
Are major communication systems vulnerable?

Jannik Dreier
Associate Professor at Université de Lorraine
Key takeaways
  • Communication networks are vulnerable to cyber-attacks despite the trust placed in operators.
  • The current 5G standard improves on 4G, notably through the 5G AKA protocol, which better protects the phone's permanent identifier and so makes it harder to locate a device and track its user.
  • Risks remain, however, particularly via roaming: an attacker can intercept traffic by masquerading as a legitimate mobile network.
  • Government proposals to remotely monitor devices are also regularly put forward, notably to combat terrorism or child pornography.
  • These measures raise ethical questions, though, and carry the risk of false positives, political abuse and a lack of transparency.

We use our mobile phones today for a host of reasons: to telephone, send text messages, exchange images or shop online. To do this, we need to connect to the communications network (which transmits information between different devices and systems). This network is prey to attack, however. “Rogue (or fake) base stations”, for example, take advantage of the confidence we have in network operators and other service providers to weaken security.

“With each new generation of mobile communications, changes are made to security protocols,” explains Jannik Dreier. “The problem is that most of the protocols that exist today date back to the introduction of digital telephones, but security guarantees have, of course, moved on greatly since then.”

One of the changes brought about by the switch to 5G concerns privacy protection. To secure communications, the device and the network must be able to authenticate each other when they connect. During the connection and the exchange (of data, speech or images), however, the user’s identity and location, as well as the content of the exchange, must be kept confidential. A protocol called Authentication and Key Agreement (AKA) has been used to achieve this since the 3G standard was introduced: the device and the network prove their identities to each other and agree on a session key, and the messages exchanged afterwards are encrypted with keys derived from it.

Improved, but not perfect, data protection

Today’s 5G communication standard is therefore based on the 5G AKA protocol [1]. This new protocol has considerably improved the protection of the phone identifier compared with 4G technology and, in particular, has closed a gap previously exploited by IMSI (International Mobile Subscriber Identity) catchers. With these devices, the IMSI stored on a phone’s SIM card could be captured to determine where a mobile device was located, and therefore to track its user. How? Simply by listening in to transmissions between the phone and the network antenna: the IMSI was sent unencrypted. With 5G AKA this is no longer possible: the permanent identifier (the SUPI) is only ever transmitted in concealed form (the SUCI), encrypted under a public key of the home operator with a fresh ephemeral key on every connection, so a passive listener can neither read it nor recognise the same subscriber twice. The guarantee holds provided the operator actually enables concealment; the standard also permits a “null scheme” that sends the identifier in the clear.
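To make concrete what “no longer sent unencrypted” means, here is an added toy model of 5G identifier concealment. It is not code from the interview, from the cited paper or from 3GPP. It follows the shape of the ECIES profile in TS 33.501: a public key of the home operator sits on the SIM, the phone generates a fresh ephemeral key for every attach, derives encryption and MAC keys from the shared secret, and sends only the encrypted MSIN together with the routing prefix (MCC/MNC), which must stay readable so the visited network can forward the request. To stay standard-library only it substitutes finite-field Diffie-Hellman over the RFC 2409 1024-bit group for X25519 and an HMAC-SHA256 counter-mode keystream for AES-CTR; the subscriber identifier and all keys are constructed for the demo and the scheme is not fit for real use.

```python
"""Toy model of 5G subscriber-identifier concealment (SUCI) versus a 4G IMSI in the clear.

Added illustration, not code from the interview or from 3GPP. Finite-field DH and an
HMAC keystream stand in for the X25519 + AES-CTR of TS 33.501 Profile A. Demo only.
"""
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group" prime (1024-bit MODP), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def keygen():
    """Home-network key pair. In 5G the public half is provisioned on the SIM."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def _kdf(shared, eph_pub):
    """Derive an encryption key and a MAC key from the DH shared secret."""
    ikm = shared.to_bytes(128, "big") + eph_pub.to_bytes(128, "big")
    return (hashlib.sha256(b"enc" + ikm).digest(),
            hashlib.sha256(b"mac" + ikm).digest())


def _stream_xor(key, data):
    """HMAC-SHA256 in counter mode, standing in for AES-128-CTR."""
    out = bytearray()
    for block in range(0, len(data), 32):
        ks = hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[block:block + 32], ks))
    return bytes(out)


def conceal(supi, hn_pub):
    """Phone side: build a SUCI. Only the MSIN is encrypted; the MCC/MNC routing
    prefix stays in the clear so the serving network can reach the home network."""
    mcc_mnc, msin = supi[:5], supi[5:]
    eph_priv = secrets.randbelow(P - 2) + 1        # fresh on every attach
    eph_pub = pow(G, eph_priv, P)
    enc_key, mac_key = _kdf(pow(hn_pub, eph_priv, P), eph_pub)
    ct = _stream_xor(enc_key, msin.encode())
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()[:8]
    return {"mcc_mnc": mcc_mnc, "eph_pub": eph_pub, "ct": ct, "tag": tag}


def deconceal(suci, hn_priv):
    """Home-network side: recover the SUPI, rejecting a tampered SUCI."""
    enc_key, mac_key = _kdf(pow(suci["eph_pub"], hn_priv, P), suci["eph_pub"])
    expected = hmac.new(mac_key, suci["ct"], hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expected, suci["tag"]):
        raise ValueError("SUCI integrity check failed")
    return suci["mcc_mnc"] + _stream_xor(enc_key, suci["ct"]).decode()


def observer_view_4g(imsi):
    """What an IMSI catcher sees on a pre-5G attach: the whole identifier."""
    return imsi


def observer_view_5g(suci):
    """What the same listener sees on 5G: routing prefix plus an opaque blob
    that changes on every attach, so two captures cannot be linked."""
    return (suci["mcc_mnc"].encode() + suci["eph_pub"].to_bytes(128, "big")
            + suci["ct"] + suci["tag"])


def demo():
    supi = "208015551234567"                      # constructed test subscriber
    hn_priv, hn_pub = keygen()
    s1, s2 = conceal(supi, hn_pub), conceal(supi, hn_pub)
    return {
        "recovered_by_home_network": deconceal(s1, hn_priv),
        "two_attaches_unlinkable": observer_view_5g(s1) != observer_view_5g(s2),
        "4g_leaks_identifier": observer_view_4g(supi) == supi,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two observer views are the point of the exercise: the 4G attach hands the catcher the IMSI outright, while two 5G attaches of the same SIM produce two unrelated-looking blobs. Only the home network, which holds the private key, recovers the SUPI, and a SUCI whose ciphertext has been altered fails the integrity check instead of decrypting to a wrong subscriber.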

“Although this part of the protocol has been improved now, the protocol as a whole is far from perfect,” warns Jannik Dreier. “It’s as if we’ve just ‘plugged a hole’. If we were to reformulate this protocol and start from scratch, as it were, we would build it completely differently. That’s often the case in technology.”

“While the connection between a telephone and the antennae (base stations) is protected, the problem is that the data is no longer protected on the wired network,” he explains. The network and the operator are trusted entities, and this trust creates a potential vector for eavesdropping, surveillance or even direct attack. “The use of equipment from China, in particular, has been the subject of much debate, because a ‘hidden door’ could be used for espionage or outright to create a sort of ‘red button’: if pressed, the network and all communicating devices would immediately stop functioning.”

Another problem: mobile networks allow us to use our phones in roaming mode, by connecting to a network other than that of our home operator (when we are abroad, for example [2]). The danger here is that an attacker can set up a rogue base station, a malicious device that mimics a legitimate base station, and make our phone believe it is roaming onto a partner network. As communications are only protected up to the fake station, the attacker is, in principle, able to intercept and monitor all traffic passing through it. Unfortunately, today’s smartphones are not well equipped to warn us of such attacks, because they readily accept roaming connections, and these are not always clearly visible to the user, who moreover suspects nothing because he may not even be abroad.

Rogue base stations can also be used for other purposes, for example by the police and intelligence services (with the cooperation of mobile network operators) for fighting crime or for surveillance. Beyond telephone conversations and messages, whoever operates the fake base station can capture any other content passing through it.

Surveillance of electronic devices: protecting against crime or restricting freedoms?

Security concerns are not limited to the network but extend to the phones themselves, particularly with the use of end-to-end encrypted communications such as those in applications like Signal and WhatsApp. If communications are protected from end to end, each endpoint naturally becomes the target of attack, for criminals and government services alike.

This is why proposals for remote monitoring of devices are regularly put forward, especially in the fight against terrorism and child pornography [3]. “But there are problems,” explains Jannik Dreier. “From a technical point of view, these approaches will necessarily affect the security of communications networks and systems for the population as a whole because they require that all devices be scanned, not just those that we suspect.”

Proposals to combat child pornography, for instance, are essentially based on comparing images (via their hashes) with a database of known images, or on artificial intelligence (AI) trained on such images. This unavoidably produces “false negatives”, that is, images that should be detected but are not. Worse still, there is the risk of “false positives”: people could be accused of a crime they did not commit because an image was wrongly identified by the AI as child pornography.

There will inevitably be a large number of these misclassifications if all images on all devices are scanned. “We also know that modifications undetectable to the naked eye can be applied to an image and that these can be misclassified by AI. We can therefore imagine attackers modifying images in this way and sending them to targets who will then be wrongly identified as being in possession of child pornography content.”
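The two failure modes raised above, unrelated images colliding and an attacker forging a match with invisible edits, can be shown on a miniature scanner. The block below is an added illustration, not code from the interview or from any real scanning system. A 64-bit difference hash (dHash) stands in for the undisclosed production hashes (NeuralHash, PhotoDNA); it is far weaker than they are, so forging a collision here is easier than in the real systems, but the class of problem is the same. The images are tiny 8x9 greyscale grids constructed inside the file; the threshold of 5 bits is an assumed scanner setting.

```python
"""Added illustration: false positives and forged matches in hash-based image scanning.

dHash stands in for the undisclosed production perceptual hashes. Images are
constructed 8x9 greyscale grids; nothing here comes from a real scanning product.
"""
import random

W, H = 9, 8   # 9 columns give 8 left/right comparisons per row -> 64 bits


def dhash(img):
    """Difference hash: bit is 1 when a pixel is brighter than its right-hand neighbour."""
    bits = 0
    for row in img:
        for x in range(W - 1):
            bits = (bits << 1) | (1 if row[x] > row[x + 1] else 0)
    return bits


def hamming(a, b):
    return bin(a ^ b).count("1")


def matches(img, blocklist, threshold=5):
    """Scanner side: flag an image within `threshold` bits of any blocklisted hash.
    The threshold exists so recompressed or resized copies still match; it is also
    what lets unrelated images be flagged."""
    h = dhash(img)
    return any(hamming(h, bad) <= threshold for bad in blocklist)


def smooth_image(seed):
    """Constructed photo-like input: neighbouring pixels differ by at most 2 levels."""
    rnd = random.Random(seed)
    img = []
    for _ in range(H):
        v = rnd.randint(100, 150)
        row = [v]
        for _ in range(W - 1):
            v += rnd.randint(-2, 2)
            row.append(v)
        img.append(row)
    return img


def flat_image(level):
    """Textureless image (a wall, a sky). Every neighbour comparison is a tie."""
    return [[level] * W for _ in range(H)]


def forge(img, target_hash):
    """Attacker side: make dhash(img) equal target_hash with small edits.
    dHash only records the sign of each neighbour difference, so a wrong bit is
    fixed by moving the left pixel to just above, or level with, its neighbour.
    Rows are processed right to left so each edit disturbs only one comparison.
    Returns (forged image, largest change made to any single pixel)."""
    out = [row[:] for row in img]
    largest = 0
    for y in range(H):
        for x in range(W - 2, -1, -1):
            bit = 63 - (y * (W - 1) + x)          # same bit order as dhash()
            want = (target_hash >> bit) & 1
            have = 1 if out[y][x] > out[y][x + 1] else 0
            if want != have:
                new = out[y][x + 1] + want          # +1 for a 1-bit, equal for a 0-bit
                largest = max(largest, abs(new - img[y][x]))
                out[y][x] = new
    return out, largest


def demo():
    banned = smooth_image(1)                  # stands in for one blocklisted image
    blocklist = {dhash(banned)}
    innocent = smooth_image(2)
    forged, change = forge(innocent, dhash(banned))
    return {
        "innocent_flagged": matches(innocent, blocklist),
        "forged_flagged": matches(forged, blocklist),
        "forged_exact_collision": dhash(forged) == dhash(banned),
        "largest_pixel_change": change,
        # two visibly different textureless images (dark vs bright) share one hash
        "flat_collision": dhash(flat_image(30)) == dhash(flat_image(220)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things to read off the output. First, `flat_collision` is a false positive that needs no attacker at all: any low-texture image hashes to zero, so if one such image is on the blocklist, every other one matches it. Second, `forged_flagged` is the scenario from the quote: an unrelated image is nudged, pixel by pixel, until its hash equals the blocklisted one, and the block reports the largest change it had to make (for this greedy pass it is provably at most 24 of 255 grey levels, and usually far less). Neither the recipient nor a reviewer looking at the picture has any way to tell, which is why transparency about the detection algorithm, discussed in the next paragraphs, matters.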

There is also a more political type of danger. “Once such an infrastructure is in place, it could then be used for other purposes and, ultimately, and especially in non-democratic countries, for repression.

“It is also important to note that we don’t know exactly how these infrastructures work because the detection algorithms behind them are not in the public domain,” he adds. “That is a problem: we wouldn’t then know on what basis we’ve been incriminated. There would be a lack of transparency. Such a strategy creates unprecedented capabilities for user surveillance and control with potentially drastic consequences for democracy in Europe and around the world.”

“We place far too much trust these days in operators and their equipment, something that introduces inherent weaknesses. Unfortunately, this situation is not going to change any time soon, because it’s not financially attractive for operators,” he says. As a result, things could become even worse in the future: “If we are not able to rebuild these architectures from scratch, in a model that is less reliant on operators, we need to correct the known shortcomings. Some of these may be easy to repair, thanks to the use of end-to-end protection solutions, for example, but not others. There will never be a perfect solution.”

Interview by Isabelle Dumé
[1] A Formal Analysis of 5G Authentication. ACM CCS 2018 (25th ACM Conference on Computer and Communications Security), Toronto, Canada, October 2018. https://hal.science/hal-01898050v1
[2] Wherever I May Roam: Stealthy Interception and Injection Attacks Through Roaming Agreements. https://link.springer.com/chapter/10.1007/978-3-031-70903-6_11
[3] Joint statement of scientists and researchers on the EU’s new proposal for the Child Sexual Abuse Regulation. https://homes.esat.kuleuven.be/~preneel/Open_letter_CSAR_aug24_still_unacceptable.pdf
