A report from TechCrunch details three new serious security flaws in both 4G and 5G networks, one of which affects all four major US carriers in addition to many more networks around the world. The vulnerabilities allow attackers to track a user’s location and intercept phone calls.
Interestingly, the flaws discovered by researchers at Purdue University and the University of Iowa impact both 4G and 5G. Syed Rafiul Hussain, Ninghui Li, Elisa Bertino, Mitziu Echeverria, and Omar Chowdhury previously shared their findings with the major US wireless carriers and are set to present their research at the Distributed System Security Symposium in San Diego tomorrow.
“Any person with a little knowledge of cellular paging protocols can carry out this attack,” Syed Rafiul Hussain, one of the co-authors of the paper, told TechCrunch in an email.
The first is Torpedo, which exploits a weakness in the paging protocol that carriers use to notify a phone before a call or text message comes through. The researchers found that several phone calls placed and cancelled in a short period can trigger a paging message without alerting the target device to an incoming call, which an attacker can use to track a victim’s location. Knowing the victim’s paging occasion also lets an attacker hijack the paging channel and inject or deny paging messages, by spoofing messages like Amber alerts or blocking messages altogether, the researchers say.
Torpedo also allows attackers to leverage two more flaws:
Piercer, which the researchers say allows an attacker to determine an international mobile subscriber identity (IMSI) on the 4G network; and the aptly named IMSI-Cracking attack, which can brute force an IMSI number in both 4G and 5G networks, where IMSI numbers are encrypted.
The researchers say that an attacker only needs about $200 worth of equipment to take advantage of the Torpedo flaw. Notably, many other networks around the globe are vulnerable to these attacks as well.
Given two of the attacks exploit flaws in the 4G and 5G standards, almost all the cell networks outside the U.S. are vulnerable to these attacks, said Hussain. Several networks in Europe and Asia are also vulnerable.
The researchers aren’t publishing the proof-of-concept code at this point for security reasons. In addition to carriers, they also shared the flaws with the GSM Association.
Fixes will require work from both carriers and the GSM Association.
Hussain said the Torpedo and IMSI-Cracking flaws would first have to be fixed by the GSMA, whereas a fix for Piercer depends solely on the carriers. Torpedo remains the priority as it is a precursor to the other flaws, said Hussain.