USRP SDRs used to Break 3G to 5G Mobile Phone Security

According to researchers at the International Association for Cryptologic Research it is possible to snoop on 3G to 5G mobile users using a fake base station created by an SDR. It has been well known for several years now that 2G mobile phone security has been broken, but 3G to 5G remained secure. However, the researchers have now determined that lack of randomness and the use of XOR operations used in the Authentication and Key Agreement (AKA) cryptographic algorithm's sequence numbering (SQN) allows them to beat the encryption.

In their research they used a USRP B210 SDR which costs about US$1300, but it's likely that cheaper TX/RX capable SDRs such as the US$299 LimeSDR could also be used. In their testing they used a laptop, but note that a cheap Raspberry Pi could replace it too.

Theregister.co.uk writes:

"We show that partly learning SQN leads to a new class of privacy attacks," the researchers wrote, and although the attacker needs to start with a fake base station, the attack can continue "even when subscribers move away from the attack area."

Though the attack is limited to subscriber activity monitoring – number of calls, SMSs, location, and so on – rather than snooping on the contents of calls, the researchers believe it's worse than previous AKA issues like StingRay, because those are only effective only when the user is within reach of a fake base station.

The full paper is available here in pdf form.

Tools used including a laptop, USRP B210 and a sim card reader.
Tools used including a laptop, USRP B210 and a sim card reader.

6 comments

  1. Knot Schure

    And on topic, I must admit, remembering the old days of open listening to analogue networks, I was overjoyed to read the headline of this article – especially being a B210 owner…

    But alas, there are no links to .grc files, nor openLTE setup files etc, and no step by step guide, and I’ve got only one life to live, and I’m not wasting it working out the math for that in GNUradio.

    Also interesting that he doesn’t show it connected in MIMO operation, on the RHS of that picture, the four SMA connectors, from bottom to top are: RF:a TX/RX and RX2, then RF:b RX2 and TX/RX. With two antennas only shown as connected, it implies to me he was in a single Tx & single Rx mode, but I guess it could be a picture.

    Long story short – don’t bother reading the white paper, there is nothing there to get you listening to 3/4G audio…

  2. James Daniels

    Well on SDR generally, for some considerations – its the only affordable way – I am in West Africa looking at protecting the vulnerable (smuggler rife) skies from Airborne light aircraft, drone and even maritime intrusions into this poor country. If anyone needs a practical SDR radar academic project to low cost protect the skies in a poor west aftrican country part digitising Radio & TV with ample masts nationwide (for a survey) , contact me. James

    • shady

      Hello James if i need Lime SDR-Mini and i wanted to be delivery by a drone to my house because i am in Egypt and it is illegal to have it or order it how to do so??

  3. heyjim

    probably by design. seems all the base wireless protocols have these ‘features’. BT, wifi, 2G, 3G, logitech. we should probably layer voip over SSL over 5G.

    • Knot Schure

      I already run my VOIP on my Andriod handset through VPN, and according to stats for an S8+, it adds 20% to the daily battery drain on average.

  4. name

    And banning SDRs is not the right move…researchers will keep having more trouble if research causes uninformed in governments to clamp down on independent research.

Post a comment

You may use the following HTML:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.