Security weaknesses in 5G, 4G and 3G could expose users’ locations

Fifth generation (5G) wireless test networks are barely in the ground and already researchers say they’ve uncovered new weaknesses in the protocol meant to secure it.

5G security is built around 5G AKA (Authentication and Key Agreement), an enhanced version of the AKA protocol already used by 3G and 4G networks.

A big issue this was supposed to address was the ease with which surveillance of 3G and 4G devices can be carried out using fake base stations known as IMSI catchers (International Mobile Subscriber Identity-catcher, sometimes called ‘StingRays’).

Disappointingly, according to a research paper, New Privacy Threat on 3G, 4G, and Upcoming 5G AKA Protocols, made public late last year, 5G AKA might not solve this thanks to deeper issues with the AKA protocol on which it is based.

As the name suggests, IMSI catchers work by tricking devices into connecting to them instead of the real base station, exploiting the fact that under GSM (the Global System for Mobile Communication mobile phone standard), devices prioritise closer and stronger signals.

Luring a smartphone to connect to a fake base gives attackers the power to identify the device’s owner, track their physical location, and potentially execute a downgrade attack by asking it to remove security such as encryption.

In doing this, IMSI catchers are aided by the fact that while the device will authenticate itself via its unique subscriber identity, the base station isn’t required to authenticate in return.

That sounds like an open invitation to hackers but it seemed logical in the early days of mobile networks when interoperability with lots of different companies’ base stations was a priority.

Under 5G, fake base stations would still in be possible, but the subscriber’s identity would be hidden using public key encryption managed by the mobile network.

Activity monitoring

Nevertheless, the researchers suggest that because some of 5G AKA’s architecture is inherited from standard 3G and 4G AKA, this encryption could be defeated by what the researchers call an “activity monitoring attack.”

Essentially, an attacker might use inference to identify an individual even when they can’t access that data directly by monitoring Sequence Numbers (SQNs), which are set every time a device connects to the mobile network.

By monitoring every occasion a target device enters the range of the IMSI catcher, the attackers can build up a picture of how that device is used, including when it is not in range. Specifically:

The attacker can relate the number of AKA session some UE [User Equipment] has performed in a given period of time to its typical service consumption during that period.

Although under 5G, an attacker can’t see the contents of communications or its metadata, the ability to model the pattern of a device’s connections might allow an eavesdropper to calculate the identity of a device.

For anyone worried about privacy, two pieces of good news emerge from all of this.

First, a new generation of IMSI catchers will be needed exploit these weaknesses, and these will also require a lot more time and sophistication to do the sort of location tracking that under 3G and 4G today seems to be quick and easy – this buys time for defenders.

The second is that the researchers are scrutinising 5G security in its first phase of deployment, making it possible to do something about the issue in the second phase, hopefully before there are any exploits:

Our findings were acknowledged by the 3GPP and GSMA and remedial actions are underway to improve the protocol for next generation.

There’s little doubt that IMSI catchers have become a popular technique for police, intelligence services and criminals to monitor people they’re interested in.

They’re also popular for espionage, with the US Department of Homeland Security (DHS) confirming it had found rogue access points in Washington suspected of having been planted by unfriendly nation states.