Flaws in cellular networks expose 4G and 5G devices to attacks by IMSI

Flaws in cellular networks

A team of researchers revealed their findings at the 2019 symposium on NDSS (Network and Distributed System Security) in San Diego, which revealed that cellular networks have certain vulnerabilities that may affect IMSI capturing attacks not only 4 G but 5 G LTE protocols.

The findings of their research have been published in a paper titled “Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information.” Purdue University researchers Syed Rafiul Hussain, Elisa Bertino, and Ninghui Li and the University of Iowa researchers Mitziu Echeverria and Omar Chowdhury collectively conducted this research.

The newly identified vulnerabilities may allow remote attackers to bypass security layers in 4 G and 5 G, which allow IMSI (International Mobile Subscriber Identity) capturing devices such as Stingrays to easily intercept user phone conversations to detect their location, according to their research [PDF].

Three types of attacks can be launched using these vulnerabilities, reportedly. Hussain, the paper’s co-author and a member of the research team, claims that anyone with “a little knowledge of cellular paging protocols” can carry out the attack.

The first attack is called “Torpedo” and exploits the defect in the paging protocol, which alerts mobile phone users to incoming calls and messages. If a user starts and cancels multiple calls within a short period of time, a paging message can be sent to identify a call without alerting the device. This allows attackers to track the location of the device and to launch two other attacks using the device.

If an attacker identifies a user’s paging, it is easy to hijack the paging channel or reject paging messages. The attacker can also launch fake Amber alerts or block paging messages completely. The second attack is called “Pierce,” which allows an attacker to determine the device’s IMSI on the 4 G network.

The third attack is IMSI-Cracking, where an attacker brute-forces the encrypted IMSI number on both 4 G and 5 G networks. Even the latest and most advanced 5 G devices are therefore at risk of Stingrays. It should be noted that the flaws are not permanent, but patches may not be immediately released.

In order to fix Torpedo and IMSI-Cracking, the GSMA must be directly involved in finding the solution while the carriers must come forward to deal with Piercer.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.