A team of researchers from the University of Iowa and Purdue University has found nearly a dozen security breaches in the 5G protocol, prompting them to write a paper describing both their findings and a security breaching tool they developed called 5GReasoner. The information has been uploaded to the Documentcloud server.
While has 5G has been widely heralded as the next-generation smartphone protocol, security concerns have arisen. The researchers with this effort have found vulnerabilities that leave users at risk of being tracked, along with several other issues.
The work by the researchers involved building the software tool 5GReasoner, which they used to test the new protocol, finding 11 vulnerabilities. Using 5GReasoner, the researchers set up a radio base station that could be used to attack phones in the nearby vicinity. They report that they were able to obtain network IDs for local phones, which in turn allowed them to discover paging occasions—and that allowed them to see the current location of a phone, which could be used to track the person using it.
The researchers found that they were able to broadcast phony emergency alerts to phones in a given area, and in some cases, were able to track phone activity. Also, they found they could run denial-of-service systems to prevent phones from accessing their designated networks—a scheme that could result in downgraded service, or worse, no service at all.
The research team noted that some of the vulnerabilities could be used for surveillance attack by hackers or law enforcement personnel. They added that all the vulnerabilities they found could be exploited by anyone with a basic knowledge of either 4G or 5G networks—and that it could be done with low-cost software.
The researchers have reported their findings to the GSM Association (GMSA), which is responsible for approving international phone protocols. In response, the GMSA released a note describing the vulnerabilities as nil, or of low impact. They did not mention if the vulnerabilities would be fixed.