ToRPEDO Attack Surfaces to Hit 5G

  /     /     /  
Publicated : 23/11/2024   Category : security


ToRPEDO Attack Surfaces to Hit 5G


GSMA had better start looking at ways around it, and fast.



In
a paper
to be presented at this weeks Network and Distributed System Security Symposium in San Diego, researchers from Purdue University and the University of Iowa outline an attack on both 4G and the upcoming 5G mobile telephony protocols that can enable an adversary to verify a victims coarse-grained location information, inject fabricated paging messages, and mount denial-of-service attacks.
When this attack (which they call ToRPEDO) is used as a subset of another attack, it can also reveal a victim devices persistent identity known as International Mobile Subscriber Identity (IMSI). But they didnt stop there.
They also found that on some 4G paging protocol deployments, an implementation oversight on the part of several network providers enabled an adversary to launch an attack (which they named PIERCER) that will associate a victims phone number with its IMSI. That gives the attacker targeted user location tracking.
The specifics of how it all works gets pretty geeky pretty fast, so look at the paper if you want all the details and all the math.
In many ways, this kind of attack resembles the side-channel attacks that have shown up recently.
It starts with the Temporary Mobile Subscriber Identity (TMSI) that is randomly assigned to a device when in first enters a cells area. An attacker would place multiple phone calls to the victim device in a short period of time and sniffs the paging messages. Enough TMSI messages (from the placed calls) over a short period of time says the victim is in the cells area.
IMSIs can be represented as a 49-bit binary number. The leading 18-bits (the mobile country code and the mobile network code) can be found from a phone number using paid, Internet-based home location register lookup services.
The researchers say that, Identifying the victims paging occasion with ToRPEDO additionally leaks the trailing 7 IMSI bits for US subscribers leaving 24 bits for the attacker to guess. Using a brute-force attack and two oracles (one for 4G and another for 5G) we designed, the attacker can guess the victims IMSI in less than 13 hours.
This latter attack is called IMSI-Cracking and will be used on encrypted IMSIs found on some 4G and 5G networks. It needs ToRPEDO to be carried out first.
One could try a defense against ToRPEDO by primarily focusing on either thwarting the root cause (that is, fixed paging times) of ToRPEDO or through the detection of its (behavioral) signature. The researcher found that both these approaches did not work. Instead, they came up with a countermeasure which prevents the adversary from retrieving accurate side channel information through the addition of noise.
The basic idea is to increase the paging rate of all paging occasions to a certain level so that the adversary would need a high number of silent calls to sufficiently differentiate the paging rate of victims paging occasion from others. To pull that off, they propose that a node that injects new paging messages at the paging occasions for which the paging rate is relatively lower than the expected rate. The researchers found AT&T, Verizon, Sprint and T-Mobile were all vulnerable to ToRPEDO attacks.
Fixing the vulnerability requires major work by GSMA, an industry body that represents mobile operators. GSMA has not stated when a fix might be forthcoming.
While the researchers have not let a PoC out that could be misused by others, just knowing the attack vector is present may cause threat actors to try and exploit it. GSMA had better start looking at ways around it, and fast.
— Larry Loeb has written for many of the last centurys major dead tree computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Last News

▸ Scan suggests Heartbleed patches may not have been successful. ◂
Discovered: 23/12/2024
Category: security

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
ToRPEDO Attack Surfaces to Hit 5G