Flaws in 3G GSM standard enable device tracking
What is interesting about this development is how the researchers found that they did not need to perform exotic cryptographic actions or obtain security keys to carry out the attacks they performed. Using off-the-shelf and rooted femtocell which broadcast a 3G signal, two types of attacks were performed, the IMSI (International Mobile Subscriber Identity) paging attack, and the Authentication and Key Agreement (AKA) protocol attack.
With the IMSI paging attack, it would force the device to reveal its IMSI in response to a temporary number (TMSI) request. This is somewhat similar to what authorities use with “IMSI catchers” in tracking cell phone movements. In the AKA protocol attack, the authentication request would be sent to all phones in range. All the phones, except the targeted device would return with a synchronization failure.
The researchers tested the techniques against the networks of T-Mobile, Vodafone and O2 in Germany, as well as SFR in France. It would seem the attacks will work on any carrier that adheres to the 3G GSM standard. They found that these techniques would also allow tracking of movements within a building based on how they may position femtocells in the building.
In the past, the GSM standard has been compromised, allowing cloning and position tracking. These attacks are different say the researchers because these were merely exploiting a weakness in the protocol of the standard, not individual weakness of a device or its encryption.
3GPP, an industry group, is reviewing the research and will recommend a course of action that can work across the standard. It will take some time however, given how widespread GSM is in use. The researchers have outlined some possible fixes to the standard as well, which are under review and do not appear to be too difficult or expensive to implement. It will be interesting to see how this research evolves since IMSIs are unique identifiers used in GSM, UMTS and LTE standards.
The research teams will be outlining their finding at the ACM Conference on Computer and Communications Security in Raleigh, North Carolina next week.
source: SC Magazine