Analysis A group of infosec researchers have uncovered neat ways to track a phone's location via 4G or 5G. However, the mechanics of the surveillance, while fascinating, are difficult to pull off for all but the most determined foe.
The so-called Torpedo attacks are said to allow someone nefarious to trace a person's whereabouts by using side-channel features of the 4G and 5G cellular comms specifications. It is possible to use the base Torpedo principle to perform an IMSI-cracking attack, which brute-force decodes a device's encrypted IMSI, or perform a Piercer attack, which links a phone number to an IMSI.
According to a paper [PDF, 985kB] due to be presented today at NDSS (Network and Distributed System Security Symposium) in the US by Syed Rafiul Hussain, along with Ninghui Li and Elisa Bertino, all of Purdue University, and Mitziu Echeverria and Omar Chowdhury at the University of Iowa, the snooping relies on having some prior knowledge of one's target and of how to intercept and read LTE paging channel messages.
Crucially, the nature of the surveillance, as described by the team in their paper, means that – much like the minor controversy over password managers this month – it is not an attack vector many people should realistically live in fear of.
The paper appeared online in December, and its findings have been acknowledged by the GSMA, the world's mobile networks' trade body, which is working on fixing up the problems. No proof-of-concept exploit code or detailed instructions have been released as the vulnerabilities are said to be still live.
How did they figure this out?
To understand the Torpedo family of attacks you need to understand some basic things about how LTE mobile networks work. What follows here is a little oversimplified.
Your mobile phone’s rough location is always known to your network because it has to talk to a nearby base station run by your mobile operator. When someone wants to call you, the mobile network tells the last base station that was talking to your phone to broadcast a paging message for it. If your phone receives that paging message, it replies to say “here I am!” and the call is connected.
In security terms, your phone’s identity to the network can be split into two parts: the International Mobile Subscriber Identity (IMSI) and the Temporary Mobile Subscriber Identity (TMSI). The IMSI is stored on your SIM card and doesn’t change; the TMSI is assigned to your phone by its nearby base station. Every time your phone goes out of reception from one base station, the next base station assigns a new, unique TMSI.
In the 4G and 5G LTE specifications there’s a fair bit of maths that goes on so phones can time-share radio channels, sync with the base station only at known times to check for new paging messages, and so on. One of the important parts of that maths is called the Paging Frame Index, or PFI, and it is broadcast as part of the paging message. The PFI is unique to each device in a cell’s area, being derived in part from the IMSI.
The goal is discovering that IMSI, so it can be used to track the phone's travels or presence, as it moves from base station cell to base station cell.
The Torpedo attack
First of all: the snooper must already have your phone number, and know roughly where you and your phone will physically be at a given time. These two things are far from impossible to obtain, but do rely on the miscreant having some knowledge of you and your travel habits.
The attacker must also set up one or more RF sniffers capable of reading a particular paging message over the airwaves. Again, this is not impossible to do, but does require planning and resources.
To carry out the attack, the spy waits until they know their target is in the rough area of the radio sniffer hardware, and calls (or texts, or WhatsApps, or whatever method of choice triggers a pushed service of some sort) the target’s phone. This triggers a paging message broadcast. The researchers summarised one attack method as follows:
- Make a call.
- Listen for paging messages over the air during the delivery window.
- Remove from the set all PFI values that do not have a paging message during the window.
- If only one PFI value remains in the set, then it concludes that this is [the target’s] PFI
From there you can attempt to use the team's related Piercer attack to obtain the target’s IMSI, which is normally encrypted over the air, from the cell network, and link it to his or her phone number. Briefly, to achieve this, a snoop hijacks the paging channel and forces the network to eventually broadcast a paging message for the target’s IMSI itself, rather than the derived TMSI.
This behaviour is a routine part of how some operators’ LTE networks are designed to locate to a user device that goes AWOL and can be triggered by a single phone call – provided the attacker has hijacked the paging channel first. It does depend on whether the network has been set up to broadcast an IMSI paging message in clear, though. The technique is not guaranteed to work.
Reg comment: Not as severe as it sounds
Consider somewhere like London, which is smothered in base stations, not-spots and plenty of opportunities for a phone to be abruptly taken out of coverage to a completely different location, as happens when you get on the London Underground.
The surveillance as described in the paper can locate you to within the coverage radius of a mobile network base station. Running Torpedo against a single base station cannot tell an attacker that you are on a particular street, outside a particular shop, or gazing out of a particular window in a particular office block. Just that you're within that area, because your phone is present with its unique IMSI.
Now you, too, can snoop on mobe users from 3G to 5G with a Raspberry Pi and €1,100 of gizmosREAD MORE
With that said, a determined attacker who knows your location well and is equipped with multiple sniffers could more precisely locate you using triangulation techniques that police forces use to locate suspected gang members. They could also track you as your handheld moves from cell to cell.
This method is so useful that British prosecutors routinely convince courts to impose conditions on convicted drug and gang criminals forcing those people to only use a specified mobile phone number unless they notify police of a new one.
Finally, making a number of phone calls in a short period of time and hanging up before they are answered can trigger a paging message without alerting the target device to an incoming call, which an attacker can use to track a victim’s location. Knowing the victim’s paging occasion also lets an attacker hijack the paging channel and inject or deny paging messages, by spoofing messages like Amber alerts or blocking messages altogether, the researchers say.
In the infosec lingo, does this feature in your threat model? If so, you are more likely to be the target of determined state-level adversaries than you are from a drive-by cyber-crim or even a moderately organised criminal gang, unless you’ve managed to annoy some seriously well-resourced people.
The cops or intelligence agents could just ask, with a warrant or other suitable powers, your mobile network operator to hand over your phone location, of course – and potentially fall back to the above techniques if they'd rather do this without a telco's involvement and have the right kit.
There’s also the question of timing. The researchers said in their paper that it is “necessary to wait (about 30-35 seconds) for the device to move to the idle mode before making the next trial. Therefore, for ToRPEDO to be successful, it requires 2.4–4.3 minutes on average when successive phone calls are placed with an interval of 30-35 seconds.”
If you’re stationary (sitting at home or in a workplace) that is easily doable – assuming, that is, the target doesn’t do something disruptive like wonder why their phone’s going off every 30 seconds with a dropped call or message and turn it off. If you are outdoors and moving around between base station areas, it becomes more of a question of luck than a hostile person or group’s technical judgement.
As for the IMSI-cracking attack, which is an alternative way of obtaining the ID if Piercer doesn't work, it can take a week: the team spent about 74 hours spread over seven days to brute-force a single subscriber's identity. ®