Although 5G is often touted for being newer, faster, and more secure than 4G, a team of security researchers from the University of Iowa and Purdue University has flipped the last bit of that marketing message on its head by discovering almost a dozen new 5G vulnerabilities. As a result of these breaches, they were able to carry out some nasty attacks like location tracking, broadcasting of false emergency alerts, and severing the 5G connection of a phone entirely from the network.
Given how important and prevalent 5G will become, you might think that the organizations responsible for the implementation of its security protocols, such as 3GPP, have devised clear and strong requirements. According to the research team, that is simply not the case. They claim in their research paper that the 5G protocol “lacks a formal specification and hence is prone to ambiguity and underspecification.” Additionally, the team says that the existing standard “often states security and privacy requirements in an abstract way” with conformance test suites encompassing “only primitive security requirements lacking both completeness and the consideration of adversarial environments.”
To demonstrate their point, the research team created an “adversarial environment” in the form of a fake malicious radio base station, and together with its newly developed tool called 5GReasoner, successfully carried out multiple types of attacks against a 5G-connected smartphone. In one situation, a denial-of-service (DoS) attack on the phone resulted in its connection being completely cut off from the rest of the network. In another, the phone’s location was tracked in real time and logged. The scariest demonstration was the hijacking of the phone’s paging channel to broadcast fake emergency alerts, which according to the research team, could lead to “artificial chaos,” like when a mistakenly sent alert claimed that Hawaii was under missile attack from North Korea that resulted in broad panic on the island.
Given the serious nature of these vulnerabilities and how easily the team was able to exploit them, they have wisely decided not to publicly release the precise methods and code behind their exploits. They did notify the GSM Association, but its spokesperson Claire Cranton, in response to an inquiry from TechCrunch, sounded noncommittal about any upcoming fixes, saying the vulnerabilities are “judged as nil or low-impact in practice.”
Syed Rafiul Hussain, one of the co-authors of the research paper, said in his statement to TechCrunch that while most of the security flaws in the existing design can be easily fixed, some of the vulnerabilities will require “a reasonable amount of change in the protocol.”