5G is faster and more secure than 4G. But new research shows it also has vulnerabilities that could put phone users at risk.
Security researchers at Purdue University and the University of Iowa have found close to a dozen vulnerabilities, which they say can be used to track a victim's real-time location, spoof emergency alerts that can trigger panic or silently disconnect a 5G-connected phone from the network altogether.
5G is said to be more secure than its 4G predecessor, able to withstand exploits used to target users of older cellular network protocols like 2G and 3G like the use of cell site simulators — known as "stingrays." But the researchers' findings confirm that weaknesses undermine the newer security and privacy protections in 5G.
Worse, the researchers said some of the new attacks also could be exploited on existing 4G networks.
The researchers expanded on their previous findings to build a new tool, dubbed 5GReasoner, which was used to find 11 new 5G vulnerabilities. By creating a malicious radio base station, an attacker can carry out several attacks against a target's connected phone used for both surveillance and disruption.
In one attack, the researchers said they were able to obtain both old and new temporary network identifiers of a victim's phone, allowing them to discover the paging occasion, which can be used to track the phone's location — or even hijack the paging channel to broadcast fake emergency alerts. This could lead to "artificial chaos," the researcher said, similar to when a mistakenly sent emergency alert claimed Hawaii was about to be hit by a ballistic missile amid heightened nuclear tensions between the U.S. and North Korea. (A similar vulnerability was found in the 4G protocol by University of Colorado Boulder researchers in June.)
Another attack could be used to create a "prolonged" denial-of-service condition against a target's phone from the cellular network.
In some cases, the flaws could be used to downgrade a cellular connection to a less-secure standard, which makes it possible for law enforcement — and capable hackers — to launch surveillance attacks against their targets using specialist "stingray" equipment.
All of the new attacks can be exploited by anyone with practical knowledge of 4G and 5G networks and a low-cost software-defined radio, said Syed Rafiul Hussain, one of the co-authors of the new paper.
Given the nature of the vulnerabilities, the researchers said they have no plans to release their proof-of-concept exploitation code publicly. However, the researchers did notify the GSM Association (GSMA), a trade body that represents cell networks worldwide, of their findings.
Although the researchers were recognized by GSMA's mobile security "hall of fame," spokesperson Claire Cranton said the vulnerabilities were "judged as nil or low-impact in practice." The GSMA did not say if the vulnerabilities would be fixed — or give a timeline for any fixes. But the spokesperson said the researchers' findings "may lead to clarifications" to the standard where it's written ambiguously.
Hussain told TechCrunch that while some of the fixes can be easily fixed in the existing design, the remaining vulnerabilities call for "a reasonable amount of change in the protocol."
It's the second round of research from the academics released in as many weeks. Last week, the researchers found several security flaws in the baseband protocol of popular Android models — including Huawei's Nexus 6P and Samsung's Galaxy S8+ — making them vulnerable to snooping attacks on their owners.