Privacy Attacks to the 4G and 5G Cellular Paging Protocols Using Side Channel Information

The cellular paging (broadcast) protocol strives to balance between a cellular device’s energy consumption and quality-of-service by allowing the device to only periodically poll for pending services in its idle, low-power state. For a given cellular device and serving network, the exact time periods when the device polls for services (called the paging occasion) are fixed by design in the 4G/5G cellular protocol. In this paper, we show that the fixed nature of paging occasions can be exploited by an adversary in the vicinity of a victim to associate the victim’s soft-identity (e.g., phone number, Twitter handle) with its paging occasion, with only a modest cost, through an attack dubbed ToRPEDO. Consequently, ToRPEDO can enable an adversary to verify a victim’s coarse-grained location information, inject fabricated paging messages, and mount denial-of-service attacks. We also demonstrate that, in 4G and 5G, it is plausible for an adversary to retrieve a victim device’s persistent identity (i.e., IMSI) with a brute-force IMSI-Cracking attack while using ToRPEDO as an attack sub-step. Our further investigation on 4G paging protocol deployments also identified an implementation oversight of several network providers which enables the adversary to launch an attack, named PIERCER, for associating a victim’s phone number with its IMSI; subsequently allowing targeted user location tracking. All of our attacks have been validated and evaluated in the wild using commodity hardware and software. We finally discuss potential countermeasures against the presented attacks.