Now you, too, can snoop on mobe users from 3G to 5G with a Raspberry Pi and €1,100 of gizmos
Crypto-boffins' paper shows AKA protocol still broken
A protocol meant to protect smartphone users' privacy is vulnerable to fake base station attacks all the way from 3G to 5G, according to a group of international researchers. All the baddies need is a little over €1,100 worth of kit and a laptop.
The "Authentication and Key Agreement" protocol (aka AKA, hehe) is meant to provide security between mobile users and base stations, and was previously exploited by surveillance devices, such as the StingRay, used by cops and Feds.
Stingray phone stalker tech used near White House, SS7 abused to steal US citizens' data – just Friday thingsREAD MORE
In research published by the International Association for Cryptologic Research this month, boffins from ETH Zurich, Berlin Technical University and Norwegian research institute SINTEF Digital claimed they had found "a new privacy attack against all variants of the AKA protocol, including 5G AKA, that breaches subscriber privacy more severely than known location privacy attacks do."
It is severe because it is a logical vulnerability in the protocol – which means it's not specific to one implementation of AKA, and is why it reaches all the way back to 3G implementations.
"AKA is a challenge-response protocol mainly based on symmetric cryptography and a sequence number (SQN) to verify freshness of challenges, preventing replay attacks," the boffins wrote.
Following the discovery of earlier vulnerabilities in cellular networks, particularly mobile phones' susceptibility to IMSI catchers (that is, fake base stations like StingRay), the body in charge of mobile phone standards, 3GPP, improved AKA for the 5G era with randomised asymmetric encryption to protect user identifiers sent during the pre-encryption handshake.
However, the new version still uses SQNs, and the paper said that's what the researchers attacked. They discovered that a lack of randomness and AKA's use of XOR allowed them to defeat the SQN protection mechanism.
"We show that partly learning SQN leads to a new class of privacy attacks," the researchers wrote, and although the attacker needs to start with a fake base station, the attack can continue "even when subscribers move away from the attack area."
Though the attack is limited to subscriber activity monitoring – number of calls, SMSs, location, and so on – rather than snooping on the contents of calls, the researchers believe it's worse than previous AKA issues like StingRay, because those are only effective only when the user is within reach of a fake base station.
This latest exploit can gain information on activities beyond the fake phone mast, if the victim reenters the area of the bogus base station.
"Even when [user equipment] are using mobile services outside the attack area, part of this activity may be leaked to some adversary using our attack the next time the UE enters again the attack area," the paper read. "Intuitively, this is because, independently of its location, the UE's activity has an effect on the counter SQN stored in the HN that will be leaked when the UE is (actively) under attack."
Rights groups challenge UK cops over refusal to hand over info on IMSI catchersREAD MORE
The vulnerability arises because an attacker can send authentication challenges to the UE at different times, to retrieve the SQN, and "by cleverly choosing several timestamps, the attacker is able to exploit [SQN] values... to break the confidentiality of SQN."
The researchers' proof of concept needed a laptop, a universal software radio peripheral, a smartcard reader, and the OpenLTE software. Excluding the laptop, they said the kit cost €1,140 (they note that the laptop could easily be replaced with a Raspberry Pi).
The authors – Ravishankar Borgaonkar of SINTEF Digital, Lucca Hirschi of ETH Zurich, and Shinjo Park and Altaf Shaik of the Technical University of Berlin – said they have notified 3GPP, the GSM Association; vendors Huawei, Nokia and Ericsson; and carriers Deutsche Telekom and Vodafone UK.
They said the GSMA and 3GPP told them remediation will be undertaken for future generations. However, the early implementations of 5G will probably suffer from the vulnerability. ®