High-speed 5G mobile data networks may still very much be a work in progress, but they've already started rolling out in some US cities. As researchers comb through the 5G standard to see if it delivers not just on lightning speeds but improved security, they're finding that it still needs some shoring up.
At the Black Hat security conference in Las Vegas next week, a group of network communication security researchers will present findings on flaws in the 5G protections meant to thwart the surveillance devices known as stingrays. Also called "IMSI catchers" after the international mobile subscriber identity number attached to every cell phone, stingrays masquerade as legitimate cell towers. Once they trick a device into connecting to it, a stingray uses the IMSI or other identifiers to track the device, and even listen in on phone calls.
"One good thing in 5G is it was developed to fix the issues that allow fake base station attacks," says Ravishankar Borgaonkar, a research scientist at the Norwegian tech analysis firm SINTEF Digital. "The idea is that in 5G, stealing IMSI and IMEI device identification numbers will not be possible anymore for identifying and tracking attacks. But we found that actually 5G does not give the full protection against these fake base station attacks."
In the Clear
One of the 5G network's main improvements to thwart stingrays is a more comprehensive scheme for encrypting device data, so that it doesn't fly around in an easily readable, plaintext format. But the researchers found enough lapses in this setup to sneak a pair of 5G stingray attacks through.
When a device "registers" with a new cell tower to get connectivity, it transmits certain identifying data about itself. As with the current 4G standard, 5G doesn't encrypt that data. As a result, the researchers found that they could collect this information with a stingray, and potentially use it to identify and track devices in a given area.
The researchers found that they could use that unencrypted data to determine things like which devices are smartphones, tablets, cars, vending machines, sensors, and so on. They can identify a device's manufacturer, the hardware components inside it, its specific model and operating system, and even what specific operating system version an iOS device is running. That information could allow attackers to identify and locate devices, particularly in a situation where they already have a target in mind, or are looking for a less common model.
That degree of data exposure is problematic but not necessarily urgent, since it's general enough that only some devices would be specifically identifiable. Fifteen CCTV cameras in an area, or nine iPhone 8s, would likely be difficult to differentiate. But the researchers also found a second problem that compounds the issue.
It turns out that the same exposure that leaks details about a device also creates the opportunity for a man-in-the-middle, like a stingray, to manipulate that data. The telecom industry divides types of devices into categories from 1 to 12 based on how sophisticated and complex they are; something like a smartphone is a 12, while simplistic Internet of Things devices might be a 1 or 2. One purpose of that categorization is to signal which data network a device should connect to. More complex, higher-category devices look for the 5G or 4G network, but low-category devices only accept 2G or 3G connections, because they don't need faster speeds.
The researchers found that they could use their first stingray attack to modify a device's stated category number during the connection process, downgrading it to an older network. At this point, older stingray attacks would apply, and a hacker could move forward with communication surveillance or more specific location tracking.
"For the attack, you are, say, connecting an iPhone as a simple IoT device," says Altaf Shaik, a researcher at the Technical University of Berlin. "You downgrade the service and bring the speed down. At that point a classic IMSI catcher will work again. This should not happen."
The ability to modify category data is actually not a flaw in the 5G specification itself, but an implementation issue perpetuated by carriers. If the system were set up to launch its security protections and data encryption earlier in the connection process, the attack would be moot. But carriers are mostly leaving this data in the clear and at risk for manipulation. Out of 30 carriers the researchers evaluated in Europe, Asia, and North America, 21 offered connections that were vulnerable to downgrading attacks. Only nine elected to build their systems for launching security protections earlier in the connection process.
The researchers even found that with a similar attack they could block devices from entering a "Power Saving Mode" usually triggered by a network message. Once a device has a stable data connection, it will often wait for a message from its network saying that it can stop scanning for cell connectivity and trying to reconnect, a power-hungry endeavor over time. But the researchers found that they could manipulate the unprotected device information exposed in 5G to suppress these messages and drain a device's battery five times faster than if it were in power saving mode—a potential safety issue for embedded devices like sensors or controllers.
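To make the difference between the two carrier setups described above concrete, here is an added Python model of the registration exchange. It is not the researchers' code and not the actual 3GPP message format; the field names, the JSON wire encoding, and the shared key are assumptions made so the example runs offline. It models the device's category number and its power-saving support as capability fields sent in the clear, a man-in-the-middle that rewrites them, and the defensive pattern the carriers with the safer setups rely on: once a security context exists, the network echoes back the capabilities it received under an integrity tag, and the device aborts if the echo does not match what it actually sent.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed, example-only key. In a real network the integrity key is derived
# during authentication; here it just lets the model run stand-alone.
SHARED_KEY = b"example-only-session-key"


@dataclass
class Capabilities:
    category: int        # 1..12, higher means a more capable device
    psm_supported: bool  # whether the device will honour power-saving messages


def encode(caps: Capabilities) -> bytes:
    """Assumed wire encoding for the capability fields sent at registration."""
    return json.dumps(
        {"category": caps.category, "psm_supported": caps.psm_supported},
        sort_keys=True,
    ).encode()


def mitm_downgrade(wire: bytes) -> bytes:
    """Model of the man-in-the-middle: the fields are plaintext, so it can rewrite
    them to make a smartphone look like a category-1 device with no power saving."""
    fields = json.loads(wire)
    fields["category"] = 1
    fields["psm_supported"] = False
    return json.dumps(fields, sort_keys=True).encode()


def tag(data: bytes) -> bytes:
    """Integrity tag over a message, available only once the security context exists."""
    return hmac.new(SHARED_KEY, data, hashlib.sha256).digest()


def unprotected_registration(device: Capabilities, tamper: bool) -> dict:
    """Carrier setup where the network acts on the cleartext fields as received."""
    wire = encode(device)
    if tamper:
        wire = mitm_downgrade(wire)
    seen = json.loads(wire)
    # Nothing in this flow lets the device learn what the network believed.
    return {"network_category": seen["category"],
            "network_psm": seen["psm_supported"],
            "detected": False}


def protected_registration(device: Capabilities, tamper: bool,
                           patch_echo: bool = False) -> dict:
    """Carrier setup where the network replays the received capabilities to the
    device under an integrity tag after security is set up."""
    wire = encode(device)
    if tamper:
        wire = mitm_downgrade(wire)
    seen = json.loads(wire)

    # Network side: echo exactly what it received, integrity-tagged.
    echo = json.dumps(seen, sort_keys=True).encode()
    echo_tag = tag(echo)

    # A man-in-the-middle may try to hide the downgrade by restoring the echo,
    # but it has no key and so cannot produce a matching tag.
    if tamper and patch_echo:
        echo = encode(device)

    # Device side: first check the tag, then compare the echo with what was sent.
    if not hmac.compare_digest(echo_tag, tag(echo)):
        return {"detected": True, "reason": "bad integrity tag"}
    if echo != encode(device):
        return {"detected": True, "reason": "capabilities altered in transit"}
    return {"detected": False, "network_category": seen["category"],
            "network_psm": seen["psm_supported"]}


def run_scenarios() -> dict:
    """Run a smartphone (category 12) through each setup, with and without a stingray."""
    phone = Capabilities(category=12, psm_supported=True)
    return {
        "unprotected_clean": unprotected_registration(phone, tamper=False),
        "unprotected_attacked": unprotected_registration(phone, tamper=True),
        "protected_clean": protected_registration(phone, tamper=False),
        "protected_attacked": protected_registration(phone, tamper=True),
        "protected_attacked_patched": protected_registration(
            phone, tamper=True, patch_echo=True),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:28s} {result}")
```

In the unprotected flow the network silently records the phone as a category-1 device with no power-saving support, which is exactly the state in which the older stingray and battery-drain attacks apply. In the protected flow the same tampering is caught either by the capability mismatch or, if the attacker also tries to restore the echo, by the failed integrity tag; the point is that the check can only exist once encryption and integrity are set up, which is why the article's fix is to start those protections earlier in the connection.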
The researchers disclosed the issues to the telecom standards body GSMA and hope to work with carriers to encourage 5G implementations that apply security and data protections to the cell tower connection process as early in the interaction as possible.
"The GSMA is aware of these findings and is working with the wider community and relevant standards body (3GPP) to revise the specifications," Jon France, GSMA's head of industry security, told WIRED. "The revision will prevent this type of attack, as outlined, as it requires encryption to be setup before the information is sent."
Previous research has found other 5G protocol flaws that could have also been exploited for a stingray attack, but those have since been fixed. The hope is that these will be as well.
"GSMA acknowledged that they need to take action," SINTEF Digital's Borgaonkar says. "We weren't sure how 5G would change, but now we know that basically we can still build an IMSI catcher for 5G and pinpoint a target. Discussions are going on now, so hopefully they will change the standard."
There’s no doubt that 5G introduces many important, and long-needed, security protections. But with hundreds of millions of devices on the verge of joining the new network, there's precious little time left for rough drafts.
Updated August 5, 2019 at 2:30 pm ET to include comment from GSMA and to clarify that SINTEF Digital is a Norwegian company.