2G always on (Android)

Good luck getting that request actioned. 👀😂

I know, but I've gotta try to request it! I just moved from Lebara because their carrier settings with Pixel phones disabled WiFi calling - can't believe I've switched and run straight into another carrier setting mistake!

Hi @ked239,

Welcome to the Community!

2G isn’t something that we offer so it wouldn’t work at a network level and it isn’t something that we can turn off. 

Which handset are you using?

Kash

Hi Kash, 

I am using a Pixel 6; there is a widening ability on Android devices for the phone user to be able to "Allow 2G," however in the operator settings, iD have set this to always on (see screenshot). This was likely just an oversight, or because having 2G could be beneficial when roaming, were we to ignore the potential security threats. All that needs to happen is that one setting needs to be changed at the operator level to allow users to make the choice on 2G themselves.

Thanks!

Is this a case of where being able to use the phone to make an emergency call takes priority over security? 

Do the security experts who advise 2G is turned off explain why?

Hey @ked239,

iD Mobile is a 3G or higher network (soon to have 4G and 5G only by end of 2024).

We use Three UK and they do not support the 2G bandwith.

Mohammed

I need to be able to turn off 2G too. 

I can't use my phone properly as the other person can't hear me. 

Some googling says to turn off 2G and that might help 

I have same issue that id seem to be forcing me to have it on. 

Pixel 7 Pro 

Hi @SBreeze 

Unfortunately as mentioned above, 2G isn’t something that we offer so it wouldn’t work at a network level and it isn’t something that we can turn off.

Sorry about this.

Tom

You need to buy a current phone😉

Then why do I see the same thing as in the screen shot, saying that Id requires it on? 

I don’t think the iD Mobile network profile provide for your device allows you to turn off 2G, @SBreeze. 

The setting is sort of irrelevant anyway, because iD Mobile do not have any 2G mobile network infrastructure. Their network partner, Three UK, only have 3G, 4G and 5G mobile network infrastructure. 

Is your device using the latest Android version, and latest Android patches?

Yes all up to date. Android 14 with January patch 

Hi @SBreeze,

Are you able to test the SIM in a different handset to check if you have the same issue?

We can get a replacement SIM sent to see if that improves things or you can collect one from Curry’s.

Kash

The setting offers protection against impersonation (someone with a base station box pretending to be a Three base station on 2G). See Android users can now disable 2G to block Stingray attacks (bleepingcomputer.com)

To your point, given Three and iD do no offer 2G, they should not be forcing 2G always on. 

I have a retail Pixel 7a phone. It was on O2 sim only until last month.

On O2, I was allowed to toggle the “Allow 2G” setting on and off as I wished (their carrier settings/profile did not restrict its use). The default was that it was turned on but I could (and did) turn it off.

On iD, the toggle line is greyed out (with Allow 2G turned on) as their carrier settings/profile has restricted its use.

Okay, thanks @NorthStu.
How commonly is the “Stringray” deception used in the UK?

https://source.android.com/docs/security/features/cellular-security/disable-2g#:~:text=Disabling%202G%20is%20an%20important,disable%202G%20on%20their%20device.

Come on guys, give us the freedom to DISABLE 2G and secure our phones better

What about when you are roaming, yes if it's not offered then at least let us turn it off if it's a security risk.

ID Mobile - this is most certainly a ‘you’ problem. Please seek an update from someone with technical knowledge of SIM settings who can get this setting disabled for us. 

Thank you.

ID this is actually a ridiculous response as you say yourself you don't use the 2G network. You're putting the data security of all your customers at risk for a feature that you yourself don't even use. 

There is no reason to force 2G to be enabled, and only creates vulnerabilities in your own network. 

Please consult a network security technician immediately and have this resolved. 

Hi @Richard Gaskell, @BenF, @Adam Walter & @Charliebrown 

We do not have any plans to enable the option to turn off a network (2G) that we do not have access to, sorry about this.

Tom

Hi Tom, thanks for your reply. 

What do you mean by ‘we do not have access to’? My phone’s 2G toggle is greyed out with the message underneath it: ‘iD requires 2G to be available’. This suggests to me that iD is very much in control of whether this setting is configurable by users. 

Thanks,

Adam.

This NEEDS to be sorted on your end iD! This is a potential breach of the Information Commissioners Office (ICO) guidelines in relation to cyber security. I WILL be taking this to them if you don't get off your pervervial butt, accept that the company NEEDS to do the smallest amount of work and unlock every customer's ability to turn off the ability to connect to VERY INSECURE 2G networks. It doesn't matter how much or little the Stingray exploit is used. It's a security vulnerability! FIX IT. 

Hi @MrSquishie,

We don’t offer 2G and even so 3G will also be removed as we continue to improve our 4G and 5G service.

You are welcome to take this further should you wish to do so.

Kash

@Kash, it does NOT matter if iD mobile, Three Mobile or whoever else is providing the service and that service has never provided a 2G service! It doesn't matter if you as a service provider are going to be removing 3G service soon! The Stingray exploit is exploitible on ANY device that has the CAPABILITY of connecting to a 2G network. That's the reason it's an exploit! Can we please get an actual service technician here, we're going round in circles since the representatives here obviously can't understand why the Stingray exploit is dangerous to EVERYONE who CANNOT TURN OFF 2G on their SIM!

Let's put it as simply as possible:

You as a person don't want your personal data being intercepted by unauthorised people, yes? Of course you don't!

So, you go travelling to another country, with a SIM card where you haven't turned off 2G capabilities. 

While in that different country, your device connects to a spoofed carrier mast. The person in control of the spoofed mast sees your device has has connected to their mast and downgrades the connection from 4G/5G to 2G, forcing your device to stay connected to the spoofed mast that is now connected by 2G. 

With your device now connected to the spoofer's mast in 2G, they can now implement a simple yet clever man-in-the-middle attack, collecting everything you do while connected to that spoofed mast; login credentials, saved cookies, unencrypted app data etc etc. 

The person who was running the spoofed mast now has all the data they could need to access your accounts, scam people with YOUR accounts and potentially even get access to your online banking account using stolen login keys from the copied cookies!

iD Mobile ***NEEDS*** to configure it to allow customers to turn off 2G on their SIM settings. We know iD Mobile never provided a 2G service, it doesn't matter! What matters is the potential for iD Mobile customers having explicit personal data collected by people running spoofed masts and those customers potentially loosing their entire life's savings due to a configuration that is iD Mobile's (and Three's) responsibility to change. It's also the responsibility of the carrier to announce the dangers of the Stingray exploit and the reason why the 2G option NEEDS to be disabled. 

Unless this is fixed, iDmobile are forcing customers to suffer a security vulnerability that could easily be fixed.

Even though the Three network has never used 2G, the fact that the operator settings don't allow you to turn off 2G is a security vulnerability. It doesn't matter that Three (and iD) don't use 2G, it's the fact that a hacker can force connection to an insecure 2G network that's the problem. This is because without the ability to disable this setting, the phone still allows connection to a malicious 2G network. Google make this clear themselves here: https://source.android.com/docs/security/features/cellular-security/disable-2g#are_users_still_vulnerable_if_their_carriers_no_longer_support_2g

There's also more extensive information from Google about the exploit here: https://security.googleblog.com/2024/08/keeping-your-android-device-safe-from.html, which also states "It is important to note that users are still vulnerable to this type of fraud as long as mobile devices support 2G, regardless of the status of 2G in their local carrier."

Updating the network settings provided by iD to allow 2G support to be turned off on the phone would eliminate this particular vulnerability.

If you think this isn't a problem because your network doesn't use 2G, then you've misunderstood the issue. This should be referred to a security team within iD mobile, or iD should speak to security specialists in Three if they don't understand the issue themselves.