Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.



07:30 AM
Larry Loeb
Larry Loeb
Larry Loeb

ToRPEDO Attack Surfaces to Hit 5G

GSMA had better start looking at ways around it, and fast.

In a paperto be presented at this week's Network and Distributed System Security Symposium in San Diego, researchers from Purdue University and the University of Iowa outline an attack on both 4G and the upcoming 5G mobile telephony protocols that can enable an adversary to verify a victim's coarse-grained location information, inject fabricated paging messages, and mount denial-of-service attacks.

When this attack (which they call ToRPEDO) is used as a subset of another attack, it can also reveal a victim device's persistent identity known as International Mobile Subscriber Identity (IMSI). But they didn't stop there.

They also found that on some 4G paging protocol deployments, an implementation oversight on the part of several network providers enabled an adversary to launch an attack (which they named PIERCER) that will associate a victim's phone number with its IMSI. That gives the attacker targeted user location tracking.

The specifics of how it all works gets pretty geeky pretty fast, so look at the paper if you want all the details and all the math.

In many ways, this kind of attack resembles the side-channel attacks that have shown up recently.

It starts with the Temporary Mobile Subscriber Identity (TMSI) that is randomly assigned to a device when in first enters a cell's area. An attacker would place multiple phone calls to the victim device in a short period of time and sniffs the paging messages. Enough TMSI messages (from the placed calls) over a short period of time says the victim is in the cell's area.

IMSIs can be represented as a 49-bit binary number. The leading 18-bits (the mobile country code and the mobile network code) can be found from a phone number using paid, Internet-based home location register lookup services.

The researchers say that, "Identifying the victim's paging occasion with ToRPEDO additionally leaks the trailing 7 IMSI bits for US subscribers leaving 24 bits for the attacker to guess. Using a brute-force attack and two oracles (one for 4G and another for 5G) we designed, the attacker can guess the victim's IMSI in less than 13 hours."

This latter attack is called IMSI-Cracking and will be used on encrypted IMSIs found on some 4G and 5G networks. It needs ToRPEDO to be carried out first.

One could try a defense against ToRPEDO by primarily focusing on either thwarting the root cause (that is, fixed paging times) of ToRPEDO or through the detection of its (behavioral) signature. The researcher found that both these approaches did not work. Instead, they came up with a countermeasure which prevents the adversary from retrieving accurate side channel information through the addition of noise.

The basic idea is to increase the paging rate of all paging occasions to a certain level so that the adversary would need a high number of silent calls to sufficiently differentiate the paging rate of victim's paging occasion from others. To pull that off, they propose that a node that injects new paging messages at the paging occasions for which the paging rate is relatively lower than the expected rate. The researchers found AT&T, Verizon, Sprint and T-Mobile were all vulnerable to ToRPEDO attacks.

Fixing the vulnerability requires major work by GSMA, an industry body that represents mobile operators. GSMA has not stated when a fix might be forthcoming.

While the researchers have not let a PoC out that could be misused by others, just knowing the attack vector is present may cause threat actors to try and exploit it. GSMA had better start looking at ways around it, and fast.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-13
The Motorola MH702x devices, prior to version, do not properly verify the server certificate during communication with the support server which could lead to the communication channel being accessible by an attacker.
PUBLISHED: 2021-04-13
A privilege escalation vulnerability in Lenovo Power Management Driver for Windows 10, prior to version, that could allow unauthorized access to the driver's device object.
PUBLISHED: 2021-04-13
A null pointer dereference vulnerability in Lenovo Power Management Driver for Windows 10, prior to version, that could cause systems to experience a blue screen error.
PUBLISHED: 2021-04-13
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
PUBLISHED: 2021-04-13
An internal product security audit of Lenovo XClarity Controller (XCC) discovered that the XCC configuration backup/restore password may be written to an internal XCC log buffer if Lenovo XClarity Administrator (LXCA) is used to perform the backup/restore. The backup/restore password typically exist...