A team of researchers has disclosed their findings at the NDSS (Network and Distributed System Security) symposium 2019 held in San Diego, revealing that cellular networks have certain vulnerabilities that can potentially affect not only 4G but 5G LTE protocols to IMSI capturing attacks.
The findings of their research have been published in a paper titled “Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information.” Purdue University researchers Syed Rafiul Hussain, Elisa Bertino, and Ninghui Li and the University of Iowa researchers Mitziu Echeverria and Omar Chowdhury collectively conducted this research.
According to their research [PDF], the newly identified vulnerabilities can let remote attackers bypass the security layers in 4G and 5G due to which IMSI (International mobile subscriber identity) capturing devices such as Stingrays can easily intercept phone conversations of users to detect their location.
Reportedly, there are three types of attacks that can be launched using these vulnerabilities.
In fact, Hussain, co-author of the paper and a member of the research team, claims that anyone having “a little knowledge of cellular paging protocols” can carry out the attack.
Damn the ToRPEDO
When there is a call, text or push notification to be delivered to an idle device, the network’s Mobile Management Entity (MME) mechanism asks the nearest base station to the device to broadcast a paging message, which includes the Temporary Mobile Subscriber Identity (TMSI) of the device.
The TMSI is randomly assigned by the MME and is used to cloak the IMSI from side-channel attacks.
The TMSI is supposed to change on a regular basis; however, previous sniffing attacks have been demonstrated that take advantage of the fact that this is not always the case.
The TMSI is randomly assigned by the MME and is used to cloak the IMSI from side-channel attacks.
The TMSI is supposed to change on a regular basis; however, previous sniffing attacks have been demonstrated that take advantage of the fact that this is not always the case.
“An attacker places multiple phone calls to the victim device in a short period of time and sniffs the paging messages,” the researchers explained. “If the most frequent TMSI among the paging messages appears frequently enough, then the attacker concludes that the victim device is present.”
These attacks are mitigated if the TMSI is changed frequently and if the MME uses random, unpredictable values for any new TMSI; however, ToRPEDO shows that even if different and unrelated TMSIs are used in every two subsequent paging messages, it’s possible to carry out a similar attack to verify whether a victim user is present in a geographical cell.
“ToRPEDO … is able to verify whether a victim device is present in a geographical cell with less than 10 calls, even under the assumption that the TMSI changes after each call,” according to researchers. “Furthermore, in the process, the attacker learns exactly when a device wakes up to check for paging messages and seven bits of information of the device’s IMSI.”
Rather than sniffing the link between a call made by the attacker and the resulting paging message, as earlier attacks have done, the ToRPEDO takes advantage of the fact that the paging protocol requires synchronization between the base station and the device.
“The LTE paging protocol uses a paging cycle of T frames, each of which is 10ms long,” said the report.
“The default value of T is 128. Each device has a Paging Frame Index (PFI), which is determined by its IMSI, and the device wakes up only once during a paging cycle, at the frame indexed by its PFI.
The base station broadcasts the paging message for the device at these frames.
When multiple calls for a device are made, their corresponding paging messages will occur in frames indexed by the same PFI.
When the base rate of paging messages is low, that is, paging messages only appear in a small fraction of all frames, the attacker can identify which PFI is ‘too busy,’ and thus the victim device’s PFI.”
ToRPEDO leverages all available information, including the exact delay between the time when the call is made and the time when the paging message is observed, and the exact number of paging records in each frame. ToRPEDO calculates the likelihood of seeing the observations of paging messages when the victim device’s PFI takes any one value, as well as when the victim’s device is not present.
“If the ratio between the top two candidates’ likelihood is above a predefined threshold, we can conclude that the user is present in the current cell and the user’s PFI is the candidate with the highest likelihood,” researchers said. “In our experiments, this approach yields the highest accuracy (100 percent) while requiring only eight phone calls on average.”
With ToRPEDO, the attacker can detect the victim’s presence in any cellular area, provided that the attacker has a sniffer in that area; and, it can enable the attacker to detect the connection status (i.e., idle/connected) of the victim’s device.
Beyond imprecise location-tracking and device status, ToRPEDO opens the door to much more serious attacks. For instance, once the attacker knows the victim’s paging occasion from ToRPEDO, the attacker can hijack the victim’s paging channel.
“This would consequently enable the attacker to mount a denial-of-service attack by injecting fabricated, empty paging messages, thus blocking the victim from receiving any pending services (e.g., SMS). The attacker can also inject fabricated emergency messages (e.g., Amber alert) using paging channel hijacking,” said researchers.
Also, the researchers were able to validate that a tweet mentioning the victim’s Twitter handle triggers paging if the victim sets the Twitter app with push notifications on. This allows the attacker to associate a Twitter persona with a specific phone and phone number – and this likely extends to other services with push notifications, allowing he or she to start building a personal profile of the victim.
Pierce attack
The second attack is called “Pierce” that lets an attacker determine the IMSI of the device on the 4G network.
The third attack is IMSI-Cracking attack in which an attacker brute-force the encrypted IMSI number on both 4G and 5G networks.
Hence, even the most recent and highly advanced 5G devices are at risk of Stingrays.
Hussain further explained that Torpedo affects all mainstream US operators including T-Mobile, Sprint, AT&T, and Verizon and an unnamed network us vulnerable to Piercer.
If attacks are conducted via radio equipment, it will cost just $200.
It is worth noting that the flaws aren’t permanent but patches may not be released immediately.
To fix Torpedo and IMSI-Cracking, the GSMA has to directly get involved in finding the solution while to deal with Piercer, the carriers will need to come forward.