New flaws in 4G, 5G allow attackers to intercept calls and track phone locations (techcrunch.com)
264 points by wyldfire 28 days ago | 56 comments



I'd really love it if people would stop calling every mobile standard some number followed by a G.

There are literally no known commercial-scale deployments of '5G' technology out there; it's largely on paper with many technical and practical details to be worked out, and the deployments discussed, even when they do go hot, will be small, literally: these are microcells, something effectively the size of an oversized wifi hotspot. What has been deployed is effectively LTE-Advanced, with extra channel bonding and MIMO. Beyond that, the 5G standard isn't even finalized yet.

We're still solidly in the '4G' era, and we (in the US) don't even have 100% saturation for LTE coverage, much less LTE-Advanced.


> I'd really love it if people would stop calling every mobile standard some number followed by a G.

It can be useful to have different labels for the "generations" when they're incompatible. Analog (1G) is incompatible with traditional GSM (2G), which is incompatible with UMTS (3G), which is incompatible with LTE (4G). So if your new network only has 4G but your old phone only has 2G and 3G, you know it won't work and you have to buy a new phone.


There are pretty substantial differences between AMPS and NMT, GSM and CDMA, EV-DO and EDGE.

CDMA, for example, was designed to evolve from AMPS (so was D-AMPS or TDMA, which was another 2G technology), so you could put CDMA and analog carriers in the same site infrastructure. The 'nG' label is virtually meaningless in most discussions. It also leaves out discussion of PHS, and others, which were clearly 2G technologies.


Something like 99.98% of people would have no idea what "3GPP rev14" is.

As a person who works in the industry: There are pretty much no actual 5G systems in use. There are carriers in the US building microcell sized, DAS type LTE-Advanced things on utility poles and similar.


As usual, it's technical jargon used for marketing purposes. That's why they don't use it responsibly, and that's why geeks complain without realizing the goal is not to be right, but to make money.


But aren't 4G, 5G etc. actually marketing terms that on a technical level only imply some broad capabilities (e.g. possible download rate > X MBit/s), while the actual standards providing those are not called 4G/5G?


> Confusion has been caused by some mobile carriers who have launched products advertised as 4G but which according to some sources are pre-4G versions, commonly referred to as '3.9G', which do not follow the ITU-R defined principles for 4G standards, but today can be called 4G according to ITU-R.

https://en.wikipedia.org/wiki/4G#IMT-Advanced_requirements

4G is basically defined in an ITU paper. And telcos started to use it for networks that were pretty far from 4G. Then ITU simply said that, okay, sure, use that, because they don't care.


Well, complaining is not the problem, the problem is that usually people here preach to the choir.

HN should seek out and submit high quality precisely communicated pages about the concrete instance of "news" that the fluffpages post. But instead all we get is the complaining.


While I agree that the 5G standard is still not finalized, in Qatar Ericsson will start deploying 5G gNodeBs starting by the end of Q2. Nokia is modernizing the core network to a fully virtualized one, and intercompatibility is mostly solved in this network.

It's usually a cat-and-mouse game, with some commercial deployments solidifying some portions of the standards, while themselves accommodating other portions of the standards from other networks as the technology matures in the upcoming years.


It depends if you're talking daily conversation or technical. For daily use, ?G is great. Imagine how confused laypeople would be if the top left of their phone alternately showed GPRS, EDGE, UMTS, HSPA, LTE or LTE-A depending on their connection. What the hell do all these things mean? And which was better than which again? 1-4G communicates much more clearly that 'this is faster/less delay/more stable'.


> Imagine how confused laypeople would be if the top left of their phone alternately showed GPRS, EDGE, UMTS, HSPA, LTE or LTE-A depending on their connection

I don't know what kind of phone you have, but I have seen 2G, H, E, LTE and LTE+ in the top bar of my phone quite often.


I thought there are some public tests already, and phones that already support it.


Perhaps? It's not really mainstream technology, and it's like two years from actual rollout.


Calling them V4.0, Version5, 4G, or 5th Generation isn't the largest issue with cellphone technologies...


I thought it's live in South Korea?


Most people consider the fact that your handset will readily talk to any base station that's on the air to be a feature. Try to imagine how things would work if you had to authenticate and authorize every station on the network. It's true that anyone who gets on the air and speaks the air protocol can screw with your phone. Those people are also violating multiple laws and regulations in the course of doing so.


It's not that simple. Both 3G and 4G have mutual authentication. You need to trick the handset into downgrading the protocol if you want it to talk to your own fake base station.


Jamming should be enough. But depending on the frequencies used, one band might not be enough.


I mean you can do authentication without doing it per base station... the real reason we don’t have anything like this is because it’s a lot of work to make this work well worldwide and because a lot of governments are not interested in making spoofing base stations harder on themselves.


Shouldn't we just fix this one layer above? Just like on the internet, treat the network as hostile and use strong encryption to connect to your network provider. If someone uses a stingray you use their bandwidth, but they see nothing because you're running encrypted VoLTE.


It's a start, but from my understanding implementing strong encryption on the layer above does little to mitigate the physical location tracking issues that arise from spoofed towers.


Nothing short of removing all device identifiers (IMSI, IMEI, etc.) and using an untraceable payment system for network access (e.g. blinded tokens) will mitigate the location tracking ability of the carriers.

The perfect is the enemy of the good and cops do use stingrays for a reason. But targeted government surveillance is only one privacy threat, and carriers have no compunctions about bulk selling your location to the mass surveillance industry.


This is about unauthorized people tracking you not carriers.


Yes, and I did recognize I was talking about a different vulnerability by saying that the perfect is the enemy of the good. But if we're talking about protocol vulnerabilities, why skip over the deep flaw of having fixed identifiers in the first place?

Heck, simply removing the IMEI so that users don't have to buy a new burner phone (/mifi) along with every burner SIM would be a vast improvement!

Really I'm just pointing out the larger context, as it's important to keep in mind. Shoring this up will make the Keystone Cops have to go get a warrant, but won't help versus the NSA, parallel construction, or GoogleNexis. It probably won't even make private investigators have to eat lunch in their cars again.


Much of the data you'd want to protect is metadata (location and access times).

If you can't trust your network entry point on mobile, you're really just screwed in many un-patchable ways. Mobile-to-mobile mesh networking could help, but I can't imagine that being widespread unless it's done in a layer outside user control or visibility, taking you back to square one.


>...and because a lot of governments are not interested in making spoofing base stations harder on themselves.

See Norway's fumble[0] for a principal example.

[0] - https://www.thelocal.no/20150309/norway-police-broke-law-wit...


There is per-base-station authentication. The base station receives a key that is derived from your permanent key within your SIM card.

Roaming is a bit special, but this still holds. You then trust both operators, not just your home operator.


From 3G on, every base station is authenticated and virtually all traffic on the air is encrypted.

There are issues with stingrays - but these happen due to protocol edge-cases before authentication is established. [Edit: this paper uses side channels to collect information, but that's what a sniffer can do]

Every base station is authenticated.

In most countries, all connections are encrypted.
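The mutual authentication these replies describe (the SIM and the home network share a permanent key, a serving base station only ever receives a per-session vector derived from it, and the handset checks the network's proof before answering) is easier to follow with a runnable model. The following is an added example, not code from the thread or from any 3GPP specification: it uses HMAC-SHA256 in place of the MILENAGE functions, the message names only loosely follow AKA, and the subscriber key and IMSI are constructed test values. It also shows the "edge case before authentication" mentioned above: the identity exchange happens before the handset has verified anything, so a station that cannot pass the MAC check still learns which subscriber tried to attach.

```python
import hmac
import hashlib
import secrets
from typing import Optional

# Simplified AKA-style mutual authentication (constructed illustration).
# HMAC-SHA256 stands in for the 3GPP f1..f5 functions; this is NOT MILENAGE.


def _prf(k: bytes, label: bytes, *parts: bytes, n: int) -> bytes:
    """Keyed derivation; the label keeps the MAC, RES and CK domains separate."""
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()[:n]


class HomeNetwork:
    """Holds each subscriber's permanent key K (the same K burned into the SIM)."""

    def __init__(self, subscribers: dict):
        self.keys = dict(subscribers)
        self.sqn = {imsi: 0 for imsi in subscribers}

    def authentication_vector(self, imsi: str):
        """Return (RAND, AUTN, XRES, CK) for a serving base station.
        K itself never leaves the home network; the station gets only this vector."""
        k = self.keys[imsi]                       # KeyError for unknown subscribers
        self.sqn[imsi] += 1
        sqn = self.sqn[imsi].to_bytes(6, "big")
        rand = secrets.token_bytes(16)
        mac = _prf(k, b"MAC", rand, sqn, n=8)     # proves the challenge came from K's holder
        autn = sqn + mac
        xres = _prf(k, b"RES", rand, n=8)
        ck = _prf(k, b"CK", rand, n=16)
        return rand, autn, xres, ck


class Sim:
    """Subscriber side: knows K and the last accepted SQN (replay detection)."""

    def __init__(self, imsi: str, k: bytes):
        self.imsi = imsi
        self._k = k
        self.sqn_seen = 0

    def identity(self) -> str:
        # Answered in the clear to an identity request, before any
        # authentication has happened: the pre-authentication exposure.
        return self.imsi

    def respond(self, rand: bytes, autn: bytes):
        """Verify the network's MAC first (this is what makes it mutual);
        only then answer with RES and derive the session cipher key."""
        sqn, mac = autn[:6], autn[6:]
        expected = _prf(self._k, b"MAC", rand, sqn, n=8)
        if not hmac.compare_digest(mac, expected):
            raise PermissionError("MAC failure: network not authenticated")
        if int.from_bytes(sqn, "big") <= self.sqn_seen:
            raise PermissionError("SQN failure: replayed challenge")
        self.sqn_seen = int.from_bytes(sqn, "big")
        return _prf(self._k, b"RES", rand, n=8), _prf(self._k, b"CK", rand, n=16)


def attach(sim: Sim, home: Optional[HomeNetwork]) -> dict:
    """One attach attempt seen from a base station.
    home=None models a station with no path to the subscriber's key."""
    imsi = sim.identity()                         # step 1: identity request
    if home is None:
        # Without K there is nothing to derive from; the best the station
        # can do is a random AUTN, which carries no valid MAC.
        rand, autn = secrets.token_bytes(16), secrets.token_bytes(14)
        xres = ck = None
    else:
        rand, autn, xres, ck = home.authentication_vector(imsi)
    try:
        res, ue_ck = sim.respond(rand, autn)      # step 2: challenge / response
    except PermissionError as e:
        return {"imsi_learned": imsi, "authenticated": False, "reason": str(e)}
    ok = xres is not None and hmac.compare_digest(res, xres)
    return {"imsi_learned": imsi, "authenticated": bool(ok and ue_ck == ck)}


def demo():
    k = secrets.token_bytes(16)                   # constructed subscriber key
    imsi = "001010123456789"                      # constructed IMSI on the 001/01 test PLMN
    home = HomeNetwork({imsi: k})
    sim = Sim(imsi, k)
    genuine = attach(sim, home)                   # legitimate station: succeeds
    unkeyed = attach(sim, None)                   # keyless station: MAC failure, IMSI still seen
    # A recorded RAND/AUTN pair cannot be replayed: the SIM tracks SQN.
    rand, autn, _, _ = home.authentication_vector(imsi)
    sim.respond(rand, autn)
    try:
        sim.respond(rand, autn)
        replayed = True
    except PermissionError:
        replayed = False
    return genuine, unkeyed, replayed


if __name__ == "__main__":
    print(demo())
```

The point worth noticing in the output is the second result: the attach is refused because the MAC does not verify, yet `imsi_learned` is already filled in. Authentication protects the session, not the identity exchange that precedes it, which is why the thread's distinction between "everything is authenticated" and "nothing leaks before authentication" matters.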


Sorry, I haven't kept up on my phreaking - is there encryption for 3G which hasn't been broken yet?


Not sure about 3G algorithms - but that's why 4G moved on to AES.

What exactly are you trying to say? Worrying customers can easily enforce 4G. Networks should drop 2G and 3G, but still, things are getting better.


I'm saying it doesn't matter whether everything is authenticated and encrypted, it's all vulnerable. Even if 4G wasn't, you can just downgrade and then crack.


Where exactly vulnerable against which type of attacker?

In 4G there are location and identity leaks, and denial of service (which is why smartphones and carriers should drop 2G and 3G).

Or is this a "technology is all bad" kind of comment?


I consider it more to be a 'why oh why do these protocols continue to be designed and specified in such a way as to be known to be vulnerable to eavesdropping' kind of comment.


What? I mean your provider ships you a computer that's dedicated to authenticating your device on the network (a SIM card); it shouldn't be infeasible to authenticate the nodes when you can bootstrap off an actual trusted device.

With roaming, your provider could cross sign other providers - and for long range/international roaming you could maybe allow forwarding of encrypted requests for authentication over an untrusted channel.

That would probably be enough for some level of (location) tracking, but there'd be no need to allow any regular traffic over such links. In theory. In practice, that'd probably be too expensive, and you'd get better service and security relying on WLAN and something like Signal....


Maybe your phone could trust all base stations operated by AT&T and T-Mobile, instead of manually verifying each one.


OK but what you are suggesting is a fully authenticated air interface and a massive PKI deployment, which while not impossible for future protocols face obvious hurdles.


Aren't SIM cards the perfect way to do a PKI?


Right? More like s/massive PKI/_a_ PKI


What happens when you travel internationally?


Just add another root certificate to your local store, like with a web browser.


Yeah I'm sure the cops and the lawyers will stop the bad guys using the power of the law.


It seems like this method requires a known phone number, and can track people based on knowing the phone number in advance. That is quite a high bar, and very different from the standard stingray attack.

That is, older attacks allow you to collect all IMSIs in the area. Instead, this attack allows you to track a given phone number, and retrieve the IMSI that belongs to a given phone number.

Edit: it seems like an email address or Twitter handle also works. What is needed is some way to trigger a message on the phone. That still requires knowing some identity up front though.


> Edit: it seems like an email address or Twitter handle also works. What is needed is some way to trigger a message on the phone. That still requires knowing some identity up front though.

Marginal. No barrier at all for targeted attacks (phishing, stalking, intelligence etc.).


A very large use case for stingrays by American police was to have them running nearly continuously. Then, when a crime occurred, they would go back and examine the captured data to see who was nearby during the crime.

Such post-hoc tracking is not possible with this method.

Similarly, if all you know is "I don't trust the bearded guy who just disembarked the plane" it could be hard to get to an identity that will trigger his phone. With a traditional 'What IMSIs are in the area' capture, you just need to follow them long enough that one IMSI stands out as always being available. This attack doesn't enable that either.


> A very large use case for stingrays by American police was to have them running nearly continuously. Then, when a crime occurred, they would go back and examine the captured data to see who was nearby during the crime

Do you have a link for this? It's difficult to Google


https://theintercept.com/2016/10/18/how-chicago-police-convi...

The officer requested use of a “digital analyzer” to locate the new burner phones at “any time of the day or night … without geographical limitation in the State of Illinois.” The request was approved.

I recall similar things happened in New York

Perhaps 'a very large use case' was too strong a phrasing though.


not a high bar at all for large companies.... they probably get that information at a dime a dozen....


Based on the paper, the title is clickbait; it does not talk about intercepting calls at all. It does mention that one of the attacks in the paper can enable "further attacks", but if call interception was one of them, I'd imagine that they'd say so explicitly.


The author of the paper, cited in the report, said, "Any person with a little knowledge of cellular paging protocols can carry out this attack... such as phone call interception, location tracking, or targeted phishing attacks."


The article mentions you need to brute-force 29 bits using an oracle. It doesn't mention this is an active oracle. That is, it requires interaction with the UE (target phone).

This makes the brute-force attack quite a bit harder, as you need to be in contact with the target phone for the duration of the attack (you don't need to do the attack in one go though).


This is nothing new; this has been a thing since the SMS paging channels that were included in CDMA2000.


One man's "flaw" is another TLA's "feature"... ;-)


If by flaw they mean feature.


[removed]


Actually that is a link to a terrible PDF-rendering web page. This is the original paper.

http://homepage.divms.uiowa.edu/~comarhaider/publications/LT...


Thanks Huawei.



