Faster and supposedly more secure, it turns out the paging message occasion—fixed time periods when devices look for incoming communications—designed for 4G and 5G protocols may allow hackers to intercept phone calls and track users’ locations.
“It doesn’t require an experienced hacker to perform this attack. Anyone with a little knowledge of cellular paging protocols could carry it out,” said Syed Rafiul Hussain, a postdoctoral researcher at Purdue.
Cellular networks attempt to conserve energy by scanning periodically and at fixed intervals for incoming calls, texts and other notifications. These scanning time periods, known as the paging occasion, are designed into 4G and 5G protocols. If several calls are placed and canceled in a short period of time when the device isn’t scanning for incoming messages, a paging message can be triggered without notifying the device.
“5G is trying to enforce stronger security and privacy policies than predecessors. However, it inherits many of its characteristics from previous generations, so it’s possible that vulnerabilities that exist in those generations will trickle down to 5G,” Hussain said.
Hussain and his co-authors call these attacks “ToRPEDO,” and warn that they can not only allow hackers to track cell users’ locations but also let them block incoming calls and texts by inserting fake paging messages. Hussain’s findings were presented on February 26, 2019, at the Network and Distributed Security Symposium in San Diego.
ToRPEDO can also lead to Piercer attacks on international mobile subscriber identity (IMSI) on 4G networks as well as soft ID attacks on phone numbers and Twitter names on both 4G and 5G networks. “The IMSI-Cracking attack is a huge blow for 5G because it bypasses the network’s new security policies to protect users’ IMSIs from exposure,” Hussain said. All four major U.S. cell networks are vulnerable to ToRPEDO.