
New flaws in 4G, 5G allow attackers to intercept calls and track phone locations - wyldfire
https://techcrunch.com/2019/02/24/new-4g-5g-security-flaws/
======
Aloha
I'd really love if people would stop calling everything mobile standard some
number followed by a G.

There are literally no known commercial scale deployments of '5G' technology
out there - it's largely on paper with many technical and practical details to
be worked out - and the deployments discussed even when they do go hot, will
be small, literally, these are microcells, something effectively the size of an
oversized wifi hotspot. What has been deployed, is effectively LTE-Advanced,
with extra channel bonding and MIMO. Beyond that, the 5G standard isn't even
finalized yet.

We're still solidly in the '4G' era, and we (in the US) don't even have 100%
saturation for LTE coverage, much less LTE-Advanced.

~~~
sametmax
As usual, it's technical jargon used for marketing purposes. That's why they
don't use it responsibly, and that's why geeks complain without realizing the
goal is not to be right, but to make money.

~~~
blattimwind
But aren't 4G, 5G etc. not actually marketing terms that on a technical level
only imply some broad capabilities (e.g. possible download rate > X MBit/s),
while the actual standards providing those are not called 4G/5G?

~~~
pas
> Confusion has been caused by some mobile carriers who have launched products
> advertised as 4G but which according to some sources are pre-4G versions,
> commonly referred to as '3.9G', which do not follow the ITU-R defined
> principles for 4G standards, but today can be called 4G according to ITU-R.

[https://en.wikipedia.org/wiki/4G#IMT-Advanced_requirements](https://en.wikipedia.org/wiki/4G#IMT-Advanced_requirements)

4G is defined in an ITU paper basically. And telcos started to use it for
networks that were pretty far from 4G. Then ITU simply said, that okay, sure,
use that, because they don't care.

------
shereadsthenews
Most people consider the fact that your handset will readily talk to any base
station that's on the air to be a feature. Try to imagine how things would
work if you had to authenticate and authorize every station on the network.
It's true that anyone who gets on the air and speaks the air protocol can
screw with your phone. Those people are also violating multiple laws and
regulations in the course of doing so.

~~~
radicaldreamer
I mean you can do authentication without doing it per base station... the real
reason we don’t have anything like this is because it’s a lot of work to make
this work well worldwide and because a lot of governments are not interested
in making spoofing base stations harder on themselves.

~~~
pedrocr
Shouldn't we just fix this one layer above? Just like the internet treat the
network as hostile and use strong encryption to connect to your network
provider. If someone uses a stingray you use their bandwidth but they see
nothing because you're running encrypted VoLTE.

~~~
Teever
It's a start, but from my understanding implementing strong encryption on the
layer above does little to mitigate physical location tracking issues that
arise from spoofed towers.

~~~
mindslight
Nothing short of removing all device identifiers (IMSI, IMEI, etc.) and using
an untraceable payment system for network access (e.g. blinded tokens) will
mitigate the location tracking ability of the carriers.

The perfect is the enemy of the good and cops do use stingrays for a reason.
But targeted government surveillance is only one privacy threat, and carriers
have no compunctions about bulk selling your location to the _mass_
surveillance industry.

~~~
dcow
This is about unauthorized people tracking you not carriers.

~~~
mindslight
Yes, and I did recognize I was talking about a different vulnerability by
saying that the perfect is the enemy of the good. But if we're talking about
protocol vulnerabilities, why skip over the deep flaw of having fixed
identifiers in the first place?

Heck, simply removing the IMEI so that users don't have to buy a new burner
phone (/mifi) along with every burner SIM would be a vast improvement!

Really I'm just pointing out the larger context, as it's important to keep in
mind. Shoring this up will make the keystone cops have to go get a warrant,
but won't help versus the NSA, parallel construction, or GoogleNexis. It
probably won't even make private investigators have to eat lunch in their cars
again.

------
rocqua
It seems like this method requires a known phone number. And can track people
based on knowing the phone number in advance. That is quite a high bar, and
very different from the standard stingray attack.

That is, older attacks allow you to collect all IMSIs in the area. Instead,
this attack allows you to track a given phone number, and retrieve the IMSI
that belongs to a given phone number.

Edit: it seems like an email address or Twitter handle also works. What is
needed is some way to trigger a message on the phone. That still requires
knowing some identity up-front though.

~~~
blattimwind
> Edit: it seems like an email address or Twitter handle also works. What is
> needed is some way to trigger a message on the phone. That still requires
> knowing some identity up-front though.

Marginal. No barrier at all for targeted attacks (phishing, stalking,
intelligence etc.).

~~~
rocqua
A very large use-case for stingrays by American police was to have them
running nearly continuously. Then, when a crime occurred, they would go back
and examine the captured data to see who was nearby during the crime.

Such post-hoc tracking is not possible with this method.

Similarly, if all you know is "I don't trust the bearded guy who just
disembarked the plane" it could be hard to get to an identity that will
trigger his phone. With a traditional 'What IMSIs are in the area' capture,
you just need to follow them long enough that one IMSI stands out as always
being available. This attack doesn't enable that either.

~~~
JoeSmithson
> A very large use-case for stingrays by American police was to have them
> running nearly continuously. Then, when a crime occurred, they would go back
> and examine the captured data to see who was nearby during the crime

Do you have a link for this? It's difficult to Google

~~~
rocqua
[https://theintercept.com/2016/10/18/how-chicago-police-convinced-courts-to-let-them-track-cellphones-without-a-warrant/](https://theintercept.com/2016/10/18/how-chicago-police-convinced-courts-to-let-them-track-cellphones-without-a-warrant/)

The officer requested use of a “digital analyzer” to locate the new burner
phones at “any time of the day or night … without geographical limitation in
the State of Illinois.” The request was approved.

I recall similar things happened in New York.

Perhaps 'a very large use case' was too strong a phrasing though.

------
rocqua
The article mentions you need to brute-force 29 bits using an oracle. It
doesn't mention this is an _active_ oracle. That is, it requires interaction
with the UE (target phone).

This makes the brute-force attack quite a bit harder, as you need to be in
contact with the target phone for the duration of the attack (you don't need
to do the attack in one go though).

------
oggy
Based on the paper, the title is clickbait; it does not talk about
intercepting calls at all. It does mention that one of the attacks in the
paper can enable "further attacks", but if call interception was one of them,
I'd imagine that they'd say so explicitly.

~~~
moooooky
The author of the paper, cited in the report, said, "Any person with a little
knowledge of cellular paging protocols can carry out this attack... such as
phone call interception, location tracking, or targeted phishing attacks."

------
rootsudo
This is nothing new, this has been a thing since SMS paging channels which was
included in CDMA2000.

------
1024core
One man's "flaw" is another TLA's "feature"... ;-)

------
jamisteven
If by flaw they mean feature.

------
throway88989898
[removed]

~~~
shereadsthenews
Actually that is a link to a terrible PDF-rendering web page. This is the
original paper.

[http://homepage.divms.uiowa.edu/~comarhaider/publications/LTE-torpedo-NDSS19.pdf](http://homepage.divms.uiowa.edu/~comarhaider/publications/LTE-torpedo-NDSS19.pdf)

------
scoot_718
Thanks Huawei.