With top speeds of 20 gigabytes per second, 5G should reach our phones in 2020. Users are delighted by the arrival of this fifth generation standard for mobile telecommunications, whose data rates, which are up to ten times faster than 4G, promise to keep up with our increasingly data-intensive mobile applications. While this standard is still being conceived at 3GPP,1 the organization that brings together representatives from industrial actors and telephone service providers, different research teams are taking advantage of this developmental phase to test and strengthen the future norm.

At the French laboratory LORIA,2 Jannik Dreier and his colleagues are exploring various directions for improvement. “3GPP always places great emphasis on faster speeds,” explains the senior researcher at Télécom Nancy. “Yet protocols also change in other directions with each new generation, especially with regard to security.”

Old Flaws

In collaboration with researchers from ETH Zurich and the University of Dundee in Scotland, Dreier points out the persistence of security flaws within the new 5G standard at the CCS3 conference in Toronto. “5G inherits flaws that go back to the very first version of the identification protocol,” Dreier regrets. “All of the security is based on SIM cards, which store the identification keys shared with the network.” Security problems are inherent to wireless technologies, because unlike the transfer of data confined within a cable, nothing protects information when it transits through the air. As a result, security relies  on the capacity of the telephone and the network to identify and authenticate one another when they connect. At the same time, all of the personal information and data belonging to the mobile subscriber must be preserved. But the system is not perfect. Dreier draws attention to the risk of traceability in the event that the telephone can be identified and then followed. This operation is fairly easy to carry out with 4G, thanks to devices such as IMSI-catchers,4 which scan exchanges between the mobile phone and the network’s antenna relays to track their target. “5G will solve the problem with regard to passive attackers that only listen,” Dreier specifies. “But if someone injects messages in the communication between the telephone and the network antenna, which is relatively easy, it once again becomes possible to trace the mobile phone and its user.”
 

Relay antennas make it possible to test 5G under real conditions, like those used in Germany (pictured).

Relay antennas make it possible to test 5G under real conditions, like those used in Germany (pictured).

OLIVER BERG / DPA / dpa Picture-Alliance/AFP

OLIVER BERG / DPA / dpa Picture-Alliance/AFP

Share

Share

A ‘counter’ problem

Here once again, it is the historic architecture of mobile telephone networks that is to blame. Since the first SIM cards could not generate random values, everything was based on a system of counters, which was designed  to avoid receiving the same message multiple times. “SIM Cards  could use a different technique today because they can generate random values,” he explains. “But decision makers apparently did not want to change the standard that profoundly.”

“Traceability tools are notably used by the police and intelligence agencies. It allows them to determine who was near a crime scene, but also who was near a political demonstration. It’s very useful for them, but it can be used for mass surveillance.” Given that two thirds of the world’s population uses a mobile phone, it is hard not to fear abuses, let alone its misuse by criminals.
 

5G was the hightlight of the Mobile World Congress, held in Barcelona in February 2018.

5G was the hightlight of the Mobile World Congress, held in Barcelona in February 2018.

Miquel Benitez / GETTY IMAGES EUROPE / Getty Images/AFP

Miquel Benitez / GETTY IMAGES EUROPE / Getty Images/AFP

Share

Share

Having Someone Else Pay Your Bill

Created in partnership with ETH Zurich, LORIA, and CISPA5 in Sarrebruck, the Tamarin verification tool can analyze the security of a given protocol. Dreier and his colleagues have analzyed 5G AKA,6 the security protocol that has been implemented since 3G, and that the 3GPP would like to continue to improve.

“We are  trying to improve security, not to break things apart,” insists Dreier. “We are conducting formal verifications to ensure security.” If the protocol does not contain flaws, Tamarin establishes a mathematical proof of its security. Yet in problematic cases , the tool generates a description of the attack that was identified. This enabled researchers to discover another flaw in 5G AKA that could result in calls being billed to someone else, when two telephones are used simultaneously in close proximity. “Although in practice this flaw is probably difficult to exploit, it is not excluded by the standard. We sent these results to the 3GPP, but for the moment received only a fairly brief initial response. The process indeed takes time, because it involves in-person meetings, proposals, and finally a vote. We are not part of these organizations, and it is their choice whether to modify the protocol.” 

Despite the fast-approaching 2020 delivery date and official arrival of 5G, numerous improvements can still be made, especially with regard to software. LORIA researchers are working toward adapting tools such as Tamarin so that computer engineers can use them directly during the design phase.  “Unfortunately, the problems of traceability will not be solved solely by some  small changes,” Dreier insists. “One needs to stop using a counter in SIM cards, but that would require a total redesign of the protocol…”