Vulnerabilities in 4G, 5G networks allow attackers to intercept calls and track phone locations
A group of researchers has discovered three new security vulnerabilities in the 4G and upcoming 5G standards that allow attackers to intercept phone calls and identify the locations of smartphone users, reports TechCrunch.
It is the first time that both 4G and the incoming 5G standard have been affected by such vulnerabilities. 4G and 5G network architectures are meant to provide faster speeds and better security, especially against law enforcement use of cell site simulators, known as “stingrays.”
For those unaware, a stingray, also known as a “cell site simulator” or “IMSI catcher,” is a mobile surveillance device that mimics a wireless carrier's cell tower and sends out signals to trick all nearby mobile phones and other cellular data devices into connecting to it automatically.
However, the new attacks can defeat newer protections that were supposed to make it more difficult to spy on phone users.
“Any person with a little knowledge of cellular paging protocols can carry out this attack,” Syed Rafiul Hussain, one of the co-authors of the paper, told TechCrunch in an email.
Hussain, along with Ninghui Li and Elisa Bertino at Purdue University, and Mitziu Echeverria and Omar Chowdhury at the University of Iowa, are set to disclose their findings at the Network and Distributed System Security Symposium in San Diego on Tuesday.
The paper, titled “Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information,” describes three kinds of attacks.
The first one is the ToRPEDO (TRacking via Paging mEssage DistributiOn) attack, which exploits a 4G/5G paging protocol weakness to enable an attacker who knows a victim’s phone number to verify the victim’s presence in a particular cellular area and, in the process, identify the victim’s paging occasion.
The attacker can hijack the victim’s paging channel, which would consequently allow the attacker to carry out a denial-of-service attack by injecting fabricated, empty paging messages, thus blocking the victim from receiving any pending services (e.g., SMS) or emergency messages (e.g., Amber alert).
ToRPEDO paves the way for two further attacks. The first is Piercer, which exploits a 4G paging protocol deployment vulnerability to allow an attacker to associate a victim’s phone number with its IMSI (international mobile subscriber identity), say the researchers. ToRPEDO can also enable an attacker to mount a brute-force IMSI-Cracking attack, leaking a victim’s IMSI in both 4G and 5G networks, where IMSI numbers are encoded.
According to Hussain, even the newest 5G-capable devices are at risk from stingrays, with more advanced devices believed to be capable of intercepting calls and text messages.
All four major U.S. operators, AT&T, Verizon (which owns TechCrunch), Sprint and T-Mobile, are affected by ToRPEDO, says Hussain. A successful ToRPEDO attack can be carried out by installing sniffers costing as little as $200, while a successful Piercer attack can be carried out with a paging message sniffer and a fake base station costing around $400. Besides the above, one more U.S. network, which Hussain has not named, is also vulnerable to the Piercer attack.
Hussain says almost all the cell networks outside the U.S. are vulnerable to ToRPEDO and Piercer attacks since they both exploit flaws in the 4G and 5G standards. Many of the European and Asian networks are also vulnerable to such attacks.
The researchers are not releasing the proof-of-concept code to exploit the flaws due to the nature of the attacks, Hussain said. The flaws have been reported to the GSMA, an industry body that represents mobile operators, which has recognized the flaws, he added.
According to Hussain, the GSMA first needs to fix the ToRPEDO and IMSI-Cracking flaws, while the fix for Piercer depends solely on the carriers. Since ToRPEDO is the precursor to the other flaws, it should be fixed as a priority, said Hussain.