Now you, too, can snoop on mobe users from 3G to 5G with a Raspberry Pi and €1,100 of gizmos

Crypto-boffins' paper shows AKA protocol still broken

A protocol meant to protect smartphone users' privacy is vulnerable to fake base station attacks all the way from 3G to 5G, according to a group of international researchers. All the baddies need is a little over €1,100 worth of kit and a laptop.

The "Authentication and Key Agreement" protocol (aka AKA, hehe) is meant to provide security between mobile users and base stations, and was previously exploited by surveillance devices, such as the StingRay, used by cops and Feds.

In research published by the International Association for Cryptologic Research this month, boffins from ETH Zurich, Berlin Technical University and Norwegian research institute SINTEF Digital claimed they had found "a new privacy attack against all variants of the AKA protocol, including 5G AKA, that breaches subscriber privacy more severely than known location privacy attacks do."

It is severe because it is a logical vulnerability in the protocol itself – it is not specific to any one implementation of AKA, which is why it reaches all the way back to 3G deployments.

"AKA is a challenge-response protocol mainly based on symmetric cryptography and a sequence number (SQN) to verify freshness of challenges, preventing replay attacks," the boffins wrote.

Following the discovery of earlier vulnerabilities in cellular networks, particularly mobile phones' susceptibility to IMSI catchers (that is, fake base stations like StingRay), the body in charge of mobile phone standards, 3GPP, improved AKA for the 5G era with randomised asymmetric encryption to protect user identifiers sent during the pre-encryption handshake.

However, the new version still uses SQNs, and the paper said that's what the researchers attacked. They discovered that a lack of randomness and AKA's use of XOR allowed them to defeat the SQN protection mechanism.

"We show that partly learning SQN leads to a new class of privacy attacks," the researchers wrote, and although the attacker needs to start with a fake base station, the attack can continue "even when subscribers move away from the attack area."

Though the attack is limited to subscriber activity monitoring – number of calls, SMSs, location, and so on – rather than snooping on the contents of calls, the researchers believe it's worse than previous AKA issues like StingRay, because those are only effective while the user is within reach of a fake base station.

This latest exploit can gain information on activities beyond the fake phone mast, if the victim reenters the area of the bogus base station.

"Even when [user equipment] are using mobile services outside the attack area, part of this activity may be leaked to some adversary using our attack the next time the UE enters again the attack area," the paper read. "Intuitively, this is because, independently of its location, the UE's activity has an effect on the counter SQN stored in the HN that will be leaked when the UE is (actively) under attack."

The vulnerability arises because an attacker can send authentication challenges to the UE at different times, to retrieve the SQN, and "by cleverly choosing several timestamps, the attacker is able to exploit [SQN] values... to break the confidentiality of SQN."
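To make concrete why masking a counter with XOR is fragile when the mask is not fresh, here is an added Python model. It is not code from the paper, from 3GPP or from OpenLTE, and it deliberately simplifies the real f5/AUTS mechanics: the only property it keeps is that AKA conceals SQN as SQN xor AK, where AK is derived from the subscriber key K and the challenge RAND alone. The `simulate` scenario, the HMAC-based key derivation, the nonce-mixing "hardened" variant and all key and counter values are constructed for illustration; the hardened variant is a hypothetical countermeasure, not the remedy 3GPP chose.

```python
import hmac
import hashlib
import secrets

SQN_LEN = 6  # AKA sequence numbers are 48 bits wide


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def anonymity_key(k: bytes, rand: bytes, extra: bytes = b"") -> bytes:
    """Toy stand-in for the AK derivation (f5 in real AKA; HMAC-SHA256 here).

    With extra == b"" the mask depends only on K and RAND, so presenting the
    same RAND twice yields the same mask twice.
    """
    return hmac.new(k, b"AK" + rand + extra, hashlib.sha256).digest()[:SQN_LEN]


def conceal_sqn_deterministic(k: bytes, rand: bytes, sqn: int) -> bytes:
    """SQN xor AK, with AK a function of (K, RAND) only: the AKA design."""
    return xor_bytes(sqn.to_bytes(SQN_LEN, "big"), anonymity_key(k, rand))


def conceal_sqn_randomised(k: bytes, rand: bytes, sqn: int) -> tuple[bytes, bytes]:
    """Hypothetical hardened variant: a fresh nonce is mixed into the mask and
    sent alongside, so two answers to the same RAND use unrelated masks."""
    nonce = secrets.token_bytes(16)
    conc = xor_bytes(sqn.to_bytes(SQN_LEN, "big"), anonymity_key(k, rand, nonce))
    return nonce, conc


def reveal_sqn_randomised(k: bytes, rand: bytes, nonce: bytes, conc: bytes) -> int:
    """The home network, which holds K, still recovers SQN from the hardened form."""
    return int.from_bytes(xor_bytes(conc, anonymity_key(k, rand, nonce)), "big")


def leaked_counter_xor(conc_a: bytes, conc_b: bytes) -> int:
    """All an observer without K can compute from two concealed values: their XOR.
    If both used the same mask, this equals SQN_a xor SQN_b, i.e. how the
    counter changed between the two observations."""
    return int.from_bytes(xor_bytes(conc_a, conc_b), "big")


def simulate(activity_between: int, hardened: bool) -> tuple[int, int]:
    """Constructed scenario: the same RAND is answered twice, with
    `activity_between` counter increments (calls, SMSs) happening in between.
    Returns (true SQN_a xor SQN_b, value an observer computes from the wire)."""
    k = secrets.token_bytes(16)        # subscriber's long-term key (constructed)
    rand = secrets.token_bytes(16)     # one challenge value, presented twice
    sqn_a = 0x000000001000             # constructed starting counter
    sqn_b = sqn_a + activity_between   # counter after activity elsewhere
    if hardened:
        _, conc_a = conceal_sqn_randomised(k, rand, sqn_a)
        _, conc_b = conceal_sqn_randomised(k, rand, sqn_b)
    else:
        conc_a = conceal_sqn_deterministic(k, rand, sqn_a)
        conc_b = conceal_sqn_deterministic(k, rand, sqn_b)
    return sqn_a ^ sqn_b, leaked_counter_xor(conc_a, conc_b)


if __name__ == "__main__":
    for hardened in (False, True):
        true_xor, observed = simulate(5, hardened)
        print(f"hardened={hardened}: true SQN xor={true_xor:#x}, observed={observed:#x}")
```

In the deterministic case the observed value equals the true counter XOR, which is the "lack of randomness plus XOR" weakness the paper describes: nothing about K is learned, but the counter's evolution is. In the hardened variant the two masks are independent, so the observed XOR carries no information about the counter while the home network can still unmask it.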

The researchers' proof of concept needed a laptop, a universal software radio peripheral, a smartcard reader, and the OpenLTE software. Excluding the laptop, they said the kit cost €1,140 (they note that the laptop could easily be replaced with a Raspberry Pi).

The authors – Ravishankar Borgaonkar of SINTEF Digital, Lucca Hirschi of ETH Zurich, and Shinjo Park and Altaf Shaik of the Technical University of Berlin – said they have notified 3GPP, the GSM Association; vendors Huawei, Nokia and Ericsson; and carriers Deutsche Telekom and Vodafone UK.

They said the GSMA and 3GPP told them remediation will be undertaken for future generations. However, the early implementations of 5G will probably suffer from the vulnerability. ®
