Beware the security flaws in 4G and 5G

Faults in 4G, 5G allow crooks to intercept calls and track phone locations. Knowingly or not, as a business using this type of technology has an impact on your data protection requirements

A group of academics have found three new security flaws in 4G and 5G, which they say can be used to intercept phone calls and track the locations of mobile phone users.

4G and the incoming 5G standard promises faster speeds and better security, particularly against law enforcement use of mobile site simulators, known as “stingrays” but the new findings are said to be the first time vulnerabilities have affected both and that the new attacks can defeat newer developments that were meant to protect phone users from snooping.

Worryingly, “Any person with a little knowledge of cellular paging protocols can carry out this attack,” said Syed Rafiul Hussain, one of the co-authors of the paper.

The first attack was Torpedo (TRacking via Paging mEssage DistributiOn) which exploits a weakness in the paging protocol that carriers use to notify a phone before a call or text message is received. It was found that several phone calls placed and cancelled in a short period can trigger a paging message without alerting the target device to an incoming call. The attacker can then track a victim’s location and, knowing the victim’s paging occasion lets an attacker hijack the paging channel and inject or deny paging messages by spoofing messages like amber alerts or blocking messages altogether.

Torpedo opens the door to two other attacks: Piercer, which allows an attacker to determine an international mobile subscriber identity (IMSI) on the 4G network, and the IMSI-Cracking attack which means even the newest 5G-capable devices are at risk from stingrays, which law enforcement use to identify someone’s real-time location and log all the phones within its range. All four major U.S. operators (AT&T, Verizon, Sprint and T-Mobile) are affected by Torpedo, and the attacks can be carried out with radio equipment costing as little as $200.

Given two of the attacks exploit flaws in the 4G and 5G standards, almost all the cell networks outside the U.S. are vulnerable to these attacks – several networks in Europe and Asia are also vulnerable.

Vulnerabilities in Signalling System 7, used by phone networks to route calls and messages across networks, are under active exploitation by hackers and while 4G was meant to be more secure, research shows that it’s just as vulnerable as 3G. 5G was meant to fix many of the intercepting capabilities but European data security authorities have warned of similar flaws.

Why does this matter?

In today’s world, we are using many technologies like 4G and 5G. If we are viewing reports that show people’s activity in a lawful way, how do you make people aware that you are doing this? The fact that you can means that data can be viewed by others in a non-lawful way.

DLM Group is not a cyber security firm but we know that the manner in which you inform people, carry out a DPIA or use technology is paramount. We will help you with that.