We discovered a novel technique that takes advantage of MAC layer protocols in LTE and 5G, enabling long-range communication over other people's networks. This newly discovered vulnerability in the LTE/5G MAC layer protocol standard has the potential to affect other wireless broadband standards. The vulnerability enables unauthorized devices to anonymously exchange short messages over a service provider's infrastructure. While it was not particularly impactful in Wi-Fi networks, it becomes an important concern once cell coverage expands beyond a single room to larger distances.
The vulnerability exploits elements of the initial messages that establish a link, exchanged before the unauthorized user can be authenticated by the network. As a result, an anonymous and unauthorized user can take advantage of base station broadcast signals to relay messages to another anonymous user within the cell coverage area.
Compared with known covert communication techniques, this is a new technique for unauthorized communication that exploits the MAC layer (L2) of the wireless access infrastructure, rather than causing interference by directly accessing the physical spectrum (L1) or using other layers of the network protocol stack (L3-L7). According to the Wiley Online Library, a "medium access control (MAC) layer provides the radio resource allocation service and the data transfer service to the upper layer. As part of the data transfer service, the MAC layer performs procedures such as scheduling requests, buffer status reporting, random access, and hybrid automatic repeat request (HARQ)."
This vulnerability is formally called CVD-2021-0045, which we've nicknamed SPARROW. It has been responsibly disclosed in the GSMA Coordinated Vulnerability Disclosure program and recognized on the GSMA Mobile Security website.
As a senior researcher at Keysight ATI Research Center with a background in signal processing and wireless systems security, I envisioned the possibility of exploiting the wireless broadcast resources of commercial telecom networks for data exfiltration while investigating data exfiltration methods in 2020. I realized that there are many threat scenarios across the spectrum of network and Internet applications. Some of them go beyond the classic threat definitions used in the field of wireless security. I define a vulnerability as any opportunity to use a system beyond its intended application. Threat scenarios such as data exfiltration are what give special significance to finding and patching vulnerabilities in systems and standards.
The scenario of data exfiltration is a frequent research topic in cybersecurity. It is where malicious actors create covert communication schemes to leak sensitive information from compromised systems. So far, the best-known techniques exploit Internet applications and network protocols, and the security industry has developed preventive measures to block these. Based on my understanding of wireless security, I began asking a key "what if?" question, which became the foundation for the discovery: "What if one exploits the MAC layer protocol of the commercial wireless access infrastructure for low-cost and power-efficient covert communication?"
Since commercial wireless signals are available virtually everywhere, exploiting them for data exfiltration can circumvent all existing preventive measures. I did not find any articles about exploiting wireless MAC layer (L2) protocols for covert communication. I attribute this gap to different interpretations of covert communication across the research community. Cybersecurity researchers have generally focused their efforts on techniques exploiting protocols at L3 to L7. In the context of wireless security, covert communication commonly refers to covert broadcasts using L1 radio signals. This includes L1 pirate radios that can exploit spectrum licensed to commercial networks. But what about L2?
The familiar 3GPP standard was my first research target. By February 2020, I had identified a vulnerability in the 3GPP TS 36.321 standard that affects both LTE and 5G networks. I dubbed the finding SPARROW. It allows anonymous low-power devices to exchange short hidden messages within a cell without attaching to the network. We then arranged a proof-of-concept scenario together with an engineering team in Milan, Italy. That scenario was verified in December 2020.
The Danger of SPARROW
Here's why SPARROW is a real danger to critical facilities protected against other means of covert communication:
- Maximum anonymity: SPARROW devices do not authenticate with the host network while operating. This eliminates their exposure to network security and lawful intercept systems as well as spectrum scanners. Because they use very few resources, they have minimal impact on the host network's services.
- More miles per watt: SPARROW devices can be several miles apart, exploiting the broadcast power of base stations or non-terrestrial technologies. The range can be further extended by deploying several of them in a geographically sparse mesh network.
- Low power and low complexity: SPARROW devices can utilize existing protocol implementation libraries installed on commodity software-defined radios (SDRs). They can operate on batteries or harvest energy from the environment for long durations.
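The anonymity point above rests on SPARROW devices never reaching the authentication step: they only use the pre-authentication messages that establish a link. A host-network defender can still look for the footprint that behaviour leaves in the base station's own event logs. The following is an added example, not code from the original post or from Keysight, of one such heuristic: per cell and per hour, count random access procedures that never turn into an authenticated attach and flag cells where that "orphan" share is unusually high. The log format (`cell=... ev=RACH_ATTEMPT` / `ev=ATTACH_OK`), the sample lines, and the thresholds are all constructed assumptions for illustration, not an operator's real export format or a tuned detection rule.

```python
"""Defender-side heuristic (hypothetical): random access attempts per cell that never
lead to an authenticated attach. Log format, event names and thresholds are assumptions."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Tuple

# Assumed line layout: "<ISO-8601 UTC timestamp> cell=<id> ev=<event>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+cell=(?P<cell>\S+)\s+ev=(?P<ev>\S+)$")

# Constructed sample log (not real network data). C1 behaves normally in both hours;
# C2 at 10:00 shows six random access attempts but only one attach.
SAMPLE_LOG = """\
2021-03-01T10:00:03Z cell=C1 ev=RACH_ATTEMPT
2021-03-01T10:00:04Z cell=C1 ev=ATTACH_OK
2021-03-01T10:05:10Z cell=C1 ev=RACH_ATTEMPT
2021-03-01T10:05:11Z cell=C1 ev=ATTACH_OK
2021-03-01T10:12:44Z cell=C1 ev=RACH_ATTEMPT
2021-03-01T10:12:45Z cell=C1 ev=ATTACH_OK
2021-03-01T10:30:00Z cell=C1 ev=RACH_ATTEMPT
2021-03-01T10:30:01Z cell=C1 ev=ATTACH_OK
2021-03-01T10:41:20Z cell=C1 ev=RACH_ATTEMPT
2021-03-01T10:41:21Z cell=C1 ev=ATTACH_OK
2021-03-01T10:02:00Z cell=C2 ev=RACH_ATTEMPT
2021-03-01T10:02:30Z cell=C2 ev=RACH_ATTEMPT
2021-03-01T10:03:00Z cell=C2 ev=RACH_ATTEMPT
2021-03-01T10:03:30Z cell=C2 ev=RACH_ATTEMPT
2021-03-01T10:04:00Z cell=C2 ev=RACH_ATTEMPT
2021-03-01T10:04:30Z cell=C2 ev=RACH_ATTEMPT
2021-03-01T10:04:31Z cell=C2 ev=ATTACH_OK
this line is malformed and must be skipped
2021-03-01T11:00:10Z cell=C1 ev=RACH_ATTEMPT
2021-03-01T11:00:11Z cell=C1 ev=ATTACH_OK
2021-03-01T11:00:12Z cell=C1 ev=ATTACH_OK
2021-03-01T11:20:00Z cell=C1 ev=RACH_ATTEMPT
2021-03-01T11:20:01Z cell=C1 ev=ATTACH_OK
2021-03-01T11:50:00Z cell=C1 ev=RACH_ATTEMPT
2021-03-01T11:50:01Z cell=C1 ev=ATTACH_OK
2021-03-01T11:10:00Z cell=C2 ev=RACH_ATTEMPT
2021-03-01T11:40:00Z cell=C2 ev=RACH_ATTEMPT
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    cell: str
    ev: str


def parse_log(text: str) -> List[Event]:
    """Parse the assumed log format; malformed lines are skipped, not fatal."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["cell"], m["ev"]))
    return events


@dataclass(frozen=True)
class WindowStats:
    cell: str
    hour: datetime
    attempts: int
    attaches: int

    @property
    def orphan_ratio(self) -> float:
        """Share of random access attempts with no matching attach in the window.
        Attaches can lag into the next hour, so the difference is clamped at zero."""
        if self.attempts == 0:
            return 0.0
        return max(self.attempts - self.attaches, 0) / self.attempts


def windowed_stats(events: Iterable[Event]) -> List[WindowStats]:
    """Bucket events by (cell, hour) and count attempts and attaches per bucket."""
    attempts: Dict[Tuple[str, datetime], int] = defaultdict(int)
    attaches: Dict[Tuple[str, datetime], int] = defaultdict(int)
    for e in events:
        key = (e.cell, e.ts.replace(minute=0, second=0, microsecond=0))
        if e.ev == "RACH_ATTEMPT":
            attempts[key] += 1
        elif e.ev == "ATTACH_OK":
            attaches[key] += 1
    keys = sorted(set(attempts) | set(attaches))
    return [WindowStats(c, h, attempts[(c, h)], attaches[(c, h)]) for c, h in keys]


def flag_suspicious(stats: Iterable[WindowStats], min_attempts: int = 5,
                    max_orphan_ratio: float = 0.5) -> List[WindowStats]:
    """Flag windows with enough attempts to be meaningful and an orphan share above
    the assumed threshold; tiny windows are ignored to limit false positives."""
    return [s for s in stats if s.attempts >= min_attempts and s.orphan_ratio > max_orphan_ratio]


if __name__ == "__main__":
    for s in flag_suspicious(windowed_stats(parse_log(SAMPLE_LOG))):
        print(f"{s.cell} {s.hour:%Y-%m-%d %H:00}: {s.attempts} attempts, "
              f"{s.attaches} attaches, orphan ratio {s.orphan_ratio:.2f}")
```

On the constructed data only cell C2 in the 10:00 hour is flagged; C2 at 11:00 has a high orphan share but too few attempts to be meaningful, and C1 at 11:00 shows more attaches than attempts (a late attach from the previous hour), which the clamp handles. A real deployment would baseline each cell against its own history rather than a single fixed threshold, since legitimate random access failure rates vary with load and coverage.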
The notable exploitation scenarios include:
- Wireless data exfiltration: SPARROW devices (possibly as small as a dongle) can be an effective alternative to known network data exfiltration techniques.
- Command and control: They can anonymously communicate with remote malicious Internet of Things devices to trigger unwelcome events using the commercial communication infrastructure.
- Clandestine operations: Agents can communicate with SPARROW-enabled devices in hostile areas without broadcasting noticeable signals or directly accessing the incumbent networks.
Here are the big takeaways:
- Insecure messages in wireless MAC protocols can be exploited for covert communication between low-cost user devices with malicious intent. Industry organizations should account for this new type of vulnerability when evaluating their security posture.
- The fact that this vulnerability remained undisclosed for such a long time should motivate protocol specification drafters to consider replay and broadcast abuses in the design phase.
- Researchers are encouraged to examine the early-stage (pre-authentication) messages of other MAC protocols for further ways of enabling covert communication that bypasses traffic inspection devices.