3G Flaw makes any device vulnerable to tracking.

A recently discovered flaw in 3G-enabled devices appears to allow an attacker to track any one of these devices. Any device would be vulnerable, since the flaw is hard-wired into the design of the 3G system.

The most shocking part of the exploit is described by the researchers who reported the issue: “The attacker does not need to know any keys, nor perform any cryptographic operation… [These] kind of vulnerabilities usually look trivial once uncovered but often remain unnoticed for [a] long time, since they do not involve fancy cryptography but are caused by errors in the protocol logic.” So essentially, nothing prevents anyone who wants to sniff the radio link from doing so, aside from the knowledge needed to perform such a task.

The 3G standard specifies user identity confidentiality: it should mask the user’s permanent identity from being revealed, provide regular updates to the 3G-enabled devices, and make it impossible for a user to be traced even if the attacker is sniffing the radio link.

The strangest part of the story is that this vulnerability was found in the past and patched, but it can still be circumvented easily. Simply by spoofing an IMSI paging request (what a mobile network uses to locate a device and provide the necessary services to it), one specific device can be pinpointed accurately and its location found. The researchers explain it briefly: “The possibility of triggering a paging request for a specific IMSI allows an attacker to check a specific area for the presence of mobile stations of whom he knows the identity, and to correlate their IMSI and TMSI,” which summarizes it nicely.

Another vulnerability lies in the session keys that authenticate a device to the network. This authentication uses a protocol called Authentication and Key Agreement (AKA). These keys can be identified by sniffing the AKA request and then sending that request to all devices within a certain area. All the devices except the target would return an authentication failure, which would identify the target device and, again, allow for tracking. In other words, the error messages make it possible to track specific devices. The researchers tested the theories on a range of networks, but any network that follows the 3G protocol standard is technically vulnerable. While these attacks are possible, they can be easily mitigated if the networks employ more aggressive cryptography tactics, but it remains to be determined whether fixing them is that big of a priority.
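The error-message leak described above can be modelled in a few lines. This is an added example, not code from the researchers or from the 3G specification: it shows why distinct failure answers single out one device and how a uniform failure answer removes the signal. Assumptions: HMAC-SHA256 stands in for the real AKA functions, the device names are constructed, and the two failure reasons are named after the MAC-failure and synchronisation-failure causes in 3G AKA, a detail the article does not spell out.

```python
import hashlib
import hmac
import os

def mac(key, rand, sqn):
    # Toy stand-in (assumption) for the AKA function that authenticates a request.
    return hmac.new(key, rand + sqn.to_bytes(6, "big"), hashlib.sha256).digest()

class Device:
    def __init__(self, name, uniform_errors=False):
        self.name = name
        self.key = os.urandom(16)   # long-term key shared with the home network
        self.last_sqn = 0           # highest sequence number accepted so far
        self.uniform_errors = uniform_errors

    def handle_auth_request(self, rand, sqn, tag):
        if not hmac.compare_digest(tag, mac(self.key, rand, sqn)):
            reason = "MAC_FAILURE"    # request was not built with this device's key
        elif sqn <= self.last_sqn:
            reason = "SYNC_FAILURE"   # right key, but a stale (replayed) request
        else:
            self.last_sqn = sqn
            return "AUTH_OK"
        # Hardened variant: both failures look identical to an observer.
        return "AUTH_REJECT" if self.uniform_errors else reason

def network_challenge(device, sqn):
    rand = os.urandom(16)
    return rand, sqn, mac(device.key, rand, sqn)

def replay_responses(uniform_errors):
    """Each device's answer to a replay of one old request meant for 'target'."""
    devices = [Device(n, uniform_errors) for n in ("target", "dev-a", "dev-b")]
    challenge = network_challenge(devices[0], sqn=1)
    assert devices[0].handle_auth_request(*challenge) == "AUTH_OK"  # genuine run
    return {d.name: d.handle_auth_request(*challenge) for d in devices}

def distinguishable(responses):
    """True if the target's answer differs from every other device's answer."""
    others = {v for k, v in responses.items() if k != "target"}
    return responses["target"] not in others

if __name__ == "__main__":
    for uniform in (False, True):
        r = replay_responses(uniform)
        print("uniform_errors =", uniform, r, "linkable:", distinguishable(r))
```

The uniform answer here stands in for any fix that makes the failure reason unreadable on the radio link; a real network still needs the resynchronisation information, so it would have to be delivered in protected form rather than dropped.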

Overall, 3G has somewhat significant exploits, but it remains to be seen if they are significant enough to get fixed quickly, and since many people are switching to 4G, if they even should.





7 thoughts on “3G Flaw makes any device vulnerable to tracking.”

  1. This is quite interesting. I’m not sure if I fully understand how it works but I do know that it can’t be that threatening and I’ll bet it won’t get fixed any time soon. I say that because yes, you can track a single device but the number of devices on 3G make it very difficult to actually use this. What is threatening is if someone figures out how to use this technique but only on a small selective group of devices.

  2. This raises a good point about how quickly this industry moves. As hard as it is for us to keep abreast of each new change, crackers have to make quick use of their exploits. Our computers are like our immune systems - constantly besieged by outmoded forms of attack.
    While this is a big privacy violation, it seems at least a short-lived one. I’m having trouble visualizing how someone could use my general location - maybe as part of a social engineering attempt?
