At NDSS Symposium 2019, a group of university researchers yesterday revealed newly discovered cellular network vulnerabilities that impact both 4G and 5G LTE protocols.
According to a paper published by the researchers, "Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information," the new attacks could allow remote attackers to bypass security protections implemented in 4G and 5G, re-enabling IMSI-catching devices like "Stingrays" to intercept users' phone calls and track their location.
Below, we describe all three attacks: how they work, what their impact is, and why you should be concerned about them.
ToRPEDO Attack — Location Verification, DoS, Inject Fake Alerts
Short for "TRacking via Paging mEssage DistributiOn," ToRPEDO is the most concerning attack. It leverages the paging protocol, allowing remote attackers to verify a victim device's location, inject fabricated paging messages, and mount denial-of-service (DoS) attacks.
When a device is not actively communicating with the cellular network, it enters an idle mode, sort of a low-energy mode that saves device battery power.
So, when you receive a phone call or an SMS message while your device is in idle mode, the cellular network first sends a paging message to notify the device of the incoming call or text.
It should be noted that paging messages also include a value called "Temporary Mobile Subscriber Identity" (TMSI) of the device that doesn't change frequently.
However, the researchers found that if an attacker starts and then immediately cancels calls several times in a short period, the base station updates the TMSI value very frequently while sending the paging messages.
Therefore, an attacker sniffing the paging messages, through devices like Stingrays, can verify whether a targeted cellular user is within range of the interception.
"If the attacker is aware of the victim's often-visited locations, then the attacker can set up sniffers on those locations to create the victim's cell-level mobility profile," the researchers said.
The ToRPEDO attack affects both 4G and the current version of the 5G LTE protocol, and the researchers said they verified ToRPEDO against 3 Canadian service providers and all the US service providers.
With knowledge of the victim's paging occasion from the ToRPEDO attack, attackers can also hijack the paging channel, enabling them to send fabricated emergency messages or mount a denial-of-service attack by injecting fabricated, empty paging messages, thus blocking the victim from receiving any pending services.
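The trigger described above, calls to one number that are started and immediately cancelled several times in a short period, is a pattern an operator can look for in call-signalling records. The following Python detector is an added example, not code from the paper or this article; the record format, field names, and thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real data). Assumed format per line:
# timestamp caller callee seconds_until_release outcome
SAMPLE_LOG = """\
2019-02-25T10:00:00 +12025550100 +12025550199 1.1 cancelled
2019-02-25T10:00:06 +12025550100 +12025550199 0.9 cancelled
2019-02-25T10:00:11 +12025550101 +12025550199 1.4 cancelled
2019-02-25T10:00:15 +12025550130 +12025550188 22.0 answered
2019-02-25T10:00:19 +12025550100 +12025550199 1.0 cancelled
2019-02-25T10:00:27 +12025550101 +12025550199 1.2 cancelled
2019-02-25T10:03:40 +12025550140 +12025550188 2.0 cancelled
2019-02-25T10:09:02 +12025550141 +12025550188 8.5 cancelled
"""

def parse_records(text):
    """Yield (timestamp, caller, callee, seconds, outcome) tuples."""
    for line in text.splitlines():
        if line.strip():
            ts, caller, callee, secs, outcome = line.split()
            yield datetime.fromisoformat(ts), caller, callee, float(secs), outcome

def find_cancel_bursts(records, max_secs=3.0,
                       window=timedelta(seconds=60), threshold=5):
    """Flag callees that receive >= threshold quickly cancelled calls in window.

    Events are grouped by callee only, so a burst spread over several
    caller numbers is still counted as one burst against the same target.
    """
    recent = defaultdict(deque)  # callee -> (timestamp, caller) of short cancels
    alerts = {}
    for ts, caller, callee, secs, outcome in sorted(records):
        if outcome != "cancelled" or secs > max_secs:
            continue  # answered or slowly abandoned calls are normal traffic
        q = recent[callee]
        q.append((ts, caller))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold and len(q) > alerts.get(callee, {}).get("count", 0):
            alerts[callee] = {"count": len(q), "first": q[0][0], "last": ts,
                              "callers": sorted({c for _, c in q})}
    return alerts

if __name__ == "__main__":
    for callee, a in find_cancel_bursts(parse_records(SAMPLE_LOG)).items():
        print(callee, a["count"], "short cancelled calls from", a["callers"])
```
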
Piercer and IMSI-Cracking Attacks
In addition, the ToRPEDO attack also opens a door for two other new attacks—the PIERCER and IMSI-Cracking attacks, leading to the full recovery of the victim device's persistent identity (i.e., IMSI).
Existing due to a design flaw, the PIERCER (Persistent Information ExposuRe by the CorE netwoRk) attack enables an attacker to associate the victim device's unique IMSI with its phone number.
"Some service providers use IMSIs instead of TMSIs in paging messages to identify devices with pending services," the researchers explained. "A simple manual testing revealed that it is possible to give the service provider the impression that the exceptional case is occurring which forces it to reveal the victim's IMSI."
According to the researchers, the ToRPEDO attack also enables an attacker with knowledge of the victim's phone number to retrieve the victim's IMSI, on both 4G and 5G, by launching a brute-force attack.
With the IMSI number in hand, attackers can launch previously discovered attacks, potentially allowing them to snoop on the victim's calls and location information using IMSI catchers like Stingrays and DRTBox, even if the victim owns a brand new 5G handset, which is why one should be more concerned about these attacks.