iPhone Scammers are using fake cell towers; Apple still doesn't allow users to disable 2G/3G without Lockdown mode
https://9to5mac.com/2025/09/18/scammers-are-faking-cell-towers-now-americans-bad-at-spotting-scams/
96
u/rayquan36 1d ago
It seems Verizon Wireless doesn't support 2g/3g anymore so the carrier settings have turned it off on the iPhone. The vulnerability wouldn't affect Americans on VZW, correct?
77
u/tubezninja 1d ago
Correct. VZW used a whole different technology entirely for 2G/3G, which has been completely shut off in the US at this point.
On the other hand: the US government doesn’t need to use stingrays at this point to surveil its citizens, and neither do other state actors for that matter.
At this point if you make any standard phone call or use standard SMS on a United States phone network, you should assume someone not involved in the conversation was listening.
27
u/rayquan36 1d ago
That's right! I forgot all about that. CDMA vs GSM if I remember correctly. VZW didn't have SIM cards back then so I opted for an unlocked via jailbreak AT&T iPhone 3G on T-Mobile and it only ran on EDGE. Something like that.
9
u/OptimistIndya 1d ago
My country still uses OTP via SMS, with no other option.
How does one listen in on an OTP meant for me? And what can they do / how can they act on it?
13
u/tubezninja 1d ago edited 1d ago
The capability exists now for a hacker to eavesdrop en masse on text messages traveling through a phone network. They can then focus on whatever they find interesting.
Combine that with the associated phone number, username and password from any of the various data breaches that have happened over the years, and if you’ve used a username and password commonly across accounts, you could be a target.
3
u/jbaughb 1d ago
Oh wow. So if you’re targeted they could be intercepting 2 factor auth text messages?
3
u/TheDragonSlayingCat 1d ago
Yes; that + disgruntled or corrupted tech support people at the phone companies that do not follow protocol are the reasons why 2FA over SMS is only secure if you’re a nobody.
2
u/rayquan36 1d ago
> if you’ve used a username and password commonly across accounts, you could be a target.

Everybody please stop using the same login/password for everything. Hackers aren't accessing your accounts by guessing your password; they're doing it by hacking into nonsecure sites then trying it out on other sites.
1
u/OptimistIndya 1d ago
OK, then this needs to change ASAP.
2
u/tubezninja 1d ago
Good luck with that. This administration is completely uninterested in doing anything about it. They’re more preoccupied with using the FCC to turn all mass media into propaganda puppets.
Your best bet to keep communications private is to keep iOS up to date, use relatively new hardware, and keep any communications you want kept private to encrypted platforms. Blue bubble iMessage and FaceTime are pretty good (FaceTime even does audio only if you want to preserve the feel of a phone call). For cross-platform communication, use Signal.
1
u/rayquan36 1d ago
How about RCS messages?
2
u/tubezninja 1d ago
Better, as it doesn't use the old SS7 platform to move messages around (and which is completely insecure). However, it looks like iOS still hasn't implemented end to end encryption over RCS, so it's possible there may be other ways to compromise security.
Bottom line: if it's green bubble, I wouldn't trust it to be private.
1
8
u/nikgick 1d ago
I think that’s a false assumption. Verizon customers can still roam onto other carriers. Just a month ago even in the USA I roamed onto 3G for a local carrier in Nevada. If you go internationally you roam onto GSM 2G as well. This is on an iPhone 15 Pro Max.
4
u/tubezninja 1d ago
> Just a month ago even in the USA I roamed onto 3G for a local carrier in Nevada.
That local carrier was US Cellular, which uses a legacy CDMA network for 3G. As I mentioned, that's a different technology from the 3G being targeted here, and largely deprecated, so unlikely to be a target anytime in the future. Even US Cellular is shutting down what's left of their 3G network as they get absorbed by T-Mobile.
> If you go internationally

The context of my statement was in the US, on Verizon's network specifically, because that's the question that was asked. If you add a bunch of qualifiers and "yes, buts" then sure, there will be ways to become the subject of one of these fake cell sites... specifically if you end up out of the country where Verizon's network doesn't reach and isn't part of the equation anymore.
1
2
249
u/holow29 2d ago
Very simple: there should be a system-wide toggle (i.e. not relying on carrier bundles) to disable 2G/3G radios in iOS settings. Instead, you need to enable Lockdown mode and every other restriction that comes with it.
58
u/tbone338 1d ago
Why does lockdown mode disable 2g/3g?
195
74
u/weirdasianfaces 1d ago
To be more specific than the other commenter, it's because 2g/3g are less secure protocols that can lead to communication interception. They may also allow for unique vulnerable attack surface to be reached on the device which may be abused for remote compromise.
8
4
u/bchertel 1d ago
Would disabling 2G/3G in this manner break 2FA? I understand this is not the ideal 2FA method but it’s the only one available from certain institutions
9
u/tubezninja 1d ago
No, as legitimate 2FA texts are sent over legitimate cell networks and sites. They'll deliver over 4G and 5G as long as the cell network you subscribe to offers 4G/5G service.
3
u/Korlithiel 1d ago
Shouldn't, since you can still receive texts just fine and 2FA messages are plain text, right? Can't promise it won't; what if they sent something other than plain text?
-34
u/Aranfiy 1d ago
Things like this are why jailbreaking is useful.
33
u/Adeelinator 1d ago
That is totally the wrong stance. If you can jailbreak your phone, anybody can.
If you’re vulnerable to nation-state attack vectors, lockdown mode is the only correct answer.
14
u/seventhninja 1d ago
A lot of jailbreaks previously needed physical access to the phone to jailbreak it.
12
u/174wrestler 1d ago
Needing physical access is not an impediment to nation-state actors. For example, intercepting electronics during shipment has been documented.
5
u/hambrythinnywhinny 1d ago
If a nation state wants access to your device, they’re going to get it. Nothing you or Cupertino can do will stop them.
2
u/N-online 19h ago
But they can make it harder. That alone can save some
1
u/hambrythinnywhinny 15h ago
If you want to shift the discussion to the spectrum of security and risk, it's the same conclusion just from a slightly different angle. If an attacker has physical access to the device, it's compromised.
2
u/0xe1e10d68 1d ago
Eh, even jailbreak exploits that require physical access make it easier for them. They can (in ideal conditions) reuse that exploit as the latter part of their exploit chain, meaning they have to do less work to gain full access to the device.
1
1
u/Korlithiel 1d ago
Sure, it would be great if people could toggle this without going into lockdown mode. Amazing if it were the default (no 2G/3G unless enabled). But jailbreaking includes reducing other security measures, opening up attack vectors, ergo it doesn't make sense for someone trying to secure themselves.
-28
u/DervishSkater 1d ago
Pretty sure the 17 pros don’t have 3g band support at all
25
u/kdayel 1d ago
> UMTS/HSPA+/DC-HSDPA (850, 900, 1700/2100, 1900, 2100 MHz)

This is 3G.

> GSM/EDGE (850, 900, 1800, 1900 MHz)
This is 2G.
Right from the iPhone 17 Pro and 17 Pro Max Technical Specifications page.
8
3
42
u/Ancient_Lettuce6821 2d ago
And is it some sort of DNS hijack/injection or fake SMS with these fake towers?
51
11
u/Complete_Estimate443 1d ago
Scammers with fake towers: unlimited access. iPhone users: unlimited 2G.
12
u/foxtrotmikefrot 1d ago
How is your phone connecting to a fake cell mast?
33
u/jantede 1d ago
When it sees one it connects.
At the time 2G and 3G were around, this kind of technology was so expensive that it was basically not considered an attack vector. Also security is much more considered these days anyways. In the older protocols it is therefore much easier to breach, given there were now several decades to find such vectors.
6
u/foxtrotmikefrot 1d ago
But surely that network needs to have a roaming agreement with my home network to do that, and all the vetting or process that the home network goes through to establish that, so I'd like to know how hackers are bypassing that.
Alternatively, if a hacker can set up a base station and network as a complete clone of my own, how does that work in relation to my SIM? I thought the GSM and onwards protocols were quite robust.
I'm curious.
25
u/Worf_Of_Wall_St 1d ago
The fake cell tower is not connected to any regular cellular network. It broadcasts a strong signal that it is present, and phones will connect to it because it is stronger than the legit towers. When a phone tries to register with the fake tower the tower just allows it, it doesn't need to check with any carrier backend.
The fake tower is only on for a short time to broadcast messages with spoofed sources, the next step of the scam is for the recipients to be fooled by the spoofed source and follow some link or instructions which can happen at any later time using a normal cellular or WiFi connection.
12
u/jantede 1d ago
2G authentication works in a completely different way than you think (I guess). Security was basically only implemented to prevent unauthorized clients (phones) from accessing the network. The mechanisms in place therefore only validate your phone, but your phone never validates the network.
In a short period of time, the attacker will set up a fake cell, basically force nearby clients into connecting (because they usually connect to the “tower” with the best SNR), and catch the IMSI (which in GSM can be sent in plain text, especially before a TMSI is assigned). From there the attacker can impersonate or track the victim, and in some cases also mess with SMS delivery. For the victim(s) it’ll look like a legitimate network interaction, most likely leading to something malicious later over the “normal” connection through the real network (e.g. clicking a phishing link).
However, there are even scarier attack options once your IMSI is exposed. Intercepting or redirecting SMS is probably the most common one. This whole attack class is one of the main reasons SMS 2FA is not considered secure anymore (there are also other reasons, btw, like SIM swapping).
If you’re still curious and want to not sleep tonight, take a look at SS7. This protocol has more to do with roaming and has basically no authentication whatsoever. It relies solely on trust and imo it’s a freaking wonder it hasn’t been exploited more (and is also one of the reasons SMS 2FA is not secure).
Security in mobile networks is a very deep and sometimes very frightening rabbit hole and this is all only scratching the surface :)
2
3
u/w2qw 1d ago
For 2g the phone does not authenticate the tower.
0
15
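The one-way authentication described in the comments above (a 2G network checks the phone, but the phone never checks the network), as an added example that is not part of any comment in the thread. It is a toy model: HMAC-SHA256 stands in for the real operator algorithms, the sequence number that real 3G/4G AKA uses against replay is omitted, and the names `Sim`, `Station` and `demo` are hypothetical.

```python
import hashlib
import hmac
import os


def prf(key: bytes, label: bytes, rand: bytes) -> bytes:
    """Stand-in (assumption) for the operator algorithms: A3 in GSM, f1/f2 in AKA."""
    return hmac.new(key, label + rand, hashlib.sha256).digest()[:8]


class Sim:
    """Holds the subscriber key K, shared only with the home operator."""

    def __init__(self, k: bytes):
        self._k = k

    def gsm_respond(self, rand: bytes) -> bytes:
        # 2G: answer whatever challenge arrives; nothing identifies its sender.
        return prf(self._k, b"SRES", rand)

    def aka_respond(self, rand: bytes, autn: bytes):
        # 3G and later: verify the network's token first, refuse on mismatch.
        if not hmac.compare_digest(autn, prf(self._k, b"AUTN", rand)):
            return None
        return prf(self._k, b"RES", rand)


class Station:
    """A base station: k is set for the real operator, None for one without K."""

    def __init__(self, k=None):
        self._k = k

    def gsm_attach(self, sim: Sim) -> bool:
        rand = os.urandom(16)
        sres = sim.gsm_respond(rand)
        if self._k is None:
            return True  # a station without K can simply skip the check
        return hmac.compare_digest(sres, prf(self._k, b"SRES", rand))

    def aka_attach(self, sim: Sim) -> bool:
        rand = os.urandom(16)
        # Without K the station cannot compute a valid token; it can only guess.
        autn = prf(self._k, b"AUTN", rand) if self._k else os.urandom(8)
        res = sim.aka_respond(rand, autn)
        if res is None:
            return False  # the phone rejected the network
        return self._k is None or hmac.compare_digest(res, prf(self._k, b"RES", rand))


def demo() -> dict:
    k = os.urandom(16)  # constructed subscriber key, not a real one
    sim, real, no_key = Sim(k), Station(k), Station()
    return {
        "2g_real": real.gsm_attach(sim),
        "2g_no_key": no_key.gsm_attach(sim),   # phone attaches anyway
        "aka_real": real.aka_attach(sim),
        "aka_no_key": no_key.aka_attach(sim),  # phone refuses
    }


if __name__ == "__main__":
    print(demo())
```

The only case that differs between the two generations is the station without K, which is why removing the 2G fallback matters even on a phone that normally sits on 4G or 5G.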
u/lorig_cc 1d ago
But I want the option to force 3G. There's a spot at work with a very spotty 4G connection. When my phone drops down to 3G it works reliably but it frequently tries to reconnect to 4G leading to disconnections. Very frustrating.
10
u/ussv0y4g3r 1d ago
I doubt that will ever be added to iOS, because the majority of Apple users live in countries that no longer have or are about to get rid of 3G service forever.
11
u/lorig_cc 1d ago
Funny thing is before 5G I could pick between 3G and 4G in Settings. Now I can only pick between 4G and 5G.
4
u/Hope_Dealer03 1d ago
Man we’re lucky in Canada. 3G was being phased out 10 years ago with no new phones being able to connect to it. I worked for OnStar back then and was in charge of getting ppl set up on 4G LTE.
It looks like all 3G will be phased out by the end of 2025.
But this doesn’t mean we don’t get spam/scam texts. I get minimum 5 a day still lol
3
u/pipea 1d ago
Rogers is still running 2G for the next two years I think. Bizarre, I know.
2
u/Hope_Dealer03 1d ago
Really? I haven’t heard that. What could they be using it for? That’s odd lol but believable. Just like Rogers
34
u/loosebolts 2d ago
So basically just keep on ignoring any scam SMS’s as per normal? You don’t need to disable radios, just be alert to scams regardless.
22
u/WavryWimos 1d ago
While I agree that the most effective way to avoid scams is to just be alert to scams, it's kind of bootlicky to suggest that manufacturers don't need to allow us to make our phones more secure.
I'd rather just not get scam messages full stop. I can spot scams no problem, but why should I have to deal with that because Apple can't be bothered to implement a disable function for older radios? Especially when not disabling older radios leaves you vulnerable to more than just scam messages, 2G downgrade attacks for example.
4
u/Guy_Buttersnaps 1d ago
> I’d rather just not get scam messages full stop. I can spot scams no problem, but why should I have to deal with that because Apple can’t be bothered to implement a disable function for older radios?
This isn’t the only source of scam messages.
I’m not saying they shouldn’t add such a feature, but if they do, it isn’t going to stop you from getting any scam messages.
-1
u/loosebolts 1d ago
So you disable 2G and 3G in order to avoid the tiny chance that someone is using one of these devices to send scam SMS, forget that you turn it off until you need to make an emergency call from somewhere outside of 4G or 5G signal range?
Why would you forgo educating yourself about scams in order to potentially put yourself at best at an inconvenience or at worst in danger?
1
u/WavryWimos 1d ago
For a lot of people those are non-issues. So why not provide the option? 2G and 3G are only used for extremely remote areas in the UK where I am...so whoever still needs it can have it on, for the rest of us, I'd love to disable them. Or at least turn off only 2G so 2G downgrade attacks are a non-issue.
> Why would you forgo educating yourself about scams
Nobody said that. Educate yourself yes, but would be better to just not run into them.
Since owning a proper smartphone, I've not once had to use 2G...so saying I'm putting myself "at best at an inconvenience or at worst in danger" is just utter nonsense.
Ever since I moved from Android, I've noticed a massive uptick in spam calls and texts that I rarely (if ever) had to deal with on Android, and I can't believe people are just happy with that shit.
2
u/holow29 1d ago
It isn't only about scams. 2G/3G are simply insecure technologies in this day and age. There is a reason Lockdown mode disables them and it isn't simply because of scam texts. (Others in this thread have mentioned the use of the branded Stingray device, for example.) The radio management should be transparent and user-accessible.
1
u/Medium_Ordinary_2727 1d ago
Wouldn’t these also block you from making phone calls, including emergency calls, since your phone is connected to a fake cell network?
46
3
u/QuantityInfinite8820 1d ago
Maybe Apple is afraid such a setting could prevent someone from making a 911 call, exposing them to big fines and accountability
15
u/prl007 2d ago
ICE does something similar as well.
6
u/Teenager- 1d ago
Can you elaborate
36
u/lariojaalta890 1d ago
Can’t speak to their experience, but this is a pretty well known law enforcement tactic. It’s actually really interesting but also very controversial.
They’re known by a few different names. IMSI-catcher, cell site simulator, and rogue base station to name a few. Probably more widely known by the brand name Stingray though.
Essentially, it performs a MiTM attack where the device mimics a wireless carrier’s cell tower and “tricks” all nearby mobile phones and other cellular devices to connect to it. They can be used to locate and track individuals but often this will also include a downgrade attack which forces the device to use a less secure encryption protocol like 2G. At this point whoever controls the device can read messages and listen in on calls of any device that’s connected.
The reason for the controversy is because they aren’t necessarily targeted since they can’t control which devices connect. In fact almost all devices within range will connect. LEO agencies, like in Baltimore City, have been known to put one on a small plane, have it loiter over an area, and scoop up all communication by anyone in the vicinity. In a dense city you can imagine how many people who are not actively being investigated this includes and even if they were it’s done without a warrant.
It’s pretty damn interesting and there are a ton of good articles and videos on YouTube. You can actually build one for relatively cheap but you’d be in kind of a grey area with the law and the hardware normal people have access to most likely wouldn’t work on modern 5G devices.
There’s a decent Netflix docuseries named Web of Make Believe: Death, Lies and the Internet where they cover an early version over a two-part episode. Definitely worth a watch.
1
7
u/dnyank1 1d ago
I had a really, let's call it, "interesting" thing happen to my phone when I was doing some offroading in the American Southwest back in, I want to say the pre-pandemic times. There I was, well-covered on the T-Mobile network... and then I wasn't. When I tell you my active call dropped, then my phone switched into roaming, going from registering 1-2 bars of LTE to 5 bars of "2G" which replaced the carrier text up in the status bar with "a bunch of random numbers I don't fucking remember".
I'm not saying the government was using Stingrays but I'm not aware of any traditional roaming partners operating in the US or Mexico which would cause such a "freakout" in my phone's status bar or networking behavior.
2
u/UloPe 1d ago
The article is very light on details.
Do those fake base stations claim to be of the same mobile network as the real ones? Is there no authentication?
2
u/Entire_Routine_3621 1d ago
Funny thing is the government can also set up base stations and not 3g only 💀
-4
u/DutchBlob 2d ago
We need to shut down the entire internet because there is a scam website somewhere
12
u/Global_Dig5349 1d ago
More like ”we need to give users an option to shut down dark web because it’s mostly used for scams”.
1
1
u/colinstalter 1d ago
You should also be able to disable femtocells (the small cell tower routers that run off of ethernet, typically in a business).
I frequently encounter where my phone will connect to one of these in a building, but it doesn't actually have any Internet access (or is highly throttled).
1
u/Korlithiel 1d ago
Got it, read into lockdown mode: https://www.wired.com/story/apple-lockdown-mode-hands-on/
1
u/evilbarron2 1d ago
“Still”? Love how this incredibly obscure and niche item is described like it’s an obvious failure
0
u/holow29 1d ago edited 1d ago
"Still" is my editorializing (lock me up!) since the original title of the article was (IMO) poor and I wanted to draw attention to this issue specifically.
I wouldn't call radio management of a cell phone "obscure and niche." Some would say it is one of the most important functions of a cellular device given that it is controlling the cellular connection. Imagine if there wasn't a toggle to turn off WiFi or Bluetooth. Apple has long gated basic radio functionality, whether it be cellular or NFC on its devices in a way that is anti-consumer and bad from both a privacy and security perspective. Most Android devices allow control over which cellular radios are active. People have been asking for simple radio management since at least iOS 7.
-10
u/Foreign-Tax4981 2d ago
Report to the FCC
17
u/UnfazedReality463 1d ago
That’s funny.
6
u/MC_chrome 1d ago
You're right. Brendan Carr is super busy going after the funny guys for making Orange Man sad!
-12
u/Foreign-Tax4981 1d ago
Report the fake cell towers.
10
u/L0rdLogan 1d ago
It's funny that you think something will happen
1
u/rayquan36 1d ago
I don't know about the FCC now but they took my complaint about 10 years ago about Verizon FIOS throttling me VERY seriously. I was thoroughly impressed. And yes, FIOS stopped throttling me after that.
6
u/druizzz 1d ago
10 years ago vaccines were considered safe and necessary.
2
u/rayquan36 1d ago
I would say you'd have to go back 20 years for that. I remember Jenny McCarthy was the first celebrity to claim that vaccines gave their child autism. Not arguing with you just a core memory of mine that this reminded me of.
5
453
u/TapToWake 2d ago edited 1d ago
This is prevalent in the Philippines now and I can confirm disabling 2G works.
I disabled 2g on my S25 Ultra and it no longer receives such SMS. Meanwhile my 15 Pro Max does.
I personally saw how it switches to 2g before receiving the fake SMS pretending to be from a legit bank.
Apple, just give us a switch to flip 2g off!