2G Was Too Weak? Turns Out 3G & 4G Networks Are Also Prone to Stingray Surveillance Attacks
3G and 4G LTE devices deployed worldwide have a critical security vulnerability that could be used by Stingray devices, security researchers revealed at the Black Hat Conference in Las Vegas. Researchers said all modern, high-speed networks share a flaw in the protocol that enables mobile devices to connect with the cell operator, and that this flaw allows attackers to track and monitor users.
Stingray devices, also known as IMSI catchers or cell site simulators, are phone surveillance devices that mimic cell phone towers, sending out signals to trick phones into transmitting their location. Predominantly used by intelligence agencies and law enforcement officials, Stingray devices enable them to spy on their targets and monitor their communications.
"Very little" can be done to prevent Stingray attacks
The security research group, which includes Ravishankar Borgaonkar, Shinjo Park, Lucca Hirschi, Altaf Shaik, Andrew Martin, and Jean-Pierre Seifert, has discovered "a new flaw in the widely deployed cryptographic protocol in 3G and 4G cellular networks." The group claims that a low-cost setup is all that is needed to exploit this flaw and spy on targets who are using 3G and 4G devices.
Many believe that the modern protocols, unlike 2G, protect users against easy-to-use tracking and surveillance. However, the latest research reveals a flaw in the authentication and key agreement protocol, which enables a phone to communicate securely with the user's cell network. Talking to ZDNet, researchers explained that the "agreement protocol relies on a counter that's stored on the phone operator's systems to authenticate the device and to prevent replay attacks." However, they discovered that "the counter isn't well protected and partially leaks."
While this flaw reportedly doesn't allow attackers to intercept calls or messages, it does enable them to monitor consumption patterns and track the phone's location.
"Due to low-cost hardware [costs just $1,500] and software setup, we would not be surprised to see criminal stalking and harassment to more mundane monitoring of spouse or employee movements, as well as profiling for commercial and advertisement purposes," said Ravishankar Borgaonkar.
Researchers see no fix to this issue as the flaw is in the 3G and 4G standard, affecting "all operators worldwide." They hope that the "next generation 5G network may address user's privacy issues related to these IMSI catcher attack techniques."
This is, however, not the first time that flaws have been discovered in the latest protocols. Some of the researchers from this same security group presented another paper at the 2015 Black Hat Conference, revealing attacks against LTE access network protocols.
- We have contacted 3GPP (the global 3rd Generation Partnership Project) and Borgaonkar for a comment on this flaw and any possible fixes of these vulnerabilities. We will keep this space updated with any developments.