5G Cellphone’s Location Privacy Broken Before It’s Even Implemented

Although hard to believe in the age of cheap IMSI-catchers, “subscriber location privacy” is supposed to be protected by mobile phone protocols. The Authentication and Key Agreement (AKA) protocol provides location privacy for 3G, 4G, and 5G connections, and it’s been broken at a basic enough level that three successive generations of a technology have had some of their secrets laid bare in one fell swoop.

When 3G was developed, long ago now, spoofing cell towers was expensive and difficult enough that the phone’s International Mobile Subscriber Identity (IMSI) was transmitted unencrypted. For 5G, a more secure version based on a asymmetric encryption and a challenge-reponse protocol that uses sequential numbers (SQNs) to prevent replay attacks. This hack against the AKA protocol sidesteps the IMSI, which remains encrypted and secure under 5G, and tracks you using the SQN.

The vulnerability exploits the AKA’s use of XOR to learn something about the SQN by repeating a challenge. Since the SQNs increment by one each time you use the phone, the authors can assume that if they see an SQN higher than a previous one by a reasonable number when you re-attach to their rogue cell tower, that it’s the same phone again. Since the SQNs are 48-bit numbers, their guess is very likely to be correct. What’s more, the difference in the SQN will reveal something about your phone usage while you’re away from the evil cell.

A sign of the times, the authors propose that this exploit could be used by repressive governments to track journalists, or by advertisers to better target ads. Which of these two dystopian nightmares is worse is left as comment fodder. Either way, it looks like 5G networks aren’t going to provide the location privacy that they promise.

Via [The Register]

Header image: MOs810 [CC BY-SA 4.0].

51 thoughts on “5G Cellphone’s Location Privacy Broken Before It’s Even Implemented

    1. They don’t need to be salted, they should be random. Almost any phone have a very good hardware random number generator (the accelerometer), so no need to use pseudo random numbers.

  1. “or by advertisers to better target ads.”

    Some companies are abusing google’s tracking to see whether you’ve visited their competitors sites, and adjust their prices accordingly. They’re trying to guess when you’re just about to make the purchase and apply “surge pricing”, or gouge the prices up when they’re most confident that you need to make the purchase now instead of looking further.

    1. Does that mean when I want something from company A cheap, I first have to visit company B’s website and then somehow switch over to company A’s website?

      What do you mean with google tracking? The only tracking I know of is the ‘Referrer URL’.

      Can you give examples of companies that change prices this way?

      1. >What do you mean with google tracking? The only tracking I know of is the ‘Referrer URL’.
        Did you never heard of Google Analytics? Their crap is included in almost every (commercial) website. Or some other advertiser-company (Google is the biggest i think)? I use NoScript and Adblock to stop them getting data from my PC.

        I’m interested too in names of companies doing the thing described.

        1. Sure, google knows where you’ve been but can other websites query google where YOU have been? (seems like that’s provate data).

          I heard adblock, abp and ghostery are in the pocket of google (bribed or whatever you call it) so I use Disconnect.

      1. google may not provide that information but there are always ways to get that information. Facebook for example loves selling marketers and advertisers information, then there is device fingerprinting, referrer links, cookies and even competitors sharing data.

      2. Google never hand out information instead they hold millisecond auctions on categories, profiles and keywords. So say they profile/keywords were “single, working, female, aged 25 to 55, shoes” there would be an micro auction on each keyword between multiple advertisers each with multiple customers and the one with the highest automated bid within the few millisecond get to display the advertisement. If they gain a click through from the target then more is paid and the click through site can also install additional tracking cookies in the targets browser. The more targeted the advertisement the higher the cost that would be paid for the right to prominently display an advertisement.

        I went to a marketing pitch by multiple social media companies and one company I would describe as a junk mail provider, and it was very interesting to hear each company talk about how their targeting and click-through and actual purchase rates were being monitored and helping to build better profiles and helped find sweet spots where the targets have their wallets/purses fully open and money will be exchanged unless they are pointed at the wrong product or service.

        So no they guard all their data very well, imagine having a record of every keyword that each target has ever searched for during their life, and probably a 90% trail of each website that the targets visit (thanks to google analytics being installed by so many sites).

      1. With 5G for all base stations to beamform with their massive MIMO antennas they need to know the location of the every phone to within a ~1m (~3′) by continuous positioning. It basically allows the same antenna phased array to TX at the exact same time on the exact same frequencies to multiple handsets, sending totally different information to each handset. If you can use the same resource ten times, you have in effect ten times the bandwidth, it is really smart.

        To meet the demand for data rates of up to ten gigabits per second two things need to be tracked on all handsets:
        A highly accurate time of arrival (ToA) estimation
        A highly accurate direction of arrival (DoA) estimation

        So 5G NR (New Radio) and privacy really does depend on who you trust with the ability to track all your phones movements in real time.

        1. Many 4G base stations have multiple antennas, so angle of arrival is already possible (some proof of concepts have been made). A massive MIMO array will of course work significantly better.

          1. Doesn’t really matter, a simple distance measurement from a few nearby towers is good enough. There’s so many towers now, so plenty of information. AFAIK you could locate phones by time-of-arrival all the way back to 2G.

            If you add in angle as well, you’d be able to ditch your computer mouse and use your phone instead. The network will know where it is to the nearest millimetre.

      2. We’re talking about a spoofed tower here, not a normal one. If you built it cleverly, a stingray type device with multiple phased antennas could certainly provide an angle passive radar-style, or even with a rotating directional antenna if you wanted to do it the old-fashioned way and save a buck on equipment costs.

        1. It is a legal requirement, you actually can not sell certain types of equipment in most countries without the government having the option to legally tap (evidence->judge->warrant). I’m not talking about bulk collection à la NSA/GCHQ/…, I’m talking about targeted interception of a handful of people.

  2. >>A sign of the times, the authors propose that this exploit could be used by repressive governments to track journalists, or by advertisers to better target ads

    Is there a significant difference these days? FB sells your data to governments foreign to yours while building surveillance programs for repressive regimes (as does Google) , Amazon has government contracts.

    1. Yeah. I think our American habit of trusting private industry while simultaneously being extremely wary of state powers doing the exact same thing is a huge self-imposed blind spot which is going to smack us someday soon. We have companies nowadays which really are more like medium-sized nonlocal governments than a business. And they aren’t really beholden to any elections, and are barely beholden to public opinion.

      God, we are so living in a bad cyberpunk novel. I believe I was promised better drugs. Where’s the drugs?

      1. There was a series on SyFy called “Incorporated” that pushes that thought to the max. You might enjoy it. Pretty much, it’s about what would happen if corporations had sovereignty and no government oversite/regulations.

  3. So you chat at home about going to buy a widget. Alexa was listening. You hop in your car to go to the shop. You tell your phone to give directions to the shop. An opposition company receives this info, decides you will be buying, checks the opponents price, sends an SMS to your phone that their widget is on special at a price you are about to pay, and also hijacks your phone to direct you to their shop without your knowledge.
    Far fetched. Nope :(

    1. I searched for RV dump stations on my Android phone. Now they magically show up in Google maps whenever I’m near one, without searching for them.
      I commonly save about 15% off the highway prices on diesel fuel with Gasbuddy. That’s about $40 saved and it costs me nothing other than sharing my location.

      It’s just a matter of how much privacy are you willing to trade for convenience.
      So far, convenience is winning.

      I have instructed my son not to do his searches using my account though. I’ve seen enough Pokemon and Minecraft spam to last a lifetime at this point.

      1. >”It’s just a matter of how much privacy are you willing to trade for convenience.”

        The issue is that different people make different compromises, and the aggregate information reveals enough about their behavior that prediction becomes possible with surprisingly little data.

        For example, a credit card company has a data leak and releases “anonymized” data about purchases. 99% of the people in the database can be individualized by having three random shop receipts that are known to belong to that person. Having no access to the actual receipts, one can still make pretty good guesses by knowing what information you just searched for and which shop you drove to afterwards.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.