Eleven flaws found in 5G protocol that could enable real-time location tracking
Researchers have yet to receive a response from the GSMA over their security claims
Security flaws in the 5G communications protocol could enable users' locations to be tracked in real-time. And some of the flaws uncovered by researchers at Purdue University and the University of Iowa could also be used on 4G networks.
In addition to tracking a target's location, the flaws could be used to spoof emergency alerts, mount man-in-the-middle attacks and invoke spurious mobile billing.
However, the security flaws would also require a significant amount of work to take advantage of them. For example, to take advantage of the vulnerabilities highlighted in the paper, attackers would need to erect a malicious base station.
The 5G control-plane consists of a number of critical procedures... which are leveraged by fundamental cellular services
Part of the problem, they argue, is that while the 5G security stack contains many enhancements, they haven't been tested in an adversarial environment and also carry over a number of security features from 4G LTE and its predecessors.
"The 5G control-plane consists of a number of critical procedures (such as initial registration, deregistration and paging) which are leveraged by fundamental cellular services, such as voice calling, SMS, data and billing… Vulnerabilities in the initial registration procedure may have serious consequences on those services, such as man-in-the-middle attacks and spurious mobile billing."
Furthermore, the researchers note, the 5G protocol lacks a robust, formal specification, which means that implementations are therefore "prone to ambiguity and under-specification"; there are multiple inter-dependent sub-protocols; and, "the standard often states security and privacy requirements in an abstract way", requiring complex assumptions to be made.
In order to test some of these complexities, the researchers developed a tool they called 5GReasoner, based on an earlier LTEInspector tool used to interrogate 4G network security.
There is no open-source 5G protocol stack, which prevents us from testing our attacks in a testbed
Vulnerabilities found include flaws in the ‘network-access stratum (NAS) layer potentially enabling eavesdropping on messages; a denial-of-service attack against targets taking advantage of NAS counter desynchronisation; neutralising the user's temporary mobile subscriber identity (TMSI), enabling a target to be tracked; and, even cutting off a device.
Security flaws in the radio resource control (RRC) layer enable what has been called the lullaby attack, in which the attackers intermittently forces a targeted device to release its connection with the legitimate network. Repeatedly switching the device from idle to its connected state and back will cause its battery to deplete faster.
RRC is a 3G-era protocol, which lacks integrity protection, the authors note.
The 5G protocol lacks a robust, formal specification, which means that implementations are therefore prone to ambiguity and under-specification
Cross-layer attacks, meanwhile, can expose a device's TMSI and can be used to track the device and, hence, the user.
The authors indicate that there may be further security issues with 5G yet to be uncovered as there are currently few 5G networks on which to experiment.
"In addition, there is no open-source 5G protocol stack, which prevents us from testing our attacks in a testbed," they warn. Likewise, it is unclear whether defences to any of these or future security flaws can be deployed without altering the protocol.
The disclosures, they add, have all been reported to the GSMA mobile industry trade association, but they have yet to receive a response.
It's not the first time that security flaws have been found in the 5G communications protocol. A series of security flaws were uncovered earlier this year, with fixes unavailable before the first implementations were rolled out.
There have also been warnings that state-backed entities could target early 5G network implementations.