Wireless and Mobile Network Attacks: Phreaking, SIM Swap, NFC and QR
Phone phreaking history through Captain Crunch's 2600 Hz whistle to modern IMSI catchers, vishing and CLI spoofing, Wi-Fi MITM on Indian airport SSIDs, SIM swap fraud under the TRAI 24-hour cool-off, NFC cloning with Flipper Zero and Proxmark, and QRJacking against UPI counters.
Wireless and mobile network attacks exploit authentication gaps across the full protocol stack, from in-band tone signalling on 1970s analogue trunks to NFC relay attacks on contactless payment cards and QR-code substitution at UPI merchant counters. The core attack class is impersonation: the attacker claims an identity the victim's device or the target institution is configured to trust, then converts that trust into an unauthorised transaction. In the Indian regulatory context, TRAI's 24-hour OTP cool-off after a SIM swap and RBI's bank-side friction requirements are the two highest-leverage defensive controls against the dominant fraud pattern. Forensic investigation of these cases combines CDR analysis, UPI transaction logs, CCTV correlation, and device imaging to reconstruct the social-engineering and technical steps.
Mobile network attacks span more than five decades of protocol evolution, from John Draper's 2600 Hz tone exploit on AT&T trunks in 1971 to SIM-swap-enabled account drains on Jio and Airtel today. The underlying pattern is consistent: locate a layer where authentication is structurally weaker than the participant trusts, present a credible impersonation, and convert that trust into an unauthorised transaction. The physics changed across generations (PSTN in-band tones, GSM signalling, LTE Diameter, 5G slice identifiers), but the exploitation logic did not.
Key takeaways
- Phone phreaking began in 1971 when John Draper discovered that a 2600 Hz tone from a cereal-box toy whistle could seize a trunk line, establishing the principle that in-band signalling is forgeable, a principle that still underlies modern SIM-swap fraud.
- TRAI's 24-hour cool-off rule requires a waiting period before a ported SIM can be activated, directly targeting the SIM-swap playbook where a fraudster ports the victim's number and drains the account before the victim notices.
- IMSI catchers force 4G devices to downgrade to 2G by broadcasting a stronger base-station signal, exploiting the fact that 2G GSM does not require the network to authenticate itself to the device.
- NFC card cloning tools such as Flipper Zero and Proxmark can read contactless payment card data at close range, and the cloned data can be replayed to execute low-value transactions that do not require a PIN.
- QR code fraud dominates Indian high-street complaint filings because the merchant-facing QR code is trivially replaceable with one that redirects payments to the attacker's account, with no technical barrier to the swap.
This topic covers the wireless and mobile attack surface. The arc runs from phone phreaking and call tampering through Wi-Fi man-in-the-middle attacks on Indian public networks, WEP and WPA recaps from the mobile client perspective, fake hotspots at airports and metro stations, IMSI catchers and the 4G to 2G downgrade, the SIM swap playbook under TRAI's 24-hour cool-off rule, NFC card cloning with Flipper Zero and Proxmark, and the QR fraud variants that dominate Indian high-street complaint filings. Cross-link references run to wireless network attacks (WEP/WPA/WPA3), mobile phone forensics, digital first responder and the chain of custody primer.
By the end of this topic you will be able to:
- Trace the technical principle connecting 1971 phone phreaking to modern SIM-swap fraud, identifying in-band signalling as the common vulnerability.
- Explain how an IMSI catcher forces a 4G device to downgrade to 2G GSM and why the downgrade enables SMS interception.
- Describe the five-step SIM-swap playbook and identify the role of TRAI's 24-hour OTP cool-off as the critical defensive window.
- Distinguish NFC cloning (MIFARE Classic key recovery), relay attacks, and malicious NFC tag overlays as separate attack classes with different forensic artefacts.
- Identify the QRJacking pattern at UPI counters and enumerate the legal provisions under which cyber cells in India charge perpetrators.
- Phreaking: Tone-based exploitation of the public switched telephone network, pioneered in the 1960s and 1970s. The 2600 Hz tone, generated by a toy whistle from a Cap'n Crunch cereal box, disconnected billing on AT&T trunks while keeping the call up. The modern descendant is signalling-layer abuse on SS7 and Diameter.
- CLI spoofing: Caller Line Identification spoofing, in which the caller forges the Calling Party Number sent in the SS7 IAM or SIP From header so the receiver's phone displays a chosen number. Used in vishing scams that impersonate TRAI, DoT, banks or police.
- IMSI catcher: A rogue base station (commercial: Stingray, Hailstorm, KingFisher; research: USRP plus srsRAN or YateBTS) that impersonates a cellular cell, forces nearby phones to attach, and logs the IMSI and IMEI. Often paired with a forced downgrade from 4G or 5G to 2G GSM.
- SIM swap: Fraud pattern where the attacker convinces the telco to port the victim's MSISDN to a SIM the attacker holds. Once active, the new SIM receives all SMS OTPs, letting the attacker reset banking, wallet and email credentials. TRAI mandates a 24-hour OTP cool-off after any SIM swap.
- QRJacking: Physical replacement or overlay of a legitimate merchant QR (typically a UPI QR at a shop counter) with a fraudster's QR pointing to the attacker's VPA. Customers scan the wrong code and the funds settle to the attacker; the merchant only notices at end-of-day reconciliation.
- TRAI 24-hour cool-off: Telecom Regulatory Authority of India directive (2018 and tightened thereafter) requiring that after a SIM swap the new SIM cannot be used for OTP-bearing transactions for 24 hours. The window forces the rightful subscriber to notice the original SIM going silent and dispute the swap before financial fraud completes.
Phreaking, vishing and the long history of trusting a phone line
Phone phreaking is the historical root of every mobile network attack in the forensic examiner's casebook. John Draper, working under the handle Captain Crunch, discovered in 1971 that the plastic toy whistle packaged in Cap'n Crunch cereal produced a clean 2600 Hz tone. AT&T's analogue long-distance trunks used 2600 Hz as the in-band supervisory signal that meant "this trunk is idle". A phreaker who dialled a long-distance number, waited for the call to connect, then blew the whistle into the handset, dropped the trunk's billing state while keeping the voice path up. The next dialled digits, sent as multi-frequency MF tones from a blue box, set up a free call to anywhere on the network.
Three generations of boxes mattered. The blue box generated MF tones for free long-distance. The black box, on the called side, fooled the local exchange into never billing the caller. The red box generated the coin-deposit tones a payphone used to signal that a quarter had been inserted, so the payphone counted phantom coins. Steve Wozniak and Steve Jobs sold blue boxes at Berkeley before they founded Apple. The arc closed in 1980 when AT&T moved supervisory signalling out of band onto Common Channel Signalling System 7, ending the in-band attack class.
The modern descendant of phreaking is signalling-layer abuse on SS7 and Diameter. The attacker no longer whistles into a handset; the attacker rents an SS7 global title from a complicit carrier and sends crafted MAP messages to redirect SMS or query subscriber location. The economics are very different (the rental costs four figures a month rather than a cereal-box toy) and the targets are very different (a high-value mark rather than a free overseas call), but the trust model is the same: the telephone signalling layer assumes any participant is who they claim to be.
CLI spoofing is the practical attack at the voice layer today. A VoIP provider that does not enforce its trunk's right to claim a number lets a customer set any Calling Party Number on outbound SIP INVITEs. The receiving carrier's signalling pipeline passes that number forward to the receiver's phone unchanged. The result is a call that displays "+91 011 2334 XXXX TRAI Delhi" on the recipient's screen while originating from a Telegram-bot-driven call centre operating out of a shared room. Indian victims, especially older subscribers, have been talked through "your number is being disconnected for SIM misuse" scripts that end in OTP disclosure or in TeamViewer install on a desktop. TRAI itself does not call subscribers; the legitimate TRAI domain runs only outbound messages from authorised header IDs on the DLT (Distributed Ledger Technology) registry. NCRB's 2023 crime in India bulletin recorded a sharp rise in vishing-driven cheating cases under IT Act Section 66D, with Karnataka, Maharashtra, Telangana and Delhi as the high-volume states.
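The control the paragraph names, a VoIP provider enforcing a trunk's right to claim a number, is a small policy check on the SIP From header before the INVITE leaves the carrier. The code below is an added illustration, not part of this page or any named provider's software; the trunk ids, number prefixes, host names and the sample INVITE are all constructed.

```python
import re
from typing import Optional, Tuple

# Constructed allowlist of E.164 prefixes each trunk is entitled to present as its
# Calling Party Number. Trunk ids and prefixes are hypothetical; in production this
# comes from the carrier's number-assignment records.
TRUNK_NUMBER_RIGHTS = {
    "trunk-bpo-01": ["+9180"],   # hypothetical: a Bengaluru DID block
    "trunk-guest": [],           # hypothetical: a trunk with no right to claim any number
}

# Matches the user part of a SIP URI in the From header: <sip:+91...@host>
FROM_URI_RE = re.compile(r"<sip:\+?([0-9]{6,15})@")

def from_number(invite: str) -> Optional[str]:
    """Return the E.164-style number carried in the From header of a SIP INVITE, or None."""
    for line in invite.splitlines():
        if line.lower().startswith("from:"):
            m = FROM_URI_RE.search(line)
            return "+" + m.group(1) if m else None
    return None

def invite_allowed(trunk_id: str, invite: str) -> Tuple[bool, str]:
    """Decide whether this trunk may present the From number it carries."""
    num = from_number(invite)
    if num is None:
        return False, "From header carries no parseable number"
    rights = TRUNK_NUMBER_RIGHTS.get(trunk_id, [])
    if any(num.startswith(prefix) for prefix in rights):
        return True, f"{num} is within the trunk's assigned range"
    return False, f"{num} is outside the trunk's assigned range; reject or rewrite CLI"

# Constructed INVITE: the display name and number imitate the vishing pattern described
# above, but the host, IP address and numbers are documentation/reserved values.
SPOOFED_INVITE = """INVITE sip:+919876543210@carrier.example SIP/2.0
Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK776asdhds
From: "TRAI Delhi" <sip:+911123345678@203.0.113.5>;tag=1928301774
To: <sip:+919876543210@carrier.example>
Call-ID: a84b4c76e66710@203.0.113.5
CSeq: 314159 INVITE
"""

# Same call, but the From number sits inside the range the trunk actually owns.
LEGIT_INVITE = SPOOFED_INVITE.replace(
    '"TRAI Delhi" <sip:+911123345678@', '"Support Desk" <sip:+918012345678@')

if __name__ == "__main__":
    for label, inv in (("spoofed", SPOOFED_INVITE), ("legit", LEGIT_INVITE)):
        print(label, invite_allowed("trunk-bpo-01", inv))
```

The check is deliberately prefix-based: a trunk that owns a DID block may present any number in that block, and nothing else. A carrier that applies it at the signalling edge never forwards the forged "TRAI Delhi" number to the receiving network, which is exactly the gap the vishing crews exploit.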
Wi-Fi MITM on a public airport SSID: a walkthrough
The man-in-the-middle attack on public Wi-Fi requires three elements: an open or weakly-shared-key SSID shared by multiple clients, a host on the same broadcast domain, and a tool capable of rewriting Layer 2 forwarding. The sequence below is reconstructed from a 2024 red-team exercise at an Indian Tier-1 airport's airside lounge, conducted under carrier consent on a closed test SSID, with names and MACs redacted.
The attacker's laptop joined the lounge's open SSID and ran arp-scan -l to enumerate active hosts on the /24. Five mobile clients and one printer were visible. The attacker ran bettercap -iface wlan0 and used the arp.spoof module to spoof the gateway MAC on the target client and the client MAC on the gateway, inserting the laptop between them at the ARP layer. net.sniff on plus https.proxy on brought the SSL stripping module up. From this point any HTTP request from the target client transited the attacker; any HTTPS request to a site without HSTS preload was downgraded by the proxy to HTTP and the response stripped of https:// URLs in anchors. Most legitimate banking sites are HSTS preloaded, but the auxiliary OAuth and tracker domains are not, and the user's session cookies on cross-domain hits were captured intact.
- Join open SSID, enumerate the segment: arp-scan -l on the connected interface lists every responsive host on the broadcast domain. The gateway, the DHCP server, and every active client appear with MAC and vendor. Filters down to interesting clients (phones, laptops) within seconds.
- Insert at the ARP layer with bettercap: arp.spoof.targets and arp.spoof.fullduplex on send gratuitous ARP frames that tell the target the gateway lives at the attacker's MAC and tell the gateway the target lives at the attacker's MAC. The Layer-2 forwarding table now routes both directions through the attacker.
- Strip TLS where possible, log where not: https.proxy on rewrites HTTP responses to strip https:// URLs, downgrading any non-HSTS-preloaded site to plain HTTP for the client. HSTS-preloaded domains (banking, large SaaS) resist downgrade; cookies on third-party trackers and auxiliary OAuth flows usually do not.
- Inject a malicious payload only against authorised targets: on a red team the inject phase is limited and scoped. A real attacker would push a JavaScript keylogger into any HTTP response or rewrite a download URL to a trojan installer. The forensic value of this step is the artefact pattern it leaves on the victim device.
- Tear down cleanly, stop arp.spoof, then disassociate: stopping arp.spoof.fullduplex restores the legitimate ARP entries within the OS cache timeout. A clean tear-down leaves the segment as it was; a sloppy tear-down leaves stale ARP entries that an examiner can correlate with the laptop's MAC.
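The walkthrough above leaves a distinctive trace on the segment: one MAC answering ARP for both the gateway and the target, and a stream of gratuitous replies keeping the caches poisoned. The detection below is an added example written for this page, not code from the exercise or from bettercap; the baseline mapping and the ARP reply log are constructed, using reserved documentation addresses.

```python
from collections import defaultdict

# Constructed baseline of the segment as seen before the attack: the gateway's real MAC
# and the target client's real MAC. Addresses are reserved documentation values.
BASELINE = {
    "192.0.2.1": "02:00:00:00:00:01",    # gateway
    "192.0.2.23": "02:00:00:00:00:23",   # target phone
}

# Constructed ARP reply log: (timestamp_seconds, sender_ip, sender_mac). From t=101.0 a
# third MAC (02:...:99) answers for both the gateway and the client, in quick succession.
ARP_LOG = [
    (100.0, "192.0.2.1", "02:00:00:00:00:01"),
    (100.5, "192.0.2.23", "02:00:00:00:00:23"),
    (101.0, "192.0.2.1", "02:00:00:00:00:99"),
    (101.1, "192.0.2.23", "02:00:00:00:00:99"),
    (101.2, "192.0.2.1", "02:00:00:00:00:99"),
    (101.3, "192.0.2.1", "02:00:00:00:00:99"),
    (101.4, "192.0.2.1", "02:00:00:00:00:99"),
]

def detect_arp_spoof(log, baseline, window=1.0, storm_threshold=3):
    """Return a list of (kind, ip, mac) alerts.

    'conflict': an IP in the baseline was claimed by a MAC other than its known one.
    'storm':    the same (ip, mac) claim repeated storm_threshold or more times inside
                `window` seconds, the signature of repeated gratuitous replies.
    """
    alerts = []
    claims = defaultdict(list)
    for ts, ip, mac in log:
        claims[(ip, mac)].append(ts)
        if ip in baseline and mac != baseline[ip] and ("conflict", ip, mac) not in alerts:
            alerts.append(("conflict", ip, mac))
    for (ip, mac), stamps in claims.items():
        stamps.sort()
        for i in range(len(stamps)):
            inside = sum(1 for t in stamps[i:] if t - stamps[i] <= window)
            if inside >= storm_threshold:
                alerts.append(("storm", ip, mac))
                break
    return alerts

def mitm_candidates(log, baseline):
    """MACs that impersonated two or more baseline hosts: the full-duplex ARP MITM shape."""
    per_mac = defaultdict(set)
    for kind, ip, mac in detect_arp_spoof(log, baseline):
        if kind == "conflict":
            per_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in per_mac.items() if len(ips) >= 2}

if __name__ == "__main__":
    for alert in detect_arp_spoof(ARP_LOG, BASELINE):
        print(alert)
    print("MITM candidates:", mitm_candidates(ARP_LOG, BASELINE))
```

A single conflict can be a DHCP lease reassignment or a replaced NIC; the same foreign MAC claiming both the gateway and a client is the full-duplex shape the walkthrough describes, and the MAC it names is what an examiner correlates with the seized laptop.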
The Indian anchor is the Karnataka State Cyber Crime Police Station's 2023 case file against a duo who ran exactly this attack from a parked car in Bengaluru's HAL Old Airport Road commercial district, lifting Razorpay merchant credentials from a small business owner connected to a café SSID. The case was filed under IT Act Sections 43, 66 and 66C, and CDR analysis from the connected café's CCTV plus telco tower data placed both accused at the location during the capture window. The cross-link to chain of custody covers how the seized laptops were imaged and transported.
Three MITM variants ride alongside ARP spoofing on a phone's Wi-Fi. Malicious VPN apps (the CamScanner Necro trojan from 2019, the SuperVPN credential-harvesting saga of 2020) reroute every flow through an attacker-controlled gateway, with the user's express permission to do so. Rogue base stations (the cellular IMSI-catcher angle) move the attack one layer down to the radio. Captive portals on fake hotspots collect credentials before any IP traffic is generated. The next sections take each in turn.
Fake hotspots, WEP and WPA recaps from the mobile client side
The fake hotspot pattern has a stable shape across Indian airports, metro stations, malls and cafés. A portable AP (Wi-Fi Pineapple, a flashed OpenWrt mini-router, or a laptop running hostapd) broadcasts the venue's SSID at higher transmit power than the venue's real AP. Phones with that SSID in their saved networks auto-associate. The first HTTP request triggers a captive portal that imitates the venue branding and asks for a phone number, an OTP, or a "verify your bank account to enable free Wi-Fi" prompt. Credentials harvested are sold downstream to SIM-swap and UPI-fraud crews. CERT-In's late-2024 wireless advisory named sustained campaigns at Delhi Metro, Bengaluru Metro and Hyderabad Metro stations with this exact pattern.
From the mobile client's perspective, the WEP and WPA layers below the hotspot matter mostly because of legacy exposure. Cafés and shops that still run a 2010-vintage Linksys WRT54G on WEP let any examiner with aircrack-ng recover the 104-bit key in under 15 minutes (the full walkthrough lives at wireless network attacks). Once the WEP key is recovered, the attacker is a normal client on the LAN and runs the same ARP-spoofing attack as in the airport walkthrough above. WPA2-PSK with a weak passphrase is recovered offline against a captured 4-way handshake or PMKID using hashcat -m 22000. WPA-TKIP is functionally obsolete; the Beck-Tews attack of 2008 exploited TKIP's MIC countermeasure, which rekeys the session if two bad MIC codes arrive within 60 seconds, requiring the attacker to space guesses at least 60 seconds apart; the full attack takes approximately 12-15 minutes.
| Wi-Fi layer | Attack against mobile client | Indian exposure | Mitigation on the phone |
|---|---|---|---|
| Open SSID, no encryption | Passive sniffing, ARP-spoof MITM, captive-portal phish | High: every airport, metro, café free Wi-Fi | Avoid auto-join, treat any portal asking for OTP as hostile, use VPN |
| WEP | RC4 IV reuse, key recovered in 15 minutes | Long-tail residual on legacy retail and clinic routers | Phone cannot defend; do not connect; report router to owner |
| WPA / WPA2-PSK weak | Handshake or PMKID capture plus offline dictionary attack | Common on residential and small-business APs | Strong PSK is the operator's job; phone cannot enforce |
| WPA2 with KRACK-vulnerable client | Replay of message 3 forces key reinstall, plaintext recovery | Almost gone: patched in OS updates since late 2017 | Keep Android, iOS, ChromeOS and wpa_supplicant patched |
| Evil twin on any SSID | Same SSID, stronger signal, auto-associate, captive portal phish | High at Indian Tier-1 airports and metros per CERT-In 2024 | Disable auto-join, forget public networks, use mobile data when uncertain |
| Enterprise WPA2-Enterprise without cert pinning | eaphammer / hostapd-wpe relay, MSCHAPv2 hash capture | Documented in 2024 Mumbai BFSI red-team exercise | EAP-TLS with strict server-cert validation; pin the corporate CA |
The Wireless Public Key Infrastructure angle is short. Enterprise-grade WLAN uses 802.1X with an EAP method, ideally EAP-TLS, against a RADIUS server. The client presents a certificate the corporate CA issued; the server presents a certificate the client is configured to trust against a pinned CA fingerprint. There is no shared password, so a captive-portal phish or a PSK-handshake capture does not apply. The failure mode in Indian deployments is clients (especially BYOD Android handsets) that do not validate the server certificate, which lets a rogue AP using eaphammer accept any client credential and replay it. CFSL Hyderabad and similar labs test EAP-TLS configuration on laptops and phones as a standard practical exercise.
WLAN hardening for an Indian small-office deployment is short and actionable: WPA3-Personal if every client supports it (Android 10+, iOS 13+, Windows 10 1903+); WPA3 transition mode if some clients are older; a PSK of 16+ random characters generated by a password manager; WPS disabled in the router admin UI; the admin password changed from the vendor default; and firmware patched to a release dated after mid-2019 (Dragonblood mitigations). The router should not advertise its SSID in a hidden state (hidden SSIDs are not a security control), and MAC filtering is not a security control either.
IMSI catchers, 4G to 2G downgrade and Diameter abuse
IMSI catchers are the cellular equivalent of the rogue AP. The device impersonates a base station: it broadcasts a Mobile Country Code and Mobile Network Code that match a real operator (404 for Bharti Airtel, 405 for Reliance Jio, 405 for BSNL among others, allocated by the ITU) plus a Location Area Code that nearby phones consider plausible, at a transmit power higher than the legitimate cell at the spot. Phones in the area perform a routine cell re-selection and attach to the rogue cell. The first message in a GSM attach exchange carries the IMSI in clear; the catcher logs it, then either releases the phone back to the real network or holds the attach for surveillance.
The 4G to 2G downgrade is the practical lever the IMSI catcher needs against modern phones. LTE includes mutual authentication: the network authenticates the SIM with EPS-AKA and the SIM authenticates the network with the same exchange, so a rogue LTE cell cannot trivially impersonate the operator. GSM (2G) does not authenticate the network at all; the SIM authenticates to the network with a single challenge-response in COMP128, but the network sends no proof of its own identity. A catcher that advertises 2G at a strong signal and refuses or jams the LTE bands causes the phone to fall back, at which point the catcher is fully trusted. From 2G the catcher reads SMS in transit, listens to A5/1-encrypted voice (A5/1 is broken; A5/2 was withdrawn in 2007), and bounces calls through itself.
5G slice spoofing is the emerging variant. 5G stand-alone networks segment the radio into slices (eMBB for consumer broadband, URLLC for low-latency industrial, mMTC for massive IoT). A misconfigured operator core that does not authenticate the slice identifier sent in the Registration Request lets a malicious UE claim a privileged slice and receive routing it should not. The risk is operator-side rather than consumer-facing in current Indian 5G deployments, but the research is moving fast and CFSL Hyderabad has started fielding 5G-specific training for examiners.

Diameter is SS7's successor on the LTE control plane. The protocol carries authentication, billing and policy between operator nodes. Diameter inherited the SS7 trust model in which any participant on the inter-operator network is implicitly trusted to make legitimate requests, which is why operator-side Diameter firewalls and signalling-edge filtering became a regulatory expectation after the 2017 wave of European SS7 fraud reports. Indian operators run Diameter edge filters under DoT guidance, but cross-border roaming routes still surface advisories where a small foreign operator's lax filtering is the entry point.
The forensic artefact a user can observe is small but real: the phone's status bar dropping to 2G or E for an extended period in a location with normal LTE coverage. The status bar drop is the single most reliable IMSI catcher tell available to a non-specialist. Apps like SnoopSnitch (Android, root preferred) and CellularPrivacy AIMSICD log cell tower IDs, BCCH frequencies and unusual paging behaviour and flag suspicious patterns; both are imperfect but useful for survey work.
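The two tells the paragraph names, a sustained drop to 2G where LTE is normal and a cell ID nobody has logged before, combine into a simple survey heuristic. The code below is an added example written for this page, not SnoopSnitch or AIMSICD logic; the cell identifiers, baseline and observation log are constructed and the MCC/MNC/LAC/CID values are illustrative rather than any operator's real plan.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

@dataclass
class CellObs:
    ts: int       # seconds since survey start
    rat: str      # radio access technology: "LTE" or "GSM"
    mcc: int
    mnc: int
    lac: int      # LAC on GSM, TAC on LTE
    cid: int      # cell identity
    rssi: int     # dBm as reported by the modem

CellKey = Tuple[int, int, int, int]

# Constructed baseline: cells logged at this spot on previous, uneventful surveys.
KNOWN_CELLS: Set[CellKey] = {(404, 99, 1234, 56789), (404, 99, 1234, 56790)}

# Constructed survey: LTE at normal strength, then a GSM cell nobody has seen before
# appears far stronger than LTE and the phone stays on it for minutes.
OBS = [
    CellObs(0, "LTE", 404, 99, 1234, 56789, -90),
    CellObs(30, "LTE", 404, 99, 1234, 56790, -88),
    CellObs(60, "GSM", 404, 99, 7777, 99999, -55),
    CellObs(120, "GSM", 404, 99, 7777, 99999, -54),
    CellObs(180, "GSM", 404, 99, 7777, 99999, -53),
    CellObs(240, "GSM", 404, 99, 7777, 99999, -55),
]

def flag_suspect_cells(obs: List[CellObs], known: Set[CellKey],
                       min_hold_secs: int = 120, rssi_jump_db: int = 20) -> List[dict]:
    """Flag GSM cells that are unknown, or much stronger than the LTE cell just seen,
    once the phone has stayed camped on them for min_hold_secs."""
    findings: List[dict] = []
    last_lte_rssi = None
    hold_start, hold_cell = None, None
    for o in sorted(obs, key=lambda x: x.ts):
        key = (o.mcc, o.mnc, o.lac, o.cid)
        if o.rat != "GSM":
            # Back on LTE: remember its strength and reset the 2G hold timer.
            last_lte_rssi = o.rssi
            hold_start, hold_cell = None, None
            continue
        unknown = key not in known
        jump = (o.rssi - last_lte_rssi) if last_lte_rssi is not None else 0
        if not (unknown or jump >= rssi_jump_db):
            # A known 2G cell at ordinary strength is plain coverage fallback, not a tell.
            hold_start, hold_cell = None, None
            continue
        if hold_cell != key:
            hold_start, hold_cell = o.ts, key
        held = o.ts - hold_start
        if held >= min_hold_secs and not any(f["cell"] == key for f in findings):
            findings.append({"cell": key, "unknown_cell": unknown,
                             "stronger_than_lte_by_db": jump, "held_secs": held})
    return findings

if __name__ == "__main__":
    for f in flag_suspect_cells(OBS, KNOWN_CELLS):
        print(f)
```

The hold-time threshold is what separates a catcher from a momentary coverage dip: a phone bouncing to E for ten seconds at a lift door is noise, but a never-before-seen 2G cell that is 30 dB stronger than the local LTE and keeps the phone for minutes is worth a site survey.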
SIM swap: the TRAI 24-hour cool-off and where the playbook still works
SIM swap fraud is the highest-loss mobile attack category in current Indian crime statistics. RBI's 2023 banking fraud bulletin attributed losses in the hundreds of crores to SIM-swap-enabled account takeovers, with public sector banks taking the largest exposure because of lower friction in legacy banking flows. The mechanics are mostly social engineering against the telco's customer service layer rather than radio-layer cryptography.
- Step 1: KYC harvest: The attacker sources the target's KYC documents (Aadhaar copy, PAN, driving licence) from a phishing site, a leaked database, or a corrupt insider at a small KYC vendor. The target's MSISDN, full name, parent's name and last billed amount are valuable; the attacker only needs enough to satisfy a customer-service script.
- Step 2: Loss claim to telco: The attacker calls the telco IVR or walks into a reseller posing as the customer, claims the SIM is lost or damaged, and requests a replacement. Aadhaar-based eKYC since 2017 is supposed to require biometric verification at the port; small resellers and informal points-of-sale have been documented bending or skipping this step.
- Step 3: SIM activation flip: Once the telco approves, the old SIM goes inactive within an hour or two. The new SIM, in the attacker's phone, attaches to the network and starts receiving the victim's voice and SMS. The victim sees a sudden loss of signal on a working phone, which is the one chance to notice the swap.
- Step 4: TRAI 24-hour cool-off: TRAI's 2018 mandate (tightened in 2019 and 2022) requires that for 24 hours after a SIM swap, OTP-bearing transactions on the MSISDN are blocked. The window is the rightful subscriber's chance to call the telco, prove identity, and dispute the swap before banking-grade authentication reactivates on the new SIM.
- Step 5: Account drain after cool-off: If the cool-off expires without dispute, the attacker initiates banking password resets, UPI device re-bindings and email account recoveries. SMS OTPs land on the new SIM in the attacker's phone. The drain typically completes within hours after the cool-off lifts, with funds layered through mule accounts and routed to cash-out points (UPI to wallet to e-commerce voucher is a common laundering chain in Indian filings).
The TRAI cool-off is the highest-leverage defensive control in the chain. RBI's December 2022 master direction on digital banking security further required banks to apply additional friction (step-up authentication, fresh device binding, transaction velocity limits) for the first 24 to 72 hours after any registered mobile number change on file. Banks that implemented the friction (HDFC, ICICI, Axis among the early movers) cut their SIM-swap-attributable losses sharply; banks that treated the SMS OTP on the new SIM as sufficient continued to lose. Public sector bank losses in 2023 remained elevated for exactly this reason.
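The two windows the playbook and this paragraph describe, the TRAI 24-hour OTP cool-off and the bank's own 24 to 72 hour friction period after a mobile number change, fit together as one decision function in front of any SMS-OTP-authenticated transaction. The block below is an added example for this page, not any bank's or telco's code; it assumes the bank receives a SIM-change timestamp from the telco (a feed the page does not describe), and the amount and velocity thresholds are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Windows taken from the page: TRAI's 24-hour OTP cool-off after a SIM swap, and the
# RBI-driven bank-side friction window of 24 to 72 hours after a mobile number change.
TRAI_COOL_OFF = timedelta(hours=24)
BANK_FRICTION = timedelta(hours=72)

@dataclass
class SubscriberState:
    last_sim_swap: Optional[datetime]            # assumed: supplied by the telco's SIM-change feed
    last_mobile_number_change: Optional[datetime]  # bank's own record of number-on-file changes
    device_freshly_bound: bool                   # customer re-bound this device with step-up auth
    txns_last_24h: int                           # OTP-bearing transactions already done today

@dataclass
class FrictionPolicy:
    amount_limit_inr: int = 10_000   # hypothetical thresholds applied only inside the friction window
    velocity_limit: int = 3

def otp_transaction_decision(now: datetime, s: SubscriberState, amount_inr: int,
                             policy: FrictionPolicy = FrictionPolicy()) -> Tuple[str, str]:
    """Return ('block' | 'step_up' | 'allow', reason) for an SMS-OTP-authenticated transaction."""
    # Hard block: TRAI cool-off. The new SIM may receive the OTP, but it must not count.
    if s.last_sim_swap is not None and now - s.last_sim_swap < TRAI_COOL_OFF:
        return "block", "inside TRAI 24h OTP cool-off after SIM swap"
    in_friction = (s.last_mobile_number_change is not None
                   and now - s.last_mobile_number_change < BANK_FRICTION)
    # Bank-side friction: SMS OTP alone is not enough on a recently changed number.
    if in_friction and not s.device_freshly_bound:
        return "step_up", "number changed within 72h; require fresh device binding"
    if in_friction and (amount_inr > policy.amount_limit_inr
                        or s.txns_last_24h >= policy.velocity_limit):
        return "step_up", "amount or velocity limit exceeded in post-change friction window"
    return "allow", "no recent SIM swap or number change"

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)   # constructed reference time

def state_hours_ago(swap_h, change_h, bound, txns):
    """Build a SubscriberState whose events happened the given hours before NOW (None = never)."""
    ago = lambda h: None if h is None else NOW - timedelta(hours=h)
    return SubscriberState(ago(swap_h), ago(change_h), bound, txns)

if __name__ == "__main__":
    print(otp_transaction_decision(NOW, state_hours_ago(2, 2, False, 0), 500))
    print(otp_transaction_decision(NOW, state_hours_ago(30, 30, False, 0), 500))
    print(otp_transaction_decision(NOW, state_hours_ago(30, 30, True, 0), 50_000))
```

The ordering matters: the cool-off is a hard block regardless of what the bank knows about the device, and only after it lapses does the bank's own friction decide between step-up and allow. A bank that skips the second layer is the one the paragraph describes as treating the SMS OTP on the new SIM as sufficient.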

The reissuance process inside Airtel, Jio and BSNL is the operational ground truth examiners need. Aadhaar biometric at a retail outlet is the strongest tier and is hard to bypass without an insider. OTP-to-existing-number is medium and fails when the attacker has already started the social engineering pretext. Customer-service IVR plus document upload is the weakest tier and is where most documented SIM-swap fraud originates. The 2023 Maharashtra cyber cell raid on a Mumbai SIM card racket recovered over 3,000 SIMs activated against KYC documents the rightful holders had never seen, and named both reseller-side and call-centre-side accomplices.
CEIR (Central Equipment Identity Register), DoT's national portal for stolen mobile reporting, is the complementary control. A victim of a SIM swap who notices the silent SIM logs into ceir.gov.in, reports the original IMEI as compromised, and the network blocks that IMEI from re-attaching across all Indian operators. CEIR plus the TRAI cool-off plus RBI's bank-side friction is the three-legged defensive stool against the swap playbook. Cross-link to mobile phone forensics for the forensic side of recovered devices.
NFC cloning, QRJacking and UPI fraud at the counter
NFC card cloning is the short-range analogue of SIM swap: instead of porting a number, the attacker copies a card's identity onto a device the attacker controls. Three tools dominate the kit. The Proxmark3 RDV4 (around 30,000 INR landed in India) is the long-standing professional choice, with full ISO 14443 A/B and 15693 support, key recovery tools for MIFARE Classic, and DESFire authentication for weak deployments. The Flipper Zero (around 15,000 INR grey-market in India after the formal sales restrictions in some jurisdictions) is the consumer-grade entrant: smaller, with a screen, and packaged for one-tap clone-and-emulate against MIFARE Classic. Open-source firmware on a PN532 module costs under 2,000 INR and reaches the same MIFARE Classic recovery with more setup.
Three NFC attack patterns are relevant for examiners. In simple cloning, a victim's MIFARE Classic transit card or office access card is read at close range in a crowded setting, the keys are recovered using Hardnested or DarkSide attacks, and the card is emulated against the legitimate reader. Older Bengaluru BMTC Smart Card and Delhi Metro Smart Card generations using MIFARE Classic were documented as cloneable in academic papers; modern deployments use DESFire EV2 or EV3 with AES key management. Second, relay attacks (ghost-and-leech): one device near the victim card reads its responses and a second device near the legitimate reader replays them in real time over a network link, completing a transaction without ever copying the card. Third, malicious tags: a sticker tag placed over a legitimate venue NFC tag (or simply on a poster) carries a URL that the victim phone auto-opens, dropping the user on a phishing site or triggering an intent:// deep link to a vulnerable app.
QR code attacks dominate Indian high-street fraud filings. In the most common variant, QRJacking, a fraudster prints a UPI QR pointing to a mule VPA on a sticker sized to match the merchant's legitimate QR and affixes it over the original during a busy period. Customers scan the wrong code and pay the mule. The merchant only notices at end-of-day reconciliation when the UPI receipts do not match the till count. NPCI's 2023 and 2024 advisories named QRJacking specifically and recommended laminated single-print QRs with the merchant's VPA and merchant name printed in large readable text above the code so customers can compare before tapping confirm.
| QR fraud variant | Mechanics | Indian context | Defence |
|---|---|---|---|
| QRJacking (overlay) | Fraudster sticks own UPI QR over merchant's at the counter | Common at small kiranas, tea stalls, autos | Laminate QR, print VPA in large text above code, daily reconciliation |
| Malicious QR poster | QR on lamp post or poster redirects to phishing URL or APK download | Used in fake job, fake refund, fake KYC campaigns | Preview URL before opening, treat any QR-driven APK as hostile |
| Request-money confusion | Victim is sent a 'scan to receive' QR that is in fact a 'pay request'; victim approves the debit | Dominant pattern in Telegram and WhatsApp UPI scams | Never approve UPI requests for incoming money; receivers do not need to approve |
| UPI Collect Request via push | Attacker sends a UPI Collect request that the victim approves thinking it is a refund | Documented across NPCI advisories 2022 to 2024 | Read the request screen carefully; debit vs credit is shown but missed |
| NFC tag overlay | Sticker tag placed over a legitimate venue tag carries a phishing URL | Less common in India but growing in metro stations | Disable NFC auto-launch in phone settings; tap to read URL first |
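NPCI's advice to print the VPA and merchant name above the code so the customer can compare is a manual version of a check a merchant app or a customer app could run on the scanned payload. The parser below is an added example for this page and not NPCI's, PhonePe's or Google Pay's code; it works on the upi://pay?pa=...&pn=... deep-link form that merchant QRs encode, and the VPAs, names and handles are constructed (the handle is an invented bank, not a live PSP).

```python
import difflib
from urllib.parse import parse_qs

def parse_upi_qr(payload: str) -> dict:
    """Parse a upi://<action>?k=v&... deep link into its fields (pa, pn, am, cu, tn, ...)."""
    if "://" not in payload:
        raise ValueError("not a URI")
    scheme, rest = payload.split("://", 1)
    if scheme.lower() != "upi":
        raise ValueError(f"not a UPI deep link: scheme {scheme!r}")
    action, _, query = rest.partition("?")
    fields = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    fields["action"] = action.lower()
    return fields

def check_counter_qr(payload: str, registered_vpa: str, registered_name: str) -> list:
    """Compare a scanned counter QR against the merchant's registered VPA and name.
    Returns human-readable findings; an empty list means the QR matches the registration."""
    try:
        f = parse_upi_qr(payload)
    except ValueError as e:
        return [str(e)]
    issues = []
    if f["action"] != "pay":
        issues.append(f"action is '{f['action']}'; a merchant counter QR should be 'pay'")
    pa = f.get("pa", "")
    if not pa:
        issues.append("no payee address (pa) in QR")
    elif pa.lower() != registered_vpa.lower():
        # A near-identical VPA is the QRJacking signature: the overlay is chosen to
        # survive a casual glance at the printed text above the code.
        ratio = difflib.SequenceMatcher(None, pa.lower(), registered_vpa.lower()).ratio()
        kind = "lookalike" if ratio >= 0.8 else "unrelated"
        issues.append(f"payee VPA '{pa}' is a {kind} mismatch for registered '{registered_vpa}'")
    pn = f.get("pn", "")
    if pn and pn.strip().lower() != registered_name.strip().lower():
        issues.append(f"payee name '{pn}' does not match registered '{registered_name}'")
    if f.get("cu", "INR").upper() != "INR":
        issues.append(f"currency is '{f.get('cu')}', expected INR")
    return issues

# Constructed merchant registration and two scanned payloads.
REGISTERED_VPA = "sharmateastall@examplebank"
REGISTERED_NAME = "Sharma Tea Stall"
GENUINE_QR = "upi://pay?pa=sharmateastall@examplebank&pn=Sharma%20Tea%20Stall&cu=INR"
# Overlay: same printed name, one dot added to the VPA so funds settle elsewhere.
OVERLAY_QR = "upi://pay?pa=sharma.teastall@examplebank&pn=Sharma%20Tea%20Stall&cu=INR"

if __name__ == "__main__":
    print("genuine:", check_counter_qr(GENUINE_QR, REGISTERED_VPA, REGISTERED_NAME))
    print("overlay:", check_counter_qr(OVERLAY_QR, REGISTERED_VPA, REGISTERED_NAME))
```

The same parser serves the other rows of the table: a payload whose scheme is not upi:// (the malicious poster case) is rejected before any field is read, and an action other than pay is reported rather than silently accepted, which is the distinction the request-money confusion variant relies on customers missing.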
CFSL Hyderabad's 2024 case work included a Hyderabad-based QRJacking ring that operated across 60 small shops in Banjara Hills and Jubilee Hills, with mule VPAs cycled weekly through a Telegram-coordinated network. The investigation triangulated the QR replacement events with shop CCTV, UPI transaction logs from PhonePe and Google Pay, and CDR data on the burner phones used by the mule operators. Charges were filed under IT Act Sections 66C and 66D plus BNS Section 318 (cheating) and BNS Section 319 (cheating by personation). The case is frequently cited in forensic training materials as a representative example of how mobile network attacks and physical-world fraud converge.
Frequently asked questions
How can a phone user tell that an IMSI catcher is operating in the area?
Does WPA3 protect a phone against a captive-portal phish on a public network?
What should a SIM-swap victim do in the first hour after losing signal unexpectedly?
Is it legal to own a Flipper Zero in India?
How does CEIR help after a stolen-phone-driven attack?
What distinguishes vishing under IT Act Section 66D from ordinary cheating under BNS Section 318?
Why do banks still rely on SMS OTP if SIM swap defeats it?