
3G flaw makes any device vulnerable to tracking

A flaw in the way some aspects of the 3G protocol are implemented could result in a third-party attacker being able to precisely track the location of any 3G-enabled device.
Written by Ben Woods, Contributor

Flaws in the protocol logic that 3G-enabled mobile phones and other devices follow mean that a third party could track a device at any time, according to security researchers.

Researchers from the University of Birmingham, who were later joined in the research by a team from the Technical University of Berlin, said that standard off-the-shelf equipment, such as femtocells, could be used to exploit the flaw, allowing the physical location of devices to be revealed.

Researchers have warned of a flaw in the way 3G devices deal with the protocol underlying 3G networks.

Any device would be vulnerable, they said, as the problems are hard-wired into the design of the 3G system itself. 

"The attacker does not need to know any keys, nor perform any cryptographic operation... [These] kind of vulnerabilities usually look trivial once uncovered but often remain unnoticed for [a] long time, since they do not involve fancy cryptography but are caused by errors in the protocol logic," the researchers wrote in the paper (PDF).

This protocol logic governs how devices and networks handle requests and exchange information, so the problem is not with one particular operator or handset but with the standards that 3G is built on.


The 3G standard specifies that it should provide user identity confidentiality preventing the user's permanent identity (International Mobile Subscriber Identity - IMSI) from being revealed.


To help obscure the real identity on the network, temporary identities (Temporary Mobile Subscriber Identity - TMSI) are assigned to devices and regularly changed. 3G networks should also make it impossible for a user to be traced even if an intruder is eavesdropping on the radio link.

However, the researchers found that both of these requirements, which have been shown to be weak before, can be circumvented reasonably easily.

The researchers say that by spoofing an IMSI paging request, an individual device can be pinpointed. A paging request is used by mobile networks to locate a device and deliver service to it. Normally the network pages a device by its temporary identity, but the standard also allows paging by the permanent identity (IMSI) when no valid TMSI is available, and a device will answer such a page. Because the attacker only needs to send a message, not to know any key, a rogue base station can page any IMSI it chooses.

"The possibility of triggering a paging request for a specific IMSI allows an attacker to check a specific area for the presence of mobile stations of whom he knows the identity, and to correlate their IMSI and TMSI," the researchers say.

Session keys

Another vulnerability, the researchers said, lay in the Authentication and Key Agreement (AKA) protocol, which is used to provide authentication between a device and a network by providing secure shared session keys.

AKA relies on a "secret long-term key" (K IMSI) shared between the subscriber's USIM and the home network, and the attack does not recover it. Instead, the attacker sniffs a genuine authentication request sent to the target and later replays it to all devices within a certain area. Every device checks the request with its own key: a device other than the target fails the integrity check and reports a MAC failure, while the target passes that check but rejects the stale sequence number and reports a synchronisation failure. The different error messages single out the target, which again can be used to track location.

"The captured authentication request can now be replayed by the adversary each time he wants to check the presence of [the device] in a particular area. In fact, thanks to the error messages, the adversary can distinguish any mobile station from the one the authentication request was originally sent to," the researchers wrote.
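The exchange described above, as an added example that is not the researchers' code: a toy model of 3G AKA in which the real f1/f2/f5 functions (Milenage on a real USIM) are replaced by HMAC-SHA256 stand-ins, the sequence-number check is simplified to "strictly greater than the last accepted value" rather than the windowed check a real USIM uses, and the keys and subscriber labels are constructed for the demonstration. What it shows is the oracle the attack depends on: a replayed (RAND, AUTN) pair draws a MAC failure from every handset except the one it was originally issued to, which answers with a synchronisation failure.

```python
import hashlib
import hmac
import os

# Replies a mobile station (MS) can give to an authentication request.
MAC_FAILURE = "MAC_FAILURE"    # AUTN's MAC does not verify under this MS's key
SYNC_FAILURE = "SYNC_FAILURE"  # MAC verifies, but the sequence number is stale


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Stand-ins for 3GPP f1/f2/f5 (assumption: HMAC-SHA256 instead of Milenage).
def f1(k: bytes, rand: bytes, sqn: bytes, amf: bytes) -> bytes:   # 64-bit MAC-A
    return hmac.new(k, b"f1" + rand + sqn + amf, hashlib.sha256).digest()[:8]


def f2(k: bytes, rand: bytes) -> bytes:                           # RES
    return hmac.new(k, b"f2" + rand, hashlib.sha256).digest()[:8]


def f5(k: bytes, rand: bytes) -> bytes:                           # 48-bit AK
    return hmac.new(k, b"f5" + rand, hashlib.sha256).digest()[:6]


class HomeNetwork:
    """Holds each subscriber's long-term key K and sequence number SQN."""

    def __init__(self):
        self.subscribers = {}  # IMSI -> [K, SQN]

    def register(self, imsi: str, k: bytes) -> None:
        self.subscribers[imsi] = [k, 0]

    def auth_vector(self, imsi: str):
        """Build (RAND, AUTN) for one AKA run with the given subscriber."""
        entry = self.subscribers[imsi]
        entry[1] += 1
        k, sqn = entry[0], entry[1].to_bytes(6, "big")
        rand = os.urandom(16)
        amf = b"\x80\x00"
        autn = _xor(sqn, f5(k, rand)) + amf + f1(k, rand, sqn, amf)
        return rand, autn


class MobileStation:
    def __init__(self, label: str, k: bytes):
        self.label = label   # demo bookkeeping only; never sent over the air
        self.k = k
        self.sqn = 0         # highest sequence number accepted so far

    def authenticate(self, rand: bytes, autn: bytes):
        sqn_ak, amf, mac = autn[:6], autn[6:8], autn[8:]
        sqn = _xor(sqn_ak, f5(self.k, rand))
        # Step 1: integrity check. Wrong key -> wrong AK -> wrong MAC.
        if not hmac.compare_digest(f1(self.k, rand, sqn, amf), mac):
            return MAC_FAILURE
        # Step 2: freshness check. A replayed request carries an old SQN.
        if int.from_bytes(sqn, "big") <= self.sqn:
            return SYNC_FAILURE
        self.sqn = int.from_bytes(sqn, "big")
        return f2(self.k, rand)


def replay_probe(captured, stations):
    """Attacker replays a captured (RAND, AUTN) to every MS in range and
    records each reply; only the original recipient answers SYNC_FAILURE."""
    rand, autn = captured
    return {ms.label: ms.authenticate(rand, autn) for ms in stations}


def run_scenario():
    # Constructed keys; real K values live only in the USIM and the HLR/AuC.
    keys = {name: hashlib.sha256(b"demo-key-" + name.encode()).digest()[:16]
            for name in ("alice", "bob", "carol")}
    hn = HomeNetwork()
    for name, k in keys.items():
        hn.register(name, k)
    alice, bob, carol = (MobileStation(n, keys[n]) for n in ("alice", "bob", "carol"))

    # 1. Genuine AKA run with Alice; a passive attacker records RAND and AUTN.
    captured = hn.auth_vector("alice")
    genuine = alice.authenticate(*captured)   # RES: Alice accepts, SQN advances

    # 2. Later, in some area, the attacker replays the same request to every phone.
    replies = replay_probe(captured, [bob, carol, alice])
    present = [label for label, r in replies.items() if r == SYNC_FAILURE]
    return genuine, replies, present


if __name__ == "__main__":
    _, replies, present = run_scenario()
    for label, reply in replies.items():
        print(f"{label}: {reply}")
    print("target present:", present)
```

The distinguishing signal is the error type, not a key: the attacker never computes f1 itself, it only forwards a message the legitimate network already built. Note that the probe is not harmless to the target either; a real USIM answering a synchronisation failure also triggers a resynchronisation with the home network.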

The researchers tested the theories on a range of networks (Vodafone, SFR, O2, and T-Mobile) but said they would work on any network that adheres to the 3GPP industry body's "widely-deployed" 3G protocol.

Exploiting either of these vulnerabilities would only require some off-the-shelf equipment, such as femtocells, which may or may not need to be rooted, and some level of technical knowledge. It is not inconceivable that hacking tools automating the attacks could appear in the future, making it possible for almost anyone to spy on your whereabouts.

However, the researchers said there are ways to mitigate the attacks, based around symmetric and public key-based cryptography.
