From The Intercept:
But if the operator is O’Hanlon and not Verizon — that identity is compromised. “The IMSI is revealed during this interchange, during the early stages of the conversation. It’s not encrypted,” he says.
This type of activity is called passive monitoring, because it doesn’t require a specific active attack or malware. It only works in some cases, however.
O’Hanlon also developed a couple active attacks that would get the job done, one involving masquerading as the operator’s endpoint where the Wi-Fi call is being directed, and another using a man-in-the-middle attack to intercept it.
Apple is the only company that has taken steps to mitigate the privacy and security risk, he says — they added additional security protocols when he brought up the issue over the summer. It was addressed in iOS 10, though there are still ways to get around the protections. But the problem is less with the companies and more with the way the connections were set up in the first place.
Yet another time that Apple has dedicated engineering resources to better protect their customers whereas their major competitor has declined to do so. And this wasn’t even an Apple or Google problem, per se, but a protocol level issue.
Excited Pixels 