
Are major communication systems vulnerable?

Jannik Dreier
Associate Professor at Université de Lorraine
Key takeaways
  • Communication networks are vulnerable to cyber-attacks despite the trust placed in operators.
  • Current 5G communication standards have improved compared with 4G, notably with the 5G AKA protocol, which strengthens protection of phone identifiers and mobile device location.
  • Risks remain, however, particularly via roaming networks: malicious attackers can intercept information by masquerading as legitimate mobile networks.
  • Government proposals to remotely monitor devices are also regularly put forward, notably to combat terrorism or child pornography.
  • These measures raise ethical questions, though, and carry the risk of false positives, possible political abuse and a lack of transparency.

We use our mobile phones today for a host of reasons: to telephone, send text messages, exchange images or shop online. To do this, we need to connect to the communications network (which transmits information between different devices and systems). This network is prey to attack, however. “Rogue (or fake) base stations”, for example, take advantage of the confidence we have in network operators and other service providers to weaken security.

“With each new generation of mobile communications, changes are made to security protocols,” explains Jannik Dreier. “The problem is that most of the protocols that exist today date back to the introduction of digital telephones, but security guarantees have, of course, moved on greatly since then.”

One of the changes brought about by the switch to 5G concerns privacy protection. To secure communications, the device and the network must be able to authenticate each other when they connect. During the connection and exchange (of data, speech or images), however, the user’s identity and location as well as the content of the exchange must be kept confidential. A communications protocol called Authentication and Key Agreement (AKA) has been used to achieve this since the 3G standard was introduced. This means that messages are encrypted thanks to a key exchanged during connection.
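As an added illustration (not from the original article, and not the 3GPP specification's own algorithms), here is a simplified model in Python of the AKA challenge-response that gives the mutual authentication and the shared session key described above. The long-term key K, the HMAC-based derivation functions and the plain sequence number are stand-ins for the real SIM key and the f1..f5 functions.

```python
import hmac, hashlib, os, secrets

# Simplified model of AKA (an added illustration, not the 3GPP Milenage /
# 5G AKA functions): the SIM and the home network share a long-term key K.
# The network proves knowledge of K with a MAC over a fresh challenge and a
# sequence number; the device proves it with RES; both derive the same key.

def _f(key: bytes, tag: bytes, *parts: bytes) -> bytes:
    """Keyed derivation standing in for the f1..f5 functions of real AKA."""
    return hmac.new(key, tag + b"".join(parts), hashlib.sha256).digest()

def network_auth_vector(k: bytes, sqn: int) -> dict:
    """Home network side: build (RAND, AUTN, XRES, CK) for one authentication."""
    rand = secrets.token_bytes(16)
    sqn_b = sqn.to_bytes(6, "big")
    mac = _f(k, b"mac", rand, sqn_b)[:8]        # f1: proves the network knows K
    return {"RAND": rand, "AUTN": sqn_b + mac,
            "XRES": _f(k, b"res", rand)[:8],    # f2: expected device response
            "CK": _f(k, b"ck", rand)}           # f3: session (cipher) key

def device_respond(k: bytes, rand: bytes, autn: bytes, last_sqn: int):
    """SIM side: verify AUTN (network authenticity + freshness), then answer."""
    sqn_b, mac = autn[:6], autn[6:]
    if not hmac.compare_digest(mac, _f(k, b"mac", rand, sqn_b)[:8]):
        return None                             # MAC failure: not our network
    sqn = int.from_bytes(sqn_b, "big")
    if sqn <= last_sqn:
        return None                             # replayed challenge
    return {"RES": _f(k, b"res", rand)[:8], "CK": _f(k, b"ck", rand), "SQN": sqn}

def run_aka(k_device: bytes, k_network: bytes, sqn: int = 1, last_sqn: int = 0):
    """Full exchange; returns (authenticated?, device_key, network_key)."""
    av = network_auth_vector(k_network, sqn)
    dev = device_respond(k_device, av["RAND"], av["AUTN"], last_sqn)
    if dev is None:
        return False, None, None
    ok = hmac.compare_digest(dev["RES"], av["XRES"])   # network checks RES
    return ok, dev["CK"], av["CK"]

K = bytes(range(16))  # constructed test key; in reality stored on the SIM

if __name__ == "__main__":
    print(run_aka(K, K)[0])                    # True: mutual authentication
    print(run_aka(K, os.urandom(16))[0])       # False: network without K fails
```

A party that does not hold K cannot produce a valid AUTN, so the device refuses it; the protection the article discusses stops at the base station because the session key only covers the radio link.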

Improved, but not perfect, data protection

Today’s 5G communication standard is therefore based on the 5G AKA protocol¹. This new protocol has considerably improved phone identifier protection compared with 4G technology and, in particular, has solved a problem previously exploited by IMSI (International Mobile Subscriber Identity) interceptors. With these devices, the IMSI of a mobile phone card could be intercepted to determine where a mobile device was located – and therefore track a user. How could this be done? By simply listening in to transmissions between the mobile phone and the mobile network antenna – the IMSI being sent unencrypted. This is no longer possible with 5G AKA.

“Although this part of the protocol has been improved now, the protocol as a whole is far from perfect,” warns Jannik Dreier. “It’s as if we’ve just ‘plugged a hole’. If we were to reformulate this protocol and start from scratch, as it were, we would build it completely differently. That’s often the case in technology.”

“While the connection between a telephone and the antennae (base stations) is protected, the problem is that the data is no longer protected on the wired network,” he explains. The network and the operator are trusted entities, and this trust creates a potential vector for eavesdropping, surveillance or even direct attack. “The use of equipment from China, in particular, has been the subject of much debate, because a ‘hidden door’ could be used for espionage or outright to create a sort of ‘red button’: if pressed, the network and all communicating devices would immediately stop functioning.”

Another problem: mobile phone networks allow us to use our phones in roaming mode by connecting to a network other than that of our native operator (when we are abroad, for example²). The danger here: an attacker could make us think that our phones are roaming and set up a rogue base station, that is, a malicious device used to mimic a legitimate mobile network base station. As communications are only protected up to the fake station, the attacker is, in principle, able to intercept and monitor all traffic passing through it. Unfortunately, today’s smartphones are not very well equipped to warn us of such attacks because they easily accept roaming connections. Importantly, these are not always clearly visible to the user (who, moreover, does not suspect anything untoward because he may not even be abroad).

Rogue base stations can also be used for other purposes – for example (and with the help of mobile network operators), by the police and intelligence services for fighting crime or for surveillance purposes. In addition to telephone conversations and messages, service providers can track all other types of content passing through the fake base station.

Surveillance of electronic devices: protecting against crime or restricting freedoms?

Security is not limited to the network; it also concerns the phones themselves, particularly with the use of end-to-end encrypted communications, such as those used in applications like Signal and WhatsApp. If we protect communications from end to end, each end of the transmission naturally becomes a target for attack, for criminals and governmental services alike.

This is why proposals for remote monitoring of devices are regularly put forward, especially in the fight against terrorism and child pornography³. “But there are problems,” explains Jannik Dreier. “From a technical point of view, these approaches will necessarily affect the security of communications networks and systems for the population as a whole because they require that all devices be scanned, not just those that we suspect.”

Proposals to combat child pornography, for instance, are essentially based on comparing images with a database of known images or on artificial intelligence (AI) trained on these images. This unavoidably leads to “false negatives”, that is, images that should be detected but which aren’t. Worse still, there is the risk of “false positives”: people could be accused of a crime they did not commit because an image was wrongly identified as being pornographic by AI.

There will inevitably be a large number of these misclassifications if all images on all devices are scanned. “We also know that modifications undetectable to the naked eye can be applied to an image and that these can be misclassified by AI. We can therefore imagine attackers modifying images in this way and sending them to targets who will then be wrongly identified as being in possession of child pornography content.”

There is also a more political type of danger. “Once such an infrastructure is in place, it could then be used for other purposes and, ultimately, and especially in non-democratic countries, for repression.

“It is also important to note that we don’t know exactly how these infrastructures work because the detection algorithms behind them are not in the public domain,” he adds. “That is a problem: we wouldn’t then know on what basis we’ve been incriminated. There would be a lack of transparency. Such a strategy creates unprecedented capabilities for user surveillance and control with potentially drastic consequences for democracy in Europe and around the world.”

“We place far too much trust these days in operators and their equipment, something that introduces inherent weaknesses. Unfortunately, this situation is not going to change any time soon, because it’s not financially attractive for operators,” he says. As a result, things could become even worse in the future: “If we are not able to rebuild these architectures from scratch, in a model that is less reliant on operators, we need to correct the known shortcomings. Some of these may be easy to repair, thanks to the use of end-to-end protection solutions, for example, but not others. There will never be a perfect solution.”

Interview by Isabelle Dumé
¹ A Formal Analysis of 5G Authentication. ACM CCS 2018 – 25th ACM Conference on Computer and Communications Security, Oct 2018, Toronto, Canada, https://hal.science/hal-01898050v1
² Wherever I May Roam: Stealthy Interception and Injection Attacks Through Roaming Agreements, https://link.springer.com/chapter/10.1007/978-3-031-70903-6_11
³ Joint statement of scientists and researchers on EU’s new proposal for the Child Sexual Abuse Regulation, https://homes.esat.kuleuven.be/~preneel/Open_letter_CSAR_aug24_still_unacceptable.pdf
