Cellular security and user privacy have long been key topics for researchers in the telecom arena, yet little progress has been made to thwart the surveillance tools known as ‘stingrays.’ Bringing the topic center stage at Enigma 2020, the USENIX security conference held in San Francisco on Monday, research engineer Yomna Nasser will lay out what she considers the underlying flaw in cellular systems that makes these attacks possible and will offer recommendations for a viable fix.
Stingrays are also known as cell site simulators. They are used by U.S. law enforcement, foreign intelligence services, and criminals to impersonate cell towers and trick phones into connecting to them, Inside Towers reported. Once a phone has attached, the operator can collect the device’s unique identifiers, determine its location, and even eavesdrop on calls.
3GPP’s 5G standard does include protection measures designed to reduce this kind of surveillance, but they have two major weaknesses: they are categorized as “optional,” and the standard does not say how they are to be implemented, which puts telecoms in the driver’s seat without a steering wheel.
“The point of my talk is to try and explain the root cause behind all these types of attacks, which is basically the lack of authentication when phones are first trying to find a tower to connect to,” Nasser says. “If something looks like a cell tower, they will connect; that’s just a consequence of how cell network technology was designed decades ago. And it’s really hard to redesign things to do security really well—the lack of authentication problem still exists in 5G.”
Bootstrapping, the process by which a device and a base station establish a connection before either has authenticated itself to the other, is the pathway by which a device can end up attached to an illicit base station.
As reported by Wired, the 4G and 5G standards have built-in mechanisms that make it harder for attackers to extract valuable information from the devices they trick. The problem is not completely solved, however, because smartphones still rely on the less secure legacy networks for the initial bootstrapping phase of a connection, as well as to set up and tear down calls. As long as telecoms continue to support GSM and 3G, those attacks remain possible.
Nasser’s solution, according to Wired, would “function a lot like HTTPS web encryption, allowing phones to quickly check cell tower ‘certificates’ to prove their legitimacy before establishing a secure connection.”
Network operators would need to add a few more bytes of data to the introductory device-tower exchange in order to protect pre-authentication messages. Given the significant cost and effort involved, the question is: will they?
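To make the proposal concrete, here is an added toy model of what such a certificate check could look like on the phone side. It is example code written for this article, not Nasser’s code and not anything from a 3GPP specification. It assumes the phone is provisioned with its home operator’s root public key, that each tower holds an operator-signed certificate binding the tower’s public key to its cell identity, and that every broadcast carries a timestamp so that a recording of a genuine tower cannot simply be replayed later. The field names, the PLMN and cell identifiers, the five-minute freshness window, and the toy Schnorr signature scheme (chosen so the file runs on the Python standard library alone; a real deployment would use ECDSA or EdDSA, whose 64-byte signatures are the “few more bytes” mentioned above) are all illustrative assumptions.

```python
"""Toy model of certificate-based base-station authentication at bootstrap.

Added example for this article; not code from Yomna Nasser's talk or 3GPP.
Wire format, identifiers, freshness window and signature scheme are assumed.
"""
import hashlib
import secrets
from dataclasses import dataclass

# ---- toy Schnorr signature over a ~95-bit prime-order subgroup ------------
# NOT secure at this size; it stands in for ECDSA/EdDSA so the demo is stdlib-only.
Q = (1 << 89) - 1   # subgroup order: the Mersenne prime 2**89 - 1

def _probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed small bases; adequate for a demo, not a proof."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for sp in bases:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _find_group(q: int):
    """Smallest prime p = 2kq + 1 and a generator of its order-q subgroup."""
    k = 1
    while not _probable_prime(2 * k * q + 1):
        k += 1
    p = 2 * k * q + 1
    for h in range(2, 100):
        g = pow(h, (p - 1) // q, p)
        if g != 1:           # q is prime, so g != 1 means g has order exactly q
            return p, g
    raise RuntimeError("no generator found")

P, G = _find_group(Q)

def _hash_to_q(*parts: bytes) -> int:
    h = hashlib.sha256()
    for part in parts:                      # length-prefix each field: no ambiguity
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def sign(priv: int, msg: bytes):
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = _hash_to_q(r.to_bytes(16, "big"), msg)
    return e, (k - priv * e) % Q

def verify(pub: int, msg: bytes, sig) -> bool:
    e, s = sig
    r = pow(G, s, P) * pow(pub, e, P) % P   # = g^(k - xe) * g^(xe) = g^k
    return _hash_to_q(r.to_bytes(16, "big"), msg) == e

# ---- assumed message formats ----------------------------------------------
@dataclass(frozen=True)
class TowerCert:
    plmn: str          # operator identity (MCC+MNC); illustrative
    cell_id: int
    tower_pub: int
    not_after: int     # unix time
    operator_sig: object
    def tbs(self) -> bytes:   # bytes the operator signs
        return f"{self.plmn}|{self.cell_id}|{self.tower_pub}|{self.not_after}".encode()

def issue_cert(operator_priv, plmn, cell_id, tower_pub, not_after) -> TowerCert:
    c = TowerCert(plmn, cell_id, tower_pub, not_after, None)
    return TowerCert(plmn, cell_id, tower_pub, not_after, sign(operator_priv, c.tbs()))

@dataclass(frozen=True)
class Broadcast:
    plmn: str
    cell_id: int
    timestamp: int     # assumed freshness field (replay protection)
    cert: TowerCert
    tower_sig: object
    def tbs(self) -> bytes:   # bytes the tower signs on every broadcast
        return f"{self.plmn}|{self.cell_id}|{self.timestamp}".encode()

def broadcast(tower_priv, cert: TowerCert, now: int) -> Broadcast:
    b = Broadcast(cert.plmn, cert.cell_id, now, cert, None)
    return Broadcast(b.plmn, b.cell_id, now, cert, sign(tower_priv, b.tbs()))

FRESHNESS_SECONDS = 300   # assumed tolerance for clock skew

def phone_should_attach(b: Broadcast, home_plmn: str, operator_pub: int, now: int):
    """Pre-attach check run by the phone; returns (decision, reason)."""
    if b.plmn != home_plmn:
        return False, "foreign PLMN"
    c = b.cert
    if c.plmn != b.plmn or c.cell_id != b.cell_id:
        return False, "certificate does not match broadcast identity"
    if not verify(operator_pub, c.tbs(), c.operator_sig):
        return False, "certificate not signed by home operator"
    if now > c.not_after:
        return False, "certificate expired"
    if not verify(c.tower_pub, b.tbs(), b.tower_sig):
        return False, "broadcast signature invalid"
    if abs(now - b.timestamp) > FRESHNESS_SECONDS:
        return False, "stale broadcast (possible replay)"
    return True, "ok"

def run_scenarios(now: int = 1_700_000_000) -> dict:
    """Constructed scenarios: one genuine tower and three rogue strategies."""
    op_priv, op_pub = keygen()                  # operator root; op_pub lives on the phone
    tw_priv, tw_pub = keygen()                  # legitimate tower
    cert = issue_cert(op_priv, "310260", 4242, tw_pub, now + 30 * 86400)
    genuine = broadcast(tw_priv, cert, now)
    rg_priv, rg_pub = keygen()                  # rogue: copies the cell identity
    self_signed = broadcast(rg_priv, issue_cert(rg_priv, "310260", 4242, rg_pub, now + 30 * 86400), now)
    spliced = broadcast(rg_priv, cert, now)     # genuine cert, but signed with the rogue key
    return {
        "genuine":     phone_should_attach(genuine, "310260", op_pub, now),
        "self_signed": phone_should_attach(self_signed, "310260", op_pub, now),
        "replay":      phone_should_attach(genuine, "310260", op_pub, now + 3600),
        "spliced":     phone_should_attach(spliced, "310260", op_pub, now),
    }

if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:12s} attach={ok!s:5s} {why}")
```

The point the scenarios make is the one the article makes: today the phone has nothing to check at this stage, so every one of these broadcasts would be accepted. With an operator-rooted certificate the rogue fails on the certificate, a replayed recording fails on freshness, and a rogue that copies a genuine certificate still fails because it cannot produce the tower’s signature.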