Security researchers from the University of Birmingham have discovered a flaw in 3G-enabled mobile phones that could allow someone to track a device at any given time. Unfortunately, there's no software hot-fix available, as the problem is ingrained in the design of the 3G protocol logic.
The 3G standard was designed to protect a user's identity when on a given network. A device's permanent identity, known as the International Mobile Subscriber Identity (IMSI), is protected on a network by assigning the device a temporary identity called a Temporary Mobile Subscriber Identity (TMSI). The TMSI is updated regularly, and 3G networks are supposed to make it impossible for someone to track a device even if they are eavesdropping on the radio link.
Researchers have discovered that these methods can easily be sidestepped by spoofing an IMSI paging request. Such a request is used by networks to locate a device so it can provide service.
"The possibility of triggering a paging request for a specific IMSI allows an attacker to check a specific area for the presence of mobile stations of whom he knows the identity, and to correlate their IMSI and TMSI," the researchers point out.
If that weren't enough, the researchers have discovered another vulnerability related to the Authentication and Key Agreement (AKA) protocol. AKA is used by networks to authenticate a device, but by sniffing the AKA request it's possible to detect the "secret long-term key" (K IMSI). Once detected, the AKA can be relayed to all devices in a given area. Every device except the target device will return an authentication failure, so the one device that responds differently reveals whether the target is present in that area.
It's possible to exploit either of these vulnerabilities simply by using readily available hardware, such as femtocells, and some technical know-how.