Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

ABTV //

DDoS

2/26/2019
07:30 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

ToRPEDO Attack Surfaces to Hit 5G

GSMA had better start looking at ways around it, and fast.

In a paperto be presented at this week's Network and Distributed System Security Symposium in San Diego, researchers from Purdue University and the University of Iowa outline an attack on both 4G and the upcoming 5G mobile telephony protocols that can enable an adversary to verify a victim's coarse-grained location information, inject fabricated paging messages, and mount denial-of-service attacks.

When this attack (which they call ToRPEDO) is used as a subset of another attack, it can also reveal a victim device's persistent identity known as International Mobile Subscriber Identity (IMSI). But they didn't stop there.

They also found that on some 4G paging protocol deployments, an implementation oversight on the part of several network providers enabled an adversary to launch an attack (which they named PIERCER) that will associate a victim's phone number with its IMSI. That gives the attacker targeted user location tracking.

The specifics of how it all works gets pretty geeky pretty fast, so look at the paper if you want all the details and all the math.

In many ways, this kind of attack resembles the side-channel attacks that have shown up recently.

It starts with the Temporary Mobile Subscriber Identity (TMSI) that is randomly assigned to a device when in first enters a cell's area. An attacker would place multiple phone calls to the victim device in a short period of time and sniffs the paging messages. Enough TMSI messages (from the placed calls) over a short period of time says the victim is in the cell's area.

IMSIs can be represented as a 49-bit binary number. The leading 18-bits (the mobile country code and the mobile network code) can be found from a phone number using paid, Internet-based home location register lookup services.

The researchers say that, "Identifying the victim's paging occasion with ToRPEDO additionally leaks the trailing 7 IMSI bits for US subscribers leaving 24 bits for the attacker to guess. Using a brute-force attack and two oracles (one for 4G and another for 5G) we designed, the attacker can guess the victim's IMSI in less than 13 hours."

This latter attack is called IMSI-Cracking and will be used on encrypted IMSIs found on some 4G and 5G networks. It needs ToRPEDO to be carried out first.

One could try a defense against ToRPEDO by primarily focusing on either thwarting the root cause (that is, fixed paging times) of ToRPEDO or through the detection of its (behavioral) signature. The researcher found that both these approaches did not work. Instead, they came up with a countermeasure which prevents the adversary from retrieving accurate side channel information through the addition of noise.

The basic idea is to increase the paging rate of all paging occasions to a certain level so that the adversary would need a high number of silent calls to sufficiently differentiate the paging rate of victim's paging occasion from others. To pull that off, they propose that a node that injects new paging messages at the paging occasions for which the paging rate is relatively lower than the expected rate. The researchers found AT&T, Verizon, Sprint and T-Mobile were all vulnerable to ToRPEDO attacks.

Fixing the vulnerability requires major work by GSMA, an industry body that represents mobile operators. GSMA has not stated when a fix might be forthcoming.

While the researchers have not let a PoC out that could be misused by others, just knowing the attack vector is present may cause threat actors to try and exploit it. GSMA had better start looking at ways around it, and fast.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31755
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setmac allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31756
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /gofrom/setwanType allows attackers to execute arbitrary code on the system via a crafted post request. This occurs when input vector controlled by malicious attack get copie...
CVE-2021-31757
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setVLAN allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31758
PUBLISHED: 2021-05-07
An issue was discovered on Tenda AC11 devices with firmware through 02.03.01.104_CN. A stack buffer overflow vulnerability in /goform/setportList allows attackers to execute arbitrary code on the system via a crafted post request.
CVE-2021-31458
PUBLISHED: 2021-05-07
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit Reader 10.1.1.37576. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handlin...