Researchers from the University of Birmingham have uncovered new threats that allow third parties to track the physical presence of mobile phones operating on 3G networks.
The research team from Birmingham that collaborated with the Technical University of Berlin explains how these vulnerabilities could be exploited to enable ordinary people to find the location of phones, and other 3G-capable devices. It has been revealed that this could enable attackers to track 3G user movements across countries, and even within office buildings — all this without even knowing phone identities. The flaws affect the latest 3G networks, not just the older generation GSM networks.
Physical presence of phones using 3G networks being tracked (Image Credit: Getty Images)
The team have also proposed solutions to the issue, and are cooperating with standards organisations, and network operators to promote the adoption of privacy-respecting solutions in future mobile networks.
The researchers, in the course of their study, discovered two flaws on the 3G standard, which is implemented on all mobile phones today. It was found that the IMSI paging attack compelled mobile devices to reveal the temporary identity (TMSI) in response to a static identity (IMSI) paging request. This can reveal the presence of devices in a monitored area by correlating the IMSI and TMSI. Another attack involves the Authentication and Key Agreement (AKA) protocol of the phone. By distinguishing two different error replies from a phone, an attacker can send a message that allows him to determine if a certain phone is nearby or not.
To demonstrate the vulnerabilities, the researchers used an off-the-shelf femtocell unit that had been modified with new software created by the Berlin group. The attacks were then made by intercepting, altering and injecting 3G Layer-3 messages into the communication between the base station, and mobile phones in both directions. The research team tested the vulnerabilities on network providers including T-Mobile, Vodafone and O2, and the French SFR.
Mark Ryan, Professor in Computer Security at the University of Birmingham, who led the study, said, “The attacks could be used to track staff movements within a building. It could be used by stalkers who want to follow indiviuals, or spouses that want to track their partner's movements”.
“To exploit the vulnerability, the employer would need to capture wireless data from the phone as it interacted with a normal base station. This could happen in a different area than the monitored one. Then the employer would position their femtocell near the entrance of the building. Movements inside the building could be tracked as well by placing additional devices to cover different areas of the building,” said Dr Myrto Arapinis from the University of Birmingham’s School of Computer Science.
The team have come up with a way to fix the problem. “Our paper details modifications of the 3G protocols that we have proposed in order to overcome these vulnerabilities”, Loretta Mancini from Birmingham, said.
To fix the vulnerabilities, the researchers proposed employing new methods that prevent an attacker from being able to link different occasions when the phone is being used. Their proposed solution employs the use of public-key cryptography, a particular type of encryption that mobile operators have been refraining from using because of the difficulties in implementing it. The researchers have found that this kind of encryption needs to be deployed within their networks to thwart a privacy attack. The researchers took care to devise solutions that minimise the use of public-key cryptography in order to reduce deployment difficulties.
“The solutions we propose show that privacy friendly measures could be adopted by the next generation of mobile telephony standards while keeping low the computational and economical cost of implementing them”, says Dr Eike Ritter, also part of the Birmingham team. “We are endeavouring to work with the 3G standards organisations to achieve that.”
“Since we use wireless technology for all aspects of our lives, from transport tickets like London's Oyster card to wireless payment cards and door-entry fobs, there is a risk of being tracked by third parties like neighbours, family and colleagues”, said Ryan.
“Online services like those of Facebook and Google also monitor users' behaviour”, said Arapinis, “and we are proposing ways in which that monitoring could be limited.”
This research will be presented at the ACM conference on Computer and Communications Security in Raleigh, North Carolina on Tuesday October 16, 2012.