High-speed 5G mobile data networks may still very much be a work in progress, but they've already started rolling out in some US cities. As researchers comb through the 5G standard to see if it delivers not just on lightning speeds but improved security, they're finding that it still needs some shoring up.

At the Black Hat security conference in Las Vegas next week, a group of network communication security researchers will present findings on flaws in the 5G protections meant to thwart the surveillance devices known as stingrays. Also called "IMSI catchers" after the international mobile subscriber identity number attached to every cell phone, stingrays masquerade as legitimate cell towers. Once a stingray tricks a device into connecting to it, it uses the IMSI or other identifiers to track the device, and can even listen in on phone calls.

"One good thing in 5G is it was developed to fix the issues that allow fake base station attacks," says Ravishankar Borgaonkar, a research scientist at the Norwegian tech analysis firm SINTEF Digital. "The idea is that in 5G, stealing IMSI and IMEI device identification numbers will not be possible anymore for identifying and tracking attacks. But we found that actually 5G does not give the full protection against these fake base station attacks."

In the Clear

One of the 5G network's main improvements to thwart stingrays is a more comprehensive scheme for encrypting device data, so that it doesn't fly around in an easily readable, plaintext format. But the researchers found enough lapses in this setup to sneak a pair of 5G stingray attacks through.

When a device "registers" with a new cell tower to get connectivity, it transmits certain identifying data about itself. As with the current 4G standard, 5G doesn't encrypt that data. As a result, the researchers found that they could collect this information with a stingray, and potentially use it to identify and track devices in a given area.

The researchers found that they could use that unencrypted data to determine things like which devices are smartphones, tablets, cars, vending machines, sensors, and so on. They can identify a device's manufacturer, the hardware components inside it, its specific model and operating system, and even what specific operating system version an iOS device is running. That information could allow attackers to identify and locate devices, particularly in a situation where they already have a target in mind, or are looking for a less common model.

That degree of data exposure is problematic but not necessarily urgent, since it's general enough that only some devices would be specifically identifiable. Fifteen CCTV cameras in an area, or nine iPhone 8s, would likely be difficult to differentiate. But the researchers also found a second problem that compounds the issue.

It turns out that the same exposure that leaks details about a device also creates the opportunity for a man-in-the-middle, like a stingray, to manipulate that data. The telecom industry divides device types into categories from 1 to 12 based on how sophisticated and complex they are; something like a smartphone is a 12, while simplistic Internet of Things devices might be a 1 or 2. One purpose of that categorization is to signal which data network a device should connect to. More complex, higher-category devices look for the 5G or 4G network, but low-category devices only accept 2G or 3G connections, because they don't need faster speeds.

The researchers found that they could use their first stingray attack to modify a device's stated category number during the connection process, downgrading it to an older network. At this point, older stingray attacks would apply, and a hacker could move forward with communication surveillance or more specific location tracking.
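The two problems above, fingerprinting a device from its unencrypted registration data and rewriting its stated category in transit to force a downgrade, modeled as an added Python example. This is not code from the researchers, from the article, or from any 3GPP implementation: the message fields, the category thresholds, the session key and the echo check are constructed assumptions for illustration. The hardened step shows the general idea of having the network replay the capabilities it received inside an integrity-protected message so the device can detect a rewrite; the article does not describe that mechanism, it is included here as the check a practitioner would want to see.

```python
import hmac
import hashlib
import json

# Constructed message shapes for illustration only; these are not 3GPP encodings.
# Category semantics follow the article: roughly 1 to 12, smartphones at the top.


def build_registration(type_allocation: str, category: int, software: str) -> dict:
    """Plaintext data a device announces when registering with a new cell (constructed fields)."""
    return {"tac": type_allocation, "category": category, "software": software}


def fingerprint(msg: dict) -> str:
    """Passive stingray: classify a device from the unencrypted registration data.

    The thresholds are an assumption for this example, not a standard mapping."""
    cat = msg["category"]
    if cat >= 10:
        return "smartphone/tablet class"
    if cat >= 4:
        return "mid-range device"
    return "low-end IoT"


def mitm_downgrade(msg: dict) -> dict:
    """Active stingray: rewrite the category field in transit so the network
    treats the device as one that only accepts 2G/3G."""
    tampered = dict(msg)
    tampered["category"] = 1
    return tampered


def network_select_rat(msg: dict) -> str:
    """Network side of the toy model: pick the radio generation from the stated category."""
    return "5G/4G" if msg["category"] >= 4 else "2G/3G"


def _canonical(msg: dict) -> bytes:
    # Deterministic serialization so both sides authenticate the same bytes.
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def protected_echo(session_key: bytes, received: dict) -> tuple:
    """Hardened network step (assumed mitigation, not from the article): once a session
    key exists, echo the capabilities the network actually received under an HMAC.
    A stingray without the key cannot forge the tag."""
    tag = hmac.new(session_key, _canonical(received), hashlib.sha256).digest()
    return received, tag


def ue_verify_echo(session_key: bytes, sent: dict, echoed: dict, tag: bytes) -> bool:
    """Device side: accept only if the tag verifies AND the echoed capabilities match
    what the device originally sent. Any in-transit rewrite shows up here."""
    expected = hmac.new(session_key, _canonical(echoed), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False
    return echoed == sent


def run_scenario(tamper: bool) -> dict:
    """Drive one registration, with or without the stingray in the path."""
    key = b"constructed-session-key"  # established out of band in this toy model
    sent = build_registration("TAC-constructed", 12, "smartphone OS (constructed)")
    # The stingray reads the plaintext before deciding whether to rewrite it.
    seen_by_stingray = fingerprint(sent)
    on_wire = mitm_downgrade(sent) if tamper else sent
    echoed, tag = protected_echo(key, on_wire)
    return {
        "stingray_sees": seen_by_stingray,
        "rat": network_select_rat(on_wire),
        "ue_accepts": ue_verify_echo(key, sent, echoed, tag),
    }


if __name__ == "__main__":
    print(run_scenario(tamper=False))
    print(run_scenario(tamper=True))
```

Without the echo check the tampered run simply lands on 2G/3G, which is the downgrade the article describes; with it, the device notices that the network saw category 1 when it sent 12 and refuses the connection. The plaintext fingerprint is unaffected by the check because the registration data is still sent before any key exists.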