It’s easier to do this yourself. How to buy an unused phone? Experts tell us how to protect your smartphone from identity theft 03/07/2024, 08:07

Change settings

The level and nature of modification to the phone depends on the goal that the user sets for himself. There may be two of these globally.

The first is to reduce the amount of data transferred to Google, Apple or other IT companies that collect various information about users for later sale to advertisers. Data collection is carried out by both operating system manufacturers (iOS and Android), smartphone manufacturers and developers of most online services.

The second is to hide information that could be used to identify and reveal the user’s location.

To accomplish the first task, that is, to reduce data transfer to an IT company, it is often enough to change the settings of your smartphone. The fact is that many devices and applications are configured by default to send as much information as possible to IT companies’ servers, from smartphone usage sessions to its location.

For example, in the case of an Android smartphone, it might be a good idea to disable voice command recognition, according to Konstantin Gorbunov, network threats expert and web developer at Code Security.

“This feature allows the device to listen to voice commands and send them to Google servers for processing. That is, with its help, Google can actually legally connect to the device’s microphone remotely and listen to the situation. The expert advises that to disable the function, you need to go to the settings and click “Ok Google” or “Voice It said you need to disable the “control” option.

You can also disable synchronization with your Google account in the settings accordingly. In this case, the American company will no longer be able to receive information about new contacts in the phone book, marks in the calendar and entries in the notebook.

Next, you should check which applications have access to information about your smartphone’s movements (you can find this in the geolocation settings) and disable any suspicious programs. Similar settings are also available on iOS.

NTI SafeNet market expert Igor Bederov, Head of T.Hunter Investigation Department, noted: Disabling these options in the settings interface does not guarantee their actual deactivation, since in the background the smartphone still transfers various information to the servers of Apple, Google and even Russian IT giants.

This can be verified by analyzing outgoing Internet traffic, he said. For more reliable protection in the case of Android, you can use the “pure” Android Open Source Project (AOSP) operating system, in which all kinds of Google utility services are not built into it.

“But you need to be prepared that using such a device will be very inconvenient,” the expert warned.

Avoid base station

According to Bederov, there are also more complex modifications to smartphones that can confuse the digital trace. However, it requires the user to carefully prepare and understand that the scenarios for using the device will be severely limited.

First of all, you need to know about IMEI and its functions. IMEI is a unique identification number assigned by the manufacturer to every device with a cellular network (GSM) connection.

IMEI encrypts information about the phone’s manufacturer, country of origin, and some of its features, as well as its release date and serial number. IMEI is saved in the device’s memory and is indicated on the packaging and in the technical data sheet. Using this identifier, you can determine the location of the cellular base station closest to your smartphone, even if it does not have a SIM card. IMEI can be rewritten, but not on every smartphone.

The next step is to stop using the SIM card. Most modern smartphones boot easily without this. The absence of a SIM card makes it difficult to identify the device in the GSM network, especially if the IMEI is changed regularly. You can use a virtual mobile number to register for online services in the future.

The second stage of creating an “anti-spyware” smartphone is installing an alternative operating system. The most popular Android analogue pre-installed by the manufacturer is the already mentioned AOSP. However, there are other alternatives with a smaller set of pre-installed services that transmit various information to the IT company. These include Ubuntu Touch, Kali NetHunter, GrapheneOS and more.

“Alternative operating systems focus on greater privacy and security for their users. This means they store less user data and it is much more difficult to query that data.

Bederov said that some projects, such as GrapheneOS, were made specifically to increase user privacy.

According to the expert, you need to worry about accessing the internet later. To do this, you can first install a program that will change the real IP address. (A unique identifier is available for each device connected to the Internet. – “socialbites.ca”)and second, get a browser that scrambles the routing of Internet traffic and encrypts it.

“We will finally have a smartphone that produces a minimum number of digital traces. Bederov said that such a device would be difficult to track both on the GSM network and on the Internet.

Simpler does not mean better

According to information security experts interviewed by socialbites.ca, the widespread myth that push-button phones are better protected against surveillance and wiretapping is not true.

“Just because a phone doesn’t have a touchscreen doesn’t mean it doesn’t have access to the internet. In the 2010s, a large number of push-button phones appeared that also had a browser and network access, meaning the same network threats apply to them as modern smartphones, which It was simply adapted to the current operating system at that time,” explained Konstantin Gorbunov from Security Code.

So these phones also have the ability to create a digital footprint on the internet when used to access the global network. They have an IP address, which means they can be identified. In this case, push-button phones are even more vulnerable to surveillance because they are harder to customize at the software level. To protect such devices, you will need to use external security loops, such as a Wi-Fi access point with a pre-installed anonymizer.

“If we talk about push-button phones that do not have access to the network and can only make calls and send SMS, then it will still not be possible to completely hide the digital trace. Cellular operators can store both SMS and data on calls made,” added Gorbunov.

Igor Bederov from T.Hunter reminded that SMS and calls are transmitted via radio waves in the GSM network consisting of base stations of mobile phone operators. At the same time, GSM traffic is much easier to block and decrypt because it is protected by relatively simple and outdated encryption algorithms. However, this does not mean that all conversations are listened to by everyone and all the time.

“This interference is possible only within the framework of operational investigative actions and only with the help of so-called technical means systems aimed at ensuring the functions of operational investigative measures (SORM) built into the infrastructure of cellular operators. Bederov emphasized that interfering with the operation of GSM communications by third parties is prohibited, difficult to implement and may be punished.

At the same time, the expert noted that tools for additional encryption of voice traffic in the GSM network exist, but they are relatively widely used only by security forces and the military. There are also civilian encryptors, such as Rohde & Schwarz’s TopSec Mobile. It’s similar to an old mp3 player that connects to a phone or smartphone via Bluetooth. During a phone call, the gadget additionally encrypts the traffic before sending it to the GSM network.

“In general, in current realities, encrypting voice traffic before sending it to the network is an irrelevant and unnecessary task. If the task is to have a private conversation, it is much easier to use a smartphone and make an encrypted Internet call. There are many applications and services for this purpose. “In addition, even if the attackers use classic telephone conversations, they are encrypted not by technical means, but by using foreign languages ​​and special expressions,” Bederov said.

letter of law

A smartphone or phone replacement will help achieve the desired anonymity, but it is also important not to forget to comply with the law. Speaking to socialbites.ca, Vladimir Shalaev, a partner at the Law Group, said that using additional tools to encrypt voice traffic in the GSM network, for example, could be illegal. The fact is that a modified mobile phone can be legally classified as an uncertified means of communication, and their use is considered an administrative offense.

“According to clause 13.6. The Code of Administrative Offenses of the Russian Federation requires the imposition of a fine on citizens in the amount of 3 to 5 thousand rubles for the use of an uncertified means of communication. whether or not the device is confiscated. For officials – from 15 to 30 thousand rubles. For legal entities – from 60 to 300 thousand rubles,” Shalaev warned.

In response, Igor Bederov stated that changing the IMEI of a phone, even using publicly available software solutions, violates the laws of many countries, including Russia.

“Changing the IMEI phone number in Russia is a criminal offense according to Article 138.1 of the Criminal Code of the Russian Federation. This could entail criminal liability in the form of a fine or imprisonment of up to 3 years, the expert said.

Olga Zakharova, head of the DRC law firm’s personal data protection practice, added that the creation of modified communication tools and their use in criminal activities can bring a person under Article 273 of the Criminal Code of the Russian Federation “Creation, use”. and distribution of malicious computer programs.” The maximum penalty is up to four years’ imprisonment.