A group of academics have discovered three new security flaws in 4G and 5G networks which they say could be used by attackers to intercept phone calls and track the locations of smartphone users.
This is the first time that vulnerabilities have been found that affect both 4G and the upcoming 5G standard in relation to law enforcement’s use of cell site simulators often referred to as “stingrays”.
Syed Raiful Hussain, Ninghui Li, Elisa Bertino, Mitziu Echeverria and Omar Chowdhury all contributed to a research paper titled “Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information” which details how these new vulnerabilities can defeat even the latest protections in 5G designed to make it more difficult to spy on mobile users.
The researchers are set to reveal their findings at the Network and Distributed System Security Symposium in San Diego this week.
Torpedo, Piercer and IMSI-Cracking attacks
The first of the attacks the group discovered is called Torpedo which exploits a weakness in the paging protocol used by carriers to notify a phone before a call or text message comes through. The researchers found that several phone calls made and canceled within a short time period can trigger a paging message without alerting the target device to an incoming call and this can be exploited by an attacker to track a victim’s location. Once a victim’s paging location is known, an attacker can then hijack the paging channel to inject or deny paging messages.
Once the Torpedo attack has been carried out, attackers can then launch a Piercer attack which allows them to determine an international mobile subscriber identity (IMSI) on a 4G network. The IMSI-Cracking attack can then be used to force an IMSI number on both 4G and 5G networks where IMSI numbers are protected with encryption.
These attacks put even the newest 5G-capable devices at risk from stingrays and Hussain points out that all four major US carriers are affected by Torpedo. Attackers can carry out these attacks with just $200 worth of radio equipment.
Outside of the US, almost all cell networks are vulnerable to these attacks including several networks in Europe and Asia.
Hussain and the other researchers have reported these flaws to the GSMA and the industry body representing mobile operators will likely fix the Torpedo and IMSI-Cracking flaws first. Fixing the Piercer vulnerability will be up to carriers though Torpedo remains the priority as all of the other flaws depend on it to work.