As 5G Rolls Out, Troubling New Security Flaws Emerge (wired.com)
It's not yet prime time for 5G networks, which still face logistical and technical hurdles, but they're increasingly coming online in major cities worldwide. Which is why it's especially worrying that new 5G vulnerabilities are being discovered almost by the dozen. From a report: At the Association for Computing Machinery's Conference on Computer and Communications Security in London today researchers are presenting new findings that the 5G specification still has vulnerabilities. And with 5G increasingly becoming a reality, time is running out to catch these flaws. The researchers from Purdue University and the University of Iowa are detailing 11 new design issues in 5G protocols that could expose your location, downgrade your service to old mobile data networks, run up your wireless bills, or even track when you make calls, text, or browse the web. They also found five additional 5G vulnerabilities that carried over from 3G and 4G. They identified all of those flaws with a new custom tool called 5GReasoner.
One purported benefit of 5G is that it protects phone identifiers, like your device's "international mobile subscriber identity," to help prevent tracking or targeted attacks. But downgrade attacks like the ones the researchers found can bump your device down to 4G, or put it into limited service mode, then force it to send its IMSI number unencrypted. Increasingly, networks use an alternative ID called a Temporary Mobile Subscriber Identity that refreshes periodically to stymie tracking. But the researchers also found flaws that could allow them to override TMSI resets, or correlate a device's old and new TMSI, to track devices. Mounting those attacks takes only software-defined radios that cost a few hundred dollars. The 5GReasoner tool also found issues with the part of the 5G standard that governs things like initial device registration, deregistration, and paging, which notifies your phone about incoming calls and texts. Depending on how a carrier implements the standard, attackers could mount "replay" attacks to run up a target's mobile bill by repeatedly sending the same message or command. It's an instance of vague wording in the 5G standard that could cause carriers to implement it weakly.
Issues? You mean features. (Score:5, Insightful)
"...11 new design issues in 5G protocols that could expose your location, downgrade your service to old mobile data networks, run up your wireless bills, or even track when you make calls, text, or browse the web."
(Average Customer) "Wow, those do sound like a lot of major issues we need to address."
(Marketing Dept/Government Sales) "Hey, who the hell published our list of features and add-ons?!?"
Re: (Score:2)
Get to the root of the problem (Score:4, Funny)
What's the direct cause of this never-ending stream of vulnerability reports?
It's allowing these "software-defined radios" to fall into the hands of security researchers. If we work to prevent that, then we could stanch the flow of vulnerabilities. We need to get the telecommunications industry to work with our legislators to implement policy to that end.
Re: (Score:2)
lol... your user name is hilarious... especially in the context of what you just wrote. well done...
well done!
Re: (Score:2)
Security by obscurity never works. ... or were you being sarcastic?
Re: (Score:2)
Whoosh!
I'm pretty sure it's deadpan humour.
Wow a first in technical history (Score:3, Interesting)
Seems like an automatic, when marketing gets involved in the product delivery schedule.
I still use my original 2008 HTC G1 even though T-Mobile has been sending me notices about features no longer being available (for 4+ years) and I MUST buy a new phone immediately to restore those critical features!
The only 2 apps I have installed are tethering and an SSH client. Otherwise I can make calls, send and receive texts. My incoming call and text notifications don't work anymore (phone does not ring, but the ringer works fine).
New smart phones remind me of razors and blades improved to the point they don't function anymore. Besides becoming too expensive to even use. I bought an old used double edged razor and order blades from overseas.
The issue for me is a phone is a comm device for my use, Not a selfie, advertising app tool for others to have a direct channel to me. I know I am the exception.
Just my 2 cents
Re: (Score:1, Insightful)
This would at least get you better network coverage and solve basic things like the notifications you mentioned.
Re: (Score:1)
You could always buy a new, basic Android phone and not install things you don't care about. This would at least get you better network coverage and solve basic things like the notifications you mentioned.
Actually I should have mentioned the Pine Phone or Librem Phone too, given your use cases.
The "security issues" with 5G are elsewhere (Score:2)
The real security issue with 5G is that 5G is the perfect illumination for a passive Stealth Busting radar. https://www.fagain.co.uk/node/... [fagain.co.uk]
It ticks all the necessary tick boxes to defeat Stealth. It uses frequencies which are in the range where Stealth does not work. It "shines" from the side so the elaborate aircraft shape designed to deflect beams in a direction different from the one they come from does not work either. https://www.fagain.co.uk/node/... [fagain.co.uk]
This is why the usual suspects are piling
Probably just the usual incompetence (Score:2)
These days, competent engineers in the IT space are a small minority. The rest has big egos and small skills and it shows.
Re: (Score:3)
Re: (Score:2)
Me too. All those wasted resources...
You're as wide open (Score:1)
Wander around with your mic on and camera getting collected on. Files, images, voice prints, location..the other tracking of smartphone user walking with you.
No old cell network, new smartphone was ever protection against the gov, police by design.
What made people think 5G would provide "magical" privacy vs any nation's gov, police, mil?
Use any generation of cell network, new network, the gov and mil are ready to collect everything by des
Troubling New Security Flaws Emerge (Score:2)
Oh wait, wrong window.
Legacy tracker compatibility (Score:2)