Researchers reveal new privacy attack against 3G, 4G, and 5G mobile users

5G cellular mobile communications, when implemented, are expected to provide high bandwidth, low latency, energy savings, and better connectivity, but security and privacy must also be assured.

The security challenges are many but, luckily for us all, researchers are already probing the draft standard for weaknesses.

Much of the research has focused on the security and privacy of 5G AKA, the Authenticated Key Exchange standardized by the 3rd Generation Partnership Project (3GPP) for 5G.

A new, logical vulnerability in AKA

Among the most recent papers with this focus is one by researchers from SINTEF Digital (Norway), ETH Zürich and the Technical University of Berlin, who revealed a new privacy attack against all variants of the AKA protocol (including 5G AKA).

This attack could be performed via next-generation IMSI catchers – essentially fake mobile towers – and would allow attackers to:

  • Monitor users’ mobile activity (e.g., number of calls, SMSs sent in a given time);
  • Create profiles based on that information;
  • Use these profiles to monitor their activity remotely even if the users move away from the attack areas.

Attackers could, for example, spy on embassy officials: learn their activity when they are at the office during working hours, but also when they are at home or on business trips.

“Therefore, such an attacker may learn if targets use different SIM cards for private use (no activity at home). It may also infer if some specific time periods (e.g., one evening and night) were specifically busy (a lot of calls or SMSs were made yielding a big rise of SQN),” they explained.

Depending on the number of IMSI catchers deployed by the attackers in an area, they could also effectively map the movements of the targets as they leave the coverage of one fake base station and enter that of another.

Proven feasibility of the attack and expected fixes

The researchers demonstrated the practical feasibility of their attack on commercial 4G networks in several European countries by using a laptop, a Universal Software Radio Peripheral and a PC/SC-capable smartcard reader with commercial USIM cards (total cost: about 1140 euros).

“Our attack affects all 3G and 4G devices currently deployed all over the world and future 5G devices (according to the specification),” they added.

The researchers have shared their findings with the 3GPP, the GSM Association (GSMA), several manufacturers (Ericsson, Nokia, and Huawei), and carriers (Deutsche Telekom and Vodafone UK).

“Our findings were acknowledged by the 3GPP and GSMA and remedial actions are underway to improve the protocol for next generations,” they noted.

“While 5G AKA will suffer from our attack in the first deployment of 5G (i.e., Release 15, phase 1), we are still hopeful that 5G AKA could be fixed before the deployment of the second phase (Release 16, to be completed by the end of 2019).”