ToRPEDO Attack Surfaces to Hit 5G

GSMA had better start looking at ways around it, and fast.

In a paperto be presented at this week's Network and Distributed System Security Symposium in San Diego, researchers from Purdue University and the University of Iowa outline an attack on both 4G and the upcoming 5G mobile telephony protocols that can enable an adversary to verify a victim's coarse-grained location information, inject fabricated paging messages, and mount denial-of-service attacks.

When this attack (which they call ToRPEDO) is used as a subset of another attack, it can also reveal a victim device's persistent identity known as International Mobile Subscriber Identity (IMSI). But they didn't stop there.

They also found that on some 4G paging protocol deployments, an implementation oversight on the part of several network providers enabled an adversary to launch an attack (which they named PIERCER) that will associate a victim's phone number with its IMSI. That gives the attacker targeted user location tracking.

The specifics of how it all works gets pretty geeky pretty fast, so look at the paper if you want all the details and all the math.

In many ways, this kind of attack resembles the side-channel attacks that have shown up recently.

It starts with the Temporary Mobile Subscriber Identity (TMSI) that is randomly assigned to a device when in first enters a cell's area. An attacker would place multiple phone calls to the victim device in a short period of time and sniffs the paging messages. Enough TMSI messages (from the placed calls) over a short period of time says the victim is in the cell's area.

IMSIs can be represented as a 49-bit binary number. The leading 18-bits (the mobile country code and the mobile network code) can be found from a phone number using paid, Internet-based home location register lookup services.

The researchers say that, "Identifying the victim's paging occasion with ToRPEDO additionally leaks the trailing 7 IMSI bits for US subscribers leaving 24 bits for the attacker to guess. Using a brute-force attack and two oracles (one for 4G and another for 5G) we designed, the attacker can guess the victim's IMSI in less than 13 hours."

This latter attack is called IMSI-Cracking and will be used on encrypted IMSIs found on some 4G and 5G networks. It needs ToRPEDO to be carried out first.

One could try a defense against ToRPEDO by primarily focusing on either thwarting the root cause (that is, fixed paging times) of ToRPEDO or through the detection of its (behavioral) signature. The researcher found that both these approaches did not work. Instead, they came up with a countermeasure which prevents the adversary from retrieving accurate side channel information through the addition of noise.

The basic idea is to increase the paging rate of all paging occasions to a certain level so that the adversary would need a high number of silent calls to sufficiently differentiate the paging rate of victim's paging occasion from others. To pull that off, they propose that a node that injects new paging messages at the paging occasions for which the paging rate is relatively lower than the expected rate. The researchers found AT&T, Verizon, Sprint and T-Mobile were all vulnerable to ToRPEDO attacks.

Fixing the vulnerability requires major work by GSMA, an industry body that represents mobile operators. GSMA has not stated when a fix might be forthcoming.

While the researchers have not let a PoC out that could be misused by others, just knowing the attack vector is present may cause threat actors to try and exploit it. GSMA had better start looking at ways around it, and fast.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.