Very little is perfect, but sometimes it can take time to find the flaws. Did you know that 4G and 5G networks are vulnerable to call interception and caller location tracking?
What’s This All About?
The cellular paging protocol balances a device’s energy consumption against quality of service by letting the device periodically poll for incoming services while it sits in its idle, low-power state. The exact polling periods (the device’s paging occasions) are fixed by design in the 4G/5G cellular protocol. This means an attacker near the victim can exploit paging weaknesses to associate the victim’s identity (e.g., phone number, Twitter handle) with the device and gain access to the phone. What is troublesome is that the attack needs only modest equipment -- about $200 to $400 of radio hardware.
The researchers discovered that several phone calls placed and cancelled in quick succession trigger paging messages without the victim’s device ever alerting its user to an incoming call. An attacker can use this to track the victim’s location. Knowing the victim’s location also allows the attacker to hijack the paging channel and inject or suppress paging messages, for example by spoofing emergency messages such as Amber alerts or by blocking messages altogether.
Enter ToRPEDO
Using an attack mechanism referred to as ToRPEDO (TRacking via Paging mEssage DistributiOn), attackers can detect the victim’s presence in any cellular area. ToRPEDO exploits a weakness in the paging protocol used by carriers to notify a phone that a call or text is coming. The attacker needs a sniffer in that area to enable him or her to detect the connection status (idle/connected) of the victim’s device.
The ToRPEDO tool opens up the victim’s device to more serious attacks. For example, once the attacker knows the victim’s paging occasion by using ToRPEDO, he or she can hijack the victim’s paging channel.
ToRPEDO enables an attacker to verify a victim’s location, substitute their own paging messages, and ultimately mount denial-of-service attacks. The paper authors believe they can demonstrate that an attacker can retrieve a victim device’s persistent identity, the International Mobile Subscriber Identity (IMSI): a unique number, usually fifteen digits, that identifies a GSM subscriber. IMSI cracking works against all 4G and 5G networks vulnerable to ToRPEDO.
Then There Is PIERCER
ToRPEDO also enables two other new attacks that lead to full recovery of the device’s IMSI. The researchers identified an implementation oversight at several network providers which lets the attacker launch PIERCER, which associates a victim’s phone number with its IMSI and so allows targeted user location tracking.
The researchers discovered that some service providers use IMSIs instead of TMSIs in paging messages. The Temporary Mobile Subscriber Identity (TMSI) is a short-lived identifier that GSM networks use in place of the IMSI to protect the subscriber’s privacy. Using ToRPEDO, an attacker who knows a phone number can use a sniffer and a fake base station in the victim’s cell area to associate the victim device’s IMSI with its phone number. The attacker then hijacks the victim’s paging channel and places a single silent phone call. The attacker’s sniffer captures the IMSI when the network pages by IMSI, completing the attack.
PIERCER lowers the bar for prior attacks that required knowledge of the victim’s IMSI: knowing the victim’s phone number is now sufficient to mount them.
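As an added example, not from the article or the researchers’ tooling, here is a small Python audit that a carrier or a researcher with a passive trace could run over paging records to check for the two conditions described above: pages that carry an IMSI rather than a TMSI (the PIERCER precondition), and repeated pages of one identity within a short window (the pattern left by the call-and-cancel probing that ToRPEDO relies on). The record format, the thresholds and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample paging records: "<seconds> <identity type> <identity>".
SAMPLE_LOG = """\
100.0 TMSI 0x1a2b3c4d
100.2 IMSI 001010123456789
101.5 TMSI 0x1a2b3c4d
103.1 IMSI 001010123456789
105.9 IMSI 001010123456789
108.4 IMSI 001010123456789
112.0 IMSI 001010123456789
200.0 TMSI 0x99887766
"""
LINE = re.compile(r"^(?P<t>\d+(?:\.\d+)?)\s+(?P<kind>IMSI|TMSI)\s+(?P<id>\S+)$")

def parse_paging_log(text):
    """Return (time, kind, identity) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            records.append((float(m["t"]), m["kind"], m["id"]))
    return records

def imsi_paging_share(records):
    """Fraction of pages carrying the permanent IMSI instead of a TMSI;
    anything beyond a rare error-recovery case is the PIERCER precondition."""
    if not records:
        return 0.0
    return sum(1 for _, kind, _ in records if kind == "IMSI") / len(records)

def paging_bursts(records, window=15.0, threshold=4):
    """Identities paged >= threshold times inside any `window` seconds: the
    repeated-page pattern a ToRPEDO-style probe leaves (not proof by itself)."""
    times = defaultdict(list)
    for t, kind, ident in records:
        times[(kind, ident)].append(t)
    flagged = {}
    for key, ts in times.items():
        ts.sort()
        best = j = 0
        for i in range(len(ts)):
            while j < len(ts) and ts[j] - ts[i] <= window:
                j += 1
            best = max(best, j - i)  # pages in the window starting at ts[i]
        if best >= threshold:
            flagged[key] = best
    return flagged
```

A high IMSI share points at the carrier-side fix for PIERCER; bursts only flag candidates that still need correlation with call records before anyone calls them an attack.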
Where’s the Fix?
The mobile community was publicly informed of these issues at the Network and Distributed Systems Security Symposium recently held in San Diego. The researchers have shared their findings with mobile carriers as well as the GSM Association.
One of the concerns is that cell site simulators called “stingrays” can defeat newer protections that were meant to make listening in on phone calls harder. The GSMA will have to fix the ToRPEDO and IMSI-cracking flaws, while fixing PIERCER depends entirely on each of the mobile carriers. The opinion is that fixing ToRPEDO should be a high priority for GSM network operators. The attacks work best when the device user is asleep or not using their cell phone, which can be a long window of vulnerability.