Law enforcement in the United States, international spies, and criminals have all used (and abused) the surveillance tools known as “stingrays” for more than a decade. The devices can track people’s locations and even eavesdrop on their calls, all thanks to weaknesses in the cellular network. Today, researchers are detailing a way to stop them—if only telecoms would listen.
Stingrays derive their power by pretending to be cell towers, tricking nearby devices into connecting to them instead of the real thing. The same vulnerabilities that enable that behavior could also be used to, say, spoof emergency alerts on a large scale. At the USENIX Enigma security conference in San Francisco on Monday, research engineer Yomna Nasser will detail those fundamental flaws and suggest how they could finally get fixed.
“The point of my talk is to try and explain the root cause behind all these types of attacks, which is basically the lack of authentication when phones are first trying to find a tower to connect to,” Nasser says. “If something looks like a cell tower, they will connect; that’s just a consequence of how cell network technology was designed decades ago. And it’s really hard to redesign things to do security really well—the lack of authentication problem still exists in 5G.”
Cell phones get service by connecting to a nearby cell tower; as you move, your phone hands off to other towers as needed. This process of establishing a connection with a tower, often called “bootstrapping,” is easy when you’re walking; your phone has plenty of time to realize it needs to find a new tower and connect. It’s harder but still feasible when you’re driving or in a bullet train. Think of the towers as lighthouses, broadcasting their existence at set time intervals and frequencies for any data-enabled device in range to pick up.
Those pings are called “system information broadcast messages,” or pre-authentication messages. They help to quickly establish a connection between a base station and a device before the two know much about each other or have authenticated themselves in any significant way. Maintaining that continuity of service doesn’t allow much time or bandwidth for pleasantries. But that casual introduction also creates risk. Without confirming that a cell tower is genuine, devices could wind up connecting to any rogue base station that’s set up to broadcast system information messages. Like a stingray.
Newer wireless standards like 4G and 5G have defenses built in that make it harder for attackers to get useful information when they trick devices. But these protections can’t totally solve the rogue base station problem, because smartphones still rely on legacy cell networks for the “bootstrapping” initial connection phase, as well as to initiate and end calls. Plus, as long as telecoms support older, less secure data networks like GSM and 3G, snoops can still perform downgrading attacks to push target devices onto older, vulnerable networks.
“The cellular network creates the connection, maintains the signal, and disconnects the connection,” says Syed Rafiul Hussain, a mobile network security researcher at Purdue University in Indiana. “To add authentication you have to add a few extra bytes, a little more data, in your bootstrapping and that would cost network operators more. Plus, older devices don’t have the capabilities of newer ones to handle this extra load. So backward compatibility is also a factor.”
The telecom and tech industries could overcome these challenges if they decided to prioritize a fix. That’s a big if. Nasser points to a solution that would function a lot like HTTPS web encryption, allowing phones to quickly check cell tower “certificates” to prove their legitimacy before establishing a secure connection. Last year, Hussain and colleagues from Purdue and the University of Iowa developed and proposed such an authentication scheme for the bootstrapping process in 5G.