A recently discovered flaw in 3G-enabled devices seems to allow an attacker to track any such device. Because the flaw is part of the 3G protocol design itself rather than a bug in one implementation, every device that follows the standard is affected.
The most shocking part of the exploit is described by the researchers who reported the issue: “The attacker does not need to know any keys, nor perform any cryptographic operation… [These] kind of vulnerabilities usually look trivial once uncovered but often remain unnoticed for [a] long time, since they do not involve fancy cryptography but are caused by errors in the protocol logic.” So essentially, nothing prevents anyone who wants to sniff a radio link from mounting these attacks, beyond the knowledge of how to perform them.
The 3G standard specifies user identity confidentiality: the user’s permanent identity (the IMSI) is supposed to stay hidden behind a temporary identity (the TMSI) that the network reallocates regularly, so that a user cannot be traced even by an attacker sniffing the radio link.
The strangest part of the story is that this kind of identity exposure was already known and supposedly addressed by the temporary-identity mechanism, yet the protection can be circumvented easily. By spoofing an IMSI paging request (the message a mobile network uses to locate a device in order to deliver services to it), an attacker can pinpoint one specific device and determine its location. As the researchers put it: “The possibility of triggering a paging request for a specific IMSI allows an attacker to check a specific area for the presence of mobile stations of whom he knows the identity, and to correlate their IMSI and TMSI,” which summarizes it nicely.
Another vulnerability lies in the protocol that authenticates a device to the network and establishes its session keys, Authentication and Key Agreement (AKA). An attacker first sniffs a genuine AKA authentication request sent to the target device, then replays that request to all devices within a certain area. Every device except the target rejects it because the MAC in the request was computed with a key it does not hold; the target alone recognises the MAC but rejects the request as a replay because its sequence number is stale. The two rejections are different error messages (a MAC failure versus a synchronisation failure), and that difference identifies the target device, which again allows for tracking. So the error messages themselves make it possible to track specific devices. The researchers tested the attacks on a range of networks, but any network that follows the 3G protocol standard is technically vulnerable. The researchers also proposed protocol fixes that use additional cryptography so that, for instance, an eavesdropper can no longer tell the two failure messages apart; whether operators consider the problem a big enough priority to deploy such fixes remains to be determined.
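To make both attacks concrete, here is a small simulation written for this page (it is not code from the researchers or from any 3G implementation). It models a network, a few mobile stations and an attacker, and shows the IMSI paging correlation from the previous paragraph alongside the AKA replay from this one. Everything is simplified and constructed: HMAC-SHA256 stands in for the real AKA functions f1 and f2, the IMSI and TMSI values are made up, and the "hidden errors" variant is only a stand-in for the researchers' fix (which protects the failure cause with the network's public key; here a keystream derived from the subscriber key K plays that role).

```python
import hmac
import hashlib
import os
from dataclasses import dataclass, field

# Message types on the air. Constructed names, not the real 3G message codes.
SUCCESS = "RES"
MAC_FAILURE = "MAC_FAILURE"
SYNC_FAILURE = "SYNC_FAILURE"
HIDDEN_FAILURE = "AUTH_FAILURE"


def f1(k, sqn, rand):
    """Toy stand-in for the AKA MAC function f1 (HMAC instead of Milenage)."""
    return hmac.new(k, sqn.to_bytes(6, "big") + rand, hashlib.sha256).digest()[:8]


def f2(k, rand):
    """Toy stand-in for the AKA response function f2."""
    return hmac.new(k, b"RES" + rand, hashlib.sha256).digest()[:8]


@dataclass
class Network:
    keys: dict                                # IMSI -> long-term key K
    sqn: dict = field(default_factory=dict)   # IMSI -> last sequence number issued

    def challenge(self, imsi):
        """Build an authentication request (RAND, AUTN) for one subscriber."""
        k = self.keys[imsi]
        rand = os.urandom(16)
        sqn = self.sqn.get(imsi, 0) + 1
        self.sqn[imsi] = sqn
        return rand, (sqn, f1(k, sqn, rand))


@dataclass
class MobileStation:
    imsi: str
    k: bytes
    tmsi: bytes = field(default_factory=lambda: os.urandom(4))
    sqn_ms: int = 0               # highest sequence number accepted so far
    hide_errors: bool = False     # switch for the hardened variant

    def page(self, identity):
        """Answer a paging request addressed to this station's IMSI or TMSI
        with its current TMSI, as the paging procedure does."""
        if identity in (self.imsi, self.tmsi):
            return self.tmsi
        return None

    def respond(self, rand, autn):
        sqn, mac = autn
        if not hmac.compare_digest(mac, f1(self.k, sqn, rand)):
            return self._fail(MAC_FAILURE)    # wrong key: not meant for this station
        if sqn <= self.sqn_ms:
            return self._fail(SYNC_FAILURE)   # right key but stale SQN: a replay
        self.sqn_ms = sqn
        return SUCCESS, f2(self.k, rand)

    def _fail(self, reason):
        if not self.hide_errors:
            return reason, None
        # Hardened variant: a single failure message type on the air, with the
        # cause encrypted under a fresh nonce so an eavesdropper only sees
        # random-looking bytes. Simplified stand-in for the researchers' fix.
        nonce = os.urandom(16)
        stream = hmac.new(self.k, b"ERR" + nonce, hashlib.sha256).digest()
        plain = reason.encode().ljust(16, b"\0")
        return HIDDEN_FAILURE, nonce + bytes(a ^ b for a, b in zip(plain, stream))


def imsi_paging_attack(stations, imsi):
    """Spoof Paging(IMSI) in an area: whoever answers is present, and the
    reply links that IMSI to the station's current TMSI."""
    for ms in stations:
        tmsi = ms.page(imsi)
        if tmsi is not None:
            return tmsi
    return None


def aka_linkability_attack(captured, stations):
    """Replay a captured (RAND, AUTN) to everyone in range. Only the station
    it was issued to can verify the MAC, so only it answers SYNC_FAILURE."""
    return [ms.imsi for ms in stations
            if ms.respond(*captured)[0] == SYNC_FAILURE]


def run_scenario(hide_errors=False):
    keys = {f"IMSI-{i}": os.urandom(16) for i in range(4)}   # constructed subscribers
    net = Network(keys)
    stations = [MobileStation(i, k, hide_errors=hide_errors) for i, k in keys.items()]
    target = stations[2]
    rand, autn = net.challenge(target.imsi)      # genuine run; the attacker records it
    assert target.respond(rand, autn)[0] == SUCCESS
    return aka_linkability_attack((rand, autn), stations), target.imsi


if __name__ == "__main__":
    found, target = run_scenario()
    print("plain AKA: replay identifies", found, "(target was", target + ")")
    found, _ = run_scenario(hide_errors=True)
    print("hidden errors: replay identifies", found)
```

In the plain variant the replay singles out the target because it is the only station whose reply is a synchronisation failure; with the error cause hidden, all four stations send the same message type and the attacker learns nothing from the replies. The paging helper shows the other side of the same problem: a station answers a page for its IMSI with its TMSI, so one spoofed page both confirms presence and correlates the two identities.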
Overall, 3G has fairly significant exploits, but it remains to be seen whether they are significant enough to get fixed quickly and, with so many people switching to 4G, whether they even should be.