
Flaws can be fixed easily and affordably, say authors of paper

Anonymity, privacy -- these are things we have come to expect when it comes to our cell phones.  The last thing people anticipate is for unknown -- possibly malicious -- third parties to be able to quickly track our positions every time we place a phone call.

I. Exploiting the 3G Protocol to Track

But that's precisely what security researchers at the University of Birmingham (located in the central UK) are preparing to show off at the ACM Conference on Computer and Communications Security in Raleigh, N.C. next week.  The demonstrated proof-of-concept attack will no doubt add to the aging 3G communication standard's security woes.

The researchers simulated an attack using affordable off-the-shelf components -- a rooted femtocell (which broadcasts 3G signals) and other affordable components.


They then conducted two attacks geared at tracking the victim's position.  The attacks were conducted in Europe on a number of real-world networks, across various carriers.

The researchers used a so-called "paging attack" -- a denial-of-service (DoS) type attack that involves tricking base stations or mobile devices into an always "ready" state.  By sending a TMSI (Temporary Mobile Subscriber Identity) which appeared to contain a static IMSI (International Mobile Subscriber Identity), the attacker tricked the victim device into giving up its real IMSI.

That in turn allowed the target to be continuously tracked within a monitored region.

A second route to monitoring was also demonstrated, which used an Authentication and Key Agreement (AKA) protocol attack.  The target device returns a MAC error, while the rest of the devices respond with a different error -- a synchronization error.

The authors write, "The captured authentication request can now be replayed by the adversary each time he wants to check the presence of [a device] in a particular area. In fact, thanks to the error messages, the adversary can distinguish any mobile station from the one the authentication request was originally sent to."

The caveat here is that the attackers first had to identify example authentication requests by calling the victim's device.  But they argue that the flaw could still be abused in certain scenarios, such as if a boss wanted to track employees in a large office building.

The researchers elaborate, "[The employer] would first use the femtocell to sniff a valid authentication request. This could happen in a different area than the monitored one. Then the employer would position the device near the entrance of the building. Movements inside the building could be tracked as well by placing additional devices to cover different areas of the building.  If devices with wider area coverage than a femtocell are used, the adversary should use triangulation to obtain finer position data."

II. Fixing the Flaws

So what does all of this mean?  3G networks -- any 3G network, according to the authors -- are vulnerable to tampering which allows their users to be tracked, due to protocol weaknesses.

The IMSI paging attack flaw seems to be the more dangerous attack as it can be used to track anonymous victims.


Fortunately, there's a fix to both problems.  The fix is both to modify the error messages and to adopt certain protocol changes.  Those changes would involve introducing a so-called "unlinkability" session key to weed out malicious AKA requests, and implementing IMSI paging procedure fixes to prevent the DoS trickery.
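The AKA replay check described in section I and the "modify the error messages" part of the fix, as an added Python model that is not code from the paper or the article. It assumes HMAC-SHA256 in place of the real MAC function, constructed random keys, and a hypothetical `uniform_errors` switch; in this model, which verifies the MAC before the sequence number, the original recipient answers the replay with a synchronization failure and every other device with a MAC failure, and the point is that the two answers differ.

```python
import hashlib
import hmac
import os

def f1(key: bytes, rand: bytes, sqn: int) -> bytes:
    """Stand-in for the AKA MAC function (assumption: HMAC-SHA256, not the real f1)."""
    return hmac.new(key, rand + sqn.to_bytes(6, "big"), hashlib.sha256).digest()[:8]

class Usim:
    """Toy subscriber side of AKA: checks the MAC first, then sequence-number freshness."""

    def __init__(self, key: bytes, uniform_errors: bool = False):
        self.key = key
        self.highest_sqn = 0
        self.uniform_errors = uniform_errors  # hypothetical switch modelling the fix

    def authenticate(self, rand: bytes, sqn: int, mac: bytes) -> str:
        if not hmac.compare_digest(mac, f1(self.key, rand, sqn)):
            return self._fail("MAC_FAILURE")   # request was built for another key
        if sqn <= self.highest_sqn:
            return self._fail("SYNC_FAILURE")  # right key, but the request is stale
        self.highest_sqn = sqn
        return "OK"

    def _fail(self, reason: str) -> str:
        # Hardened variant: one answer for every failure, so the cause stays hidden.
        return "AUTH_FAILURE" if self.uniform_errors else reason

def replay_responses(uniform_errors: bool) -> tuple:
    """Return (fresh run, replay to target, replay to bystander) responses."""
    target_key, bystander_key = os.urandom(16), os.urandom(16)  # constructed keys
    target = Usim(target_key, uniform_errors)
    bystander = Usim(bystander_key, uniform_errors)
    rand, sqn = os.urandom(16), 1
    request = (rand, sqn, f1(target_key, rand, sqn))  # genuine network challenge
    fresh = target.authenticate(*request)
    return fresh, target.authenticate(*request), bystander.authenticate(*request)

def is_linkable(uniform_errors: bool) -> bool:
    """True if the replayed request tells the target apart from other devices."""
    _, from_target, from_bystander = replay_responses(uniform_errors)
    return from_target != from_bystander

if __name__ == "__main__":
    for mode in (False, True):
        print("uniform_errors =", mode, replay_responses(mode), "linkable:", is_linkable(mode))
```

Collapsing the failure codes covers only the error-message half of the proposed fix; the unlinkability key and the paging procedure changes are not modelled here.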

The 3G mobile industry's security watchdog, 3GPP, is investigating the proof-of-concept attacks and is considering the proposed fixes, which the authors argue would have a "low... computational and economical cost".  Those fixes could (in theory) be rolled out in coming months to prevent attackers from exploiting "in the wild" the soon-to-be-published flaw.

Source: SC Magazine

Comments

There is a easy fix.
By MIAmobi on 10/10/2012 7:18:35 PM , Rating: 2
The MIAmobi SilentPocket™ provides Instant Privacy. It completely takes your mobile device off the grid. It stops GPS tracking, provides data protection, and prevents texting and driving. Voicemail rings, beeps, blings or vibes will not be heard. Voicemail, Texts and email will be received once the device is taken out of the SilentPocket. Simply put no signals in or out is the only way to protect your location. If you really need to know for sure that you are in control of your mobile device, empower yourself with a SilentPocket™

RE: There is a easy fix.
By Master Kenobi on 10/10/2012 7:22:29 PM , Rating: 2
Nice try, but you can still be tracked. If the battery is in your phone, you're toast.

RE: There is a easy fix.
By MIAmobi on 10/10/2012 7:42:53 PM , Rating: 2
If your phone is in the SilentPocket it cannot be tracked. Blocks all Signal to your phone and blocks all signals coming out of your phone. You can get informed at

RE: There is a easy fix.
By Master Kenobi on 10/10/2012 9:46:44 PM , Rating: 2
Keep thinking that.

RE: There is a easy fix.
By StevoLincolnite on 10/10/2012 9:54:17 PM , Rating: 2
Well if it works as advertised... It would cease all network connectivity. This guy just seems like an advertiser/scammer though, which most people here wouldn't fall for being enthusiasts.

RE: There is a easy fix.
By darkhawk1980 on 10/11/2012 7:57:36 AM , Rating: 1
Worthless advertising peddler.

Your device more than likely does absolutely nothing to stop those signals. Unless it's a box with at least 5" of metal on all sides, it's not going to be guaranteed to have enough isolation to keep your phone from making contact. And that's just the beginning.

I can't believe that people actually try to sell shit like this and keep a clean conscience.

RE: There is a easy fix.
By Master Kenobi on 10/11/2012 12:20:24 PM , Rating: 2
Correct. Even airplane mode isn't "pure isolation", but it is close. If you really want to get down to it, take the battery out, that's your best bet.

RE: There is a easy fix.
By boeush on 10/10/2012 9:01:13 PM , Rating: 2
Or, you can achieve the same exact effect for free by turning on "Airplane Mode" (which basically switches off all the phone's antennas) and (if you're especially paranoid) also switching off the GPS location service by default (and turning it on only when you actually need to use it.) I do the latter as a matter of course, because it saves battery.

Gods, you must feel awesome about yourself, peddling useless product to rubes who don't know any better...

RE: There is a easy fix.
By geddarkstorm on 10/11/2012 11:58:04 AM , Rating: 2
That app probably does exactly that. How miraculous!

By kleinma on 10/10/2012 4:30:31 PM , Rating: 4
Anonymity, privacy -- these are things we have come to expect when it comes to our cell phones

Come on Jason... who really expects that? I mean I guess we SHOULD expect it, but the reality of what we have is that anonymity and privacy are 2 things I feel I totally give up by using a cell phone, or more specifically a smart phone.

I am sure Google knows everywhere I have been in the past 2 years.

RE: really?
By xti on 10/10/2012 5:05:03 PM , Rating: 2
meh, if they follow my car they know where I am at as well. I mean, what are they gonna do, come punch me? They are hackers and I think stereotypes are on our sides.

RE: really?
By JasonMick on 10/10/2012 5:06:11 PM , Rating: 2
Come on Jason... who really expects that? I mean I guess we SHOULD expect it, but the reality of what we have is that anonymity and privacy are 2 things I feel I totally give up by using a cell phone, or more specifically a smart phone.
And that's why a lot of people avoid smartphones... I agree they're a big security risk. I use one, and a lot of people do, but I know some people who specifically ONLY use 3G feature phones for the added anonymity/privacy.

Those are the kind of folks who I'd imagine would be most perturbed by developments such as this. :-)

RE: really?
By xti on 10/10/2012 5:23:05 PM , Rating: 1
I would bet a cheese burger that more people avoid smartphones because they don't like change or are just bad with these kinds of devices far more than this excessive paranoia.

I can watch porn while waiting for the bus. That pretty much trumps anything you should be scared about.

RE: really?
By ClownPuncher on 10/10/2012 5:57:44 PM , Rating: 2
Service contracts and hardware tends to be somewhat cost prohibitive for some, too. A data plan is typically almost 75% more expensive per month than providing electricity for my home.

RE: really?
By inperfectdarkness on 10/11/2012 3:02:44 AM , Rating: 2

have you ever looked at the cost of a regular contract vs. a smartphone contract?

better yet, have you ever looked at the cost of a pre-paid phone vs. the cost of a smartphone?

i'm sorry, but the reason i haven't migrated to a smartphone isn't technophobia. and concerns over privacy are relevant, but not primary. the real reason is because i've spent less for my pre-paid phone (including the cost of the phone itself)--this year--than i would have paid for 2 months of a smartphone contract.

i work in front of a computer all's not like i can't google stuff when i need to. heck, even if i didn't work in front of a pc, i'd be writing stuff down (or making a voice memo) and looking it up when i got home.

i just loaded another 15 euro on my phone and it'll last me a good 2 months or so. texts are cheap.

what 4G?
By Crazyeyeskillah on 10/10/2012 4:10:22 PM , Rating: 2
I live outside the largest city in Vermont (Burlington) on Verizon and I would say 90%+ of the time I can't get a 4g signal on my phone. If I can it's usually on an extremely localized feed near a specific location.

I find it hard to quantify this as 4g coverage. . .so don't be ignorant of 3g issues, you'd be surprised how many it will continue to affect for years.

By KOOLTIME on 10/11/2012 12:23:09 PM , Rating: 2
Here is a hint,

How do you think a phone call gets charged to your bill and you even receive a CELL phone call in the 1st place.

Easy enough right, cell towers. Cell towers triangulate and your phone sends signal out for discovery, similar concept to the old days of televisions getting the TV signal over the air via rabbit ears, just now it goes 2 way vs 1 way receiver.

You don't have to have any gps or so called air plane mode, once a cell phone makes use of any data and cell towers in the area pick up the signals and know where you are.

Copyright 2016 DailyTech LLC.