What is interesting about this development is that the researchers found they did not need to perform exotic cryptographic operations or obtain security keys to carry out the attacks. Using an off-the-shelf, rooted femtocell that broadcasts a 3G signal, they performed two types of attack: the IMSI (International Mobile Subscriber Identity) paging attack and the Authentication and Key Agreement (AKA) protocol attack.
“[These] kind of vulnerabilities usually look trivial once uncovered but often remain unnoticed for [a] long time, since they do not involve fancy cryptography but are caused by errors in the protocol logic.”
The IMSI paging attack forces the device to reveal its IMSI in response to a temporary-number (TMSI) request. This is somewhat similar to what authorities use with “IMSI catchers” to track cell phone movements. In the AKA protocol attack, the authentication request is sent to all phones in range. All the phones except the targeted device return a synchronization failure.
“The captured authentication request can now be replayed by the adversary each time he wants to check the presence of [a device] in a particular area. In fact, thanks to the error messages, the adversary can distinguish any mobile station from the one the authentication request was originally sent to,”
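As an added example (not code from the article or from the researchers' paper), a toy Python model of the AKA failure paths described above: the USIM checks the MAC first, then sequence-number freshness, and because the two rejection messages differ, a replayed challenge singles out one handset from the bystanders. The `leak_cause=False` branch is an assumed, simplified illustration of the class of fix the article says is under review (a single indistinguishable failure message) and is not the researchers' proposal; the HMAC-based MAC, 16-byte keys and fixed RAND are constructed stand-ins.

```python
import hmac
import hashlib

# Toy model of the 3G AKA challenge/response (constructed for this example;
# real USIMs use MILENAGE and a 48-bit SQN with a resynchronisation window).
# Only the control flow that matters for the linkability issue is modelled.

def f1_mac(k: bytes, rand: bytes, sqn: int, amf: bytes) -> bytes:
    """Stand-in for the f1 network authentication function."""
    msg = rand + sqn.to_bytes(6, "big") + amf
    return hmac.new(k, msg, hashlib.sha256).digest()[:8]

def make_challenge(k: bytes, sqn: int, rand: bytes) -> tuple[bytes, bytes]:
    """Network side: build (RAND, AUTN) where AUTN = SQN || AMF || MAC."""
    amf = b"\x00\x00"
    return rand, sqn.to_bytes(6, "big") + amf + f1_mac(k, rand, sqn, amf)

class Usim:
    def __init__(self, k: bytes, leak_cause: bool = True):
        self.k = k
        self.sqn_ms = 0                # highest SQN accepted so far
        self.leak_cause = leak_cause   # False = hardened: one failure message

    def respond(self, rand: bytes, autn: bytes) -> str:
        sqn = int.from_bytes(autn[:6], "big")
        amf, mac = autn[6:8], autn[8:]
        if not hmac.compare_digest(f1_mac(self.k, rand, sqn, amf), mac):
            failure = "MAC_FAILURE"    # key mismatch: challenge was for another USIM
        elif sqn <= self.sqn_ms:
            failure = "SYNC_FAILURE"   # MAC ok but SQN already seen: a replay
        else:
            self.sqn_ms = sqn
            return "RES"               # fresh, genuine challenge: answer normally
        return failure if self.leak_cause else "AUTH_FAILURE"

def replay_responses(leak_cause: bool) -> dict[str, str]:
    """Replay one captured challenge to its intended phone and to a bystander."""
    k_target = bytes(range(16))        # constructed long-term keys
    k_other = bytes(range(16, 32))
    target, other = Usim(k_target, leak_cause), Usim(k_other, leak_cause)
    rand, autn = make_challenge(k_target, sqn=1, rand=b"\x42" * 16)
    first = target.respond(rand, autn)     # genuine run: target accepts
    return {
        "first_run": first,
        "target": target.respond(rand, autn),  # same challenge replayed later
        "other": other.respond(rand, autn),
    }
```

With `leak_cause=True` the two rejections differ and identify the target; with `leak_cause=False` every phone in range answers the replay identically.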
The researchers tested the techniques against the networks of T-Mobile, Vodafone and O2 in Germany, as well as SFR in France. It would seem the attacks will work on any carrier that adheres to the 3G GSM standard. They found that these techniques would also allow tracking of movements within a building, depending on how femtocells are positioned inside it.
In the past, the GSM standard has been compromised, allowing cloning and position tracking. These attacks are different, the researchers say, because they exploit a weakness in the standard's protocol itself rather than a weakness in an individual device or its encryption.
3GPP, an industry group, is reviewing the research and will recommend a course of action that can work across the standard. It will take some time, however, given how widely GSM is used. The researchers have also outlined some possible fixes to the standard, which are under review and do not appear to be too difficult or expensive to implement. It will be interesting to see how this research evolves, since IMSIs are unique identifiers used in the GSM, UMTS and LTE standards.
The research teams will be outlining their findings at the ACM Conference on Computer and Communications Security in Raleigh, North Carolina next week.