Flaws in 3G GSM standard enable device tracking

Flaws in 3G GSM standard enable device tracking
Vulnerabilities have been exposed in the GSM standard in the past, but those vulnerabilities usually required a bit of skill and know-how to exploit. Now researchers at the University of Birmingham and the Technical University of Berlin have found another flaw in the standard that could reveal the location of 3G devices using off-the-shelf gear.

What is interesting about this development is how the researchers found that they did not need to perform exotic cryptographic actions or obtain security keys to carry out the attacks they performed. Using off-the-shelf and rooted femtocell which broadcast a 3G signal, two types of attacks were performed, the IMSI (International Mobile Subscriber Identity) paging attack, and the Authentication and Key Agreement (AKA) protocol attack.



With the IMSI paging attack, it would force the device to reveal its IMSI in response to a temporary number (TMSI) request. This is somewhat similar to what authorities use with “IMSI catchers” in tracking cell phone movements.  In the AKA protocol attack, the authentication request would be sent to all phones in range. All the phones, except the targeted device would return with a synchronization failure.



The researchers tested the techniques against the networks of T-Mobile, Vodafone and O2 in Germany, as well as SFR in France. It would seem the attacks will work on any carrier that adheres to the 3G GSM standard. They found that these techniques would also allow tracking of movements within a building based on how they may position femtocells in the building.

In the past, the GSM standard has been compromised, allowing cloning and position tracking. These attacks are different say the researchers because these were merely exploiting a weakness in the protocol of the standard, not individual weakness of a device or its encryption.

3GPP, an industry group, is reviewing the research and will recommend a course of action that can work across the standard. It will take some time however, given how widespread GSM is in use. The researchers have outlined some possible fixes to the standard as well, which are under review and do not appear to be too difficult or expensive to implement. It will be interesting to see how this research evolves since IMSIs are unique identifiers used in GSM, UMTS and LTE standards.

The research teams will be outlining their finding at the ACM Conference on Computer and Communications Security in Raleigh, North Carolina next week.

source: SC Magazine

FEATURED VIDEO

2 Comments

1. Ragnarockd

Posts: 47; Member since: Aug 27, 2012

IMSI paging attack....Was something similar to this used in dark knight movie to locate jokers hideout??

2. SonyXperiaNexus

Posts: 374; Member since: Oct 01, 2012

nope. it was sonar, just like a bat or submarine. they wer high frequency sound waves that bounce back off solid objects and a sensor recieves them again interprets distance and shape of the object from the bounced off waves.

Latest Stories

This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at https://www.parsintl.com/phonearena or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit https://www.parsintl.com/ for samples and additional information.