Privacy-breaking flaws in the 4G and 5G mobile protocols could allow attackers to intercept calls, send fake amber alerts or other notifications, track location and more, according to a research team from Purdue University and the University of Iowa.

In a paper presented at Mobile World Congress in Barcelona this week, the researchers explained that the issues arise from weaknesses in the cellular paging (broadcast) protocol. They started with the fact that when a mobile device is in its idle, low-power state, it will conserve battery life partly by polling for pending services only periodically.

“When a cellular device is not actively communicating with a base station, it enters an idle, low-energy mode to conserve battery power,” Elisa Bertino, Omar Chowdhury, Mitziu Echeverria, Syed Rafiul Hussain and Ninghui Li explained. “When there is a phone call or an SMS message for the device, it needs to be notified. This is achieved by the paging protocol, which strives to achieve the right balance between the device’s energy consumption and timely delivery of services such as phone calls.”

The researchers uncovered three connected types of attacks that use this paging mechanism. The primary attack, dubbed ToRPEDO (short for TRacking via Paging mEssage DistributiOn), can be used to verify the location of a specific device. Attackers could also inject fake paging messages and mount denial-of-service (DoS) attacks, the team said.

Two other attacks enabled by ToRPEDO, the IMSI-Cracking attack and PIERCER (short for Persistent Information ExposuRe by the CorE netwoRk), allow an adversary to fully uncover the victim’s unique International Mobile Subscriber Identity (IMSI) number, if the phone number is known — opening the door to targeted user location-tracking.

Damn the ToRPEDO

When a call, text or push notification must be delivered to an idle device, the network’s Mobility Management Entity (MME) asks the base station nearest the device to broadcast a paging message that includes the device’s Temporary Mobile Subscriber Identity (TMSI).

The TMSI is randomly assigned by the MME and is used to cloak the IMSI from side-channel attacks. The TMSI is supposed to change on a regular basis; however, earlier sniffing attacks have been demonstrated that take advantage of the fact that this is not always the case.

“An attacker places multiple phone calls to the victim device in a short period of time and sniffs the paging messages,” the researchers explained. “If the most frequent TMSI among the paging messages appears frequently enough, then the attacker concludes that the victim device is present.”

These attacks are mitigated if the TMSI is changed frequently and if the MME uses random, unpredictable values for any new TMSI; however, ToRPEDO shows that even if different and unrelated TMSIs are used in every two subsequent paging messages, it’s possible to carry out a similar attack to verify whether a victim user is present in a geographical cell.

“ToRPEDO … is able to verify whether a victim device is present in a geographical cell with less than 10 calls, even under the assumption that the TMSI changes after each call,” according to researchers. “Furthermore, in the process, the attacker learns exactly when a device wakes up to check for paging messages and seven bits of information of the device’s IMSI.”

Rather than sniffing for the link between a call made by the attacker and the resulting paging message, as earlier attacks have done, ToRPEDO takes advantage of the fact that the paging protocol requires synchronization between the base station and the device.

“The LTE paging protocol uses a paging cycle of T frames, each of which is 10ms long,” said the report. “The default value of T is 128. Each device has a Paging Frame Index (PFI), which is determined by its IMSI, and the device wakes up only once during a paging cycle, at the frame indexed by its PFI. The base station broadcasts the paging message for the device at these frames. When multiple calls for a device are made, their corresponding paging messages will occur in frames indexed by the same PFI. When the base rate of paging messages is low, that is, paging messages only appear in a small fraction of all frames, the attacker can identify which PFI is ‘too busy,’ and thus the victim device’s PFI.”
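As an added illustration (not from the article or the paper), the following computes the paging frame from the IMSI using the formula in 3GPP TS 36.304 §7.1, which the article does not quote; the IMSIs are constructed. With the article’s default T = 128 and nB = T, the frame index is simply IMSI mod 128, which is why observing a device’s paging frame reveals seven bits of its IMSI, and why the size of the leak depends on the cell’s configured N = min(T, nB).

```python
import math
from collections import defaultdict

# Example added here (not from the article or the paper). Formula from 3GPP
# TS 36.304 section 7.1; the article only states the default T = 128 frames.
# T (DRX cycle, in radio frames) and nB (paging density) are broadcast by the cell.

def paging_frame(imsi: int, T: int = 128, nB: int = 128) -> int:
    """Paging frame (SFN mod T) in which the UE wakes up.

    UE_ID = IMSI mod 1024, N = min(T, nB), PF = (T // N) * (UE_ID mod N).
    With T = nB = 128 this reduces to IMSI mod 128: the low seven IMSI bits.
    """
    ue_id = imsi % 1024
    N = min(T, nB)
    return (T // N) * (ue_id % N)

def imsi_bits_leaked_by_pfi(T: int = 128, nB: int = 128) -> int:
    """IMSI bits an observer learns from the paging frame alone: log2(N)."""
    return int(math.log2(min(T, nB)))

def group_by_paging_frame(imsis, T: int = 128, nB: int = 128) -> dict:
    """Partition subscribers by the frame they share; devices in one group
    cannot be told apart by paging frame alone."""
    groups = defaultdict(list)
    for imsi in imsis:
        groups[paging_frame(imsi, T, nB)].append(imsi)
    return dict(groups)

if __name__ == "__main__":
    # Constructed 15-digit IMSIs; the prefix is illustrative only.
    base = 310150000000000
    imsis = [base + i for i in range(0, 1024, 37)]
    print("bits leaked (T=128, nB=T):   ", imsi_bits_leaked_by_pfi())        # 7
    print("bits leaked (T=128, nB=T/32):", imsi_bits_leaked_by_pfi(128, 4))  # 2
    groups = group_by_paging_frame(imsis)
    print("distinct frames used by", len(imsis), "devices:", len(groups))
    # Two IMSIs differing only above bit 7 wake up in the same frame.
    assert paging_frame(base + 5) == paging_frame(base + 5 + 128)
```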

ToRPEDO leverages all available information, including the exact delay between the time when the call is made and the time when the paging message is observed, and the exact number of paging records in each frame. ToRPEDO calculates the likelihood of seeing the observations of paging messages when the victim device’s PFI takes any one value, as well as when the victim’s device is not present.

“If the ratio between the top two candidates’ likelihood is above a predefined threshold, we can conclude that the user is present in the current cell and the user’s PFI is the candidate with the highest likelihood,” researchers said. “In our experiments, this approach yields the highest accuracy (100 percent) while requiring only eight phone calls on average.”

With ToRPEDO, an attacker can detect the victim’s presence in any cellular area in which the attacker has a sniffer, and can also learn the connection status (i.e., idle or connected) of the victim’s device.

Beyond imprecise location-tracking and device status, ToRPEDO opens the door to much more serious attacks. For instance, once the attacker knows the victim’s paging occasion from ToRPEDO, the attacker can hijack the victim’s paging channel.

“This would consequently enable the attacker to mount a denial-of-service attack by injecting fabricated, empty paging messages, thus blocking the victim from receiving any pending services (e.g., SMS). The attacker can also inject fabricated emergency messages (e.g., Amber alert) using paging channel hijacking,” said researchers.

The researchers were also able to validate that a tweet mentioning the victim’s Twitter handle triggers paging if the victim has push notifications enabled for the Twitter app. This allows the attacker to associate a Twitter persona with a specific phone and phone number – and this likely extends to other services with push notifications, allowing him or her to start building a personal profile of the victim.

IMSI-Cracking and PIERCER

ToRPEDO also enables two other new attacks that lead to full recovery of the device’s IMSI.

The seven bits of information about the device’s IMSI that ToRPEDO uncovers enable the IMSI-Cracking attack for 4G/5G, which uses ToRPEDO to let an attacker who knows the victim’s phone number retrieve the victim’s IMSI by brute force.

“Identifying the victim’s paging occasion with ToRPEDO additionally leaks the trailing seven IMSI bits for U.S. subscribers, leaving 24 bits for the attacker to guess,” the team explained. “Using a brute-force attack and two oracles (one for 4G and another for 5G) we designed, the attacker can guess the victim’s IMSI in less than 13 hours.”

For PIERCER, the researchers found that some service providers use IMSIs instead of TMSIs in paging messages. Using ToRPEDO as an attack sub-step, an attacker who knows a phone number can use a sniffer and a fake base station in the victim’s cell to associate the victim device’s IMSI with its phone number.

“An attacker initiates PIERCER by identifying the victim’s paging occasion and current cell-level location with ToRPEDO,” according to the paper. “The attacker then installs a paging message sniffer and a fake base station in the victim’s cell. After that, the attacker hijacks the victim’s paging channel and then places a single silent phone call. Vulnerable operators will send paging_imsi after two failed attempts with paging_tmsi (due to the hijacked paging channel). The attacker’s sniffer can capture the IMSI when paging_imsi is sent, completing the attack.”

PIERCER can enhance prior attacks that require knowledge of the victim’s IMSI, to the point where knowing only the victim’s phone number is sufficient to mount them.

IMSI cracking works against all 4G and 5G networks vulnerable to ToRPEDO.

PIERCER has been validated against one major U.S. service provider and three major service providers in a South Asian country – and there may be other vulnerable networks around the world. “We have also noticed the similar pattern of broadcasting IMSIs in paging messages by three German, four Austrian, one Icelandic, two Chinese and one Russian service providers and speculate that PIERCER may be feasible for those service providers,” the team said.

Mitigations

Fortunately, each of the attacks has specific inherent limits that work as mitigations.

“For ToRPEDO to be successful, an attacker needs to have a sniffer in the same cellular area as the victim. If the number of possible locations that the victim can be in is large, the expense of installing sniffers (i.e., $200 each) could be an impediment to carrying out a successful attack,” the researchers explained.

They added, “In a similar vein, for a successful PIERCER, the attacker needs to have a paging message sniffer and also a fake base station which would cost around $400.”

And, “the IMSI-Cracking attack for 4G will be feasible only in cases where the attacker can carry out his attack without the victim noticing that his device is not receiving any notifications, for instance, when the victim is sleeping at night.”

Still, the paper sheds light on an inherent design weakness of the 4G/5G cellular paging protocol and the deployment oversight of several network operators in using IMSI numbers for paging.

“All of our attacks have been validated in a realistic setting for 4G using a cheap software-defined radio and an open-source protocol stack,” the researchers noted.
