5G test networks may not prevent tracking of device identities using IMSI catchers

News by Jay Jay

Weaknesses inherited from the 3G and 4G AKA telecoms protocol mean that 5G technology will be just as vulnerable to signal hijacking through IMSI catchers.

Security researchers have detailed several weaknesses in the protocol of fifth generation (5G) wireless test networks that may allow attackers to hijack smartphones, identify their owners and track real-time locations of such devices by deploying IMSI catchers.

These security weaknesses are already present in the AKA protocols of existing 3G and 4G networks. Even though the 5G AKA protocol will be more advanced, it will not be able to prevent the hijacking of smartphones because of deeper issues with the AKA protocol on which it is based, said researchers at network security solutions provider Sophos.

IMSI catchers (International Mobile Subscriber Identity-catchers), popularly known as fake base stations, are used across the world as first-choice mobile phone surveillance technology. Their purpose is to mimic real base stations installed by network operators and thereby trick mobile phones into connecting to them instead of the real base stations.

Once a mobile phone connects to an IMSI catcher, the technology uniquely identifies the device as well as the identity of its owner. IMSI catchers can not only intercept communications and data transmitted from mobile phones, they can also track locations of such devices in real time.

"Luring a smartphone to connect to a fake base gives attackers the power to identify the device’s owner, track their physical location and potentially execute a downgrade attack by asking it to remove security such as encryption. In doing this, IMSI catchers are aided by the fact that while the device will authenticate itself via its unique subscriber identity, the base station isn’t required to authenticate in return," the researchers noted.

The arrival of 5G networks will alleviate many of these issues as mobile networks will be able to keep subscribers' identities private using public key encryption. Attackers will also not be able to intercept the contents of communications transmitted from mobile phones.

However, the researchers said that despite mobile devices being protected by encryption, an attacker could carry out "activity monitoring attacks" to bypass the protection and create a profile of how a mobile device is being used. This is because the 5G AKA protocol is an enhanced version of standard 3G and 4G AKA protocols and features their inherent weaknesses.

"By monitoring every occasion a target device enters the range of the IMSI catcher, the attackers can build up a picture of how that device is used, including when it is not in range. Specifically: The attacker can relate the number of AKA sessions some UE [User Equipment] has performed in a given period of time to its typical service consumption during that period.

"Although under 5G, an attacker can’t see the contents of communications or its metadata, the ability to model the pattern of a device’s connections might allow an eavesdropper to calculate the identity of a device," they added.

The researchers warned that since 5G networks will make it otherwise difficult for attackers to track devices and identify their owners with the ease with which they exploited 3G and 4G networks, cyber-criminals may introduce a new generation of IMSI catchers to bypass protections that will be introduced in the 5G AKA protocol.

According to Stefan Topuzov, a security expert at Secure Group, the best way for mobile phone users to steer clear of IMSI catchers is to install IMSI catcher-detecting apps on their phones that will ensure that such devices connect only to whitelisted and legitimate cell towers, thereby preventing hackers from monitoring their devices.

"The good news about this proactive 5G research is that it's got people thinking and talking about the downsides of location tracking," Paul Ducklin, senior technologist at Sophos, told SC Media UK.

"Right now, lots of us are willingly allowing ourselves to be tracked pretty much all the time via our phones – for example, by leaving the location feature on so the GPS is always running, allowing apps unfettered access to our location data, rarely or never clearing browser cookies, staying logged in to online services even when we're not using them and announcing ourselves to passersby via Bluetooth," he added.

According to Ducklin, in order to avoid being tracked by malicious entities who may exploit weaknesses in 3G, 4G or 5G networks, mobile phone users should revisit all the other ways they've volunteered to let themselves be tracked by third parties. "Decide how much tracking you really need or want in your life and turn off or clear the settings and data you don't need," he said.
