Android 16 Will Tell You When Fake Cell Towers Try To Track Your Phone (androidauthority.com) 51
Android 16 will include a new security feature that warns users when their phones connect to fake cell towers designed for surveillance. The "network notification" setting alerts users when devices connect to unencrypted networks or when networks request phone identifiers, helping protect against "stingray" devices that mimic legitimate cell towers to collect data and force phones onto insecure communication protocols.
registered-only list. (Score:3)
Why don't telecons maintain a database of legitimate towers and send an updated list to one's phone every week or so? If you ride out of the area, a new list for the new area is downloaded just before you reach the boundary. (There might be special "starting" towers the world over in the local list.) The phone should only attempt communicating with towers in the database.
In emergencies such as 911 one could override that protection upon user confirmation.
Or do they spoof legitimate towers also? Seems they couldn't do much to one's phone unless they first gain access credentials somehow. The phone could even report suspicious towers to the telecom so they can whack or sue common offenders.
Re: (Score:3)
Re: (Score:3)
If they accidentally forget to put a tower in, they're gimping themselves -- not to mention some companies do cross-sharing agreements which would need to sync.
All the more reason becoming a certified legitimate cell tower should be quite the documented process, along with sustaining a more centralized list of registered legitimate towers that include hefty fines for lack of accuracy.
Most people won't be affected by Stingray like devices or fake towers. I bet even after this, most people won't even notice a difference.
Most people won't be falsely accused of a crime either. But when it does happen to someone, it's not exactly something you brush off and forget about in the manner you just described.
Re: (Score:2)
Re: (Score:2)
Who is "they"? The vendor would set up phones initially and test them. If by chance the phone can't find ANY usable towers, the phone can prompt the user for the option of having their phone ignore the registry (along with a stern warning).
Not a show-stopper, just need a decent Plan B.
I don't see why that's a problem. Vendors can include all registered
Because cops (Score:1, Flamebait)
It's a consequence of tough on crime politics and militarizing our police. You would think people would know that Benjamin Franklin quote but goes right out the window the moment somebody ruffles through the change in your dashboard...
Re: (Score:2)
As many others have told you before, please get psychological help!
On top of that, as usual, you have absolutely no idea what you are talking about from a technical standpoint. You are simply trolling America from Asia where you live again!
Please listen to yourself, those people were talking to you. Joe Biden is not in the room with you right now.
Re: (Score:1)
The primary use of fake cell towers for tracking is police.
There is no law requiring you to carry your cell phone when leaving your residence. What now, police?
There is no law requiring you to carry your cell.. (Score:2)
...but the fact that a suspect normally did and suddenly didn't has been used as evidence against them.
Re: There is no law requiring you to carry your ce (Score:3)
Where
Re: (Score:2)
https://www.towerforensics.co.... [towerforensics.co.uk]
Ignore this troll (was Re:Because cops) (Score:2)
The primary use of fake cell towers for tracking is police.
You’re leaning on half-truth as a rhetorical crowbar, and it’s a tired move. You're not here to unpack power or push for reform — you're here to poison the well. By flattening the issue into “cops bad, tech bad,” you strip away the nuance that actually matters: the lack of oversight, the secrecy, the legal gray zones that allow these tools to be used without accountability. You're not exposing injustice — you’re a grandstanding troll, not a dissenter. Just go away
So I believe everything I say (Score:1, Troll)
But don't mistake bitter rage for trolling. Trolling is when I am trying to derail the conversation. I'm not I'm just fucking angry at you morons for setting fire to America because you hate trans kids or a terrified you're going to have a few too many beers, dro
Re: (Score:1)
And the majority of people here agree with me because they know. Even the ones that voted for Trump agree with me they just don't like to talk about it or about voting for Trump.
Re: (Score:2)
Trump isn't gonna steal a house from some Slashdotter.
Re: (Score:1)
I mean yeah strictly speaking Trump is just a senile old man and it's the billionaires in the banks that are going to take your house. They will slash funding to the programs you use to keep yourself alive, you are blissfully unaware of that Chesterton's fence or literally any of the other ways our heavily interconnected economy affects you, so in a few years you'll end up bankrupt and mortgaging your house. Then the bank takes it and gives it to a
Re: (Score:2)
No, he won't, and when he doesn't you'll bumble right along posting bullshit without ever admitting that you were wrong about this and dozens of other things.
Shut up, you're posting while drunk/stupid.
Re: (Score:2)
Phone-to-provider encryption seems like a better option. The only unencrypted information to start with would be your provider's ID, so your traffic is routed to their systems for decryption. Basically... my best current guess for greater security? Give up your mobile phone number, use data and a VOIP app. Then the cops will have to get a warrant (assuming your VOIP provider worries about that) not only to know the content of your conversation, but even to know who you called.
You're never going to be ab
Re: (Score:2)
Hard to tell if this was written by a disillusioned sysadmin or someone beta-testing narrative control for his Wumao handler.
Phone-to-provider encryption seems like a better option. The only unencrypted information to start with would be your provider's ID, so your traffic is routed to their systems for decryption. Basically... my best current guess for greater security? Give up your mobile phone number, use data and a VOIP app. Then the cops will have to get a warrant (assuming your VOIP provider worries about that) not only to know the content of your conversation, but even to know who you called.
This starts off sounding like a thoughtful proposal — until you realize it’s just a punt to a totally different infrastructure. Yes, VoIP over encrypted data is a step up from circuit-switched 2G — that’s not a revelation. But you’re not actually proposing a way to defend against IMSI catchers, which target the physical-layer handshake before traffic hits
Re: (Score:2)
>This is the final refuge of the defeatist: âoeTheyâ(TM)re already watching you, so why care?â
Please don't put words in my mouth. Try, "They're already watching you, so you're going to need to find another way to avoid them if it's important enough, and it'll take a lot of work".
Re: (Score:2)
Why don't telecons maintain a database of legitimate towers and send an updated list to one's phone every week or so? If you ride out of the area, a new list for the new area is downloaded just before you reach the boundary. (There might be special "starting" towers the world over in the local list.) The phone should only attempt communicating with towers in the database.
It’s a reasonable idea on paper, but cellular networks weren’t built with centralized tower authentication in mind — especially not legacy protocols like 2G and 3G, which are still widely used as fallbacks. Tower IDs aren’t verified cryptographically, and there’s no authoritative global list to push to phones in real time. Tower infrastructure changes constantly due to roaming agreements, maintenance, emergencies, and temporary deployments. A weekly "known good" sync would be
Re: (Score:1)
Okay, but they should require it for new or overhauled towers to start heading in that direction. Maybe give the industry a window of 5 to 10 years to add it.
Re: (Score:2)
Why don't telecons maintain a database of legitimate towers and send an updated list to one's phone every week or so?
That's how it used to work, although the update frequency was much less than 2 weeks. If you didn't update, you could even lose connectivity. And it was not transparent: you had to do something on your phone that disrupted usage, in order to download and install the tower update. They stopped doing all that, or made it totally transparent. It was probably too hard to keep their databases up to date.
Re: (Score:2)
Of course, this only stops casual spoofers: if a three-letter agency is tracking you, they can kindly ask the Telco to give them the private key, exactly like they can ask to be included in the database.
Re: (Score:2)
Why don't telecons maintain a database of legitimate towers and send an updated list to one's phone every week or so?
LOL, they participate in the surveillance, why would they make it easier to distinguish it?
Sure it will. (Score:5, Funny)
Re: (Score:2)
These are not the towers you're looking for.
Well this won't go over well with governments (Score:4, Funny)
How are they supposed to spy on journalists if they can't spoof cell towers and hack phones?
Re: (Score:2)
They can still hack phones.
Cat's already out of the bag (Score:4, Interesting)
This is too little, too late.
It's already become common to set up cellular hotspots where even picocell sites can't reach. It's also become common to set up phone-over-carrier-wifi where phones will connect to an org's wifi network specifically set up through an org like Ameriband where calls and texts tunnel to the carrier, but data is offloaded to the host org's corporate internet connection and thus their policies. And DAS has been around for so long that I've seen systems lifecycle, and then the lifecycled-systems go into fault due to age and requiring lifecycle again.
Not for everyone, but crucial for a few (Score:5, Insightful)
It's easy to dismiss fake cell towers as tin-foil hat stuff — until you read the court filings. Stingrays (aka IMSI catchers) are real, widely used by law enforcement, and rarely disclosed to the public. They're not some hobbyist-grade hacker toy — they're high-end surveillance gear.
What Android 16 is doing isn't magic; it's giving users visibility into when their phone gets bumped onto a sketchy, unencrypted channel — something that has real privacy implications, especially for high-risk individuals like journalists, activists, or whistleblowers. Next time you're near a protest, I suggest turning it on. If the crowd is big enough, some alphabet agency is probably hoovering up cell metadata. The FBI once logged license plates near demonstrations — this is the internet-era version of the same playbook.
Is it overkill for the average user? Probably. But the principle matters: people should at least know when their phone is being manipulated at the network level. You wouldn’t ignore a browser telling you your HTTPS connection was hijacked — why ignore your phone doing the same?
Not good enough (Score:2)
Better would be a setting that stops your phone connecting to an unencrypted network.
A Stingray may be the strongest signal in order to get switched to automatically, but it won't be the only signal of adequate strength.
Re: (Score:2)
Better would be a setting that stops your phone connecting to an unencrypted network.
A Stingray may be the strongest signal in order to get switched to automatically, but it won't be the only signal of adequate strength.
I hear you, but doing that would run into a legal issue. Cell phones are required by law in the US and EU to connect to any available tower for emergency calls, even if the phone doesn't have an active SIM card. Adding a user confirmation step risks delaying critical calls and would create a liability for not only the carrier, but also for whoever created the OS running on the phone. This is one of those areas where convenience and safety override stricter controls, for better or worse.
Will cause confusion more than anything (Score:3)
Re: (Score:2)
Femtocells are common in many public places that where large numbers of people gather such as stadiums and malls. I doubt Google can easily tell the difference between these and a device such as a Stingray.
Femtocells are typically provider locked and should not break encryption. The ones in stadiums and malls should look identical to the ones on towers.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
I'm certainly no expert, but doesn't setting up a MitM require a downgrade to broken GSM ciphers to extract the device key?
Yes — exactly. That’s the whole point of this feature. A typical Stingray-style attack doesn't just magically siphon data. It works by coercing the phone into falling back to a weaker, older protocol, like GSM with null or deprecated ciphers — precisely because those protocols either lack mutual authentication or use encryption so weak it's functionally absent. Once the connection is insecure, IMSI catchers can request identifiers, intercept messages, or proxy connections to simulate a nor
Re: (Score:2)
Just...go way, dude.
The cell phone standards only mandate encryption between the user equipment (UE, e.g., the cell phone) and the LTE base station (eNodeB).
Nice pivot. Unfortunately, it’s also a dodge. Your original claim was that Android’s alert system would confuse femtocells with Stingrays — a claim based on nothing but vibes and spy-movie flair. Now, suddenly, you’ve abandoned that and are giving us a half-digested Wikipedia blurb about LTE encryption scopes. Cute, but irrelevant.
Basic text messages are never encrypted as they are just extra bytes on a control packet.
This is technically outdated and misleading. You're describing SMS over legacy protocols, not RCS, end-to-end messaging apps, or even m
Re: (Score:2)
What is a user supposed to do with this information?
Fair question. But instead of staying with it and exploring what a meaningful user response might look like — disable 2G, avoid sensitive conversations in high-risk areas, keep an eye on repeated triggers — you throw it away like a rhetorical prop. You’re not interested in answers; you’re teeing up an excuse to derail the conversation into spy movie tropes.
Femtocells are common in many public places that where large numbers of people gather such as stadiums and malls. I doubt Google can easily tell the difference between these and a device such as a Stingray.
What? Let me give you a clue, 007. Stingrays aren’t just weird little towers — they’re baseband devices that ma
Will Android 16 display a permanent red alert... (Score:3)
Re: (Score:2)
Re: (Score:2)
Why would they? I'm not concerned about Google tracking me. Heck I'm not concerned about China or Russia tracking me. I'm concerned about the people who can actually impact me, and that is an overzealous enforcement arm of my local government with an authority to actually affect my life.
Re: (Score:2)
The oldest troll tactic is the strawman. The second oldest is whataboutism and its logical fallacy twin, false-equivalence — and you’ve planted your flag firmly in the second camp. You’re trying to derail a thread about protecting users from rogue surveillance by shouting, “But Google bad too!” Go shout somewhere else, please.
Congratulations — you’ve discovered capitalism. But none of this has a anything to do with what’s being discussed. You’re dragging
Arms race (Score:2)
So Android adds an alert that notifies you about Stingray towers. Two things will happen:
- Stingray will upgrade its software to thwart the notification.
- Governments will set up *real* cell towers that behave like a regular cell tower in every way, but record data in the process.
Re: (Score:2)
So Android adds an alert that notifies you about Stingray towers. Two things will happen:
You frame this like you’re about to deliver a profound insight, but what follows is just recycled defeatism dressed up like foresight.
- Stingray will upgrade its software to thwart the notification.
You say this like it’s a checkmate — but all it means is the game got harder for the attacker. That’s called progress. Android 16 doesn't block IMSI catchers with a magic firewall — it flags behaviors like forced cipher downgrades and unauthorized identifier requests. If Stingray operators want to bypass that, they have to sacrifice capabilities,
When will iPhone users get this? (Score:2)
Or does it already have it?