Hussain, Bertino and Li named to GSMA Mobile Security Research Hall of Fame
This work led to the discovery of three new privacy attacks to the 4G and 5G cellular paging protocols, which are primarily used to send notifications about incoming services (e.g., phone calls, SMS, and data). Researchers identified that attackers can exploit a side-channel information in the paging protocol to find a victim's location and retrieve the device's permanent identifier (the International Mobile Subscriber Identity, or IMSI) which is used as the prime arsenal for surveillance. The attackers must only know the victim’s phone number or social network handle to carry out the attacks. Their proof-of-concept exploitations were validated with major network operators in US, Canada, and Europe. The researchers have also shown that the soon-to-be-rolled-out 5G network leaks information about the permanent identifier even though 5G standard tries to conceal it through public key-based encryption.
The GSMA is a trade body that represents the interests of mobile network operators worldwide, and the Hall of Fame recognizes the contributions to the security and privacy of 4G and 5G networks through disclosure of vulnerabilities. The work, led by Hussain and in collaboration with Professor Omar Chowdhury and Mitziu Echeverria, a graduate student at the University of Iowa, has also been accepted for publication at the Network and Distributed Systems Security (NDSS) Symposium, which will be held in February 2019 in San Diego, CA.