USRP SDRs used to Break 3G to 5G Mobile Phone Security

According to researchers at the International Association for Cryptologic Research it is possible to snoop on 3G to 5G mobile users using a fake base station created by an SDR. It has been well known for several years now that 2G mobile phone security has been broken, but 3G to 5G remained secure. However, the researchers have now determined that lack of randomness and the use of XOR operations used in the Authentication and Key Agreement (AKA) cryptographic algorithm's sequence numbering (SQN) allows them to beat the encryption.

In their research they used a USRP B210 SDR which costs about US$1300, but it's likely that cheaper TX/RX capable SDRs such as the US$299 LimeSDR could also be used. In their testing they used a laptop, but note that a cheap Raspberry Pi could replace it too. writes:

"We show that partly learning SQN leads to a new class of privacy attacks," the researchers wrote, and although the attacker needs to start with a fake base station, the attack can continue "even when subscribers move away from the attack area."

Though the attack is limited to subscriber activity monitoring – number of calls, SMSs, location, and so on – rather than snooping on the contents of calls, the researchers believe it's worse than previous AKA issues like StingRay, because those are only effective only when the user is within reach of a fake base station.

The full paper is available here in pdf form.

Tools used including a laptop, USRP B210 and a sim card reader.
Tools used including a laptop, USRP B210 and a sim card reader.


  1. James Daniels

    Well on SDR generally, for some considerations – its the only affordable way – I am in West Africa looking at protecting the vulnerable (smuggler rife) skies from Airborne light aircraft, drone and even maritime intrusions into this poor country. If anyone needs a practical SDR radar academic project to low cost protect the skies in a poor west aftrican country part digitising Radio & TV with ample masts nationwide (for a survey) , contact me. James

    • shady

      Hello James if i need Lime SDR-Mini and i wanted to be delivery by a drone to my house because i am in Egypt and it is illegal to have it or order it how to do so??

  2. heyjim

    probably by design. seems all the base wireless protocols have these ‘features’. BT, wifi, 2G, 3G, logitech. we should probably layer voip over SSL over 5G.

  3. name

    And banning SDRs is not the right move…researchers will keep having more trouble if research causes uninformed in governments to clamp down on independent research.

Post a comment

You may use the following HTML:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.