A new cellular network vulnerability affecting both the 4G and 5G LTE protocols was revealed by a team of university researchers at the NDSS Symposium 2019.
They have published a paper titled “Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information.” It states that the new attacks let remote attackers bypass the security protections built into 4G and 5G, re-enabling IMSI-catching devices such as “Stingrays” to intercept users’ phone calls and track their location.
Let us take a look at the attacks, how they work, their impact, and the main concerns they raise.
ToRPEDO Attack — Location Verification, DoS, Inject Fake Alerts
ToRPEDO stands for “TRacking via Paging mEssage DistributiOn.” The attack leverages the paging protocol, letting remote attackers verify a victim device’s location, inject fabricated paging messages, and mount denial-of-service (DoS) attacks.
When a device is not communicating with the cellular network, it enters an idle mode, a low-energy state that saves battery power.
When the device is in idle mode and a message or phone call arrives for it, the cellular network first sends a paging message to notify the device of the incoming call or text.
The paging message also carries the device’s “Temporary Mobile Subscriber Identity” (TMSI), a value that does not change frequently.
If an attacker initiates and immediately cancels calls numerous times within a short period, the base station updates the TMSI value very frequently while sending the paging messages.
So an attacker who sniffs the paging messages, using a device such as a Stingray, can verify whether a targeted cellular user is within interception range.
The ToRPEDO attack affects both the 4G and 5G LTE protocols. The researchers also verified ToRPEDO against 3 Canadian service providers and all of the US service providers.
Once the attackers know the victim’s paging location from the ToRPEDO attack, they can hijack the paging channel, allowing them to send fabricated emergency messages and to mount a denial-of-service attack by injecting fabricated, empty paging messages, thereby blocking the victim from receiving any pending services.
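The burst of initiated-and-cancelled calls that ToRPEDO relies on is visible to the operator as repeated pages to one subscriber that never end in an answered call. The following is an added example (not code from the paper or any operator) of a simple core-network-side detector for that pattern; the log format, event names, threshold and window are all assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not from the paper or any operator). The format is an
# assumption: "<ISO timestamp> <TMSI> <EVENT>", EVENT one of PAGE_SENT,
# CALL_CANCELLED, CALL_ANSWERED. TMSI-0A1B is paged and cancelled five times.
SAMPLE_LOG = """\
2019-02-25T10:00:00 TMSI-0A1B PAGE_SENT
2019-02-25T10:00:02 TMSI-0A1B CALL_CANCELLED
2019-02-25T10:00:03 TMSI-7F3C PAGE_SENT
2019-02-25T10:00:05 TMSI-0A1B PAGE_SENT
2019-02-25T10:00:07 TMSI-0A1B CALL_CANCELLED
2019-02-25T10:00:09 TMSI-7F3C CALL_ANSWERED
2019-02-25T10:00:10 TMSI-0A1B PAGE_SENT
2019-02-25T10:00:12 TMSI-0A1B CALL_CANCELLED
2019-02-25T10:00:15 TMSI-0A1B PAGE_SENT
2019-02-25T10:00:17 TMSI-0A1B CALL_CANCELLED
2019-02-25T10:00:20 TMSI-0A1B PAGE_SENT
2019-02-25T10:00:22 TMSI-0A1B CALL_CANCELLED
"""

def parse_events(log_text):
    """Yield (timestamp, tmsi, event) tuples, skipping blank lines."""
    for line in log_text.splitlines():
        if line.strip():
            ts, tmsi, event = line.split()
            yield datetime.fromisoformat(ts), tmsi, event

def find_silent_call_bursts(log_text, threshold=5, window_s=60):
    """Return {tmsi: burst_size} for subscribers paged-then-cancelled
    at least `threshold` times inside a `window_s`-second sliding window."""
    pending = {}                    # tmsi -> timestamp of the last unanswered page
    cancelled = defaultdict(deque)  # tmsi -> timestamps of recent paged-then-cancelled calls
    flagged = {}
    for ts, tmsi, event in parse_events(log_text):
        if event == "PAGE_SENT":
            pending[tmsi] = ts
        elif event == "CALL_ANSWERED":
            pending.pop(tmsi, None)
            cancelled[tmsi].clear()   # an answered call is ordinary traffic: reset the burst
        elif event == "CALL_CANCELLED" and tmsi in pending:
            q = cancelled[tmsi]
            q.append(pending.pop(tmsi))
            while (q[-1] - q[0]).total_seconds() > window_s:
                q.popleft()           # drop cancels that fell out of the sliding window
            if len(q) >= threshold:
                flagged[tmsi] = max(flagged.get(tmsi, 0), len(q))
    return flagged
```

Calling `find_silent_call_bursts(SAMPLE_LOG)` flags only TMSI-0A1B (five cancelled pages in 22 seconds), while the answered call to TMSI-7F3C is ignored.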
PIERCER and IMSI-Cracking Attacks
Two other new attacks, PIERCER and IMSI-Cracking, can also be performed, leading to full recovery of the victim device’s persistent identity (the IMSI).
The PIERCER (Persistent Information ExposuRe by the CorE netwoRk) attack exists because of a design flaw and allows an attacker to associate the victim device’s unique IMSI with its phone number.
ToRPEDO also enables an attacker who knows the victim’s phone number to retrieve the victim’s IMSI, on both 4G and 5G, by launching a brute-force attack.
Once the attackers have the IMSI, they can launch previously discovered attacks that let them snoop on the victim’s calls and location information using IMSI catchers such as Stingrays and DRTBox, even if the victim owns a new 5G handset. This is the main reason these attacks are a cause for concern.