
New attack variant against 4G and 5G networks

These new techniques make communication-interception devices usable again

During a recent event dedicated to network security experts, a team of
researchers unveiled a set of vulnerabilities in mobile networks that impact
4G and 5G LTE protocols.

In their research, entitled “Privacy attacks against 4G and 5G cell phone
protocols,” experts say that new attack variants could allow remote access to
telecommunications by evading the security measures implemented in these
protocols, which once again makes it possible to use IMSI catchers (such as the
well-known StingRay) to intercept mobile telephony signals.

Below, network security and ethical hacking specialists from the International
Institute of Cyber Security describe how these new attack variants work:

  • Torpedo attack

This attack exploits the paging protocol in mobile telephony, allowing
malicious users to trace the location of the victim’s device. Building on this,
attackers can inject specially crafted paging messages to cause
denial-of-service (DoS) conditions.

If a device has no active communication with a cellular network, it enters a
kind of battery-saving mode. Before a call or text message reaches a device,
the cellular network sends it a paging message to announce the incoming call or
message. This message also includes a value known as the Temporary Mobile
Subscriber Identity (TMSI), which does not change very frequently.

Network security specialists found that if an attacker places and hangs up
phone calls repeatedly over a short period of time, the database updates the
TMSI value more often than usual when sending the paging messages. If an
attacker detects these paging messages using an IMSI catcher, they can verify
whether the victim is within a range where it is possible to intercept their
communications.
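
From the operator's side, the call-and-hang-up pattern described above is visible in call records. The following detection sketch is an added example, not code from the researchers or from this article; the record layout, the phone numbers and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample call records, not real data. Assumed fields:
# (call setup time, caller, callee, seconds of ringing, answered?)
T0 = datetime(2019, 3, 1, 12, 0, 0)
SAMPLE_RECORDS = (
    # Six rapid call-and-hang-up attempts against one subscriber.
    [(T0 + timedelta(seconds=5 + 10 * i), "+15550199", "+15550100", 2.0, False)
     for i in range(6)]
    # Five short missed calls spread over 20 minutes: slow redial, not a burst.
    + [(T0 + timedelta(minutes=5 * i), "+15550177", "+15550144", 3.0, False)
       for i in range(5)]
    + [
        (T0, "+15550111", "+15550122", 20.0, True),                          # answered call
        (T0 + timedelta(seconds=30), "+15550155", "+15550133", 25.0, False),  # rang out normally
    ]
)


def find_call_bursts(records, window=timedelta(seconds=60), min_calls=5, max_ring=5.0):
    """Flag callees that receive >= min_calls short, unanswered calls within `window`."""
    # Thresholds are illustrative assumptions; tune them against real traffic.
    recent = defaultdict(deque)   # callee -> (time, caller) of recent aborted calls
    quiet_until = {}              # callee -> time before which repeat alerts are suppressed
    alerts = []
    for ts, caller, callee, ring_s, answered in sorted(records, key=lambda r: r[0]):
        if answered or ring_s > max_ring:
            continue              # a normal call, not a hang-up probe
        q = recent[callee]
        q.append((ts, caller))
        while ts - q[0][0] > window:   # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= min_calls and quiet_until.get(callee, datetime.min) <= ts:
            alerts.append({
                "callee": callee,
                "start": q[0][0],
                "end": ts,
                "attempts": len(q),
                "callers": sorted({c for _, c in q}),
            })
            quiet_until[callee] = ts + window
    return alerts


if __name__ == "__main__":
    for alert in find_call_bursts(SAMPLE_RECORDS):
        print(alert)
```

Grouping by callee rather than by caller keeps the check effective when the attempts come from several numbers.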

Network security specialists say the Torpedo
attack impacts 4G and 5G protocols; they also add that this attack was tested
against mobile phone service providers in the United States and Canada.

  • IMSI cracking and PIERCER attacks

In addition, the Torpedo attack appears to enable two other attack variants,
called IMSI cracking and PIERCER.

The Persistent Information Exposure by the Core Network (PIERCER) attack exists
due to a design error and allows attackers to link the victim’s IMSI to their
phone number.

“Some service providers use IMSI instead of TMSI in paging messages to identify
devices with outstanding services,” the experts mention in their paper. “A
manual test revealed that it is possible to give the service provider the
impression that an exceptional case is occurring that forces it to disclose the
victim’s IMSI,” the experts concluded.

With the victim’s IMSI number, attackers can launch other variants of
previously discovered attacks, using IMSI catchers to gain full access to
victims’ phone communications.
