message
- Your phone is making a connection for the first time to a new tower. It needs to provide this information. So, it’s OK.
- Your phone lost connection and is now connecting again to the same tower. It must provide this information. So, it’s OK.
- You’re switching towers because you are traveling or because the phone found a better tower. It needs to provide this information. This is common if you are in an area with a weak signal where the phone can ping-pong between towers. If you are moving, you must connect to new towers. Therefore, it’s OK.
To really understand what is happening, it’s necessary to break this down into 2 sections. First, your unfriendly neighborhood hacker, and second, your local police, government agents, and foreign agents. Then within each section, we need to discuss the attack by the protocols 2G, 3G, 4G, and 5G.
Attacks by your unfriendly neighborhood hacker
If you are not moving between towers and you normally have a strong signal, then the alerts might mean you might be targeted by a hacker using a cheap, easily available IMSI catcher. But it won’t be a very sophisticated or powerful device. It might cost a few hundred dollars.
What is the hacker trying to do?
With this device, the hacker must attack your phone using the 2G protocol. Once connected by 2G, the hacker can perform a Stingray Attack. Because 2G uses unencrypted traffic, they can read your text messages and listen in on your phone calls. If this succeeds, you would get the second alert.
A stalker might want to initiate a Stingray Attack to eavesdrop on their victim.
Most likely, though, the hacker will be using the attack to send malicious text messages directly to your phone. People have been caught driving around cities connecting via 2G to phones and performing SMS Blast attacks. I’ve read they can push these messages to about 1,000 phones/hour. They don’t use normal cellular accounts because they want to be anonymous and because cellular companies will filter out apparently malicious SMS messages.
A 3rd possibility is that the hacker, a law enforcement agent, is running the IMSI catcher just to collect the IMEI and IMSI values to know who is in the area. Maybe they are at a protest. In this case the CSS connects, gets the information, and drops the connection. Know, though, that by just listening to the cell tower broadcasts, they can tell which phones are in the area within 2.5 km of the tower. They don’t even need to connect to your phone. This is because the tower knows who is connected, and if an SMS message needs to be delivered or a phone call delivered, it sends a message to every phone telling them that if it’s for them, handle it. These IDs can be easily captured and recorded. They are plain text. So, if the police want to know if you’re in an area and your phone is on, they will know you are in the area, one way or the other. The IMSI catcher just tells them that you are closer to them.
There is a 4th possibility, but it is not likely to be done. They can tell your phone that it does not support 5G, 4G, 3G, or 2G. Your phone will believe the fake tower. You will no longer receive any phone calls or messages because your phone will no longer try connecting to anything until you reboot the phone. But this is not something a hacker would be interested in doing to you. Law enforcement might do something like this.
The 2G attack
2G is no longer used in the U.S. except for emergency calls. The last tower was shut down in 2024. If you happen to notice your phone showing a 2G connection, or you got the second notification, you can be 100% certain that you are experiencing a Stingray attack.
Here’s how the attack is done. A CSS will first send out a strong signal on 2G to attract phones. Once you connect to their 2G CSS, you are caught, and the attack begins.
The most important defense you have against any of these attacks by your neighborhood hacker is to disable 2G
If you have an Android phone using Android 12 or later, PLEASE determine how to turn on 2G protection for your phone and Android version. This disables 2G for everything other than emergency calling. Your neighborhood hacker will be unable to attack your phone if the CSS cannot make a 2G connection. I’m told, though, that not all Android phones have this option.
If you use an iPhone, you cannot disable 2G unless you turn on Lockdown Mode. Unfortunately, this disables other features. You will need to decide whether you want to do this. There is no option on an iPhone to just turn off 2G.
Attacks Using 3G
We’re talking about your neighborhood hacker. Their equipment is not sophisticated enough nor powerful enough to initiate a 3G attack. But what they will try to do if they can’t get you to connect directly to a 2G signal is send out a strong 3G signal. Once you connect to the CSS with 3G, the CSS will tell your phone that 3G is no longer available. Your phone will then switch to 2G, and the 2G attacks can commence. This is a Downgrade Attack where they force your phone to drop to an insecure protocol (2G).
In this case you will probably see both notifications. First, one that says you gave up information on a new connection. Then the second one says you are on an unencrypted network.
If you disabled 2G, then the Downgrade Attack is blocked. The hacker can only get your IMEI and IMSI for tracking. You would only get the first message.
3G is also no longer available in the US. It was turned off in 2022, even before 2G was turned off. Since blocking 2G stops the most common attack, phones have no option to turn off 3G. My feeling is that if there are no 3G towers, and there are IMSI Catchers using it, there ought to be a way to disable 3G as well, but neither Google nor Apple apparently agree.
There may be a way to tell your Android phone that you prefer to stay off 3G, which may help prevent an attempt to start the Downgrade Attack. I cover the secret menu and what this does under special information at the end.
Attacks Using 4G and 5G
Your neighborhood hacker won’t be able to do this. 4G and 5G are too secure, and their equipment just doesn’t have what it takes, so I’ll skip this but cover it more under the section related to Law Enforcement and government.
Attacks by Law Enforcement and Government Agents
While your neighborhood hacker spent a few hundred dollars for their 3G/2G IMSI catcher, your local police department and government agencies will have spent hundreds of thousands of dollars, and even up to $1M, on a military-grade IMSI catcher, and this is a different story.
To give an idea of what we’re dealing with, while you can stop your local hacker from tracking you by turning off your phone, according to Edward Snowden, the government can not only continue connecting to your turned-off phone but even enable the microphone to eavesdrop.
“Based on documents leaked by Edward Snowden, the National Security Agency (NSA) had already developed a technique in 2004 to locate cell phones even when they were turned off, called “The Find”, mostly used to locate terrorist suspects [36]. This was accomplished through the use of IMSI catchers which could wirelessly send a command to the phone’s baseband chip to fake any shutdown and stay on [37]. The phone could then be instructed to keep just the microphone on, in order to eavesdrop on conversations, or periodically send location pings.“
https://www.cis.upenn.edu/wp-content/uploads/2019/08/EAS499Honors-IMSICatchersandMobileSecurity-V18F.pdf
2G attacks
Everything that I wrote about 2G attacks brought on by your neighborhood hacker pertains here as well, except that it is likely that turning on 2G protection will not stop the government nor the police from forcing your phone to connect to 2G. I have no evidence of this, but I suspect they know a way to talk directly to the modem or to go through the emergency protocols to get inside the phone.
If you are worried about the government tracking you or attacking your phone, keep the phone in a Faraday bag to keep all electromagnetic radiation separate from your phone. I mean, you can’t even turn it off to stay protected.
3G attacks
Everything that I wrote about 3G attacks for the hacker is true, but there’s more. While the best the hacker can do with 3G is try to force your phone to 2G, government IMSI Catchers have powerful computers that can break 3G encryption in real time. So, they don’t even need to force your phone to 2G to listen in, send text messages, and who knows what else.
4G attacks
While 2G and 3G attract phones to the CSS by using a more powerful signal (or by weakening the signal from the surrounding towers), they force your phone to 4G by using a higher priority signal than the surrounding towers. Even if your phone is connected to a tower with a strong signal, it must move to the tower with a higher priority signal. This is how they get your phone to connect to their CSS. Once connected, not only can they get your IMEI and IMSI, but who knows what else they can do?
5G attacks
5G is the same. Your phone will move to the tower with the higher priority. The only difference is your phone won’t have an IMSI, which is an unencrypted subscriber number, but rather a SOCI which is encrypted. They can’t read your subscriber number, but they can use it as a unique tracker.
Government IMSI catchers can also break into WiFi
I don’t know much about this, but the documents I’ve seen show that they can hack into a WiFi and probably attack the phones and computers that are connected to it.
Other information
If you have an Android phone, you may be able to tell the phone that you prefer 4G and 5G. This way, your neighborhood hacker may not even be able to connect at 3G to try to start a downgrade attack, and they won’t be able to get your IMEI and IMSI values. I believe the following process tells the phone that even if there’s a strong 3G signal, so long as there is a 4G or 5G signal, do not connect to 3G.
After all, if there are no 3G towers any longer, then a 3G signal has to be coming from an IMSI Catcher, right? So why would you want to connect using 3G?
On your Android phone, you can try dialing #.#.4636.#.# and select “Phone Information.” Look for a drop down called “Set Preferred Network Type.” Select “NR/LTE.” This tells your phone you only want to use 4G (LTE) and 5G (NR). This is not available on an iPhone.
How can you know if the connection is legitimate if the connection is encrypted?
The answer is that you can use a device called a RayHunter. I currently have one operating on the Verizon network and will have another operating on T-Mobile. I will cover this in a separate post.
After posting this on my Mastodon server (https://hear-me.social/@Jerry) and on my PieFed server (https://feddit.online), I got some follow-up questions.
- How do I enable these notifications on my phone?
As of 1-Sep-2025, I believe only the Pixel 10 phones have the hardware to support this. Because these notifications are added to Android 16, many new Android phones will come with the required hardware in the future. Google wants this feature to be generally supported.
You would need to go into the Mobile Network Security location (search for this in settings). There you will see “Network notifications” if your phone supports this feature. You can turn it on. - Can a signal booster cause false alerts?
No. Signal boosters are passive devices. They simply take the signal that comes in on one end, and they amplify it. They don’t make connections. - Where can I read more about this?
https://www.androidcentral.com/apps-software/android-os/android-16-can-tip-you-off-if-someone-is-snooping-on-you-using-stingray-devices - Can I turn off 2G on an iPhone?
Appears not. You can do lockdown mode, but that turns off more than 2G, which is probably not what you’d want permanently enabled. 3G cannot be turned off either.