As 5G Rolls Out, Troubling New Security Flaws Emerge

Credit to Author: Lily Hay Newman | Date: Tue, 12 Nov 2019 16:30:00 +0000
Researchers have identified 11 new vulnerabilities in 5G—with time running out to fix them.
It's not yet prime time for 5G networks, which still face logistical and technical hurdles, but they're increasingly coming online in major cities worldwide. Which is why it's especially worrying that new 5G vulnerabilities are being discovered almost by the dozen.
At the Association for Computing Machinery's Conference on Computer and Communications Security in London today, researchers are presenting new findings that the 5G specification still has vulnerabilities. And with 5G increasingly becoming a reality, time is running out to catch these flaws.
The researchers from Purdue University and the University of Iowa are detailing 11 new design issues in 5G protocols that could expose your location, downgrade your service to old mobile data networks, run up your wireless bills, or even track when you make calls, text, or browse the web. They also found five additional 5G vulnerabilities that carried over from 3G and 4G. They identified all of those flaws with a new custom tool called 5GReasoner.
"We had a hunch when we started this work that there were more vulnerabilities to find," says Syed Rafiul Hussain, a mobile security researcher from Purdue who led the study. "Since many security features from 4G and 3G have been adopted to 5G, there is a high chance that vulnerabilities in previous generations are likely inherited to 5G, too. Additionally, new features in 5G may not have undergone rigorous security evaluation yet. So we were both surprised and not so surprised by our findings."
One purported benefit of 5G is that it protects phone identifiers, like your device's "international mobile subscriber identity," to help prevent tracking or targeted attacks. But downgrade attacks like the ones the researchers found can bump your device down to 4G, or put it into limited service mode, then force it to send its IMSI number unencrypted. Increasingly, networks use an alternative ID called a Temporary Mobile Subscriber Identity that refreshes periodically to stymie tracking. But the researchers also found flaws that could allow them to override TMSI resets, or correlate a device's old and new TMSI, to track devices. Mounting those attacks takes only software-defined radios that cost a few hundred dollars.
The 5GReasoner tool also found issues with the part of the 5G standard that governs things like initial device registration, deregistration, and paging, which notifies your phone about incoming calls and texts. Depending on how a carrier implements the standard, attackers could mount "replay" attacks to run up a target's mobile bill by repeatedly sending the same message or command. It's an instance of vague wording in the 5G standard that could cause carriers to implement it weakly.
The 5G rollout is very much in progress now after years of development and planning. But researchers' findings underscore that the data network is going live with some vulnerabilities and flaws still in place. No digital system is ever perfectly secure, but this many flaws still emerging is noteworthy, especially since researchers have found so many bugs clustered around serious issues like network downgrading and location tracking.
The researchers submitted their findings to the standards body GSMA, which is working on fixes. "These scenarios have been judged as nil or low-impact in practice, but we appreciate the authors’ work to identify where the standard is written ambiguously, which may lead to clarifications in the future," GSMA told WIRED in a statement. "We are grateful to the researchers for affording industry the opportunity to consider their findings and welcome any research that enhances the security and user confidence of mobile services."
The researchers note that a limitation of their study is that they didn't have access to a commercial 5G network to test the attacks in practice. But they point out that while GSMA says the attacks are low impact, it still listed the work in its Mobile Security Research Hall of Fame.
"The thing I worry about most is that attackers could know the location of a user," Purdue's Hussain says. "5G tried to solve this, but there are many vulnerabilities that expose location information, so fixing one is not enough."
Improving the security of the 5G standard through community scrutiny is a necessary process. But with 5G rolling out more and more widely every day, time is running short to catch and resolve vulnerabilities that could expose user data worldwide.