Cell Tower

(Image credit: ExtremeTech)

Security researchers have uncovered a 3G flaw that may allow every device using the network to be tracked. The flaw appears to be present in all modern 3G networks and can exploited using easily obtained technology. What is incredibly scary is that not only will the flaw allow somebody without much computer knowledge to track a device, but also that the 3GPP has apparently known about this flaw for close to six months.

The chief researchers responsible for the discovery reside at the University of Birmingham and were aided by researchers from the Technical University of Berlin. The researchers are now prepared to present and explain their findings in detail at the ACM Conference on Computer and Communications Security event taking place later this month.

These types of attacks are completely unique from anything that has been attempted before. The attack that is most similar to the one outlined by the researchers is an attack made by Muxiang Zhang and Yuguang Fang. In this attack, however, the researchers used an impersonation method instead of exploiting a privacy flaw.

The Attacks

The research team used a rooted femtocell unit to modify and insert G Layer-3 messages into waves that communicate between the unit and the mobile phone. They made sure to insert the messages into waves that were traveling in both directions. This allowed them to be absolutely positive about their findings.

The teams performed these tests on major networks like T-Mobile, O2 and Vodafone. The research team was able to identify that this form of attack would work on any device or network that abides by 3G standards. Other attacks were also successfully undertaken.

IMSI paging attack

In the ISMI paging attack, the attacker would send a temporary number (TMSI) paging request to the device. The device would then send either a positive or negative response depending on the requested area. In other words, the attacker can map out a specific area, large or small, and then receive feedback as to whether the specified device is located in that area or not.

AKA protocol attack

In the authentication and key agreement protocol attack, the attacker would send a similar request to every single 3G-enabled device in a specified area. Then, the device the attacker is looking for will send back a Mac failure, while every other device would send back a synchronization failure.

This type of attacking system can be used on various scales: from family members to employers to stalkers. Anybody with access to a rooted Femtocell can exploit it to track somebody right down to their exact location. The information is so accurate that you could easily tell if someone is moving about within a building.

How they can be stopped

The researchers proposed two possible fixes that they claim will prevent the attacks. The first fix would be introducing an additional session key to function alongside the existing keys in the AKA and IMSI protocols. In addition, they proposed another fix that would actually change the error messages so they no longer would reveal such personal information.

All of the proposed fixes would be rather inexpensive and require little modification to the network’s infrastructure.