The adoption of Fourth Generation Long Term Evolution (4G LTE), the de facto standard for cellular telecommunication, has seen stable growth in recent years, replacing prior generations due to its promise of improved assurances (e.g., higher bandwidth, reliable connectivity, enhanced security). On top of that, the imminent deployment of the Fifth Generation (5G) cellular network has created much enthusiasm in both industry and academia, particularly due to its promise of enabling new applications such as smart vehicles and remote robotic surgery. It is, therefore, expected that the 5G rollout will have a positive impact from the national down to the personal level by enabling applications that improve our quality of life.
Paging is one of the many important protocols in cellular networks. It enables a cellular device that is not actively communicating with a base station to respond to a phone call, an SMS, or any other incoming message for the device. The cellular paging (broadcast) protocol strives to balance a cellular device's energy consumption against quality-of-service by allowing the device to poll for pending services only periodically while in its idle, low-power state. For a given cellular device and serving network, the exact time periods when the device polls for services (called the paging occasion) are fixed by design in the 4G/5G cellular protocol.
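To make the "fixed by design" property concrete, the following added example (not part of the original abstract) computes an idle LTE device's paging frame and subframe. It assumes the FDD rules of 3GPP TS 36.304 section 7, which the abstract does not quote; the function names and the IMSI on the 001/01 test network are constructed for illustration.

```python
from fractions import Fraction

# FDD subframe patterns (TS 36.304 section 7.2), indexed by Ns, then i_s.
FDD_PO_SUBFRAMES = {1: (9,), 2: (4, 9), 4: (0, 4, 5, 9)}
VALID_T = (32, 64, 128, 256)                      # DRX cycle, in radio frames
VALID_NB = tuple(Fraction(n) for n in (4, 2, 1)) + tuple(
    Fraction(1, d) for d in (2, 4, 8, 16, 32))    # nB as a multiple of T


def paging_schedule(imsi, T=128, nb_ratio=1):
    """Return (paging-frame offset within the DRX cycle, subframe number)."""
    nb_ratio = Fraction(nb_ratio)
    if not (imsi.isdigit() and len(imsi) <= 15):
        raise ValueError("IMSI must be at most 15 decimal digits")
    if T not in VALID_T or nb_ratio not in VALID_NB:
        raise ValueError("T or nB outside the values the specification allows")
    nB = int(T * nb_ratio)
    ue_id = int(imsi) % 1024          # the only device-specific input
    N = min(T, nB)                    # paging frames per DRX cycle
    Ns = max(1, nB // T)              # paging occasions per paging frame
    pf_offset = (T // N) * (ue_id % N)    # paging frames: SFN mod T == offset
    i_s = (ue_id // N) % Ns
    return pf_offset, FDD_PO_SUBFRAMES[Ns][i_s]


def wake_frames(imsi, T=128, nb_ratio=1):
    """System frame numbers (0..1023) in which the idle device polls."""
    offset, _ = paging_schedule(imsi, T, nb_ratio)
    return [sfn for sfn in range(1024) if sfn % T == offset]


if __name__ == "__main__":
    imsi = "001010123456789"          # constructed IMSI, test PLMN 001/01
    for ratio in (2, 1, Fraction(1, 4)):
        print(ratio, paging_schedule(imsi, nb_ratio=ratio),
              wake_frames(imsi, nb_ratio=ratio)[:3])
```

Nothing in the computation varies with time or with a temporary identifier, so the same device wakes in the same slots for as long as the cell's parameters stay unchanged.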
This talk first presents how the fixed nature of paging occasions can be exploited as a side-channel by an adversary in the vicinity of a victim to associate the victim's soft-identity (e.g., phone number, Twitter handle) with its paging occasion, at only a modest cost, through an attack dubbed ToRPEDO (TRacking via Paging mEssage DistributiOn). We then demonstrate how ToRPEDO can enable an adversary to verify a victim's coarse-grained location information, inject fabricated paging messages, and mount denial-of-service attacks.
We also demonstrate that, in 4G and 5G, it is plausible for an adversary to retrieve a victim device's persistent identity (i.e., IMSI) with a brute-force "IMSI-Cracking" attack that uses ToRPEDO as an attack sub-step. Our further investigation of 4G paging protocol deployments also identified an implementation oversight by several network providers that enables the adversary to launch a new kind of IMSI-Catching attack, named PIERCER (Persistent Information ExposuRe by the CorE netwoRk), for associating a victim's phone number with its IMSI, which in turn allows targeted user location tracking. All of our attacks have been validated and evaluated against network operators in many different countries, including the US, Canada, Europe, and South-East Asia, using commodity hardware and software.
Finally, this talk discusses the potential flaws of the fixes proposed by the Third Generation Partnership Project (3GPP), the standards body for cellular networks, and concludes with a direction for potential countermeasures against the presented attacks.