
5G connections have vulnerabilities that expose mobile devices to bypass and DoS attacks



Wireless service providers prioritize uptime and latency, sometimes at the expense of security, which lets attackers exploit the resulting weaknesses to steal data, or worse.

Due to vulnerabilities in 5G technology, mobile devices are at risk of data theft and denial of service.

At the upcoming Black Hat 2024 conference in Las Vegas, a seven-member research team from Pennsylvania State University will show how hackers can eavesdrop on a victim's Internet traffic by becoming the party that provides the Internet connection. That opens the door to espionage, phishing and more.

The researchers say it is a highly accessible attack, involving commonly overlooked vulnerabilities and equipment that can be bought online for a few hundred dollars.

Step 1: Set up a fake base station

When a device attempts to connect to a mobile network base station for the first time, the two perform an authentication and key agreement (AKA). The device sends a registration request, and the base station responds with an authentication and security check request.

Although base stations verify mobile phones, mobile phones do not verify base stations; the legitimacy of a base station is essentially taken as a given.

“Base stations broadcast 'hello' every 20 or 40 minutes to advertise their presence in a particular area,” explained Syed Md Mukit Rashid, a research associate at Penn State University. “But these broadcast messages are not authenticated and do not have any security mechanism. They are just plain text messages, so there is no way for a phone or device to check if it is coming from a fake tower.”

Building a fake cell tower is not as difficult as it seems. You only need to use a Raspberry Pi or, better yet, a software-defined radio (SDR) to simulate a real cell tower. Kai Tu, another research assistant at Pennsylvania State University, pointed out: “The tools needed to simulate a cell tower can be purchased online, and then you can run some open source software (OSS) on the fake cell tower to use it as a fake base station.” Expensive SDRs can cost tens of thousands of dollars, while cheap SDRs that can accomplish the task only cost a few hundred dollars.

It may seem far-fetched that a small device could lure your phone away from an established commercial tower. But in a targeted attack, a nearby SDR can provide a stronger 5G signal than a tower that serves tens of thousands of people at once. “Essentially, the device will try to connect to the best tower, the one that provides the highest signal strength,” Rashid said.

Step 2: Exploit the vulnerability

Like other security procedures, AKA can be exploited. For example, researchers found a mishandled security header in a 5G modem integrated into a popular mobile processor that can be used by attackers to bypass the AKA process entirely. This processor is used in most devices produced by the world's two largest smartphone companies, which the company would not disclose.

After attracting a target device, the attacker can use this AKA bypass to return a maliciously crafted “Accept Registration” message and initiate a connection. This allows the attacker to become the victim's Internet Service Provider and see everything the victim does online in an unencrypted form. They can also interact with the victim by sending spear-phishing text messages or redirecting the victim to malicious websites.

While the AKA bypass vulnerability is severe enough, researchers also found other vulnerabilities that could allow an attacker to determine the location of a device and perform a denial of service (DoS).

How to ensure 5G security

The Penn State researchers have reported all of the vulnerabilities they discovered to the respective mobile vendors, who have already deployed patches.

However, a more lasting solution must start with securing 5G authentication. As Rashid said, “If you want to ensure the authenticity of these broadcast messages, you need to use public key (infrastructure) cryptography (PKI). The cost of deploying PKI is high and all base stations need to be updated.” In addition, there are some non-technical challenges, such as who will be the root certificate authority for the public key, etc.

Such a major change is unlikely to happen any time soon, as 5G systems were deliberately built to transmit this information in plain text for specific reasons.

“It's an incentive problem. Information is sent in milliseconds, so if some kind of encryption mechanism is used, it will increase the computational overhead of the base station and the user device.” Rashid explained that computational overhead also costs time, so performance would be slower.

Rashid said that the incentive for performance is greater than the incentive for security. But whether it is through fake base stations, Stingray devices or other means, attackers launch attacks by taking advantage of the lack of verification of the initial broadcast information of the base station, which is the root of all evil.
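The broadcast authentication Rashid describes, sketched as an added example (it is not code from the researchers or from any 3GPP specification): a root CA certifies each base station's key, the station signs its broadcast, and the device checks both before trusting the cell. The `SignedSIB` layout, the choice of Ed25519 and the one-second freshness window are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"time"
)

// SignedSIB is a hypothetical signed broadcast, not a 3GPP message format.
type SignedSIB struct {
	Payload      []byte            // cell parameters, still sent as plain text
	SentAt       int64             // Unix ms, signed so old broadcasts cannot be replayed
	TowerKey     ed25519.PublicKey // base station's public key
	KeyCert, Sig []byte            // root CA signature over TowerKey; tower signature over SentAt+Payload
}
func signedBytes(ts int64, payload []byte) []byte {
	return append([]byte(fmt.Sprintf("%020d", ts)), payload...)
}

// Broadcast is the base-station side: timestamp and sign the message.
func Broadcast(key ed25519.PrivateKey, cert, payload []byte, now time.Time) SignedSIB {
	ts := now.UnixMilli()
	return SignedSIB{payload, ts, key.Public().(ed25519.PublicKey), cert, ed25519.Sign(key, signedBytes(ts, payload))}
}

// Verify is the device side: certificate, then signature, then freshness.
func Verify(root ed25519.PublicKey, m SignedSIB, now time.Time) error {
	if len(m.TowerKey) != ed25519.PublicKeySize || !ed25519.Verify(root, m.TowerKey, m.KeyCert) {
		return fmt.Errorf("tower key is not certified by the root CA")
	}
	if !ed25519.Verify(m.TowerKey, signedBytes(m.SentAt, m.Payload), m.Sig) {
		return fmt.Errorf("broadcast signature does not verify")
	}
	if age := now.Sub(time.UnixMilli(m.SentAt)); age < 0 || age > time.Second { // assumed 1 s window
		return fmt.Errorf("broadcast is stale or future-dated")
	}
	return nil
}

// demo checks a certified tower, a tower with a self-issued certificate, and a replay.
func demo() (genuine, uncertified, replayed error) {
	rootPub, rootKey, _ := ed25519.GenerateKey(nil)
	towerPub, towerKey, _ := ed25519.GenerateKey(nil)
	fakePub, fakeKey, _ := ed25519.GenerateKey(nil)
	now, sib := time.UnixMilli(1700000000000), []byte("constructed cell parameters")
	good := Broadcast(towerKey, ed25519.Sign(rootKey, towerPub), sib, now)
	rogue := Broadcast(fakeKey, ed25519.Sign(fakeKey, fakePub), sib, now)
	return Verify(rootPub, good, now), Verify(rootPub, rogue, now), Verify(rootPub, good, now.Add(time.Minute))
}
func main() { fmt.Println(demo()) }
```

Every broadcast now costs the station one signature and the device two verifications, which is the per-message overhead the article's performance argument is about.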

References:
https://www.darkreading.com/mobile-security/your-phone-s-5g-connection-is-exposed-to-bypass-dos-attacks
