Flaws Allow Every 3G Device To Be Tracked

mask.of.sanity writes "New privacy threats have been uncovered by security researchers that could allow every device operating on 3G networks to be tracked. The vulnerabilities could be exploited with cheap commercial off-the-shelf technology to reveal the location of phones and other 3G-capable devices operating on all 3G compliant networks. It was similar, but different, to previous research that demonstrated how attackers could redirect a victim's outgoing traffic to different networks."

Makes me wonder

[Chrisq]

Did the 3G equipment come from Huwei or ztc?

Re:Makes me wonder

Did the 3G equipment come from Huwei or ztc?

No, but that is a rather amusing post, I lol'd.

On a more serious note, the summary and article make it sound worse than it is. Here's what they are doing:

"The attacks were made by intercepting, altering and injecting 3G Layer-3 messages into communication between the base station and mobile phones in both directions."

So to be clear, it won't allow you to just track any 3G device any time you want. It's a MITM attack which requires you to physically intercept and spoof a cell signal using the 3G standard... assuming the network fully complies with 3G and doesn't have it's own signalling or other security added on.

Re:Makes me wonder

[msauve]

Actually, if they were CDMA phones from Huwei or ZTE (ztc?), they apparently wouldn't be subject to the "flaw" mentioned. The article blithely uses "3G" to refer exclusively to UMTS, no mention whatsoever of CDMA2000. Of course, "every 3G device" is not on a UMTS network.

"Flaw" allows us to be tracked.

[mosb1000]

I'm pretty sure the word flaw should be in quotation marks in this context.

Re:"Flaw" allows us to be tracked.

Indeed - it requires malevolent base stations to be deployed and even then only determines the presence of particular 3G devices in the area.

They were obviously straining for an example when discussing an employed deploying such stations to track employee movements in a building; door pass access is somewhat easier to track...

In general though I'm resigned to the fact that the telco underlying my MVNO knows my location when I am connected and will happily relay this to the "authorities" with minimal encouragement, so this new attack doesn't seem particularly startling; now someone else other than the telco can know this. Whoppeee.

Re:"Flaw" allows us to be tracked.

[mabhatter654]

If the mob is tracking you, you have bigger problems than "privacy"

Re:"Flaw" allows us to be tracked.

[mabhatter654]

I don't see how you think any ACTIVE radio transmitter can't be tracked? By definition, phones connect to towers and that gets logged for network purposes. All these people are doing is adding their own radio to the mix, which your phone happily pings to see if ithat "tower" useful. That's the whole definition of a network and "cellular" communication.

Next thing you know, they'll be telling me my IP address is in EVERY packet I send and receive on the Internet!!!!

Re:"Flaw" allows us to be tracked.

[flappinbooger]

Next thing you know, they'll be telling me my IP address is in EVERY packet I send and receive on the Internet!!!!

What? What? That is outrageous! This needs to be front page news! I will not tolerate such privacy violations!

Re:"Flaw" allows us to be tracked.

[wonkey_monkey]

No, it's okay because everyone has the same IP address - 127.0.0.1.

Re:"Flaw" allows us to be tracked.

[flappinbooger]

No, it's okay because everyone has the same IP address - 127.0.0.1.

Phew. That's a relief.

Re:"Flaw" allows us to be tracked.

[JustOK]

mines ::1

Re:"Flaw" allows us to be tracked.

[mabhatter654]

That singles you out as one of those IPV6 hipster kiddos!

Intentional

[aaaaaaargh!]

I believe these kinds of flaws are intentional. Just think about the early cell phone encryption standards, who were completely insecure despite having been designed by teams who should have known better.

Governments and government-near task forces and interest groups have no incentive to make communication devices for the general population secure.

Re:Intentional

[umghhh]

they do not have to - in majority of jurisdictions where such networks operate there are laws in place that force operators to:

• be able know where a mobile device is
• to intercept all standard mobile communications i.e. calls and texting

I believe in US this is called Lawful Interception.

Re:Intentional

[MrZilla]

Yes, an obscure error message that can be used to differentiate one UE from another, if you have already used a compromised base station to sniff earlier sessions, and which will give you an indication if that UE is in the area of your transmitter or not sounds just like the sort of nefarious flaw that the Men in Black Illuminati would work into an international standard to spy on the tinfoil community.

As a comment above already mentioned, the operator knows where you are, with a lot more precision than this attack gives, and most of them will happily share this data with the authorities, especially if a judge has OK'd it. This will, by the way, also give you voice and text intercepts, should you need them.

Re:Intentional

[aaaaaaargh!]

You and the other poster are comparing apples with bananas.

If intentional flaws indeed have been inserted into communications technology, then certainly for complementing lawful interception with means for unlawful interception rather than as a substitute. You need to take into account that many government agencies are explicitly allowed (by the laws of their country) to spy on foreign residents in foreign countries, and only under rare circumstances will these be able to ask local authorities for help and judicial permission.

Re:Intentional

[zippthorne]

Ah.. but spying on foreign residents in foreign countries is almost always an offense with a maximum penalty of death in the target country....

Re:Intentional

[MrZilla]

Well, I grouped you in with the crowd that seem to think governments only spy on their own citizens.

But I still feel that this method of tracking gives too little data for the effort needed to execute it. Not to mention sneaking it in to a 3GPP standard with this express intent. Not saying that it's impossible, but it does seem far fetched.

Not thatbad

Acctually from the article "This would reveal the presence of devices in a monitored area, breaking anonymity and ‘unlinkability’ by revealing the IMSI and TMSI correlation." And by moitored area they mean area with specific hardware installed. So you have to be a spy or something to be afraid of such tracking.

Re:Not thatbad

Bullshit. The police can set one up near any protest, make life hell for everybody who showed up, even if the protesters weren't breaking the law. It's been done before, why trust this time?

Re:Not thatbad

[MrZilla]

Sure. If they know the IMSI of the mobiles that the protesters are using in advanced. This attack gives the TMSI of the device, which is a temporary identifier, and will change when the mobile roams outside of the current location area.

Then they need to set up compromised base stations all over the city if they want to track this protester, and I am sure that there are easier ways to go about that.

You know...

[GeekWithAKnife]

Richard Stallman, often considered a nutcase, once said that he won't use a cell phone because he does not want to be tracked.

Whether by design, by accident or by the nature of the device, the fact is you can be tracked. Of course I don't care about that, because I have nothing to hide...then again what will this information be/is used for? big brother stuff, of course not!? Naturally, it's all just a big misunderstanding.

I'm safe!

[Cruciform]

Good luck tracking me! I'm served by Bell Aliant. I can lose service anywhere they offer coverage!
And they charge me a reasonably high fee for this knd of security.
Thanks Bell!

Re:I'm safe!

[clickclickdrone]

And they charge me a reasonably high fee for this knd of security.

"Reassuringly expensive" is the phrase you're looking for.

Shocked and appalled at 3G smartphone insecurity

[cvtan]

I'm going to keep using Windows so I know I'm safe.

That'll make'm buy newer phones!

[erroneus]

Lately, I have seen a decrease in smartphone fever. Okay, maybe not "lately" -- it has been decreasing for a long time actually. People are less excited about new gadgets and spending that money when they know another new thing is coming along soon. Even the demand for iPhone 5 seems to have dropped where I am... I have a good number of iPhone users where I work but they have been moving to droid and even a couple back to flip phones. I have seen exactly zero iPhone5 phones where I work or anywhere in the wild.

I think people are realizing what "good enough" means and that spending the $100-$300 more doesn't buy them a whole lot more. Also, simple and reliable seem to be features many people are interested having again.

But the phone companies have invested a lot of money in FCC costs, marketing and especially in ruining perfectly good smart phones with their bloatware and hacked ROMs that remove features they hope to sell back to customers at a premium. People are losing interest. I know *I* am losing interest... not completely... I'm still looking to get an unlocked, unbranded GalaxyS3 for my next phone and ditching the carrier's plans. Prepaid is the way to go for me. I will save TONS of money when my contract is up.

As Designed

[ThatsNotPudding]

Probably in an NSA spec book somewhere.

Re:As Designed

[HarrySquatter]

Why? They can just ask for the far more precise location data straight from the telecoms who are more than willing to give it up.

From bash.org:

[jensend]

<gmaxwell> 1960: "I have a great idea! lets have every person in the country carry a radio tracking beacon!" "That'll never fly!" 2012: "I can has TWO iphones??"

Aint a bug,

[Pirulo]

It's a feature

So what about AT&T?

[MobileTatsu-NJG]

So does this include my 3G AT&T phone that shows an icon claiming it's 4G?