A team of researchers from the University of Colorado and the National Institute of Standards and Technology (NIST) has developed a method for remotely identifying mobile phones to ensure they have not been tampered with during manufacturing, thereby reducing the risk of espionage.
Researchers consider smartphones to be among the most important devices to protect from cyberattacks and data leaks. However, they firmly believe it is extremely difficult to verify that a phone has not been tampered with without risking damage. Therefore, given the impossibility of knowing whether a phone has been tampered with or not, they created a database to analyze electromagnetic waves.
Smartphones emit a range of electromagnetic waves when connected to cell towers. Therefore, using specialized SIM cards and base station simulators, researchers can instruct a group of reliable phones—that is, devices that have not been tampered with—to transmit the exact same signals. In this way, researchers can create a database that shows the shape of these signals for different phone models, essentially creating digital fingerprints for each model.
Then, by comparing the signals emitted from an unknown device with the database, experts can determine whether the mobile phone has been altered, i.e., whether its signals do not match any of the trusted fingerprints.
Researchers tested this process on several high-end smartphones, and surprisingly, the results were accurate in over 95% of cases. Furthermore, because this method focuses on the fundamental electromagnetic behavior of devices, it is not limited to current 4G and 5G networks but can be applied to future generations of mobile phone technologies.
Thanks to this initiative, author Amya Ramadurgakar states in the study that "this work demonstrates a fundamental approach to obtaining a highly accurate, reliable, and stable digital fingerprint for a commercially available smartphone in order to verify that it has not been tampered with or compromised before being released to the market." Therefore, if this method continues to be used, "mobile devices will be authenticated before being delivered to users who require the highest levels of security."