Security flaws in 4G and 5G enable attackers to track phone locations and send fake messages

Vulnerabilities affect all four major mobile carriers in the USA

Researchers at Iowa and Purdue Universities in the USA have uncovered three new security vulnerabilities in 4G and 5G mobile networks, which enable hackers to track the location of users and send them fake messages.

The team also claims that one of these three vulnerabilities affects all four major mobile carriers in the USA - AT&T, Sprint, T-Mobile and Verizon - as well as other major mobile networks in Europe and Asia.

This is the first time that researchers have found weaknesses affecting both 4G and upcoming 5G mobile networks.

"Any person with a little knowledge of cellular paging protocols can carry out this attack," Syed Rafiul Hussain, one of the co-authors of the paper, told TechCrunch.

The flaws enable attackers to gain access to a user's phone with just their Twitter name or phone number.

Once attackers identify the phone, they can send messages that appear to come from a genuine contact or mobile company. After exploiting the vulnerabilities, hackers can also intercept incoming calls.

Using the first flaw, dubbed Torpedo (the full name for which looks like something a kidnapper would make using yesterday's newspaper: TRacking via Paging mEssage DistributiOn), attackers can track smartphone locations. It is a weakness in the paging protocol, which the network uses to notify a phone before a text message or call comes through. The attacker can exploit the Torpedo flaw using a piece of equipment costing just $200.

With Torpedo, an attacker can verify whether a victim's phone is present in a geographical cell with fewer than 10 calls.

"In the process, the attacker learns exactly when a device wakes up to check for paging messages and 7 bits of information of the device's International Mobile Subscriber Identity (IMSI)," the researchers revealed in the study paper.

Torpedo also enables hackers to exploit two other weaknesses: Piercer and IMSI-Cracking.

Piercer enables hackers to determine the IMSI on the 4G network, while attackers can use IMSI-Cracking to brute-force an IMSI number in networks.

The researchers have shared all details of the flaws with mobile carriers as well as the GSMA (GSM Association), the industry body that represents mobile operators. The GSMA will need to fix the Torpedo and IMSI-Cracking flaws; fixing Piercer depends entirely on mobile carriers.

Fixing Torpedo should be a priority for the GSMA as it acts as a precursor to the other two flaws.