Over the past 18 months, revelations about wireless carriers selling smartphone location data to third parties have forced telecoms to promise reform. Worryingly, but perhaps not surprisingly, these user protections have been slow to actually materialize. Even if carriers shape up, though, an attacker can still track a smartphone's location and snoop on phone calls thanks to newly discovered flaws in 4G and even 5G protocols.

A group of researchers from Purdue University and the University of Iowa will present their findings Tuesday at the Network and Distributed System Security Symposium in San Diego. They note that their discoveries, first reported by TechCrunch, are particularly concerning since the 5G standard was specifically developed to better protect against these types of attacks.

"We were really surprised that though 5G promises enhanced security and privacy, it cannot guarantee that level, because it inherits many security policies and subprotocols from the previous generations, which are more error-prone," says Purdue's Syed Rafiul Hussain, one of the paper's authors. "It opens the door for an adversary to exploit these weaknesses."

The researchers, who also uncovered other vulnerabilities in the 4G network last year, describe a series of new protocol weaknesses that could be used in a variety of attacks. An exploit the researchers call Torpedo underlies the others; it preys on flaws in the "paging protocol" used to notify devices about incoming communications.


An idle device wakes up to check the nearest cellular base station for these pages only at fixed intervals, in a slot assigned to it, so that it isn't draining its battery by listening constantly. The researchers found that this predictability can be exploited. If an attacker wants to determine whether a target is nearby, they can place a quick series of phone calls to the victim's device while "sniffing," or passively monitoring, the paging channel. Both 4G and 5G have built-in protections against this type of surveillance, but the researchers found that these obfuscation efforts fall short. By correlating the timing of their calls with the traffic they observe, an attacker can spot which paging slot lights up, which reveals the victim's paging occasion, which base station the device is camped on, and therefore that the victim is in the area.
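The correlation the researchers describe can be illustrated with a small simulation. The following is an added example, not code from the Purdue and Iowa paper or from any carrier tooling: it models a paging channel as a repeating cycle of slots, fills it with random pages for other subscribers, has the attacker place calls in a subset of cycles, and then asks which slot is busier only while the attacker is calling. The slot count, cycle count, the victim's slot and the background paging rate are assumptions chosen for the demonstration, and the captured "log" is constructed in code rather than sniffed from a real base station.

```python
"""Torpedo-style side channel on a simulated paging channel.

Added example, not the researchers' code. Models the idea above: an idle
phone listens for pages only in its own slot of a repeating cycle, so a
burst of attacker-triggered calls makes that one slot stand out.
"""
import random
from collections import Counter

N_SLOTS = 16        # paging occasions per cycle (assumed, not from the paper)
N_CYCLES = 600      # paging cycles the attacker sniffs
VICTIM_SLOT = 11    # the victim's slot (assumed; unknown to the attacker)
BACKGROUND = 0.15   # chance that some other subscriber is paged in a slot


def attacker_call_cycles(rng, n_calls=60):
    """Cycles in which the attacker places a call to the victim's number."""
    return set(rng.sample(range(N_CYCLES), n_calls))


def sniffed_paging_log(call_cycles, victim_present, rng):
    """Constructed capture: one (cycle, slot) tuple per page seen on the air.

    Other subscribers' pages land in random slots. If the victim's phone is
    camped on this base station, each attacker call adds a page in its slot.
    """
    log = []
    for cycle in range(N_CYCLES):
        for slot in range(N_SLOTS):
            if rng.random() < BACKGROUND:
                log.append((cycle, slot))
        if victim_present and cycle in call_cycles:
            log.append((cycle, VICTIM_SLOT))
    return log


def infer_paging_slot(log, call_cycles, threshold=3.0):
    """Which slot is busier only during the attacker's calls?

    Returns (slot, score). score is the ratio of a slot's page rate during
    attacker calls to its rate at other times. If no slot reaches threshold,
    slot is None: the victim is probably not under this base station.
    """
    during, otherwise = Counter(), Counter()
    for cycle, slot in log:
        (during if cycle in call_cycles else otherwise)[slot] += 1
    n_during = len(call_cycles)
    n_other = N_CYCLES - n_during
    best_slot, best_score = None, 0.0
    for slot in range(N_SLOTS):
        rate_during = during[slot] / n_during
        rate_other = (otherwise[slot] + 1) / (n_other + 1)  # +1 avoids a zero baseline
        score = rate_during / rate_other
        if score > best_score:
            best_slot, best_score = slot, score
    return (best_slot if best_score >= threshold else None), best_score


def run_demo(victim_present, seed=7):
    """Run one sniffing session; returns (inferred slot or None, score)."""
    rng = random.Random(seed)
    calls = attacker_call_cycles(rng)
    log = sniffed_paging_log(calls, victim_present, rng)
    return infer_paging_slot(log, calls)


if __name__ == "__main__":
    print("victim present:", run_demo(True))    # reports VICTIM_SLOT
    print("victim absent: ", run_demo(False))   # reports None
```

The threshold is what turns this into a presence test rather than just a slot finder: with the victim absent, every slot's in-call rate stays near its baseline and the function reports nothing, which is the "confirm the victim is in the area" half of the attack. It also shows why the GSMA response below is only partly reassuring: the attacker does need to hit the right time slots and does need many calls, but the calls are automated and the correlation is a few lines of arithmetic.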

Torpedo attacks could also allow a hacker to manipulate a target's paging channel to add or block paging messages, resulting in victims missing messages and calls. A hacker could also use the technique to spoof certain kinds of messages, like a fabricated Amber Alert message.

It gets worse. Researchers found that they could use Torpedo as a stepping stone in an "IMSI-cracking attack" that could allow a hacker to ascertain a victim's "international mobile subscriber identity" number. Your smartphone's subscriber identity number can be used to track a device more precisely, or monitor communications through rogue devices that impersonate cellphone towers—often called stingrays or "IMSI catchers." While stingrays have been a known privacy threat for years now, they are still prevalent around the US, deployed by law enforcement and attackers alike.

4G networks avoid sending the IMSI over the air by substituting temporary identifiers, and 5G goes further by encrypting the permanent identifier, but the researchers again found that these protections are inadequate. They also found a carrier implementation issue, dubbed Piercer, that could expose IMSI numbers another way on the 4G network. They say that one US carrier, which they're not naming, is currently vulnerable to Piercer attacks.

"Once a user's IMSI is exposed, an adversary can carry out more sophisticated attacks including tracking the location and intercepting phone calls and SMS messages of the user," Purdue's Hussain says. "Average consumers are at the risk of exposing their privacy to malicious third parties who sell location data and other private information."

With the exception of the Piercer flaw, which a carrier can fix on its own, the vulnerabilities the researchers discovered would need to be addressed above the individual carrier level: by the industry group GSMA, which coordinates security issues across operators, together with 3GPP, the body that writes the 4G and 5G standards. GSMA told WIRED on Tuesday that it is aware of the research and is considering fixes for some of the issues, but disputes the practicality of the attacks.


"The findings suggest that a hacker could theoretically target a subscriber’s IMSI or unique identifier on a 4G network by sending multiple messages in quick succession and then monitoring the network to identify increased traffic against a specific subscriber," Ivette Lopez, a GSMA spokesperson, wrote in an email. "However, this approach in reality would have to be performed in a specific time slot and be based on trial and error, which would be an exhaustive and time-consuming process in order to be successful. The GSMA is working with 3GPP to consider attack detection options, if the threat level warrants and whether modifications could be made to the standards."