DEV Community

Cover image for OWNED AT THE ANTENNA.The Attack Your VPN Cannot See
 IntSpired®
IntSpired®

Posted on

OWNED AT THE ANTENNA.The Attack Your VPN Cannot See

Mobile communications did not begin as an app economy.

They began as RF engineering.

In 1973 Motorola built the first handheld cellular prototype. It weighed more than a kilogram, had no display, took around 10 hours to recharge and delivered about 35 minutes of talk time. A decade later, that development path led to the DynaTAC 8000X.

It was not a smartphone. It was not a software platform. It was a radio terminal.

Motorola DynaTAC 8000XImage 1: Motorola DynaTAC 8000X, FCC-approved in 1983 and widely recognised as the first commercial handheld mobile phone. This is where the handheld mobile era became real.

Four decades later, by 2012, mobile had crossed a line.

The smartphone was no longer emerging technology. It had become the default personal device of the modern internet era. Global mobile subscriptions had already reached billions. Smartphone sales were accelerating fast. Android and iPhone had reshaped the market. BlackBerry, Nokia and the old feature-phone model were visibly losing ground. Popular Mechanics ranked the smartphone number one in its list of 101 Gadgets That Changed the World, above the TV, the PC, the telephone and the light bulb.

That is why 2012 matters. It was not the year the smartphone began. It was the year the smartphone became normal.

Every security story has a starting point. And in that same year, an IEEE antenna-engineering lecture that most people never saw captured something important: the modern phone was already becoming a dense, multi-radio system.

A smartphone is not just a screen, an operating system and some apps. It is a radio device built around antennas, basebands, SIM identity, carrier signalling, roaming logic and legacy network compatibility. A lot of that sits below the layer most people think of as phone security.

Below the OS. Below the VPN. Below app permissions. Below the lock screen.

The antenna has always been part of the attack surface.

VULNERABILITY 01

You Are Carrying a Radio Array
A modern phone is not one radio. It is a collection of radios.

Cellular. Wi-Fi. Bluetooth. GPS/GNSS. NFC. Ultra-wideband. Multiple LTE and 5G bands. Multiple receive chains. Carrier aggregation. MIMO antenna paths. Roaming logic. Emergency calling logic. Legacy fallback logic.

A 2012 antenna-engineering slide already showed how crowded a phone PCB had become. UWB, RFID, FM, 2G/3G cellular, diversity receive, WLAN, Bluetooth, DVB-H and GPS were all competing for space inside a handheld device. That was 2012.

Mobile-phone PCB showing multiple antenna systems competing for space inside a single handset.Image 2: Mobile-phone PCB showing multiple antenna systems competing for space inside a single handset. Adapted from IEEE AP-S Distinguished Lecture Program, 2012; © IMST GmbH. All rights reserved.

Today the problem is larger.
5G did not reduce the radio surface. It expanded it. More bands. More antennas. More tuning. More baseband logic. More decisions made automatically before the user sees anything.
That matters because your apps are not the first thing talking to the outside world.The modem is.

VULNERABILITY 02

The Downgrade Attack Still Matters
A brand-new 5G phone still has to live in the real world.

Coverage is uneven. Buildings block signal. Underground spaces degrade it. Crowded venues overload networks. Rural areas and roaming environments may still rely on older infrastructure. Even where 2G and 3G are being phased out, many devices and carrier profiles still retain legacy compatibility unless it is explicitly disabled.

That legacy matters.

An attacker does not always need to defeat 5G directly. They can try to move the device away from it.

False base stations and hostile RF environments can exploit the phone's need to maintain service. If stronger modern coverage is denied or degraded, and a weaker legacy path is allowed, the phone may be pushed toward a less secure network generation.

2G/GSM is the obvious risk. It was designed for a different era. It lacks the mutual authentication users expect from modern networks. Its legacy encryption options, including A5/1 and A5/2, have been publicly attacked for years.

The victim does not tap a malicious link. They do not install malware. They do not approve a permission prompt. Their signal bars may look normal.

The attack happens at the radio layer.

VULNERABILITY 03

IMSI Catchers Do Not Need Your Password
An IMSI catcher, also known as a Stingray or cell-site simulator, is a rogue base station.

Its purpose is not to guess your password. Its purpose is to make your phone identify itself.

Mobile networks rely on subscriber identity. Your SIM and device participate in attachment and authentication processes before your apps are involved. A rogue base station attacks that trust boundary. It broadcasts like infrastructure. Your phone evaluates it like infrastructure. Under the wrong conditions, your phone can be persuaded to reveal identifying information or attach to a hostile network environment before you have any meaningful visibility.

This is why a VPN is not the answer here.

A VPN protects IP traffic after connectivity exists. An IMSI catcher targets the cellular identity and radio attachment process before that tunnel matters.

The exposure is not your browser session. The exposure is that your device exists, where it is, and which subscriber identity or device identity it can be linked to.

VULNERABILITY 04

5G Improved Things. Legacy Did Not Disappear.
5G was designed with better subscriber identity protection than previous generations. That is true.

But 5G does not erase LTE. It does not erase roaming. It does not erase carrier implementation gaps. It does not erase fallback behaviour. It does not erase 2G where the device still supports it.

5G identity protection helps on genuine 5G connections. But a 5G-capable device can still be exposed through non-5G paths, especially where downgrade or fallback behaviour is possible.

The security of your 5G phone is not determined only by 5G. It is determined by the weakest network generation your phone is allowed to use, the carrier settings it accepts, the country you are in, the roaming partner you attach to and the RF environment around you.

The device in your hand may be modern. The trust chain around it may not be.

VULNERABILITY 05

SS7: The Network Behind the Network
SS7 is not an app-layer issue. It is not a phone setting. It is part of the signalling world that lets carriers route calls, deliver SMS, manage roaming and locate subscribers across networks. It was designed for a closed telecom environment where operators trusted each other. That assumption did not survive the modern telecom ecosystem.

SS7 weaknesses have been used for location tracking, surveillance and SMS interception. This is why SMS-based two-factor authentication is a weak choice for anything important.

The problem is not only whether your phone is infected. The problem is whether the signalling path delivering your one-time code can be manipulated before the message reaches you.

No malware on the handset. No handset exploit. No notification.

This is not theoretical. In 2017, German banking customers were hit when attackers abused SS7 to redirect SMS transaction codes used for payment approval. And in 2024, the EFF was still warning that SS7 remains a live risk because telecom providers stay connected to it for international roaming, enabling SMS interception and location tracking.

That is legacy telecom trust being abused in a world it was never designed for.

VULNERABILITY 06

Your Body and Environment Change the Radio Conditions
The human body affects antenna performance. That is not speculation. That is RF engineering.

Your hand, head, pocket, bag, car, building, basement or crowded venue can absorb energy, detune antennas, distort radiation patterns and weaken signal quality. The phone then tries to maintain service. It may adjust transmit power. It may change band. It may move cell. It may fall back where fallback is allowed.

Human-Mobile Interaction

The human body affects RF exposure and antenna performance.Image 3: The human body affects RF exposure and antenna performance. Original IntSpired illustration. Concept informed by IEEE AP-S DLP 2012 / IMST GmbH antenna-engineering material.

Most of the time, that is normal radio behaviour. But in a hostile environment, radio conditions can be shaped.

Airports. Hotels. Underground car parks. Conference centres. Border zones. Executive venues. Sensitive meetings. Crowded places where users already expect poor reception.

That is useful cover for RF-layer manipulation.

What To Do

Disable 2G if your device and carrier settings allow it. On newer Android devices this may be exposed directly in network settings. On iPhone, Apple's Lockdown Mode turns off 2G and 3G cellular support, though it is designed for high-risk users and changes other device behaviour too.

Stop using SMS-based two-factor authentication on important accounts. Use an authenticator app, passkey or hardware security key instead.

Use Signal or another properly end-to-end encrypted messenger for sensitive calls and messages. If the transport layer is compromised, content encryption still matters.

Do not treat a VPN as RF-layer protection. A VPN helps with IP traffic after connectivity is established. It does not stop your phone identifying itself to cellular infrastructure before that tunnel exists.

Change your threat model in hostile environments. Conferences, sensitive meetings, border crossings, executive travel, investigative work and high-value business venues all deserve more caution than normal daily use.

Do not treat aeroplane mode as high-assurance RF silence. It is useful for reducing normal radio activity, but it still depends on the device, operating system and radio settings behaving as expected. For higher assurance, power the device off and physically separate it from the sensitive environment.

The Point
2012 was the year the smartphone became normal. The security briefing never came with it.

The world adopted the smartphone as a personal computer, camera, wallet, map, identity layer and communications hub. Underneath, it remained a radio device. A modem. A SIM. A set of antennas. A stack of legacy protocols. A negotiation with whatever network environment surrounds it.

From 2G to 5G, the story is not that everything is broken. The story is that part of the attack surface sits below where most users are looking.

Below the apps. Below the OS. Below the VPN.

The antenna is not just for signal.

The antenna is part of the attack surface.

It always was.

IntSpired® | Offensive Cyber & Wireless Security | UK

We test your defences the way adversaries would, under formal authorisation, to uncover what is actually exploitable.

favicon intspired.co.uk

Top comments (0)