Flaws in 4G and 5G allow snooping on calls, pinpointing device location

Researchers say the threat is real.

Steven Musil Night Editor / News

Newly discovered security flaws in the 4G and the emerging 5G cellular networks can be used to intercept phone calls and track the location of mobile devices, researchers say.

The trio of attacks, discovered by a group of academics, is believed to be the first time vulnerabilities have been uncovered that affect both the most widely used wireless cellular technology and the one hailed as its super-speedy and more secure successor, according to TechCrunch, which detailed the flaws ahead of their reveal Tuesday.

5G is supposed to bring supercharged speeds and low latency to mobile devices, opening the door for tech innovations such as self-driving cars and virtual reality. The new technology is also expected to deliver a new level of security, as government agencies use International Mobile Subscriber Identity (IMSI) catchers to impersonate cell towers and spy on phones with older connections.

The researchers' three-pronged attack is described in a paper to be presented at the Network and Distributed System Security Symposium in San Diego.

The first attack, dubbed Torpedo, exploits a weakness in the standards' paging protocol, which is used to notify phones of an incoming call or text message before it arrives, the researchers said. Multiple calls made in a short duration could allow a nearby attacker to pinpoint the device, send fake text messages and mount a denial-of-service attack.

The paper, authored by researchers at Purdue University and the University of Iowa, contends that Torpedo sets the stage for two additional exploits. It's "plausible," they say, for an attacker to access a victim device's IMSI -- the unique number identifying the GSM subscriber's device -- with a brute-force attack called IMSI-Cracking. A third attack, called Piercer, pairs the IMSI with the victim's phone number, allowing user location tracking, they said.

The exploits are legit, the researchers say.

"All of our attacks have been validated and evaluated in the wild using commodity hardware and software," researchers said in their paper.

That means even the latest cellular protocol is vulnerable to Stingrays -- surveillance tools used by the FBI and police across the US to surreptitiously track the locations of cell phones and other mobile devices.

The Torpedo attack can be carried out with radio equipment costing as little as $200 and affects all four major US wireless carriers, researchers told TechCrunch.

A Verizon representative said the carrier has reviewed the paper and is evaluating it with its vendors and with standards body organizations to determine the best approach.

Representatives for AT&T, T-Mobile and Sprint didn't immediately respond to requests for comment.

First published Feb. 25, 9:50 p.m. PT.
Update, Feb. 26 at 8:50 a.m.: Adds Verizon comment.