New privacy threats have been uncovered by security researchers that could allow every device operating on 3G networks to be tracked.

The vulnerabilities could be exploited with cheap commercial off-the-shelf technology to reveal the location of phones and other 3G-capable devices.

The flaws affected the latest 3G networks that were hardened by discarding GSM interoperable networks that were long known to be vulnerable to interception techniques.

Attackers did not need to perform cryptographic operations nor possess security keys to instigate the attacks.

“[These] kind of vulnerabilities usually look trivial once uncovered but often remain unnoticed for [a] long time, since they do not involve fancy cryptography but are caused by errors in the protocol logic," the researchers wrote in a paper.

The 3G global industry watchdog, the 3GPP, is investigating the research. It was reportedly informed of the flaws about six months ago, but lengthy revision processes for global mobile phone protocols could explain why fixes have not been circulated and implemented.

Researchers told SC that there were other more disruptive attacks on 3G networks that did not attack 3G protocol logic and instead relied on other weaknesses such as interoperability between GSM and 3G, or poor security design of femtocell devices.

The research was led by chief researchers at the University of Birmingham and with later collaboration from the Technical University of Berlin.

They will detail the flaws at the ACM Conference on Computer and Communications Security event this month.



Attacks

Two attacks were conducted using off-the-shelf kit and a rooted — or modified — femtocell unit which broadcasted a 3G signal. The attacks were made by intercepting, altering and injecting 3G Layer-3 messages into communication between the base station and mobile phones in both directions.

The research team took pains to emulate a real-world scenario under the environment, and they tested the attacks techniques against network providers including T-Mobile, Vodafone and O2 in Germany, and French outfit SFR.

SC was told the attacks would work against any provider that adhered to the 3G standard.

One attack, the IMSI paging attack, forced mobile devices to reveal the static identity (IMSI) in response to a temporary number (TMSI) paging request which contained the IMSI, a number which was assumed was known to the attacker.

This would reveal the presence of devices in a monitored area, breaking anonymity and ‘unlinkability’ by revealing the IMSI and TMSI correlation.

The tampered sessions might be noticed by users who attempted to place a phone call or send a text message when an authentication request or IMSI paging request was injected.

In the Authentication and Key Agreement (AKA) protocol attack, the same authentication request would be injected to all phones in range causing all but the targeted device – which would return a Mac failure -- to respond with synchronisation failures.

“The captured authentication request can now be replayed by the adversary each time he wants to check the presence of [a device] in a particular area. In fact, thanks to the error messages, the adversary can distinguish any mobile station from the one the authentication request was originally sent to,” the paper stated.

In tests, the authentication requests were obtained by placing six phone calls to a target’s phone and listening to the communication with osmocom-bb.

The researchers wrote that the attacks could be used to track staff movements within a building.



"[The employer] would first use the femtocell to sniff a valid authentication request. This could happen in a different area than the monitored one. Then the employer would position the device near the entrance of the building. Movements inside the building could be tracked as well by placing additional devices to cover different areas of the building," they wrote.



"If devices with wider area coverage than a femtocell are used, the adversary should use triangulation to obtain finer position data.”

Not the same

Previous attacks have been established that allow locations to be gleaned and calls to be intercepted on both GSM and 3G networks.

However the new attacks were notable in that they targeted the protocol logic and were independent of device weaknesses or the need to break weak cryptographic functions.

The closest attack to the current research was made by Muxiang Zhang and Yuguang Fang which demonstrated how attackers could redirect a target's outgoing traffic to different networks, such as one with weak encryption or which charges higher rates.

The feat was possible because phones did not authenticate their serving networks.

It differed from the University of Birmingham and Technical University of Berlin research, the paper stated, because the attack focused on “impersonation, service theft and data confidentiality” rather than privacy issues in 3G.

Proposed fixes

The researchers proposed what they said were unique fixes for the vulnerabilities which introduced an “unlinkability” session key which was an additional key used in the AKA protocol and IMSI paging procedure fixes.

It also included modifications to error messages that would prevent the attacks.

Both fixes use public-key cryptography which would need to be deployed by cellular operators within their networks.

The proposed public key infrastructure was lightweight and changes to the adopted protocols were minimal, the researchers told SC.

The fixes would also not be expensive. “The solutions we propose show that privacy friendly measures could be adopted by the next generation of mobile telephony standards while keeping low the computational and economical cost of implementing them.”