How to Hack 5G - Part 3

Fingerprint Icon Written by Chris Powell

Previous Article | Next Article

Hacking 5G

This post is the third in a series that provides an overview of 5G security. Last time I discussed the basics of smart cards and how we modify them for use in cellular networks as Subscriber Identity Modules (SIMs). Their official name being Universal Integrated Circuit Cards (UICCs).

I spoke of how they protect cryptographic data and delved into some of the identities used in the cellular system itself, particularly the International Mobile Subscriber Identity (IMSI).

This post talks explicitly about what IMSI catchers are and how they work, and what 5G is doing to mitigate them. If you don't know what an IMSI is, I highly recommend you read my previous post as a primer.

IMSI Catchers

Remember that IMSIs are permanent identifiers baked into your SIM card and identify you, the subscriber. It is an essential point to understand because, if, for example, I wanted to track someone (a target) using their mobile phone, I'd use a permanent identifier.

But remember from my last post, there's also something called an International Mobile Equipment Identity (IMEI). Don't just track a targets SIM card, use their IMEI to follow their mobile handset as well.

  • IMSI is your SIM
  • IMEI is your mobile handset

Now let's imagine it's possible to walk, or drive around and use a “device” that reads the Radio Frequency (RF) spectrum, looking for these identifiers. Like at a mass gathering where lots of people have their phones. The name I might give to such a device would be an IMSI catcher.

And that's what an IMSI catcher is. A device that lets me read mobile handset transmissions to gather identifiers without people knowing. They're pretty powerful tools.

IMSI Catcher Image
- Left is a professional version, right home made
https://lapsi.al/2016/05/15/gazetaret-ambasadoret-dhe-politikanet-qe-u-pergjuan-nga-policia/
https://arxiv.org/abs/1510.07563

IMSI Makeup

Now that you have an understanding of what IMSI catchers are, I can jump into how they work. But first, I must describe what makes up an IMSI.

Here is a picture of a made-up IMSI with the value 234030123456789.

IMSI Number
-An example IMSI
  • Mobile Country Code (MCC)
    • The MCC is a standardised code that indicates the home country of your SIM card. I live in the UK, so my MCC is 234.
  • Mobile Network Code (MNC)
    • In the UK, we have several Mobile Network Operators (MNOs) such as Vodafone, O2 and EE. The MNC is what identifies a particular operator. Here, 03 means Airtel/Vodafone.
  • Mobile Subscriber Identity Number (MSIN)
    • The MSIN is the bit that is unique to you. It's how the operators identify individuals on their network.

An MCC plus an MNC is commonly called a Public Land Mobile Network (PLMN). You can look up this information on the following website https://www.mcc-mnc.com.

Searching for Signal

So a mobile phone is a sophisticated handheld radio, although unlike traditional radios that talk to each other, your handset communicates with cell towers instead. You may have seen these contraptions before, but if you haven't, this is what they look like.

Cell Tower
- Example cell tower

The white panels on the poles are antennas, and they talk to a physical box, typically located inside a building or a cabinet. Together they make up a cell site and have one of several names depending on its generation.

  • 2G - Base Transceiver Station (BTS)
  • 3G - NodeB
  • 4G - eNodeB
  • 5G - gNodeB

How cell towers work is left for a future post, but realise that they are the things your mobile phone “talks” to in the network. But there's a problem. They aren't everywhere, such as in the middle of the Pacific Ocean. And if you travel far enough, you'll eventually lose signal with the one you're closest too.

So what is your phone going to do? Something called cell reselection followed by a handover procedure.

Reselection is where your mobile phone does some calculations with your current cell tower and decides to search for a new one. A handover is where your phone finds one with a better signal and connects to it; however, there's another issue.

Have you ever been in a place with poor cell reception, but someone else on a different provider has a much stronger signal? Well, that's because different MNOs own different towers. If your provider doesn't have one close to your current location, but a competing MNO does, then your friends will get better cell reception.

But how does your mobile phone know which network it's on? I mean anyone can buy a mobile phone from the shop and put any provider's SIM card in it. Note that I'm not talking about phones “locked” to a network, that's a separate issue altogether.

Handsets know which towers they can connect to because SIM cards have IMSIs. And IMSIs have MCCs and MNCs to tell them which country they belong to, and which operator they can use. Cell towers also have MCCs and MNCs, and if they match your IMSI, your phone can use that tower.

Cell Selection
- A handset only selects its home network

So if I built a portable cell tower and advertised myself as having the same MCC and MNC as your network, then crank up the power and drive past your house. Your phone will think I'm a new cell tower belonging to your provider's network and should eventually connect to me if I look appealing enough.

But, reading an IMSI isn't that simple, for starters you're probably using a Temporary Mobile Subscriber Identity (TMSI) to identify yourself. And because TMSIs are dynamic and change periodically in the network, I can't know which TMSI is associated with your IMSI.

TMSI Network Association
- TMSI and IMSI association

It turns out that while your handset sits, or camps on a cell tower, your phone is always searching for a better one. It stores a list of several alternatives in case you lose connectivity with your current, or serving, cell site, which speeds up the reselection process.

Fortunately for us, handsets maintain this list by continually listening, searching and connecting to cell sites that appear legitimate. I say look legitimate because they can't know without first interrogating one.

And it's only possible to interrogate a tower by sending the IMSI. Without one, authentication is impossible, even for the legitimate network.

After taking all of this into account lets walk through the steps of building our very own IMSI catcher.

  1. Your target's handset keeps a list of several other towers it can see.

  2. You generate a list of nearby cell towers that have favourable parameters but are far enough out of range as to not interfere with the process. It turns out that during cell reselection, there are a few parameters of interest to us. I need to go off on a tangent here, so bear with me.

    Your cellphone prioritises nearby towers based on specific frequencies, as well as other parameters that influence the cell reselection algorithm. Below is the equation used to calculate quality and signal strength in the above procedure, which we can abuse to make ourselves appear more favourable.

    Reselection Equation
    - 5G reselection equation

    The parameters Qrxlevminoffset, Qqualminoffet and Qoffset-temp alter this equation to make cell towers more or less appealing. But why have them at all?

    It turns out that if you're at the midpoint between two similar cell sites, your mobile phone finds it challenging to select a preferable one. One second your current tower could be more appealing, and the next, your phone prefers the other one.

    Your handset would bounce back and forth between the two cell towers causing you, and them a whole lot of hurt. It doesn't sound like much, but if this were to happen in a densely populated area, it would take the network out.

    These parameters serve to make an adjacent cell less appealing by artificially decreasing the quality and signal values. It fixes the problem by encouraging a handset to remain on its current tower.

    Unfortunately, you can't set all of these values yourself, some of this information will have to come from the legitimate network. But what we can do is find a cell tower with favourable parameters, and a high priority frequency, that we can imitate. We just need to make sure it's far away as to not interfere with what we're doing.

    Favourable Tower
    - Distant cell tower we can imitate
  3. You turn on your portable cell tower and punch in the same parameters as your target's network, e.g. MCC, MNC, as well as imitating a favourable tower.

  4. Start cranking up the power and wait for people to start connecting. Remember that your target isn't the only person using the network in that area.

  5. Pretty soon, you should start receiving things called Attach Requests, shortly followed by Radio Resource Control (RRC) Registration Requests. Unfortunately, these messages only transmit something called a Global Unique Temporary Identity (GUTI), also known as a 5G TMSI.

    However, after the RRC Registration Request, and during the rest of the process, you can send an RRC Identity Request. This message lets you request identity information directly from the phone, typically an IMSI or IMEI.

  6. The process isn't over yet, and we still need to complete the set-up procedure. But we can't authenticate ourselves to the handset as we don't know the cryptographic keys.

    What we can do is tell the phone to go away by using one of several messages available in the 5G standard. Do you remember the very first message we received called an Attach Request? Well, we have to respond to it, and we do this with a rejection message, specifically an Attach Reject.

    It turns out that we can pick one of several rejection reasons specified by the standard, each more insidious than the last.

    The first is a simple rejection. You tell the phone “sorry there are no towers available for you in this area”. The phone shouldn't notice anything untoward as the cell tower we were imitating isn't in the immediate vicinity.

    The second is to tell the phone “sorry there is no 5G, 4G, 3G or 2G service in this area”. It will immediately disconnect and won't reconnect to any cellular networks until manually rebooted.

    It is a potent Denial-of-Service attack because you can drive around a large area, say a city, with a powerful antenna and anyone that connects to you, will be kicked off all cellular networks. And if you remember, none of the phones will reconnect until they reboot.

    The final message, and probably the most worrisome, is to tell the phone “sorry no 5G, 4G or 3G service in this area”. Practically it's performed using several downgrade attacks, but the result is the same. Your target ends up roaming on your 2G network and doesn't authenticate you.

    You have performed a Man-in-the-Middle attack, and are free to read any messages or phone calls your target sends or receives โ€” hopefully, without noticing any problems problem besides a lack of data.

    IMSI Catcher Process
    - Typical IMSI catcher procedure

And that's it, we've built ourselves an IMSI catcher, but you might have one question, how do you locate and scan cell towers in the first place?

It turns out it's pretty easy to do with the website https://www.cellmapper.net, or by driving around with an antenna on your roof and a Software Defined Radio (SDR) in your car โ€” a bit like wardriving in WiFi hacking.

Analysis

By now we will have gathered a bunch of IMSIs and IMEIs to analyse, so what patterns can we look for in the data? For instance, the three following scenarios will indicate if, and how our target is swapping their SIM card.

  • The target's IMSI and IMEI are the same
    • They are using the same SIM card and mobile handset.
  • The target's IMSI is the same, but their IMEI is different
    • They swapped their SIM into a new handset.
  • The target's IMSI is different, but their IMEI is the same
    • They have the same handset and are using a new SIM card.

Let's go further still. It turns out that the wireless interface uses timing information to help synchronise cell towers and handset. And by using this data, we can infer the average range from our current location.

We could theoretically mark our position and then calculate the distance of our target. If we did this with three separate IMSI catchers, we could begin the process of triangulation, but it gets worse.

The 5G wireless interface introduces three new technologies, Beamforming, Beamsteering and Massive Multiple Input/Multiple Output (MIMO). They use something called a phased antenna array, which is a bit like a flat panel with loads of antennas glued to it.

It's able to estimate your location and steer radio signals towards you accurately. It can even do this when you're moving at relatively low speeds. The diagram below illustrates the basic idea. I'll go into more detail in a later post when I discuss the radio network.

Beamsteering
- Phased array illustrating directional beamforming

It raises an important point. Do you trust your wireless interface being able to track you as you move around? Sure it helps increase the quality and speed of the network, but it can have some pretty significant privacy implications.

How 5G Protects Your Identity

5G provides an extension to the authentication procedures which makes it harder for IMSI catchers to operate. Granted, this all depends on the implementation and configuration of the protections in the first place.

This addition lets MNOs create an asymmetric key pair for the use of encrypting your identity information. The public key lives in your SIM card, and the private key, in the MNOs network.

Now, whenever your phone has to send your IMSI to a cell tower, your handset will encrypt the MSIN part with the public key. That way, your provider is the only entity that can decrypt it to read the sensitive information.

Public Key IMSI Encryption
- 5G Identity encryption with public/private keys

If your handset always encrypts your IMSI and doesn't fall back to an earlier generation, such as 4G, you should be safe. It'd be impossible for an IMSI catcher to exist unless you roam onto another network.

Roaming is where your handset selects another MNC that's not your native operator, typically when travelling abroad. A lot of countries, the UK being one of them, don't allow in-country roaming. But in others, mainly where the cellular network isn't ubiquitous, roaming between operators is common.

One way around this protection could be changing the MCC as well as the MNC โ€” just pretend you're in another country. I don't think international operators are going to share any private cryptographic data, so your handset would have to fall back to an unencrypted identity exchange.

It's in edge cases like this that IMSI catchers thrive, and I doubt there will ever be complete protection from them. But I hope this leaves you a bit more informed as to how they work.

One last thing I will say is that the public key is not sensitive, so if the MNO private key gets compromised, as I'm sure it will, an Over-the-Air (OTA) SIM update will occur and change it. Again, OTA updates are a topic for a future post.

Conclusion

I discussed what makes up an IMSI, and how a mobile handset reselects onto a new cell tower. I also spoke in-depth about the general idea behind IMSI catchers, and what I would do if I built one myself.

It's a very complicated subject, and I've done my best to describe the process simply and concisely. As always, if I've done a particularly poor job, please let me know.

I wish I could go into much more detail, but I can't. I'd have to write a book on the subject otherwise. However, for now, I suggest looking into mobile apps that can detect suspicious cell towers, https://cellularprivacy.github.io/Android-IMSI-Catcher-Detector, or see how people have built their own with SDRs https://harrisonsand.com/imsi-catcher.

I do not recommend building your own as it is a massive violation of national and federal laws. I've listed it here for reading purposes only.

Upcoming Topics

  • How cryptography works in 5G
  • The Radio Access Network (RAN), and why 5G New Radio (NR) is awesome
  • Attaching to a network in 5G
  • How your SIM works with the User Data Repository (UDR)
  • The 5G core, virtualisation and its REST APIs