On March 5, 2019, a group of researchers from Purdue University and the University of Iowa will present findings at the Network and Distributed System Security Symposium in San Diego. In 2018, the groups discovered a vulnerability in the 4G network. This year, the researchers from the two universities have discovered an attack vector in the newly implemented 5G network that can lead to attackers tracking location and spying on communications of cellular devices. This revelation is particularly concerning because 5G has promised enhanced security and privacy over its predecessor. Currently there is no patch for the vulnerabilities discovered. Fortunately, the adoption of 5G has been slow and the holes have been identified.
Last year, the researchers uncovered the vulnerability named Torpedo within the 4G network. The vulnerability is due to a weakness in one of its key protocols, known as a “paging protocol”. The paging protocol, used in the 4G network, notifies devices about incoming communications such as phone calls, text messages, and video chats. A sleeping device will check in with the closest cellular station for paging at set increments. This check-in is normal, but the issue is that the transmissions are predictable, so an attacker can, for example, send multiple texts to the victim’s phone to sniff the paging protocol communications. Both 4G and 5G standards have protection against this type of attack, but the obfuscation methods currently used are not enough to stop attackers. The attackers are still able to determine patterns in the paging process, which can reveal the closest cellular station and show the victim’s location.
A few weeks ago, the researchers determined that the Torpedo attack can be used to perform an “IMSI-cracking attack” on the 5G network. The IMSI-cracking attack can allow an attacker to uncover the victim’s IMSI, or International Mobile Subscriber Identity Number. The IMSI is a unique identifier that can be used to determine the precise location of an individual and monitor communications with the use of a rogue device impersonating a cellular tower. This rogue device is typically referred to as an IMSI catcher or, more commonly, a stingray. In addition, once the actor has the victim’s IMSI, more sophisticated attacks can be carried out, such as tracking the user’s location and selling confidential data that is intercepted.
The vulnerabilities found by the researchers will need to be fixed by the industry group GSMA, which is the organization that oversees mobile data standards. WIRED is reporting that “GSMA is aware of the research and is considering fixes for some of the issues, but disputes the practicality of the attacks”. Ivette Lopez, a GSMA spokesperson, went on to tell WIRED, “The findings suggest that a hacker could theoretically target a subscriber’s IMSI or unique identifier on a 4G network by sending multiple messages in quick succession and then monitoring the network to identify increased traffic against a specific subscriber. However this approach in reality would have to be performed in a specific time slot and be based on trial and error”.
In addition, the spokesperson for GSMA has stated that the vulnerabilities are present in an earlier version of the 5G standard. The researchers, on the other hand, say that the improvements made by the GSMA have not patched the attack vector. Syed Rafiul Hussain from Purdue University has responded to the GSMA’s claim by saying, “We checked the change requests and it seems that even the new change is vulnerable to Torpedo attack in 5G”.
We are fortunate that the 5G network has not been widely adopted, because this vulnerability is a huge problem for a new standard that has promised improvements in both privacy and security for mobile users. The GSMA has a bit of time, but it is concerning that we have conflicting accounts of the effectiveness of patches for the vulnerabilities, which can ultimately put cellular users’ data and privacy at risk.
Here at Thornton Technology we always suggest utilizing a VPN on all devices connected to the Internet, especially mobile devices. Using a VPN will provide a level of protection against interception of data transmission because the data is encrypted while it passes through the tunnel, but a VPN is not sufficient to stop the location tracking and phone call sniffing of the potential victims. This vulnerability is deeply concerning due to the increase in mobile device utilization over the last five or so years, where it is commonplace for users to transmit PII, or Personally Identifiable Information. We hope that the GSMA is close to patching the vectors before attackers have the ability to exploit them.