A team of researchers has disclosed their findings at the NDSS (Network and Distributed System Security) Symposium 2019, held in San Diego, revealing that cellular networks have vulnerabilities that can potentially expose not only 4G but also 5G LTE protocols to IMSI capturing attacks.
The findings of their research have been published in a paper titled “Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information.” Purdue University researchers Syed Rafiul Hussain, Elisa Bertino, and Ninghui Li and the University of Iowa researchers Mitziu Echeverria and Omar Chowdhury collectively conducted this research.
According to their research [PDF], the newly identified vulnerabilities can let remote attackers bypass the security layers in 4G and 5G, as a result of which IMSI (international mobile subscriber identity) capturing devices such as Stingrays can easily intercept users' phone conversations to detect their location.
Reportedly, there are three types of attacks that can be launched using these vulnerabilities. In fact, Hussain, co-author of the paper and a member of the research team, claims that anyone having “a little knowledge of cellular paging protocols” can carry out the attack.
The first attack is called “Torpedo” and exploits a flaw in the paging protocol that alerts mobile phone users about incoming calls and messages. If a user starts and cancels calls multiple times within a brief period, a paging message can be sent without alerting the device to an incoming call.
This lets attackers track the device’s location and also use the device to launch two other attacks. If a user’s paging is identified by an attacker, it becomes quite easy to hijack the paging channel or to reject paging messages. The attacker can also launch fake Amber alerts or completely block paging messages.
The second attack is called “Piercer” and lets an attacker determine the IMSI of the device on the 4G network. The third attack is the IMSI-Cracking attack, in which an attacker brute-forces the encrypted IMSI number on both 4G and 5G networks. Hence, even the most recent and highly advanced 5G devices are at risk from Stingrays.
Hussain further explained that Torpedo affects all mainstream US operators, including T-Mobile, Sprint, AT&T, and Verizon, and that an unnamed network is vulnerable to Piercer. If the attacks are conducted via radio equipment, it will cost just $200.
It is worth noting that the flaws aren’t permanent, but patches may not be released immediately. To fix Torpedo and IMSI-Cracking, the GSMA has to get directly involved in finding the solution, while to deal with Piercer, the carriers will need to come forward.