For more than ten years, law enforcement in the United States, international spies and criminals have been using (and abusing) the surveillance tools known as ‘stingrays’. The devices can track people’s locations and even listen in on their conversations, all thanks to weaknesses in the mobile network. Today, researchers describe a way to stop them – if only the telecoms would listen.

Stingrays derive their power from pretending to be cell towers, deceiving nearby devices into connecting to them instead of the real thing. The same vulnerabilities that make this possible can also be used, for example, to send fake large-scale emergency alerts. At the USENIX Enigma security conference in San Francisco on Monday, research engineer Yomna Nasser will describe those fundamental shortcomings in detail and suggest how they can finally be resolved.

“The purpose of my speech is to explain the cause of all these attacks, which is basically the lack of authentication when phones first try to find a tower to connect to,” says Nasser. “If something looks like a cell tower, they’ll connect; that’s just a result of the way cell network technology was designed decades ago. And it’s really hard to redesign things to do security really well – the lack of authentication issue still exists in 5G.”

“It has been many, many years, even decades, and we still have the same problems.”

Roger Piqueras Jover, Bloomberg LP

Mobile phones receive service by connecting to a nearby tower; as you move, your phone switches to other towers as needed. This process of connecting to a tower, often called “bootstrapping,” is easy when you are walking: your phone has plenty of time to realize that it must find a new tower and connect. It is harder, but still achievable, while driving or riding a bullet train. Think of the towers as lighthouses that broadcast their existence at set time intervals and on set frequencies, for any device within range to pick up.

Those pings are called “system information broadcast messages,” or pre-authentication messages. They let a base station and a device quickly establish a connection before the two know much about each other or have verified each other in any meaningful way. Maintaining continuity of service does not allow much time or bandwidth for courtesies. But this informal introduction also carries risks. Without confirming that a cell tower is real, a device can end up connecting to a fraudulent base station set up to broadcast system information messages. Like a stingray.

Newer wireless standards such as 4G and 5G have built-in defenses that make it harder for attackers to extract useful information once they have misled a device. But these protections cannot completely resolve the rogue base station problem, because smartphones still rely on older mobile networks for the “bootstrapping” initial-connection phase, as well as for initiating and ending calls. And as long as telecoms support older, less secure networks such as GSM and 3G, snoops can still perform downgrade attacks that push target devices onto those older, vulnerable networks.

“The mobile network makes the connection, maintains the signal and disconnects,” says Syed Rafiul Hussain, a mobile network security researcher at Purdue University in Indiana. “To add authentication, you need to add a few extra bytes, a little more data, in your bootstrapping and that would cost network operators more. Plus, older devices don’t have the capabilities of newer ones to handle this extra load. So backwards compatibility is also a factor.”

The telecom and technology industry could overcome these challenges if they decided to prioritize a fix. That’s a big if. Nasser points to a solution that could work much like HTTPS web encryption, allowing phones to quickly check a cell tower’s “certificate” to prove its legitimacy before a secure connection is established. Last year, Hussain and colleagues from Purdue and the University of Iowa developed and proposed such an authentication scheme for the bootstrapping process in 5G.
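To make the idea concrete, here is an added sketch (not code from Nasser’s talk or from the Purdue/Iowa proposal) of the bootstrapping decision described above: the phone checks an operator signature on a system information broadcast before it connects, so a tower that merely looks like a cell tower is refused. The message layout, the operator name, the use of Ed25519 keys in place of real certificates, and the AllowLegacy switch are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// SysInfo is a constructed stand-in for a tower's system information
// broadcast, the fields a phone sees before any authentication. Sig is the
// assumed addition: an operator signature over OperatorID and CellID.
type SysInfo struct {
	OperatorID string
	CellID     string
	Sig        []byte // empty on legacy, unsigned broadcasts
}

func (s SysInfo) payload() []byte { return []byte(s.OperatorID + "|" + s.CellID) }

// SignSysInfo returns a copy of s signed with the operator's private key.
func SignSysInfo(priv ed25519.PrivateKey, s SysInfo) SysInfo {
	s.Sig = ed25519.Sign(priv, s.payload())
	return s
}

// Phone keeps the operator public keys it trusts (the analogue of HTTPS root
// certificates) and a policy switch for unsigned, legacy-style broadcasts.
type Phone struct {
	Trusted     map[string]ed25519.PublicKey
	AllowLegacy bool // true keeps the downgrade path the article warns about
}

// Accept reports whether the phone will bootstrap to the broadcasting tower.
func (p Phone) Accept(s SysInfo) bool {
	if len(s.Sig) == 0 {
		return p.AllowLegacy // no signature: only a downgrade-tolerant phone connects
	}
	pk, known := p.Trusted[s.OperatorID]
	return known && ed25519.Verify(pk, s.payload(), s.Sig)
}

// Demo sends three broadcasts to a strict phone (AllowLegacy=false) and returns
// its decisions: a genuine signed tower, a rogue tower claiming the same
// operator but signing with its own key, and an unsigned tower.
func Demo() (genuine, rogue, unsigned bool) {
	opPub, opPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	phone := Phone{Trusted: map[string]ed25519.PublicKey{"OP-1": opPub}}
	sib := SysInfo{OperatorID: "OP-1", CellID: "cell-42"} // constructed sample
	return phone.Accept(SignSysInfo(opPriv, sib)),
		phone.Accept(SignSysInfo(roguePriv, sib)),
		phone.Accept(sib)
}
```

Setting AllowLegacy to true reproduces the backwards-compatibility trade-off Hussain describes: the phone keeps working with unsigned towers, and with that keeps the downgrade exposure.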

