According to a research team from the University of Iowa and Purdue University, privacy-breaking flaws in the 4G and 5G mobile protocols could easily enable attackers to send fake alerts and other notifications, intercept calls, track users' locations and more.
In a paper presented at the Mobile World Congress in Barcelona this week, the researchers said,
“The issues arise from weaknesses in the cellular paging (broadcast) protocol.”
They start from the fact that when a phone is in its low-power or idle state, it saves battery by attending to pending services and activities only periodically.
Elisa Bertino, Omar Chowdhury, Mitziu Echeverria, Syed Rafiul Hussain and Ninghui Li explained,
“When a cellular device is not actively communicating with a base station, it enters an idle, low-energy mode to conserve battery power. When there is a phone call or an SMS message for the device, it needs to be notified. This is achieved by the paging protocol, which strives to achieve the right balance between the device’s energy consumption and timely delivery of services such as phone calls.”
The researchers found that three related types of attack can be mounted against this paging mechanism. The primary attack is ToRPEDO (Tracking via paging message Distribution), which can be used to find out the location of a particular device. Hackers can also inject duplicate paging messages and conduct denial-of-service (DoS) attacks.
Two other attacks enabled by ToRPEDO are the IMSI-Cracking attack and PIERCER (short for Persistent Information Exposure by the Core network). These two attacks enable an adversary to completely reveal the user's unique International Mobile Subscriber Identity (IMSI) number. If the attacker knows the user's phone number, this can easily allow location tracking of the user.
Whenever there is a text or call to be delivered to an idle device, the network's Mobility Management Entity (MME) sends a request to the device's nearest base station to broadcast a paging message. This message includes the device's Temporary Mobile Subscriber Identity (TMSI).
The team said,
“An attacker places multiple phone calls to the victim device in a short period of time and sniffs the paging messages. If the most frequent TMSI among the paging messages appears frequently enough, then the attacker concludes that the victim device is present.”
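Seen from the network side, the probing described in the quote above appears as an unusual burst of pages carrying the same TMSI within a short period. The sketch below is an added example, not code from the researchers or the article; the log format, the 60-second window and the threshold of five pages are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque

# Constructed sample paging log: (seconds since start, TMSI in the page).
# The record layout is an assumption made for this example.
SAMPLE_PAGING_LOG = [
    (3.0, "0x1f00a001"),
    (10.0, "0x7c41d2e9"), (17.5, "0x7c41d2e9"),
    (21.0, "0x2b00c003"),
    (25.0, "0x7c41d2e9"), (33.0, "0x7c41d2e9"),
    (41.0, "0x7c41d2e9"), (48.0, "0x7c41d2e9"),
    # A subscriber paged five times, but spread over ten minutes.
    (120.0, "0x3a00b002"), (240.0, "0x3a00b002"), (360.0, "0x3a00b002"),
    (480.0, "0x3a00b002"), (600.0, "0x3a00b002"),
    (610.0, "0x1f00a001"),
]


def paging_bursts(records, window_s=60.0, threshold=5):
    """Flag TMSIs paged at least `threshold` times within `window_s` seconds.

    Returns {tmsi: {"peak": n, "start": t0, "end": t1}} where `peak` is the
    largest number of pages seen inside one sliding window for that TMSI.
    """
    recent = defaultdict(deque)  # per-TMSI timestamps still inside the window
    alerts = {}
    for ts, tmsi in sorted(records):
        window = recent[tmsi]
        window.append(ts)
        # Drop pages that have aged out of the sliding window.
        while ts - window[0] > window_s:
            window.popleft()
        peak = alerts.get(tmsi, {}).get("peak", 0)
        if len(window) >= threshold and len(window) > peak:
            alerts[tmsi] = {"peak": len(window), "start": window[0], "end": ts}
    return alerts


if __name__ == "__main__":
    for tmsi, info in paging_bursts(SAMPLE_PAGING_LOG).items():
        print(f"{tmsi}: {info['peak']} pages between "
              f"t={info['start']}s and t={info['end']}s")
```

The window and threshold need tuning against normal paging volume, since a busy subscriber can legitimately be paged several times in a minute.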