Researchers identify 4G and 5G network protocol flaw
Attackers could identify the network cell a user’s device is located in and potentially steal its IMSI number
Researchers from Purdue University and the University of Iowa have identified a flaw in the implementation of 4G and 5G mobile networks that could enable an attacker to steal a smartphone’s identity.
In their paper Privacy attacks to the 4G and 5G cellular paging protocols using side channel information, the researchers described how they created a proof-of-concept attack called ToRPEDO (TRacking via Paging mEssage DistributiOn), which used low-cost hardware and software.
“All of our attacks have been validated in a realistic setting for 4G using cheap software-defined radio and open source protocol stack,” said the researchers.
According to the researchers, the attack relies on a weakness in the paging protocol that a 4G or 5G network uses to wake up a smartphone. The protocol is used to wake up the mobile when there is an incoming call, an SMS, or a message or update from a messaging app.
“In cellular networks, when a device is not actively communicating with a base station, it enters an idle, low-energy mode to conserve battery power,” the researchers wrote in the paper. “When there is a phone call or an SMS message, it needs to be notified. This is achieved by the paging protocol.”
The paging protocol assigns a random temporary mobile subscriber identity (TMSI), and the researchers found that because the TMSI is changed infrequently, it is possible for an attacker to learn exactly when a device wakes up to check for paging messages and to discover the device’s geographical location.
The researchers also said that ToRPEDO enables an attacker with knowledge of the victim’s phone number to retrieve the international mobile subscriber identity (IMSI) by launching a brute-force attack.
They said a ToRPEDO-based attack relies on the ability to send multiple messages or phone calls to a targeted device. These messages can be sent discreetly, so the user is unaware that the attack is taking place.
However, the researchers noted: “For ToRPEDO to be successful, an attacker needs to have a network sniffer device in the same cellular area as the victim. If the number of possible locations that the victim can be in is large, the expense of installing sniffers ($200 each) could be an impediment to carrying out a successful attack.”