Researchers Have Identified 11 New Vulnerabilities in 5G
This article appeared first in WIRED.
As 5G Rolls Out, Troubling New Security Flaws Emerge - Researchers have identified 11 new vulnerabilities in 5G—with time running out to fix them.
It's not yet prime time for 5G networks, which still face logistical and technical hurdles, but they're increasingly coming online in major cities worldwide. Which is why it's especially worrying that new 5G vulnerabilities are being discovered almost by the dozen.
At the Association for Computing Machinery's Conference on Computer and Communications Security in London, researchers are presenting new findings that the 5G specification still has vulnerabilities. And with 5G increasingly becoming a reality, time is running out to catch these flaws.
"The thing I worry about most is that attackers could know the location of a user."
Syed Rafiul Hussain, Post Doc Researcher, Purdue Computer Science
The researchers from the Department of Computer Science at Purdue University and the University of Iowa are detailing 11 new design issues in 5G protocols that could expose your location, downgrade your service to old mobile data networks, run up your wireless bills, or even track when you make calls, text, or browse the web. They also found five additional 5G vulnerabilities that carried over from 3G and 4G. They identified all of those flaws with a new custom tool called 5GReasoner.
"We had a hunch when we started this work that there were more vulnerabilities to find," says Syed Rafiul Hussain, a mobile security researcher from Purdue Computer Science who led the study. "Since many security features from 4G and 3G have been adopted to 5G, there is a high chance that vulnerabilities in previous generations are likely inherited to 5G too. Additionally, new features in 5G may not have undergone rigorous security evaluation yet. So we were both surprised and not so surprised by our findings."
One purported benefit of 5G is that it protects phone identifiers, like your device's "international mobile subscriber identity" (IMSI), to help prevent tracking or targeted attacks. But downgrade attacks like the ones the researchers found can bump your device down to 4G or put it into limited service mode, then force it to send its IMSI number unencrypted. Increasingly, networks use an alternative ID called a Temporary Mobile Subscriber Identity (TMSI) that refreshes periodically to stymie tracking. But the researchers also found flaws that could allow them to override TMSI resets, or correlate a device's old and new TMSI, to track devices. Mounting those attacks takes only software-defined radios that cost a few hundred dollars.
The 5GReasoner tool also found issues with the part of the 5G standard that governs things like initial device registration, deregistration, and paging, which notifies your phone about incoming calls and texts. Depending on how a carrier implements the standard, attackers could mount "replay" attacks to run up a target's mobile bill by repeatedly sending the same message or command. It's an instance of vague wording in the 5G standard that could cause carriers to implement it weakly.
The 5G rollout is very much in progress now after years of development and planning. But researchers' findings underscore that the data network is going live with some vulnerabilities and flaws still in place. No digital system is ever perfectly secure, but this many flaws still emerging is noteworthy, especially since researchers have found so many bugs clustered around serious issues like network downgrading and location tracking.
The researchers submitted their findings to the standards body GSMA, which is working on fixes. "These scenarios have been judged as nil or low-impact in practice, but we appreciate the authors’ work to identify where the standard is written ambiguously, which may lead to clarifications in the future," GSMA told WIRED in a statement. "We are grateful to the researchers for affording industry the opportunity to consider their findings and welcome any research that enhances the security and user confidence of mobile services."
The researchers note that a limitation of their study is that they didn't have access to a commercial 5G network to test the attacks in practice. But they point out that while GSMA says the attacks are low impact, it still listed the work in its Mobile Security Research Hall of Fame.
"The thing I worry about most is that attackers could know the location of a user," Purdue's Hussain says. "5G tried to solve this, but there are many vulnerabilities that expose location information, so fixing one is not enough."
Improving the security of the 5G standard through community scrutiny is a necessary process. But with 5G rolling out more and more widely every day, time is running short to catch and resolve vulnerabilities that could expose user data worldwide.
Writer: Emily Kinsell, 765-494-0669, firstname.lastname@example.org, @emilykinsell
Source: Syed Rafiul Hussain, email@example.com
5GReasoner: A Property-Directed Security and Privacy Analysis Framework for 5G Cellular Network Protocol
Authors: Syed Rafiul Hussain, Mitziu Echeverria, Imtiaz Karim, Omar Chowdhury, Elisa Bertino
The paper proposes 5GReasoner, a framework for property-guided formal verification of control-plane protocols spanning across multiple layers of the 5G protocol stack. The underlying analysis carried out by 5GReasoner can be viewed as an instance of the model checking problem with respect to an adversarial environment. Due to an effective use of behavior-specific abstraction in our manually extracted 5G protocol, 5GReasoner's analysis generalizes prior analyses of cellular protocols by reasoning about properties not only regarding packet payload but also multi-layer protocol interactions. We instantiated 5GReasoner with two model checkers and a cryptographic protocol verifier, lazily combining them through the use of the abstraction-refinement principle. Our analysis of the extracted 5G protocol model covering 6 key control-layer protocols spanning across two layers of the 5G protocol stack with 5GReasoner has identified 11 design weaknesses resulting in attacks having both security and privacy implications. Our analysis also discovered 5 previous design weaknesses that 5G inherits from 4G, and can be exploited to violate its security and privacy guarantees.
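The abstract frames the analysis as model checking against an adversarial environment, and the article notes that replayed messages can inflate a bill where the standard is implemented weakly. As an added illustration (not code from the paper or from 5GReasoner), the toy explicit-state checker below explores a constructed request/counter protocol in which the adversary controls message delivery, and checks the property "the network never bills more requests than the device sent". The protocol, message names and counter check are assumptions made for this example, not 5G procedures.

```python
from collections import deque

MAX_REQUESTS = 2  # bound on genuine device requests; keeps the state space finite


def successors(state, check_freshness):
    """Yield (action, next_state). The adversary owns the channel: it sees every
    message the device sends and may deliver any seen message, any number of times."""
    sent, seen, last_ctr, billed = state
    if sent < MAX_REQUESTS:
        ctr = sent + 1
        yield f"device sends req(ctr={ctr})", (sent + 1, seen | {ctr}, last_ctr, billed)
    for ctr in sorted(seen):
        if check_freshness and ctr <= last_ctr:
            continue  # hardened network drops a stale counter; state is unchanged
        yield (f"adversary delivers req(ctr={ctr})",
               (sent, seen, max(last_ctr, ctr), billed + 1))


def property_holds(state):
    """Safety property: billed events never exceed genuine requests."""
    sent, _seen, _last_ctr, billed = state
    return billed <= sent


def check(check_freshness):
    """Breadth-first search of the model. Returns the shortest counterexample
    trace (list of actions), or None if the property holds in every state."""
    init = (0, frozenset(), 0, 0)  # (sent, seen by adversary, last counter, billed)
    queue, visited = deque([(init, [])]), {init}
    while queue:
        state, trace = queue.popleft()
        if not property_holds(state):
            return trace
        for action, nxt in successors(state, check_freshness):
            if nxt not in visited:
                visited.add(nxt)
                queue.append((nxt, trace + [action]))
    return None


if __name__ == "__main__":
    print("no freshness check:", check(check_freshness=False))
    print("with freshness check:", check(check_freshness=True))
```

Without the freshness check the search returns a three-step trace in which one genuine request is billed twice; with the check it exhausts the bounded state space and finds no violation.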