Practice with national-level exam (FACT, FACT Plus, NET, CUET, etc.) mocks, learn from structured notes, and get your doubts solved in one place.
Phone phreaking history through Captain Crunch's 2600 Hz whistle to modern IMSI catchers, vishing and CLI spoofing, Wi-Fi MITM on Indian airport SSIDs, SIM swap fraud under the TRAI 24-hour cool-off, NFC cloning with Flipper Zero and Proxmark, and QRJacking against UPI counters.
Mobile network attacks sit on a continuum that starts with John Draper blowing a 2600 Hz tone into a payphone in 1971 and ends with a fraudster in a Jamtara call centre porting a Mumbai accountant's SIM at 11 pm on a Friday and draining the salary account before the Monday office opens. The physics changed (PSTN tones, then GSM signalling, then LTE Diameter, then 5G slicing), but the playbook is steady: find a layer where authentication is weaker than the user expects, impersonate something the user trusts, and convert that trust into a transaction the user did not approve.
This topic covers the wireless and mobile attack surface as the digital forensics Mobile paper and the NFSU MSc course frame it. The arc runs from phone phreaking and call tampering through Wi-Fi man-in-the-middle attacks on Indian public networks, WEP and WPA recaps from the mobile client perspective, fake hotspots at airports and metro stations, IMSI catchers and the 4G to 2G downgrade, the SIM swap playbook under TRAI's 24-hour cool-off rule, NFC card cloning with Flipper Zero and Proxmark, and the QR fraud variants that dominate Indian high-street complaint filings. Cross-link references run to wireless network attacks (WEP/WPA/WPA3), mobile phone forensics, digital first responder and the chain of custody primer.
The 2600 Hz whistle started it; CLI spoofing keeps it running.
Phone phreaking is the historical root of every mobile network attack on the syllabus. John Draper, working under the handle Captain Crunch, discovered in 1971 that the plastic toy whistle packaged in Cap'n Crunch cereal produced a clean 2600 Hz tone. AT&T's analogue long-distance trunks used 2600 Hz as the in-band supervisory signal that meant "this trunk is idle". A phreaker who dialled a long-distance number, waited for the call to connect, then blew the whistle into the handset, dropped the trunk's billing state while keeping the voice path up. The next dialled digits, sent as multi-frequency MF tones from a blue box, set up a free call to anywhere on the network.
Three generations of boxes mattered. The blue box generated MF tones for free long-distance. The black box, on the called side, fooled the local exchange into never billing the caller. The red box generated the coin-deposit tones a payphone used to signal that a quarter had been inserted, so the payphone counted phantom coins. Steve Wozniak and Steve Jobs sold blue boxes at Berkeley before they founded Apple. The arc closed in 1980 when AT&T moved supervisory signalling out of band onto Common Channel Signalling System 7, ending the in-band attack class.
The modern descendant of phreaking is signalling-layer abuse on SS7 and Diameter. The attacker no longer whistles into a handset; the attacker rents an SS7 global title from a complicit carrier and sends crafted MAP messages to redirect SMS or query subscriber location. The economics are very different (the rental costs four figures a month rather than a cereal-box toy) and the targets are very different (a high-value mark rather than a free overseas call), but the trust model is the same: the telephone signalling layer assumes any participant is who they claim to be.
One open network, one ARP burst, one full session in clear.
The man-in-the-middle attack on public Wi-Fi is the most common path from "free internet" to credential theft. The setup needs three pieces: an open or weakly-shared-key SSID that several strangers use, a host on the same broadcast domain, and a tool that can rewrite Layer 2 forwarding. The walkthrough below is reconstructed from a 2024 internal red-team exercise at an Indian Tier-1 airport's airside lounge, run with carrier consent and a closed test SSID. Names and MACs are redacted.
The attacker's laptop joined the lounge's open SSID and ran arp-scan -l to enumerate active hosts on the /24. Five mobile clients and one printer were visible. The attacker ran bettercap -iface wlan0 and used the arp.spoof module to spoof the gateway MAC on the target client and the client MAC on the gateway, inserting the laptop between them at the ARP layer. net.sniff on plus https.proxy on brought the SSL stripping module up. From this point any HTTP request from the target client transited the attacker; any HTTPS request to a site without HSTS preload was downgraded by the proxy to HTTP and the response stripped of https:// URLs in anchors. Most legitimate banking sites are HSTS preloaded, but the auxiliary OAuth and tracker domains are not, and the user's session cookies on cross-domain hits were captured intact.
Same airport, same SSID, stronger signal: the phone never asks the user.
The fake hotspot pattern has a stable shape across Indian airports, metro stations, malls and cafés. A portable AP (Wi-Fi Pineapple, a flashed OpenWrt mini-router, or a laptop running hostapd) broadcasts the venue's SSID at higher transmit power than the venue's real AP. Phones with that SSID in their saved networks auto-associate. The first HTTP request triggers a captive portal that imitates the venue branding and asks for a phone number, an OTP, or a "verify your bank account to enable free Wi-Fi" prompt. Credentials harvested are sold downstream to SIM-swap and UPI-fraud crews. CERT-In's late-2024 wireless advisory named sustained campaigns at Delhi Metro, Bengaluru Metro and Hyderabad Metro stations with this exact pattern.
From the mobile client's perspective, the WEP and WPA layers below the hotspot matter mostly because of legacy exposure. Cafés and shops that still run a 2010-vintage Linksys WRT54G on WEP let any examiner with aircrack-ng recover the 104-bit key in under 15 minutes (the full walkthrough lives at wireless network attacks). Once the WEP key is recovered, the attacker is a normal client on the LAN and runs the same ARP-spoofing attack from Section 2. WPA2-PSK with a weak passphrase is recovered offline against a captured 4-way handshake or PMKID using hashcat -m 22000. WPA-TKIP is functionally obsolete; the Beck-Tews attack of 2008 broke MIC reuse in a 60-second window.
| Wi-Fi layer | Attack against mobile client | Indian exposure | Mitigation on the phone |
|---|---|---|---|
| Open SSID, no encryption | Passive sniffing, ARP-spoof MITM, captive-portal phish |
The radio layer impersonation that bridges Wi-Fi to mobile.
IMSI catchers are the cellular cousin of the rogue AP. The device impersonates a base station: it broadcasts a Mobile Country Code and Mobile Network Code that match a real operator (404 for Bharti Airtel, 405 for Reliance Jio, 405 for BSNL among others, allocated by the ITU) plus a Location Area Code that nearby phones consider plausible, at a transmit power higher than the legitimate cell at the spot. Phones in the area perform a routine cell re-selection and attach to the rogue cell. The first message in a GSM attach exchange carries the IMSI in clear; the catcher logs it, then either releases the phone back to the real network or holds the attach for surveillance.
The 4G to 2G downgrade is the practical lever the IMSI catcher needs against modern phones. LTE includes mutual authentication: the network authenticates the SIM with EPS-AKA and the SIM authenticates the network with the same exchange, so a rogue LTE cell cannot trivially impersonate the operator. GSM (2G) does not authenticate the network at all; the SIM authenticates to the network with a single challenge-response in COMP128, but the network sends no proof of its own identity. A catcher that advertises 2G at a strong signal and refuses or jams the LTE bands causes the phone to fall back, at which point the catcher is fully trusted. From 2G the catcher reads SMS in transit, listens to A5/1-encrypted voice (A5/1 is broken; A5/2 was withdrawn in 2007), and bounces calls through itself.
5G slice spoofing is the emerging variant. 5G stand-alone networks segment the radio into slices (eMBB for consumer broadband, URLLC for low-latency industrial, mMTC for massive IoT). A misconfigured operator core that does not authenticate the slice identifier sent in the Registration Request lets a malicious UE claim a privileged slice and receive routing it should not. The risk is operator-side rather than consumer-facing in current Indian 5G deployments, but the research is moving fast and CFSL Hyderabad has started fielding 5G specific training for examiners.
A new SIM, an OTP delay, and an account-drain race against the clock.
SIM swap fraud is the highest-loss mobile attack category in current Indian crime statistics. RBI's 2023 banking fraud bulletin attributed losses in the hundreds of crores to SIM-swap-enabled account takeovers, with public sector banks taking the largest exposure because of lower friction in legacy banking flows. The mechanics are mostly social engineering against the telco's customer service layer rather than radio-layer cryptography.
Tap-to-pay and scan-to-pay both inherit physical-world trust.
NFC card cloning is the short-range analogue of SIM swap: instead of porting a number, the attacker copies a card's identity onto a device the attacker controls. Three tools dominate the kit. The Proxmark3 RDV4 (around 30,000 INR landed in India) is the long-standing professional choice, with full ISO 14443 A/B and 15693 support, key recovery tools for MIFARE Classic, and DESFire authentication for weak deployments. The Flipper Zero (around 15,000 INR grey-market in India after the formal sales restrictions in some jurisdictions) is the consumer-grade entrant: smaller, with a screen, and packaged for one-tap clone-and-emulate against MIFARE Classic. Open-source firmware on a PN532 module costs under 2,000 INR and reaches the same MIFARE Classic recovery with more setup.
Three NFC attack patterns matter for examiners. First, simple cloning: a victim's MIFARE Classic transit card or office access card is read at close range (a bus queue, a shared elevator), the keys are recovered with the Hardnested or DarkSide attacks, and the card is emulated back to the legitimate reader. Older Bengaluru BMTC Smart Card and Delhi Metro Smart Card generations using MIFARE Classic were documented as cloneable in academic papers; modern deployments use DESFire EV2 or EV3 with AES key management. Second, relay attacks (ghost-and-leech): one device near the victim card reads its responses and a second device near the legitimate reader replays them in real time over a network link, completing a transaction without ever copying the card. Third, malicious tags: a sticker tag placed over a legitimate venue NFC tag (or simply on a poster) carries a URL that the victim phone auto-opens, dropping the user on a phishing site or triggering an intent:// deep link to a vulnerable app.
QR code attacks dominate Indian high-street fraud filings, and the dominant subset is QRJacking against UPI counters. The playbook is short: a fraudster prints a UPI QR pointing to a mule VPA on a sticker the same size as the merchant's legitimate QR; visits the shop during a busy moment; sticks the fraudulent QR over the original. Customers scan the wrong code and pay the mule. The merchant only notices at end-of-day reconciliation when the UPI receipts do not match the till count. NPCI's 2023 and 2024 advisories named QRJacking specifically and recommended laminated single-print QRs with the merchant's VPA and merchant name printed in large readable text above the code so customers can compare before tapping confirm.
An IMSI catcher most reliably succeeds against a modern LTE phone by:
CLI spoofing is the practical attack at the voice layer today. A VoIP provider that does not enforce its trunk's right to claim a number lets a customer set any Calling Party Number on outbound SIP INVITEs. The receiving carrier's signalling pipeline passes that number forward to the receiver's phone unchanged. The result is a call that displays "+91 011 2334 XXXX TRAI Delhi" on the recipient's screen while originating from a Telegram-bot-driven call centre operating out of a shared room. Indian victims, especially older subscribers, have been talked through "your number is being disconnected for SIM misuse" scripts that end in OTP disclosure or in TeamViewer install on a desktop. TRAI itself does not call subscribers; the legitimate TRAI domain runs only outbound messages from authorised header IDs on the DLT (Distributed Ledger Technology) registry. NCRB's 2023 crime in India bulletin recorded a sharp rise in vishing-driven cheating cases under IT Act Section 66D, with Karnataka, Maharashtra, Telangana and Delhi as the high-volume states.
The Indian anchor is the Karnataka State Cyber Crime Police Station's 2023 case file against a duo who ran exactly this attack from a parked car in Bengaluru's HAL Old Airport Road commercial district, lifting Razorpay merchant credentials from a small business owner connected to a café SSID. The case was filed under IT Act Sections 43, 66 and 66C, and CDR analysis from the connected café's CCTV plus telco tower data placed both accused at the location during the capture window. The cross-link to chain of custody covers how the seized laptops were imaged and transported.
Three MITM variants ride alongside ARP spoofing on a phone's Wi-Fi. Malicious VPN apps (the CamScanner Necro trojan from 2019, the SuperVPN credential-harvesting saga of 2020) reroute every flow through an attacker-controlled gateway, with the user's express permission to do so. Rogue base stations (the cellular IMSI-catcher angle) move the attack one layer down to the radio. Captive portals on fake hotspots collect credentials before any IP traffic is generated. The next sections take each in turn.
| High: every airport, metro, café free Wi-Fi |
| Avoid auto-join, treat any portal asking for OTP as hostile, use VPN |
| WEP | RC4 IV reuse, key recovered in 15 minutes | Long-tail residual on legacy retail and clinic routers | Phone cannot defend; do not connect; report router to owner |
| WPA / WPA2-PSK weak | Handshake or PMKID capture plus offline dictionary attack | Common on residential and small-business APs | Strong PSK is the operator's job; phone cannot enforce |
| WPA2 with KRACK-vulnerable client | Replay of message 3 forces key reinstall, plaintext recovery | Almost gone: patched in OS updates since late 2017 | Keep Android, iOS, ChromeOS and wpa_supplicant patched |
| Evil twin on any SSID | Same SSID, stronger signal, auto-associate, captive portal phish | High at Indian Tier-1 airports and metros per CERT-In 2024 | Disable auto-join, forget public networks, use mobile data when uncertain |
| Enterprise WPA2-Enterprise without cert pinning | eaphammer / hostapd-wpe relay, MSCHAPv2 hash capture | Documented in 2024 Mumbai BFSI red-team exercise | EAP-TLS with strict server-cert validation; pin the corporate CA |
The Wireless Public Key Infrastructure angle is short. Enterprise-grade WLAN uses 802.1X with an EAP method, ideally EAP-TLS, against a RADIUS server. The client presents a certificate the corporate CA issued; the server presents a certificate the client is configured to trust against a pinned CA fingerprint. There is no shared password, so a captive-portal phish or a PSK-handshake capture does not apply. The failure mode in Indian deployments is clients (especially BYOD Android handsets) that do not validate the server certificate, which lets a rogue AP using eaphammer accept any client credential and replay it. CFSL and NFSU lab exercises specifically test EAP-TLS configuration on a laptop and a phone as a practical assignment.
WLAN hardening for an Indian small-office deployment is short and actionable: WPA3-Personal if every client supports it (Android 10+, iOS 13+, Windows 10 1903+); WPA3 transition mode if some clients are older; a PSK of 16+ random characters generated by a password manager; WPS disabled in the router admin UI; the admin password changed from the vendor default; and firmware patched to a release dated after mid-2019 (Dragonblood mitigations). The router should not advertise its SSID in a hidden state (hidden SSIDs are not a security control), and MAC filtering is not a security control either.
Diameter is SS7's successor on the LTE control plane. The protocol carries authentication, billing and policy between operator nodes. Diameter inherited the SS7 trust model in which any participant on the inter-operator network is implicitly trusted to make legitimate requests, which is why operator-side Diameter firewalls and signalling-edge filtering became a regulatory expectation after the 2017 wave of European SS7 fraud reports. Indian operators run Diameter edge filters under DoT guidance, but cross-border roaming routes still surface advisories where a small foreign operator's lax filtering is the entry point.
The forensic artefact a user can observe is small but real: the phone's status bar dropping to 2G or E for an extended period in a location with normal LTE coverage. The status bar drop is the single most reliable IMSI catcher tell available to a non-specialist. Apps like SnoopSnitch (Android, root preferred) and CellularPrivacy AIMSICD log cell tower IDs, BCCH frequencies and unusual paging behaviour and flag suspicious patterns; both are imperfect but useful for survey work.
The TRAI cool-off is the highest-leverage defensive control in the chain. RBI's December 2022 master direction on digital banking security further required banks to apply additional friction (step-up authentication, fresh device binding, transaction velocity limits) for the first 24 to 72 hours after any registered mobile number change on file. Banks that implemented the friction (HDFC, ICICI, Axis among the early movers) cut their SIM-swap-attributable losses sharply; banks that treated the SMS OTP on the new SIM as sufficient continued to lose. Public sector bank losses in 2023 remained elevated for exactly this reason.
The reissuance process inside Airtel, Jio and BSNL is the operational ground truth examiners need. Aadhaar biometric at a retail outlet is the strongest tier and is hard to bypass without an insider. OTP-to-existing-number is medium and fails when the attacker has already started the social engineering pretext. Customer-service IVR plus document upload is the weakest tier and is where most documented SIM-swap fraud originates. The 2023 Maharashtra cyber cell raid on a Mumbai SIM card racket recovered over 3,000 SIMs activated against KYC documents the rightful holders had never seen, and named both reseller-side and call-centre-side accomplices.
CEIR (Central Equipment Identity Register), DoT's national portal for stolen mobile reporting, is the complementary control. A victim of a SIM swap who notices the silent SIM logs into ceir.gov.in, reports the original IMEI as compromised, and the network blocks that IMEI from re-attaching across all Indian operators. CEIR plus the TRAI cool-off plus RBI's bank-side friction is the three-legged defensive stool against the swap playbook. Cross-link to mobile phone forensics for the forensic side of recovered devices.
| QR fraud variant | Mechanics | Indian context | Defence |
|---|---|---|---|
| QRJacking (overlay) | Fraudster sticks own UPI QR over merchant's at the counter | Common at small kiranas, tea stalls, autos | Laminate QR, print VPA in large text above code, daily reconciliation |
| Malicious QR poster | QR on lamp post or poster redirects to phishing URL or APK download | Used in fake job, fake refund, fake KYC campaigns | Preview URL before opening, treat any QR-driven APK as hostile |
| Request-money confusion | Victim is sent a 'scan to receive' QR that is in fact a 'pay request'; victim approves the debit | Dominant pattern in Telegram and WhatsApp UPI scams | Never approve UPI requests for incoming money; receivers do not need to approve |
| UPI Collect Request via push | Attacker sends a UPI Collect request that the victim approves thinking it is a refund | Documented across NPCI advisories 2022 to 2024 | Read the request screen carefully; debit vs credit is shown but missed |
| NFC tag overlay | Sticker tag placed over a legitimate venue tag carries a phishing URL | Less common in India but growing in metro stations | Disable NFC auto-launch in phone settings; tap to read URL first |
The Indian anchor knits the section together. CFSL Hyderabad's 2024 case work included a Hyderabad-based QRJacking ring that operated across 60 small shops in Banjara Hills and Jubilee Hills, with mule VPAs cycled weekly through a Telegram-coordinated network. The investigation triangulated the QR replacement events with shop CCTV, UPI transaction logs from PhonePe and Google Pay, and CDR data on the burner phones used by the mule operators. Charges were filed under IT Act Sections 66C and 66D plus BNS Section 318 (cheating) and BNS Section 319 (cheating by personation). The case file is cited in the digital forensics sample paper as a representative example of how mobile network attacks and physical-world fraud converge.