Researchers Discover Vulnerabilities in 4G and 5G Networks
A joint team of researchers from Purdue University and Iowa State University has identified several new vulnerabilities in 4G and 5G technologies that can be exploited to intercept calls and track users’ locations. These issues affect both 4G and the more secure fifth-generation (5G) mobile communication standard. The attack methods developed by the researchers can bypass the security measures in 5G that are designed to make it harder to track mobile device users. According to the researchers, “anyone with minimal knowledge of cellular protocols” could carry out these attacks.
How the Attacks Work
The first method, called ToRPEDO (TRacking via Paging mEssage DistributiOn), exploits a flaw in the protocol mobile operators use to notify devices of incoming calls or text messages. The researchers found that making and canceling several calls in a short period triggers the sending of a paging message without notifying the device of an incoming call. An attacker can use this to determine a user’s location. With this information, the attacker could intercept the paging channel, substitute messages, or block them entirely.
ToRPEDO also enables two additional attacks: Piercer, which allows identification of a subscriber's IMSI (International Mobile Subscriber Identity) in 4G networks, and IMSI-Cracking, which can be used to brute-force encrypted IMSIs in 4G and 5G networks.
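The call-and-cancel pattern that ToRPEDO relies on leaves a trace an operator can look for in call-setup records. The following sketch is an added example, not code from the researchers: it flags caller/callee pairs with several quickly cancelled calls inside a short window. The record layout, phone numbers, and all thresholds are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds (not from the research); tune to the operator's baseline.
WINDOW = timedelta(seconds=60)   # the "short period" in which cancels are counted
MIN_CANCELLED = 5                # how many cancelled calls count as "several"
MAX_RING_SECONDS = 2.0           # assumed cutoff: dropped before the callee would notice

def _rec(offset_s, caller, callee, cancelled_after):
    """Build one constructed call-setup record."""
    return (T0 + timedelta(seconds=offset_s), caller, callee, cancelled_after)

T0 = datetime(2019, 1, 1, 12, 0, 0)
# Constructed sample data: (setup time, caller, callee, seconds until the
# caller cancelled, or None if the call was answered). Numbers are fictional.
SAMPLE_RECORDS = (
    [_rec(8 * i, "+15550101", "+15550199", 1.0) for i in range(6)]      # burst
    + [_rec(120 * i, "+15550103", "+15550150", 1.0) for i in range(5)]  # spread out
    + [_rec(5, "+15550102", "+15550199", 1.5),
       _rec(20, "+15550102", "+15550199", None),                        # answered
       _rec(300, "+15550102", "+15550199", 0.8)]
)

def find_cancel_bursts(records, window=WINDOW, min_cancelled=MIN_CANCELLED,
                       max_ring=MAX_RING_SECONDS):
    """Return [(caller, callee, peak_count)] for caller/callee pairs with at
    least min_cancelled quickly cancelled calls inside one sliding window."""
    recent = defaultdict(deque)   # (caller, callee) -> setup times in window
    peaks = {}
    for ts, caller, callee, cancelled_after in sorted(records, key=lambda r: r[0]):
        if cancelled_after is None or cancelled_after > max_ring:
            continue              # answered, or rang longer than the cutoff
        q = recent[(caller, callee)]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # drop cancels that fell out of the window
        if len(q) >= min_cancelled:
            peaks[(caller, callee)] = max(len(q), peaks.get((caller, callee), 0))
    return sorted((c, v, n) for (c, v), n in peaks.items())

if __name__ == "__main__":
    for caller, callee, n in find_cancel_bursts(SAMPLE_RECORDS):
        print(f"{caller} -> {callee}: {n} cancelled calls within {WINDOW}")
```

Only the tight burst is reported; the same number of cancelled calls spread over several minutes, and a subscriber with occasional misdials, stay below the threshold.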
Impact and Scope
According to the researchers, the vulnerability affects the four largest mobile operators in the United States (AT&T, Verizon, Sprint, and T-Mobile), as well as several operators in Europe and Asia. The equipment needed to carry out these attacks is relatively inexpensive, costing around $200. The researchers do not plan to publish proof-of-concept code to avoid putting users at risk.
The team has already reported the vulnerabilities to the GSM Association (GSMA), the international organization representing mobile operators. The GSMA has acknowledged the problem but has not specified when it will be fixed.
Background and Industry Response
In June of the previous year, a group of researchers from Ruhr University and New York University published a report describing three types of attacks exploiting vulnerabilities in the 4G LTE standard. In December 2018, experts from the International Association for Cryptologic Research disclosed a vulnerability in the AKA protocol, which allows tracking of subscribers in 3G to 5G networks.
The GSM Association is an organization that unites about 700 GSM mobile operators from 218 countries. It develops various standards and recommendations for GSM operators, plays a leading role in removing technical and technological barriers to the creation and development of customer services based on the GSM standard, and actively promotes the spread of GSM networks in developing countries.