Newly discovered vulnerabilities in 4G and 5G networks could be used to intercept phone calls and track users’ locations, according to researchers at Purdue University and the University of Iowa.
“5G is trying to enforce stronger security and privacy policies than predecessors. However, it inherits many of its characteristics from previous generations, so it’s possible that vulnerabilities that exist in those generations will trickle down to 5G,” said Syed Rafiul Hussain, a postdoctoral researcher in computer science at Purdue.
Cellular networks attempt to conserve energy by only scanning for incoming calls, texts and other notifications periodically. The time periods at which the device looks for incoming communications, known as paging occasions, are fixed; they’re designed into the 4G or 5G cellular protocol. If several calls are placed and cancelled in a short period of time, when the device isn’t scanning for incoming messages, a paging message can be triggered without notifying the device.
In an attack the researchers have dubbed ToRPEDO, adversaries can use this paging message to track a victim’s location and then inject fake paging messages and stop calls and texts from coming in. The findings were presented on February 26 at the Network and Distributed Security Symposium in San Diego.
ToRPEDO can enable an adversary to verify a victim’s coarse-grained location information, inject fabricated paging messages, and mount denial-of-service attacks. In 4G and 5G, it is also plausible for an adversary to retrieve a victim device’s persistent identity (i.e., IMSI) with a brute-force IMSI-Cracking attack while using ToRPEDO as an attack sub-step.
“It doesn’t require an experienced hacker to perform this attack,” Hussain said. “Anyone with a little knowledge of cellular paging protocols could carry it out.”
Hussain said the IMSI-Cracking attack is a huge blow for 5G because it bypasses the network’s new security policies to protect users’ IMSIs from exposure.
ToRPEDO can be carried out via the networks of all four major U.S. cellular companies (AT&T, Verizon, Sprint and T-Mobile), according to the paper.
The researchers’ investigation of 4G paging protocol deployments also identified an implementation oversight by several network providers that enables an adversary to launch an attack, named PIERCER, which associates a victim’s phone number with its IMSI and subsequently allows targeted user location tracking.
PIERCER will likely soon be fixed by the networks vulnerable to it, Hussain said. The industry group that oversees the development of mobile data standards, GSMA, is working to fix ToRPEDO.
“Unfortunately, their proposed fixes are still vulnerable to the ToRPEDO attack, which could have a lasting effect on the privacy of 5G users,” Hussain said.
The report, which can be obtained by contacting Purdue, also discusses potential countermeasures against the presented attacks.