It’s hard to talk about the vulnerabilities in cellular technology without increasing the amount of fear, uncertainty, and doubt. There is already much uncertainty around cell-site simulators (CSS, aka Stingrays), their capabilities, and how widely they are used. Partly this is because of the veil of secrecy that has surrounded the workings of commercial cell-site simulators thanks to the widespread use of non-disclosure agreements by the manufacturing companies like Rayzone and Harris Corporation. The privacy threats posed by CSSs are undoubtedly dire, but we need to keep our hypothesis about their capabilities and the scope of their use grounded in facts and research.
One good source for research about potential capabilities for cell site simulators has been academia. A number of fantastic papers explore vulnerabilities in 2G, 3G, and 4G which are potentially the same ones exploited by commercial CSSs.
The upcoming 5G protocol for cellular communications promised many improvements over the current 4G standard, including a claim that it would protect mobile users from cell-site simulators. But here’s the catch: new research suggests that it won’t. Researchers from ETH Zurich and Technische Universität Berlin have discovered that a flaw in the Authentication and Key Agreement (AKA) protocol (used in 3G, 4G, and the upcoming 5G standard) allows for a new privacy attack against all variants of the protocol.
The AKA protocol is the mechanism by which a phone and tower mutually verify each other’s authenticity and establish shared keys to protect future communications. Previous generations of the AKA protocol used in 3G and 4G have already been shown to be insufficient by some of the same researchers, who have demonstrated attacks exploiting information leaks allowing an attacker to derive the subscriber’s location. These attacks are likely the same ones used by newer generations of cell-site simulators that purportedly work natively on the 4G standard, such as the Hailstorm.
The standards body in charge of 5G—the 3rd Generation Partnership Project, or 3GPP—has improved AKA to mitigate those well-known privacy issues. However, the researchers say, they have been able to find a new vulnerability that affects all versions of the AKA, including in the upcoming 5G standard. And what's more, the researchers say that this new attack “breaches subscribers’ privacy more severely than known location privacy attacks do.”
The newly discovered vulnerability allows an attacker who can intercept mobile traffic in the area (meaning anyone with a software-defined radio costing around $500) to monitor individual subscriber activity, such as the number of outgoing calls or SMSs sent in a given amount of time (but not the metadata or contents of the messages.) On top of that, the technique can tell an attacker how many calls or text messages an individual victim sent even if the victim is not near the attacker when the calls or texts are sent. Instead, after the first time the victims enters the attack area and subsequently leaves the area, even past call and text activity would become vulnerable as soon as the victim and their device re-enters the attack area.
What’s even more troubling is this attack provides a new way to track a user’s location not just over 3G and 4G, but even over 5G. Location tracking seems to be the most common use for IMSI catchers by American law enforcement and this vulnerability could provide the next generation of CSSs with a way to track user location, even over 5G.
It’s important to keep in mind here that, for cases of lawful intervention from law enforcement agencies, there are better ways than this attack technique to get location information, such as getting a warrant and getting the information directly from the phone companies. People working outside the legal system, such as spies and criminals, cannot get warrants and cannot typically work directly with the phone companies. Law enforcement does not need the location-finding capabilities of an IMSI catcher unless they are trying to circumvent the legal system.
Of course, there are already known attacks that allow for tracking a mobile user’s location over 4G. However, this attack would continue to work even if the currently known vulnerabilities in 4G were fixed.
The researchers have notified members of the 5G standards body about their discovery and expect it to be fixed in the next iteration of the protocol.