
Researchers from Purdue University and The University of Iowa have recently found three new security flaws in the 4G and 5G cellular protocols that can easily allow intruders to intercept calls and track a user's device location.

The research paper, titled ‘Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information’, describes design weaknesses in the 4G/5G cellular paging protocol that attackers can misuse to confirm a victim's presence in a particular cell area from nothing more than the victim's soft identity (e.g., phone number, Twitter handle), using a novel attack the authors call ToRPEDO (TRacking via Paging mEssage DistributiOn). The paper also presents two further attacks, PIERCER and IMSI-Cracking, which build on the ToRPEDO attack.

The researchers in the paper state, “All of our attacks have been validated in a realistic setting for 4G using cheap software-defined radio and open-source protocol stack.”

According to TechCrunch, “Hussain, along with Ninghui Li and Elisa Bertino at Purdue University, and Mitziu Echeverria and Omar Chowdhury at the University of Iowa are set to reveal their findings at the Network and Distributed System Security Symposium in San Diego on Tuesday.”

The three security flaws in the 4G/5G cellular paging protocols

The ToRPEDO attack

The researchers present the ToRPEDO attack, which exploits a weakness in the 4G/5G paging protocol. If the attacker already knows the victim's phone number, the attack lets them verify the victim's presence in a particular cellular area and, in the process, identify the victim's paging occasion. ToRPEDO can thus enable an adversary to verify a victim's coarse-grained location, inject fabricated paging messages, and mount denial-of-service attacks.

PIERCER attack

This attack exploits a vulnerability in how 4G paging is deployed that allows an attacker to determine a victim's international mobile subscriber identity (IMSI) on the 4G network.

IMSI-Cracking attack

This attack leaks the victim's IMSI on both 4G and 5G. The researchers demonstrate in the paper how, using the ToRPEDO attack as a sub-step, attackers can retrieve a victim device's persistent identity (i.e., its IMSI) with a brute-force IMSI-Cracking attack.

One of the co-authors, Syed Rafiul Hussain, told TechCrunch, “Any person with a little knowledge of cellular paging protocols can carry out this attack.”

“According to Hussain, all four major U.S. operators — AT&T, Verizon (which owns TechCrunch), Sprint and T-Mobile — are affected by Torpedo, and the attacks can be carried out with radio equipment costing as little as $200,” TechCrunch reports.

Hussain said the flaws were reported to the GSMA, an industry body that represents mobile operators. GSMA recognized the flaws, but a spokesperson was unable to provide comment when reached. It isn't known when the flaws will be fixed.

One of the users wrote on HackerNews, “Most people consider the fact that your handset will readily talk to any base station that’s on the air to be a feature. Try to imagine how things would work if you had to authenticate and authorize every station on the network. It’s true that anyone who gets on the air and speaks the air protocol can screw with your phone. Those people are also violating multiple laws and regulations in the course of doing so.”

To know more about these flaws in detail, head over to the complete research paper.
