Although hard to believe in the age of cheap IMSI-catchers, “subscriber location privacy” is supposed to be protected by mobile phone protocols. The Authentication and Key Agreement (AKA) protocol provides location privacy for 3G, 4G, and 5G connections, and it’s been broken at a basic enough level that three successive generations of a technology have had some of their secrets laid bare in one fell swoop.
When 3G was developed, long ago now, spoofing cell towers was expensive and difficult enough that the phone’s International Mobile Subscriber Identity (IMSI) was transmitted unencrypted. For 5G a more secure version was adopted: the IMSI is concealed with asymmetric encryption, and a challenge-response protocol uses sequence numbers (SQNs) to prevent replay attacks. This hack against the AKA protocol sidesteps the IMSI, which remains encrypted and secure under 5G, and tracks you using the SQN.
The vulnerability exploits the AKA’s use of XOR to learn something about the SQN by repeating a challenge: the phone’s resynchronisation reply masks its SQN by XORing it with a value derived from the challenge, so replaying the same challenge produces the same mask, and XORing two such replies cancels the mask and reveals how the SQN changed between them. Since the SQN increments each time the phone authenticates, the authors can assume that if they see an SQN higher than a previous one by a reasonable amount when you re-attach to their rogue cell tower, it’s the same phone again. Since SQNs are 48-bit numbers, two unrelated phones are very unlikely to produce values that close together, so the guess is very likely to be correct. What’s more, the change in the SQN reveals something about how much you used your phone while you were away from the evil cell.
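The mask-reuse problem described above, as an added toy model (not code from the article or from the paper it reports on): `f5_star` is an HMAC stand-in for the 3GPP f5* function, the `Sim` class, the message shapes, the key/SQN values and the 16-bit linking threshold are all constructed for illustration. What it shows is the one property that matters: the mask depends only on the long-term key and the replayed challenge, so two masked SQN values taken at different times XOR down to SQN_1 xor SQN_2 without the attacker ever knowing the key.

```python
"""Toy model of the SQN-masking weakness in AKA resynchronisation.

Added example, not code from the article or the paper. f5_star is an HMAC
stand-in for the 3GPP f5* function; the Sim class, message layout and all
sample keys/SQN values are constructed for this demo.
"""
import hashlib
import hmac

SQN_BITS = 48
SQN_MASK = (1 << SQN_BITS) - 1


def f5_star(k: bytes, rand: bytes) -> int:
    """Stand-in for f5*: a 48-bit anonymity key AK* derived from (K, RAND) only.

    The real function is MILENAGE/TUAK. The property modelled here is the one
    the attack needs: AK* is deterministic in K and RAND, with no freshness of
    its own, so the same RAND always yields the same mask.
    """
    digest = hmac.new(k, b"f5*" + rand, hashlib.sha256).digest()
    return int.from_bytes(digest[: SQN_BITS // 8], "big")


class Sim:
    """Minimal USIM: a long-term key K and a 48-bit sequence counter SQN (assumed model)."""

    def __init__(self, k: bytes, sqn: int):
        self.k = k
        self.sqn = sqn & SQN_MASK

    def authenticate(self) -> None:
        """A fresh, successful authentication advances the counter."""
        self.sqn = (self.sqn + 1) & SQN_MASK

    def resync(self, rand: bytes) -> int:
        """Reply to a replayed challenge: the current SQN masked with AK*.

        This is the AUTS payload; the mask is recomputed from the same RAND.
        """
        return self.sqn ^ f5_star(self.k, rand)


def xor_of_sqns(auts_1: int, auts_2: int) -> int:
    """Attacker step: XOR two AUTS values obtained with the same RAND.

    AK* cancels because it depends only on (K, RAND), leaving SQN_1 xor SQN_2.
    No knowledge of K is required.
    """
    return auts_1 ^ auts_2


def looks_like_same_phone(sqn_xor: int, max_changed_bits: int = 16) -> bool:
    """Linking heuristic (assumed threshold).

    A counter that advanced modestly differs from its earlier value only in the
    low-order bits, except when a carry ripples into the high bits; two
    unrelated masked values XOR to an essentially random 48-bit number.
    """
    return sqn_xor < (1 << max_changed_bits)


def demo() -> dict:
    """Rogue-cell scenario with constructed values: victim seen twice, plus a bystander."""
    rand = bytes.fromhex("00112233445566778899aabbccddeeff")  # one sniffed challenge
    victim = Sim(k=b"\x01" * 16, sqn=0x0000_1234_5678)        # constructed test values
    other = Sim(k=b"\x02" * 16, sqn=0x0000_0A5C_3F01)

    auts_first = victim.resync(rand)      # first visit to the rogue cell
    for _ in range(37):                   # victim uses the phone elsewhere meanwhile
        victim.authenticate()
    auts_second = victim.resync(rand)     # second visit, same replayed RAND
    auts_other = other.resync(rand)       # a different handset at the rogue cell

    same = xor_of_sqns(auts_first, auts_second)   # == 0x5678 ^ 0x569D == 229
    diff = xor_of_sqns(auts_first, auts_other)    # masks differ, looks random
    return {
        "same_phone_xor": same,
        "same_phone_linked": looks_like_same_phone(same),
        "other_phone_linked": looks_like_same_phone(diff),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the toy is that freshness lives entirely in the network's RAND; the handset's reply is a deterministic function of that RAND, so whoever can replay it turns the SQN mask into a two-time pad. The low-bits-only heuristic is a simplification of the linking step, not the paper's exact inference.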
A sign of the times, the authors propose that this exploit could be used by repressive governments to track journalists, or by advertisers to better target ads. Which of these two dystopian nightmares is worse is left as comment fodder. Either way, it looks like 5G networks aren’t going to provide the location privacy that they promise.
Via [The Register]
Header image: MOs810 [CC BY-SA 4.0].
Cryptography, security and programming are outside my domain. But I wonder, could this have easily been avoided by salting the incremental value?
They don’t need to be salted, they should be random. Almost any phone has a very good hardware random number generator (the accelerometer), so there is no need to use pseudo-random numbers.
I can see the warning label on a cell phone now…
Shake well before using!
B^)
Good idea, and great comment. :)
+1
Yup, pseudorandom counters are a standard feature of, for example, TPMs.
Many cell phone basebands have actual hardware RNGs for cryptographical purposes. To get entropy in a phone is not so easy when it has just been turned on.
Honestly, a whole universe full of entropy. But can you get some when you need some?
The camera is also a pretty good source of random bits.
I’ve used the background noise on an old optical mouse sensor for random number generation in the past.
Why not make use of that taped up camera.
Seems plausible. Nice idea.
“or by advertisers to better target ads.”
Some companies are abusing google’s tracking to see whether you’ve visited their competitors sites, and adjust their prices accordingly. They’re trying to guess when you’re just about to make the purchase and apply “surge pricing”, or gouge the prices up when they’re most confident that you need to make the purchase now instead of looking further.
Does that mean when I want something from company A cheap, I first have to visit company B’s website and then somehow switch over to company A’s website?
What do you mean by Google tracking? The only tracking I know of is the ‘Referrer URL’.
Can you give examples of companies that change prices this way?
>What do you mean by Google tracking? The only tracking I know of is the ‘Referrer URL’.
Did you never hear of Google Analytics? Their crap is included in almost every (commercial) website. Or some other advertiser company (Google is the biggest, I think)? I use NoScript and Adblock to stop them getting data from my PC.
I’m interested too in names of companies doing the thing described.
Sure, Google knows where you’ve been, but can other websites query Google where YOU have been? (Seems like that’s private data.)
I heard adblock, abp and ghostery are in the pocket of google (bribed or whatever you call it) so I use Disconnect.
Correction, I ditched Disconnect for uBlock Origin.
nano adblocker + nano defender
Run NoScript or some other script-blocking plugin and see how many websites call up code from Google domains. It may surprise you.
Disconnect and uBlock Origin are two different things (I use both).
Burger King actually does this through their app. They give you a coupon for a one cent whopper when you go close enough to a McDonald’s.
I need to get that app, the closest Burger King to me is a bit past a McDonald’s.
I doubt google provides that information to the ad’s owner. I think that is an old internet myth.
google may not provide that information but there are always ways to get that information. Facebook for example loves selling marketers and advertisers information, then there is device fingerprinting, referrer links, cookies and even competitors sharing data.
“I doubt google provides that information”
Hahahahahaha
Google giving out information doesn’t really sit with its business model :D
You mean “don’t be evil”? ’Cause I think they removed that a while back.
Google never hands out information; instead they hold millisecond auctions on categories, profiles and keywords. So say the profile/keywords were “single, working, female, aged 25 to 55, shoes”: there would be a micro-auction on each keyword between multiple advertisers, each with multiple customers, and the one with the highest automated bid within the few milliseconds gets to display the advertisement. If they gain a click-through from the target then more is paid, and the click-through site can also install additional tracking cookies in the target’s browser. The more targeted the advertisement, the higher the cost that would be paid for the right to prominently display an advertisement.
I went to a marketing pitch by multiple social media companies and one company I would describe as a junk mail provider, and it was very interesting to hear each company talk about how their targeting and click-through and actual purchase rates were being monitored and helping to build better profiles and helped find sweet spots where the targets have their wallets/purses fully open and money will be exchanged unless they are pointed at the wrong product or service.
So no they guard all their data very well, imagine having a record of every keyword that each target has ever searched for during their life, and probably a 90% trail of each website that the targets visit (thanks to google analytics being installed by so many sites).
Wow, I’m gonna have to get used to Duck Duck Go. That and install a couple MORE anti-bullshit addons on the browser.
Agree, I’ve seen this flight prices.. logging in from a friends ‘fresh’ machine after performing the searches on my computer revealed the original lower prices. :/
Don’t forget the old Mac vs PC user pricing from a while back.
https://www.cnet.com/news/mac-users-pay-more-than-pc-users-says-orbitz/
“Either way, it looks like 5G networks aren’t going to provide the location privacy that they promise.”
Triangulation.
*trilateration
A cell tower can’t give the angle, but it can give a fairly accurate distance of the target if asked to do so.
With 5G, for all base stations to beamform with their massive MIMO antennas they need to know the location of every phone to within ~1 m (~3 ft) by continuous positioning. It basically allows the same antenna phased array to TX at the exact same time on the exact same frequencies to multiple handsets, sending totally different information to each handset. If you can use the same resource ten times, you have in effect ten times the bandwidth; it is really smart.
To meet the demand for data rates of up to ten gigabits per second two things need to be tracked on all handsets:
A highly accurate time of arrival (ToA) estimation
A highly accurate direction of arrival (DoA) estimation
So 5G NR (New Radio) and privacy really does depend on who you trust with the ability to track all your phone’s movements in real time.
Many 4G base stations have multiple antennas, so angle of arrival is already possible (some proof of concepts have been made). A massive MIMO array will of course work significantly better.
Doesn’t really matter, a simple distance measurement from a few nearby towers is good enough. There’s so many towers now, so plenty of information. AFAIK you could locate phones by time-of-arrival all the way back to 2G.
If you add in angle as well, you’d be able to ditch your computer mouse and use your phone instead. The network will know where it is to the nearest millimetre.
Funnily enough, this is actually no longer true with 5G. It could be triangulation, since 5G service is a directional signal, not an area signal.
We’re talking about a spoofed tower here, not a normal one. If you built it cleverly, a stingray type device with multiple phased antennas could certainly provide an angle passive radar-style, or even with a rotating directional antenna if you wanted to do it the old-fashioned way and save a buck on equipment costs.
If only Huawei would save us…
Has it ever been proved that they load their kit with spyware?
You mean other than the default requirement for legal intercept.
Which can be subverted even if not enabled, by illegal actions. https://en.wikipedia.org/wiki/Greek_wiretapping_case_2004%E2%80%932005
As opposed to…?
The only difference is whose spyware is loaded in there. Not that I approve either way.
It is a legal requirement, you actually can not sell certain types of equipment in most countries without the government having the option to legally tap (evidence->judge->warrant). I’m not talking about bulk collection à la NSA/GCHQ/…, I’m talking about targeted interception of a handful of people.
>>A sign of the times, the authors propose that this exploit could be used by repressive governments to track journalists, or by advertisers to better target ads
Is there a significant difference these days? FB sells your data to governments foreign to yours while building surveillance programs for repressive regimes (as does Google) , Amazon has government contracts.
Yeah. I think our American habit of trusting private industry while simultaneously being extremely wary of state powers doing the exact same thing is a huge self-imposed blind spot which is going to smack us someday soon. We have companies nowadays which really are more like medium-sized nonlocal governments than a business. And they aren’t really beholden to any elections, and are barely beholden to public opinion.
God, we are so living in a bad cyberpunk novel. I believe I was promised better drugs. Where’s the drugs?
Sasha Shulgin did his best.
There was a series on SyFy called “Incorporated” that pushes that thought to the max. You might enjoy it. Pretty much, it’s about what would happen if corporations had sovereignty and no government oversight/regulations.
Where’s the drugs? Just stare at the opening bitmap in this post. Luckily, I didn’t have enough experience coding for it to affect me. Or maybe it takes longer to work than in the novel.
It’s a trap!!!
So you chat at home about going to buy a widget. Alexa was listening. You hop in your car to go to the shop. You tell your phone to give directions to the shop. An opposition company receives this info, decides you will be buying, checks the opponents price, sends an SMS to your phone that their widget is on special at a price you are about to pay, and also hijacks your phone to direct you to their shop without your knowledge.
Far fetched. Nope :(
Would be awesome if the grocery store would predict what I need to buy. I never know what I want to eat (except when my sister cooks :P).
I searched for RV dump stations on my Android phone. Now they magically show up in Google maps whenever I’m near one, without searching for them.
I commonly save about 15% off the highway prices on diesel fuel with Gasbuddy. That’s about $40 saved and it costs me nothing other than sharing my location.
It’s just a matter of how much privacy are you willing to trade for convenience.
So far, convenience is winning.
I have instructed my son not to do his searches using my account though. I’ve seen enough Pokemon and Minecraft spam to last a lifetime at this point.
>”It’s just a matter of how much privacy are you willing to trade for convenience.”
The issue is that different people make different compromises, and the aggregate information reveals enough about their behavior that prediction becomes possible with surprisingly little data.
For example, a credit card company has a data leak and releases “anonymized” data about purchases. 99% of the people in the database can be individualized by having three random shop receipts that are known to belong to that person. Having no access to the actual receipts, one can still make pretty good guesses by knowing what information you just searched for and which shop you drove to afterwards.
Lower the price on diesel and you wouldn’t have to share.