New attack variant against 4G and 5G networks

These new techniques allow the use of communication intercepting devices again

During a recent event dedicated to network security experts, a team of researchers unveiled a set of vulnerabilities in mobile networks that impact 4G and 5G LTE protocols.

In their research, entitled “Privacy attacks against 4G and 5G cell phone protocols,” experts say that new attack variants could allow remote access to telecommunications by evading security measures implemented in these protocols, which brings back again the possible use of IMSI devices (like the known StingRay) for the interception of mobile telephony signals.

Then, network security and ethical hacking specialists from the International Institute of Cyber Security describe how these new attack variants work:

  • Torpedo attack

This attack exploits the paging protocol in mobile telephony, allowing malicious users to trace the location of the victim’s device. Because of this, attackers can inject specially designed paging messages to generate denial-of-service (DoS) conditions.

If a device does not establish active communication with a cellular network, it enters into a kind of battery saving mode. Before a call or text message reaches a device, the cellular network sends it a paging message to recognize the incoming call or message; this message also includes a value known as the Temporary Mobile Subscriber Identity (TMSI), this value does not change very frequently.

Network security specialists found that if an attacker calls and hangs phonecalls repeatedly over a short period of time, the database updates the TMSI value more often than usual when sending the paging messages. If an attacker detects these search messages using an IMSI device, it can verify whether the victim is within a range where it is possible to intercept their communications.

Network security specialists say the Torpedo attack impacts 4G and 5G protocols; they also add that this attack was tested against mobile phone service providers in the United States and Canada.

  • IMSI cracking and Piercer attacks

In addition to the aforementioned, the Torpedo attack seems to enable two other variants of attacks, called IMSI cracking and PIERCER.

Persistent Information Exposure by the Core Network (PIERCER) attack exists due to a design error and allows attackers to link the victim’s IMSI to their phone number.

“Some service providers use IMSI instead of TMSI in paging messages to identify devices with outstanding services,” the experts mention in their paper. A manual test revealed that it is possible to give the service provider the impression that an exceptional case is occurring that forces him to disclose the victim’s IMSI,” the experts concluded.

With the victim’s IMSI number, attackers can launch other variants of previously discovered attacks, thereby using IMSI receptors to have full access to victims’ phone communications.