That’s not how a VPN works. A VPN masks the information you are actually accessing by showing you query the VPN instead. To make a connection to a service you still need an address. This info is what they are using to identify your device.
Most traffic is already encrypted (httpS) so someone spying on you wouldn’t know the content of your communication only who you contact. But without a VPN a man in the Middle could see who you are contacting. E.g. looking up pornhub. With the VPN it only shows you looking up the VPN.
Right, that’s what I understood. So using a VPN, a CSS will be able to identify that my phone is active, but not the content I’m accessing, or who I am accessing it from, correct?
The previous comment said VPNs do nothing against this type of attack- were they just referring to identifying your device?
Right, that’s what I understood. So using a VPN, a CSS will be able to identify that my phone is active, but not the content I’m accessing, or who I am accessing it from, correct?
From my understanding your statement seems correct, but it’s also lacking a bit. Unless you also randomize your mac address (grapheneOS does this) they can still map your position and visiting times. Additionally not all of your phones data goes through the VPN, something like a phone call/SMS isn’t encrypted unless you’re using an app to make the call.
The previous comment said VPNs do nothing against this type of attack- were they just referring to identifying your device?
Yes, they are thinking of a VPN as a privacy tool, not strictly as a security tool as in your example. Privacy will be compromised.
These devices (CSS/Stingray) are going to see both your SIM IMSI number, and your device IMEI number. AFAIK, the MAC randomization that most modern phones do, is with your WiFi modem so that WiFi routers can’t track you.
If you put your SIM card into a new phone, and then login to your cell service provider portal with a computer or other device, you will observe that they know the model of phone you are using. They get this info from the IMEI when your phone talks to the tower. Since the CSS is a rogue tower, they get the same info.
CSS wouldn’t be used to spy on your network traffic; if they wanted your internet data, they’d have much simpler methods to collect it than CSS (and they wouldn’t be able to decode most of that data anyways in normal cases).
or who I am accessing it from
What do you mean by that?
Suggesting that a VPN could mitigate stuff relating to CSS is like wearing a floating vest 24/7 when flying in a Boeing plane: you might feel a bit safer with it on, but it’d probably be smarter to have a parachute instead.
