Security gaps in the 5G mobile communication standard uncovered

In order to guarantee security, key factors must be considered: the device and network must be able to authenticate each other, and the confidentiality of the data exchange and the privacy of the user concerning identity and location must be guaranteed.

Since the introduction of the 3G standard, this has been implemented through a protocol known as Authentication and Key Agreement (AKA). The 3rd Generation Partnership Project (3GPP) is responsible for the specifications of this protocol, and for those of the newest standard, 5G AKA.

With the aid of the security protocol verification tool Tamarin, an ETH research team systematically examined the 5G AKA protocol, taking the specified security aims into account.

According to ETH, Tamarin has been developed and improved in this research group over the last eight years and is one of the most effective tools for analysing cryptographic protocols. The tool automatically identifies the minimum security assumptions required in order to achieve the security objectives set by 3GPP. “It showed that the standard is insufficient to achieve all the critical security aims of the 5G AKA protocol,” says senior scientist and co-author Ralf Sasse. “It is therefore possible for a poor implementation of the current standard to result in users being charged for the mobile phone usage of a third party.”

As the team determined, data protection will be improved significantly with the new protocol in comparison with 3G and 4G technologies. In addition, 3GPP succeeded in closing a gap with the new standard that had previously been exploited by IMSI catchers. With these devices, the International Mobile Subscriber Identity (IMSI) of a mobile phone card can be read to determine the location of a mobile device.

To achieve this, the device masquerades as a radio station so that the mobile phone does not detect it. “This gap is closed with the 5G AKA. However, we have determined that the protocol permits other types of traceability attacks,” explains senior scientist and co-author Lucca Hirschi.

In these attacks, the mobile phone does not send the user’s full identity to the tracking device, but still indicates the phone’s presence in the immediate vicinity. “We assume that more sophisticated tracking devices could also be dangerous for 5G users in the future,” adds Hirschi. If the new mobile communication technology is introduced with these specifications, it may lead to numerous cyberattacks.

The team says it is in contact with 3GPP in order to jointly implement improvements in the 5G AKA protocol.