Companies around the world are working to roll out 5G networks, facing regulatory, logistic, economic and technical hurdles along the way. Now, according to WIRED, researchers have discovered a number of new flaws in the specification, adding yet another challenge to successful deployment.
Researchers from Purdue University and the University of Iowa have discovered 11 new flaws in 5G protocols. Alarmingly, these flaws are all part of the 5G specification itself, rather than any one carrier’s implementation. The vulnerabilities can “expose your location, downgrade your service to old mobile data networks, run up your wireless bills, or even track when you make calls, text, or browse the web. They also found five additional 5G vulnerabilities that carried over from 3G and 4G. They identified all of those flaws with a new custom tool called 5GReasoner.”
Although one of the benefits of 5G is supposed to be greater protection of phone identifiers, such as the international mobile subscriber identity (IMSI), so-called downgrade attacks bypass that security by forcing a device to operate in 4G mode, or a limited service mode. Once the service is downgraded, the device can be forced to send its IMSI. Even the safeguards that are in place, such as Temporary Mobile Subscriber Identity (TMSI), can be overridden.
The researchers also discovered “issues with the part of the 5G standard that governs things like initial device registration, deregistration, and paging, which notifies your phone about incoming calls and texts.”
The flaws have all been reported to the GSM Association, which downplayed the severity of the issue.
“These scenarios have been judged as nil or low-impact in practice, but we appreciate the authors’ work to identify where the standard is written ambiguously, which may lead to clarifications in the future,” the GSMA told WIRED. “We are grateful to the researchers for affording industry the opportunity to consider their findings and welcome any research that enhances the security and user confidence of mobile services.”