New privacy-breaking attacks against phones on 4G and 5G cellular networks

Three new attacks can be used to track the location and intercept calls of phone users connected to 4G and 5G cellular networks, researchers from Purdue University and The University of Iowa have revealed.


About the attacks

Syed Rafiul Hussain, Mitziu Echeverria, Omar Chowdhury, Ninghui Li and Elisa Bertino have come up with three distinct attacks taking advantage of design weaknesses and implementation oversights of the cellular paging protocol:

  • The ToRPEDO (TRacking via Paging mEssage DistributiOn) attack can be used to verify whether a target device is present in a certain cell area and to enable
  • The PIERCER (Persistent Information ExposuRe by the CorE netwoRk) attack, which enables an attacker with the knowledge of the victim’s phone number, a sniffer, and a fake base station in the victim’s geographical cell to associate the victim device’s IMSI with its phone number, and
  • The IMSI-Cracking attack, which allows an attacker with the knowledge of the victim’s phone number to uncover the victim’s IMSI in less than 13 hours by performing a brute-force attack.

ToRPEDO and IMSI-Cracking are applicable to 4G and 5G networks. PIERCER can be leveraged against victims on a 4G network.

“For ToRPEDO to be successful, an attacker needs to have a sniffer in the same cellular area as the victim. If the number of possible locations that the victim can be in is large, the expense of installing sniffers (i.e., $200 each) could be an impediment to carrying out a successful attack,” the researchers explained.

“In a similar vein, for a successful PIERCER, the attacker needs to have a paging message sniffer and also a fake base station which would cost around $400. The IMSI-Cracking attack for 4G will be feasible only in cases where the attacker can carry out his attack without the victim noticing that his device is not receiving any notifications, for instance, when the victim is sleeping at night.”

They have validated ToRPEDO against 4G networks of three Canadian service providers and all the US service providers (AT&T, Verizon, Sprint, T-Mobile) and PIERCER against one major US service provider and 3 major service providers of a South Asian country. They also believe that PIERCER may be feasible for other service providers in Europe, China and Russia, as they broadcast IMSIs (instead of randomly generated TMSIs – Temporary Mobile Subscriber Identities) in paging messages.

They have not tested the ToRPEDO and IMSI-Cracking attacks on 5G as there is currently a lack of deployed networks.

For more technical details about each attack, check out the researchers’ paper.

What now?

The researchers shared their findings with the GSMA, which represents the interests of mobile network operators across the globe, and the GSMA has acknowledged them.

Hussain told TechCrunch that it’s on the GSMA to fix the flaws that allow ToRPEDO and IMSI-Cracking attacks, but that carriers must implement a fix for PIERCER.

The researchers have also put forward a number of countermeasures against ToRPEDO and zeroed in on one that adds fake paging messages in order to perturb the paging message distribution. Once it’s implemented, the time and effort required to mount a successful attack would simply be too much for most attackers.
