5G Networks Can Be Eavesdropped with a Device for a Few Dollars
Society | August 12, 2019, Monday // 11:57
Next week, at the Black Hat conference, security experts will present a way to intercept communications on 5G networks using so-called "IMSI traps" or "hunters". The hacking device costs only $7, TechNews.bg reports.
The flaw found in the security of high-speed 5G mobile networks makes them as vulnerable as the networks of the previous generation. IMSI hunters are devices that disguise themselves as a base station of a cellular telephone network and allow hackers to capture the unique IMSI identifier registered on the SIM card.
Once the phone is connected to the interceptor, the device can track it, and there is a risk of eavesdropping on other people's conversations: the repeater can deactivate the encryption enabled by the subscriber and work with the ordinary unencrypted signal, relaying it to the actual base station.
Currently, an IMSI trap can be created for only $7. Devices of this kind are actively used by the police and special services. In 2014, a scandal over the use of IMSI traps broke out in three Scandinavian countries: Norway, Sweden and Finland.
Reporters from the Norwegian newspaper Aftenposten measured traffic in the government district of Oslo, where embassies of many countries are located, and found that there were numerous false base stations. The same devices were discovered in the government districts of Helsinki and Stockholm, but disappeared as soon as they were exposed.
5G technology has undergone a number of changes to prevent attacks from fake base stations: in particular, the intercepted identifiers can no longer be used to track smartphones. However, experts from the Norwegian analytical company SINTEF Digital have found that even the current 5G specifications contain a number of issues that reduce the security of devices.
Device data, for example, is encrypted so that it can no longer be read as plain text. However, that isn't true for all data: some of the identification information transmitted from the mobile device to the nearest base station is still unencrypted.
IMSI traps can capture this data and determine at least the class of the device, as well as, in theory, the manufacturer, some hardware components, the model, and the operating system. The information can be extremely useful for hackers if they are looking for one specific device.
The vulnerabilities also allow man-in-the-middle attacks, in which an IMSI trap is used to replace the intercepted data.
The telecommunications industry divides all cellular connectivity devices into 12 categories - from the simplest IoT devices to sophisticated smartphones and tablets. Devices that fall into the "lower" categories do not need high-speed connections and therefore only connect via 2G and 3G; 4G and 5G connections, for their part, are only needed for higher-end devices.
In an IMSI trap attack, hackers change the category of the target device so that the base station only provides 2G/3G connections. This makes the device vulnerable to other attacks using IMSI traps.
The problem is not really about the technical characteristics of 5G, but about how operators implement the connections. They must provide protection against attacks that downgrade the category, but studies show that more than two-thirds of connections in the networks of 30 telecom operators in Europe, Asia and the US are defenseless against such attacks.
In addition, experts found that IMSI traps can be used to prevent the device from switching to a power-saving mode that is activated when there is a stable connection. Without it, the device constantly scans the nearest base stations, which affects the charge level. If the device is constantly "in active search", the battery sometimes runs out five times faster than usual.
The experts reported their findings to GSMA, the developer of cellular standards. The association has previously made many changes to the 5G specification precisely to prevent attacks using IMSI traps. Hopefully GSMA will react in the same way now.