At the Black Hat security conference in Las Vegas, a group of network communication security researchers will present findings on flaws in the 5G protections meant to thwart the surveillance devices known as stingrays.
Also called "IMSI catchers" after the international mobile subscriber identity (IMSI) number carried on every cell phone's SIM, stingrays masquerade as legitimate cell towers. Once a stingray tricks a device into connecting to it, it uses the IMSI or other identifiers to track the device, and can even listen in on phone calls.
Ravishankar Borgaonkar, a research scientist at the Norwegian tech analysis firm SINTEF Digital, told Wired that 5G was developed to fix the issues that allow fake base station attacks, and that while it fixed some problems, it does not give full protection against these phoney base station attacks.
The researchers found enough lapses in these protections to sneak a pair of 5G stingray attacks through. When a device "registers" with a new cell tower to get connectivity, it transmits identifying data about itself, including its capabilities. As with the current 4G standard, 5G doesn't encrypt that data. As a result, the researchers found that they could collect this information with a stingray and potentially use it to identify and track devices in a given area.
The researchers found that they could use that unencrypted data to determine things like which devices are smartphones, tablets, cars, vending machines, sensors, and so on. They can identify a device's manufacturer, the hardware components inside it, its specific model and operating system, and even what specific operating system version an iOS device is running.
That information could allow attackers to identify and locate devices, particularly in a situation where they already have a target or are looking for a less common model.
It turns out that the same exposure that leaks details about a device also creates the opportunity for a man-in-the-middle, such as a stingray, to manipulate that data: because it is sent in the clear before the device and network have set up any keys, there is nothing that would let the network detect that the message was altered in transit.
The researchers found that they could use their first stingray attack to modify the device category that a phone reports during the connection process, so that the network treats it as an older device and downgrades it to an older-generation network. At that point the existing stingray attacks against those older networks apply again, and an attacker could move forward with communication surveillance or more precise location tracking.
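The following toy model illustrates both problems described above: a device's capability report that is readable by anyone listening (fingerprinting) and rewritable by anyone in the path (downgrade), and what changes once the same report is integrity-protected with a key both sides already share. This is an added example written for this page, not code from the researchers or from any 5G implementation; the message fields, the device values and the session key are constructed, and the format does not reproduce actual 3GPP NAS/RRC encoding.

```python
"""Toy model of a registration exchange in which a device's capability
report is sent before any security context exists (added illustration;
field names, values and the key are constructed, not 3GPP formats)."""
import hashlib
import hmac
import json

# Constructed sample of what a device announces when it registers.
SAMPLE_CAPABILITIES = {
    "device_class": "smartphone",
    "vendor": "ExampleCorp",          # constructed value
    "model": "X-200",                 # constructed value
    "os": "ExampleOS 4.1",            # constructed value
    "supported_rats": ["5G-NR", "LTE", "UMTS"],
}

# Network preference order when choosing a radio access technology.
RAT_PREFERENCE = ("5G-NR", "LTE", "UMTS", "GSM")


def fingerprint(capabilities: dict) -> str:
    """What a passive IMSI catcher learns from a cleartext registration."""
    return "/".join(capabilities[k] for k in ("device_class", "vendor", "model", "os"))


def network_select_rat(capabilities: dict) -> str:
    """The network picks the best technology the device *claims* to support."""
    for rat in RAT_PREFERENCE:
        if rat in capabilities["supported_rats"]:
            return rat
    raise ValueError("no common radio access technology")


def mitm_downgrade(capabilities: dict) -> dict:
    """A fake base station rewrites the report to hide the device's 5G support."""
    forged = dict(capabilities)
    forged["supported_rats"] = [r for r in capabilities["supported_rats"] if r != "5G-NR"]
    return forged


def run_unprotected_registration(attacker_present: bool) -> str:
    """Capability report sent in the clear: the network cannot tell it was altered."""
    report = SAMPLE_CAPABILITIES
    if attacker_present:
        report = mitm_downgrade(report)
    return network_select_rat(report)


def protect(capabilities: dict, key: bytes) -> dict:
    """Attach a MAC over a canonical encoding of the report (assumes a shared key)."""
    body = json.dumps(capabilities, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify(message: dict, key: bytes) -> dict:
    """Reject any report whose MAC does not match the received body."""
    expected = hmac.new(key, message["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["mac"]):
        raise ValueError("capability report failed integrity check")
    return json.loads(message["body"])


def run_protected_registration(attacker_present: bool,
                               key: bytes = b"constructed-session-key") -> str:
    """Same exchange, but the report carries a MAC under a key the MitM lacks."""
    message = protect(SAMPLE_CAPABILITIES, key)
    if attacker_present:
        # The attacker can still rewrite the body, but cannot produce a valid MAC.
        forged_body = json.dumps(mitm_downgrade(SAMPLE_CAPABILITIES), sort_keys=True).encode()
        message = {"body": forged_body, "mac": message["mac"]}
    try:
        capabilities = verify(message, key)
    except ValueError:
        return "rejected"
    return network_select_rat(capabilities)


if __name__ == "__main__":
    print("fingerprint seen by a passive catcher:", fingerprint(SAMPLE_CAPABILITIES))
    print("unprotected, no attacker:", run_unprotected_registration(False))
    print("unprotected, MitM present:", run_unprotected_registration(True))
    print("protected, no attacker:", run_protected_registration(False))
    print("protected, MitM present:", run_protected_registration(True))
```

The protected variant assumes the device and network already share a key when the report is sent, which is exactly what is missing at the point in the real registration the researchers exploit; the model shows why integrity protection only helps if the capability exchange happens (or is repeated) after keys exist, and why encryption alone would not stop the fingerprinting if the report were still sent before that point.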