5G security concerns persist with new research pointing to critical flaw


Researchers have discovered a critical security flaw in the upcoming 5G network protocol which could facilitate eavesdropping on calls and man-in-the-middle attacks.

Although we are yet to experience the blistering speeds 5G promises to provide in the UK, fears over its security had largely been theoretical and speculative until this research, conducted by the research firm SINTEF with academics from ETH Zurich and Germany's Technische Universität Berlin, made a more concrete claim.

The flaw, which also affects the older 3G and 4G protocols, can be used to build new IMSI-catchers: devices that break the encryption of cellular communications, allowing an attacker to monitor the traffic passing through a fake mobile tower under their control.

The research paper indicates that the vulnerability lies in the Authentication and Key Agreement (AKA) which is a "challenge-response protocol mainly based on symmetric cryptography and a sequence number (SQN)".

What is AKA?

AKA works by establishing and negotiating public keys, which are then used to encrypt traffic between the two ends of a call.

3G and 4G network protocols were both subject to the vulnerabilities in the AKA, so the security was enhanced in preparation for 5G by using randomised asymmetric encryption to protect identifiers prior to authentication.

Despite the increase in protection, researchers have found a vulnerability in the AKA that affects 5G as well as previous generations of cellular connectivity.
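A toy model of the challenge-response and sequence-number check that AKA relies on, added here as an illustration; it is not 3GPP's MILENAGE algorithms or the researchers' code. The shared key K, the HMAC-based stand-ins for the f1..f5 functions and the 6-byte SQN are assumptions.

```python
import hashlib
import hmac
import os
# Toy AKA-style challenge/response. Added illustration, not the 3GPP
# MILENAGE algorithms. Assumptions: 16-byte long-term key K shared by SIM
# and home network, HMAC-SHA256 standing in for f1..f5, 6-byte SQN.
SQN_LEN = 6
K = bytes(range(16))  # constructed sample key for the demo only

def f(key, tag, data):  # keyed one-way function in place of AKA f1..f5
    return hmac.new(key, tag + data, hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class HomeNetwork:
    def __init__(self, k):
        self.k, self.sqn = k, 0
    def challenge(self):  # returns (RAND, AUTN); SQN is sent only as SQN xor AK
        self.sqn += 1
        rand = os.urandom(16)
        sqn = self.sqn.to_bytes(SQN_LEN, "big")
        ak = f(self.k, b"f5", rand)[:SQN_LEN]   # anonymity key, fresh per RAND
        mac = f(self.k, b"f1", rand + sqn)[:8]  # binds SQN to this RAND
        return rand, xor(sqn, ak) + mac

class SIM:
    def __init__(self, k):
        self.k, self.sqn = k, 0
    def respond(self, rand, autn):  # check MAC, then SQN freshness
        sqn = xor(autn[:SQN_LEN], f(self.k, b"f5", rand)[:SQN_LEN])
        if not hmac.compare_digest(autn[SQN_LEN:], f(self.k, b"f1", rand + sqn)[:8]):
            raise ValueError("MAC failure")      # not from the home network
        if int.from_bytes(sqn, "big") <= self.sqn:
            raise ValueError("sync failure")     # stale SQN: replayed challenge
        self.sqn = int.from_bytes(sqn, "big")
        return f(self.k, b"f2", rand)[:8]        # RES

def run_session(hn, sim):  # one authentication; True if RES checks out
    rand, autn = hn.challenge()
    return hmac.compare_digest(sim.respond(rand, autn), f(hn.k, b"f2", rand)[:8])

def replay_outcome(hn, sim):  # replay a captured (RAND, AUTN) to the SIM
    rand, autn = hn.challenge()
    sim.respond(rand, autn)
    try:
        sim.respond(rand, autn)
    except ValueError as e:
        return str(e)
    return "accepted"
```

The "sync failure" branch is the SIM rejecting a stale counter; the research described above concerns what that ever-increasing counter reveals about a subscriber's activity should an attacker manage to learn its value.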

The potential damage

The new IMSI-catchers work differently from previous iterations, which could intercept mobile traffic metadata. The new versions can intercept details about a mobile user's activity, such as the number of calls made and texts sent, allowing the attacker to build an individual profile for each user.

These profiles, the researchers explained, can be tracked after the user leaves the vicinity or catchment area of the fake mobile tower. The profile made of a user can also alert the attacker when the user re-enters the coverage zone of the fake tower, which has more severe implications than it first appears.

Although privacy cannot be broken once the user leaves the range of the fake tower, the user's location can still be tracked. This means attackers could potentially track the location and activity of high-ranking politicians, for example.

"Assuming an adversary having a fake base station nearby an embassy, he not only can learn the officials' activity when they are at the office during working hours but also when they are not, including during evening and nights (e.g., at home) or during business trips," say the researchers. "Therefore, such an attacker may learn if targets use different SIM cards for private use (no activity at home). It may also infer if some specific time periods (e.g., one evening and night) were specifically busy (a lot of calls or SMSs were made yielding a big rise of SQN)."

When can we expect a fix?

The complete and dedicated fix which is required to mitigate the attack created by the researchers isn't likely to arrive until the end of 2019.

This means for users in the US and Australia, two countries in which consumer 5G networks are already active, the threat will be real for quite some time.

The earliest estimates for a 5G rollout in the UK are August 2019, with a more thorough rollout estimated for 2020, which means the UK may not experience such vulnerabilities if the fix is made in time.

"We followed the responsible disclosure procedure and reported our findings to the 3GPP [the standards body behind 5G], GSM Association (GSMA), several manufacturers (Ericsson, Nokia, and Huawei), and carriers (Deutsche Telekom and Vodafone UK)," the research team said.

"Our findings were acknowledged by the 3GPP and GSMA, and remedial actions are underway to improve the protocol for next generation," they added. "While 5G AKA will suffer from our attack in the first deployment of 5G (Release 15, phase 1), we are still hopeful that 5G AKA could be fixed before the deployment of the second phase (Release 16, to be completed by the end of 2019)."

Fuel to the fire

This news is certainly not the first cause for concern surrounding the security of 5G networks.

The increased bandwidth that will facilitate lightning-quick download speeds will also provide a base for what some theorise will be more widespread and damaging DDoS attacks, with insecure IoT devices being leveraged to create expansive botnets.

Devices such as printers, fridges, baby monitors and security cameras could all be used, just as they were in the Dyn cyber attack of 2016, to unleash attacks that could take down not just websites but also the infrastructure controlling essential services such as electricity providers and banks.

"The fact that 5G increases the speed means that it takes even fewer of them to overwhelm a given organization because now you can get an exponential rate of traffic directed to someone," said Stuart Madnick, professor of IT at MIT, to Inverse. "The worst is yet to come."

"It's like going from fireworks to dynamite sticks," he said. "5G encourages further evolution and expansion of Internet of Things related networks. All of the good news and bad news that comes along with this technology gets magnified."

Concerns also surround 5G's application in the autonomous car sphere. With accidents already happening in self-driving cars, some think 5G will provide a platform on which the technology can thrive.

What is more concerning is that researchers are still finding vulnerabilities that facilitate man-in-the-middle attacks in the AKA technology on which we have relied for years to protect our cellular privacy and security.

5G's security concerns will persist for some time and only time will tell how appropriate the technology is to underpin advancements such as autonomous cars and remote surgeries.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.