Popular apps like Facebook and WhatsApp, combined with weaknesses in LTE protocols, could help spooks or attackers locate users, a group of German and Finnish researchers have found.
The problem, however, isn't the apps, but the network protocols they use. The work, here at Arxiv, details how LTE protocols can be attacked to deny service to a target's device; and how the network can be persuaded to leak device locations.
The location problem is this: the social apps – and other applications, like Voice over LTE – generate broadcast “paging” messages from the network to the device, and the supposedly-anonymous Global Unique Temporary ID given to devices by the network lasts so long (up to three days) that it's easy to de-anonymise devices.
Those messages have always existed, but as the group writes here, in the 3G world the broadcasts covered areas of 100 km2, which isn't so useful for tracking a user.
The designers of LTE wanted better user location, so broadcast activity is now confined to the much-more-snoopable 2 km2 – and building kit to sniff all the broadcast messages a network transmits is relatively easy. The boffins needed only a laptop running open-source LTE baseband software, and a suitable software-defined radio card.
In Facebook, the paging messages are triggered by incoming messages, and in WhatsApp, they're generated to tell you that the other person in a conversation is typing. Since the broadcast message only reaches the cell you're connected to, watching those broadcasts gives an attacker your location within that cell.
The other key to the location attack is to get the network to leak a user's IMSI, but the authors say there are a variety of existing attacks that will do this. With IMSI and user presence in hand, it's then easy to refine location to a much finer degree, by getting users to log into a rogue cell (think “Stingray”).
Luckily, the authors note, the fix for the location tracking bug should be easy enough for operators: if they cycle GUTIs often enough (a pain in the neck if operators have to comply with data retention, but there you go), it becomes impossible to associate paging messages with a specific individual.
The over-the-air denial-of-service attacks the paper presents are based on LTE network signalling messages that aren't protected – “Tracking Area Update” (TAU) messages.
Because LTE devices don't check the integrity of these messages, the messages can be sent from a rogue access point to force downgrade or deny services either to a specific device, or all devices in reach of the attacker.
The DoS attacks are a much thornier problem: forcing authentication of all the network messages requires at least infrastructure upgrades, and in some cases, new LTE protocols. ®