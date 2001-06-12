from the off-the-grid-is-the-only-way dept.
Researchers at ETH Zurich and Technische Universität Berlin have described a flaw in 3G, 4G, and 5G communications that keeps mobile phone communications vulnerable to international mobile subscriber identity-catcher (IMSI-catcher) attacks. Specifically, the Authentication and Key Agreement (AKA) protocol accidentally (?) allows for a new privacy attack against all variants of the protocol, including more detailed location disclosure.
The standards body in charge of 5G—the 3rd Generation Partnership Project, or 3GPP—has improved AKA to mitigate those well-known privacy issues. However, the researchers say, they have been able to find a new vulnerability that affects all versions of the AKA, including in the upcoming 5G standard. And what's more, the researchers say that this new attack "breaches subscribers' privacy more severely than known location privacy attacks do."
The newly discovered vulnerability allows an attacker who can intercept mobile traffic in the area (meaning anyone with a software-defined radio costing around $500) to monitor individual subscriber activity, such as the number of outgoing calls or SMSs sent in a given amount of time (but not the metadata or contents of the messages). On top of that, the technique can tell an attacker how many calls or text messages an individual victim sent even if the victim is not near the attacker when the calls or texts are sent. Instead, after the first time the victim enters the attack area and subsequently leaves the area, even past call and text activity would become vulnerable as soon as the victim and their device re-enter the attack area.
[...] It's important to keep in mind here that, for cases of lawful intervention from law enforcement agencies, there are better ways than this attack technique to get location information, such as getting a warrant and getting the information directly from the phone companies. People working outside the legal system, such as spies and criminals, cannot get warrants and cannot typically work directly with the phone companies. Law enforcement does not need the location-finding capabilities of an IMSI catcher unless they are trying to circumvent the legal system.
If 5G Is So Important, Why Isn't It Secure? (2019)
Sen. Wyden Confirms Cell-Site Simulators Disrupt Emergency Calls (2018)
Trump's Cell Phone Use is Security "Nightmare" Waiting to Happen, Lawmakers Say (2018)
New York District Court Throws Out DEA Stingray Evidence (2016)
A federal judge has rejected evidence obtained through the warrantless use of Stingray IMSI catcher technology by the DEA:
A federal judge in New York State has pushed back against Drug Enforcement Agency (DEA) use of Stingray data, saying the data it collected isn't admissible. Like a Maryland state judge, who ruled in 2015 that IMSI-catcher data needed warrants, US District Court judge William Pauley III has decided that technology can't be used to subvert America's Fourth Amendment.
His judgment, here, draws parallels with other cases that have treated privacy-invasive technologies as "unreasonable search". Past rulings on such matters have kiboshed heat detection through walls, for example, in the 15-year-old Kyllo case that began in 1992. "Absent a search warrant, the Government may not turn a citizen's cell phone into a tracking device," the judgment notes – adding that the Department of Justice seems to agree, since its internal policies now tell government agents to get a warrant before using such devices.
Also at Ars Technica, Reuters, and NYT.
The letter, which was sent Wednesday by Rep. Ted Lieu (D-California) and Rep. Ruben Gallego (D-Arizona), comes after recent media reports that Donald Trump is making "increased use" of his personal phone.
Last year, Trump reportedly had an iPhone with just one app on it: Twitter.
"While cybersecurity is a universal concern, the President of the United States stands alone as the single-most valuable intelligence target on the planet," the congressmen write.
The letter goes on to ask a number of questions of the White House Communications Agency, the entity responsible for the president’s infosec needs.
How frequently does the WHCA update the President’s phone’s operating system?
Does the President use encryption when he makes phone calls or texts from his personal cell phone?
How has WHCA adapted to the growing threat of "Stingray" devices, or IMSI catchers, in Washington D.C., especially given the President’s alleged proclivity for making outgoing voice calls on his personal cell phone?
From the Electronic Frontier Foundation (EFF)
Sen. Ron Wyden has sent a letter to the U.S. Department of Justice concerning disruptions to 911 emergency services caused by law enforcement's use of cell-site simulators (CSS, also known as IMSI catchers or Stingrays). In the letter, Sen. Wyden states that:
Senior officials from the Harris Corporation—the manufacturer of the cell-site simulators used most frequently by U.S. law enforcement agencies—have confirmed to my office that Harris' cell-site simulators completely disrupt the communications of targeted phones for as long as the surveillance is ongoing. According to Harris, targeted phones cannot make or receive calls, send or receive text messages, or send or receive any data over the Internet. Moreover, while the company claims its cell-site simulators include a feature that detects and permits the delivery of emergency calls to 9-1-1, its officials admitted to my office that this feature has not been independently tested as part of the Federal Communication Commission's certification process, nor were they able to confirm this feature is capable of detecting and passing-through 9-1-1 emergency communications made by people who are deaf, hard of hearing, or speech disabled using Real-Time Text technology.
The full text of the letter can be read here.
Researchers of CSS technology have long suspected that using such technologies, even professionally designed and marketed CSS's, would have a detrimental effect on emergency services, and now—for the first time—we have confirmation.
So not only does it snoop on all calls in the area, it also disrupts emergency calls. And why is everything about Stingrays, even their existence, such a huge secret, even to the point of dropping prosecutions?
The Trump administration’s so-called “race” with China to build new fifth-generation (5G) wireless networks is speeding toward a network vulnerable to Chinese (and other) cyberattacks. So far, the Trump administration has focused on blocking Chinese companies from being a part of the network, but these efforts are far from sufficient. We cannot allow the hype about 5G to overshadow the absolute necessity that it be secure.
[...] “It is imperative that America be first in fifth-generation (5G) wireless technologies,” President Trump wrote in an October Presidential Memorandum of instructions to federal agencies. While the administration, especially the Trump Federal Communications Commission (F.C.C.), makes much of how the 5G “race” with China is a matter of national security, not enough effort is being put into the security of the network itself. Nowhere in the president’s directive, for instance, was there a word about protecting the cybersecurity of the new network.
As the President’s National Security Telecommunications Advisory Committee told him in November, “the cybersecurity threat now poses an existential threat to the future of the Nation.” Last January, the brightest technical minds in the intelligence community, working with the White House National Security Council (N.S.C.), warned of the 5G cybersecurity threat. When the proposed solutions included security through a federally-owned network backbone, the wireless industry screamed in protest. The chairman of the Trump F.C.C. quickly echoed the industry line that “the market, not government, is best positioned to drive innovation and leadership.” Government ownership may not be practicable, but the concerns in the N.S.C. report have been dismissed too readily.
Worse than ignoring the warnings, the Trump administration has repealed existing protections. Shortly after taking office, the Trump F.C.C. removed a requirement imposed by the Obama F.C.C. that the 5G technical standard must be designed from the outset to withstand cyberattacks. For the first time in history, cybersecurity was being required as a forethought in the design of a new network standard — until the Trump F.C.C. repealed it. The Trump F.C.C. also canceled a formal inquiry seeking input from the country’s best technical minds about 5G security, retracted an Obama-era F.C.C. white paper about reducing cyberthreats, and questioned whether the agency had any responsibility for the cybersecurity of the networks they are entrusted with overseeing.
The simple fact is that our wireless networks are not as secure as they could be because they weren’t designed to withstand the kinds of cyberattacks that are now common. This isn’t the fault of the companies that built the networks, but a reflection that when the standards for the current fourth-generation (4G) technology were set years ago, cyberattacks were not a front-and-center concern.
