Critical vulnerabilities affect 3G, 4G and upcoming 5G protocol

An attacker could intercept communication metadata to locate of a mobile phone

Network security and ethical hacking specialists reported the discovery of vulnerability in the 5G communication protocol, which will be implemented soon. Apparently this vulnerability is more severe than the previously ones discovered, as it affects the 3G and 4G protocols in addition to the upcoming 5G.

According to experts from the International Institute of Cyber Security, the flaw allows the monitoring of communications through the use of IMSI receivers (International Mobile Subscriber Identity Interception) of last generation functional in all telephone protocols.

Third Generation Partnership Project (3GPP), entity responsible for the standardization of mobile communications worldwide, designed and ordered the implementation of the Authentication and Key Agreement (AKA) protocol to protect mobile phone users, however, multiple attacks against this protocol have been successfully performed; some of these flaws have been corrected or mitigated in the AKA enhanced protocol for 5G.

The vulnerability recently discovered by network security specialists affects the AKA protocol, which is a mechanism based on the challenge/response process that uses symmetric cryptography. Current IMSI receivers exploit these vulnerabilities to degrade the AKA to a primary state, allowing the attacker to intercept the traffic metadata of a mobile device to track its location.

3GPP developed a new version of AKA specifically for the 5G (5G-aka) protocol to be able to bypass a IMSI receptor, but the vulnerability allowed attackers to develop a new version of receptors capable of intercepting the 5G signal.

The vulnerability reveals details about a user’s mobile activity, such as the number of calls and text messages sent and received, which far exceeds the performance of older IMSI computers.

It is also worth mentioning that in 2018, David Vignault, a specialist in network security based in Canada, said he was concerned about the possibility of data theft that would generate the implementation of 5G technology, as organizations that protect confidential information (even military secrets) could be affected.

“Espionage activities in strategic areas sponsored by government agencies have increased,” Vignault mentioned. “Sensitive sectors, such as research in artificial intelligence, drugs and military technology, could be severely affected by this kind of security flaws in mobile communication protocols”.