Security researchers have revealed a recently discovered vulnerability in modern, high-speed cell networks, which they say can allow low-cost phone surveillance and location tracking.
The findings, revealed Wednesday at the Black Hat conference in Las Vegas, detail a cryptographic flaw in the protocol used in 3G and 4G LTE networks which enables mobile devices to connect with the cell operator.
It’s the latest blow to the long-held belief that modern cell standards and protocols are largely immune from tracking and monitoring, unlike the older 2G cell protocol which uses easy-to-crack encryption.
Ravishankar Borgaonkar and Lucca Hirschi, who co-authored the research, found a weakness in the authentication and key agreement, which lets a phone communicate securely with the subscriber’s cell network. The agreement protocol relies on a counter that’s stored on the phone operator’s systems to authenticate the device and to prevent replay attacks, but the researchers found that the counter isn’t well protected and partially leaks. That can allow an attacker to monitor consumption patterns, such as when calls are made and when text messages are sent, and track the physical location of a cell phone.
But the flaw doesn’t allow the interception of calls or text messages.
This flaw could pave the way for a next-generation of stingray devices, otherwise known as cell site (or IMSI) simulators.
These highly controversial surveillance devices are shrouded in secrecy, but are almost exclusively used by local police and law enforcement, often without warrants, in order to carry out indiscriminate cellular surveillance. They trick cell phones into downgrading to the weaker 2G standard to easily intercept communications and track locations of anyone nearby.
Borgaonkar told ZDNet that this flaw would allow attackers to build “next generation” stingray devices.
“Due to low-cost hardware and software setup, we would not be surprised to see criminal stalking and harassment to more mundane monitoring of spouse or employee movements, as well as profiling for commercial and advertisement purposes,” he said.
The hardware costs as little as $1,500, small change to any advanced hacker, and even less for a well-funded police department or intelligence unit.
Borgaonkar explained that a stingray-style attack could allow a remote attacker who’s only sporadically in the vicinity of a target to learn the target’s activity at any time. An attacker located at an embassy, for example (often where nation-state surveillance equipment is found) will be able to monitor the activity of consular staff even when they are not at the office.
Borgaonkar’s academic colleagues in Germany carried out several successful proof-of-concept attack on several European mobile networks.
Because the weakness is part of the 3G and 4G standard, the researchers say that the flaw “affects all operators worldwide,” and the majority of modern devices.
The researchers say that “very little” can be done to protect against these kinds of attacks, in part because mobile operating systems don’t detect radio-level attacks.
3GPP, a consortium of telecoms standard organizations which developed the vulnerable protocol, acknowledged the flaw and, according to the researchers, hope that the issue will be addressed in the upcoming 5G standards.
A spokesperson did not return a request for comment.