New security flaw impacts 5G, 4G, and 3G telephony protocols

By Catalin Cimpanu for Zero Day | January 31, 2019 -- 15:52 GMT (07:52 PST) | Topic: Security

5G

A new vulnerability has been discovered in the upcoming 5G cellular mobile communications protocol. Researchers have described this new flaw as more severe than any of the previous vulnerabilities that affected the 3G and 4G standards.

Further, besides 5G, this new vulnerability also impacts the older 3G and 4G protocols, providing surveillance tech vendors with a new flaw they can abuse to create next-gen IMSI-catchers that work across all modern telephony protocols.

This new vulnerability has been detailed in a research paper named "New Privacy Threat on 3G, 4G, and Upcoming5G AKA Protocols," published last year.

According to researchers, the vulnerability impacts AKA, which stands for Authentication and Key Agreement, a protocol that provides authentication between a user's phone and the cellular networks.

The AKA protocol works by negotiating and establishing keys for encrypting the communications between a phone and the cellular network.

Current IMSI-catcher devices target vulnerabilities in this protocol to downgrade AKA to a weaker state that allows the device to intercept mobile phone traffic metadata and track the location of mobile phones.

The AKA version designed for the 5G protocol --also known as 5G-AKA-- was specifically designed to thwart IMSI-catchers, featuring a stronger authentication negotiation system.

SEE: How 5G will transform business (ZDNet special report) | Download the report as a PDF (TechRepublic)

But the vulnerability discovered last year by academics from SINTEF Digital Norway, ETH Zurich, and the Technical University in Berlin allows surveillance tech vendors to create a new class of IMSI-catchers.

We say "a new class" because this vulnerability doesn't allow the same type of tracking as old IMSI-catchers. Instead of intercepting mobile traffic metadata, this new vulnerability reveals details about a user's mobile activity, such as the number of sent and received texts and calls, allowing IMSI-catcher operators to create profiles for each smartphone holder.

Furthermore, attackers can keep track of users, even when they move away from the fake base station (IMSI-catcher device), and later briefly return in the station's coverage, with the AKA protocol leaking updated phone activity states.

"We stress that those activity patterns can be monitored remotely for a long time even if, most of the time, subscribers move away from the attack areas," said the research team.

Tracking mobile activity stats may not look dangerous, but in their paper, the researchers think otherwise, claiming the new attack can be used to spy on politicians or embassy officials:

Assuming an adversary having a fake base station nearby an embassy, he not only can learn the officials' activity when they are at the office during working hours, but also when they are not, including during evening and nights (e.g., at home) or during business trips. Therefore, such an attacker may learn if targets use different SIMs cards for private use (no activity at home). It may also infer if some specific time periods (e.g., one evening and night) were specifically busy (a lot of calls or SMSswere made yielding a big rise of SQN).

The technique can also be used for better ad targeting:

Consider for instance a shop that is willing to know more about its customers (e.g., for improving ads targeting) using fake base stations. This kind of scenario has already been re-ported [24] (using Wi-Fi capabilities of smartphones) and exploited [25] in real shops. Our attack causes a new threat in that context since it leaks to the shop typical customers' mobile consumption during time periods between customers' visit.

Furthermore, with enough IMSI-catchers deployed in an area, this new vulnerability can be easily adapted into a location-tracking attack by observing when a phone profile associated with a known user enters and leaves the coverage of the fake mobile base stations deployed in an area.

In addition, this new vulnerability can be exploited using off-the-shelve electronics equipment at smaller costs than before.

For their paper, researchers tested the new attack against a 4G network, due to the lack of 5G equipment on the market, but the attack would definitely work on 5G systems when they're going to be deployed.

"We followed the responsible disclosure procedure and reported our findings to the 3GPP [the standards body behind 5G], GSM Association (GSMA), several manufacturers (Ericsson, Nokia, and Huawei), and carriers (Deutsche Telekom and Vodafone UK)," the research team said.

"Our findings were acknowledged by the 3GPP and GSMA, and remedial actions are underway to improve the protocol for next generation," they added. "While 5G AKA will suffer from our attack in the first deployment of 5G (Release 15, phase 1), we are still hopeful that 5G AKA could be fixed before the deployment of the second phase (Release 16, to be completed by the end of 2019)."

This research, while describing the most severe vulnerability impacting the upcoming 5G protocol, isn't the only one touching on 5G's problematic security issues.

For example, two other academic studies from French and Finnish researchers also found that IMSI-catcher attacks are still possible against the upgraded 5G-AKA protocol, despite 3GPP's claims.

Three other research papers [1, 2, 3] also looked at the 5G-AKA protocol and found numerous other security issues, despite 3GPP and mobile telecommunications providers claiming that security would be at the top of their mind when designing 5G.

Related stories: