
Are major communication systems vulnerable?

Jannik Dreier
Associate Professor at Université de Lorraine
Key takeaways
  • Communication networks are vulnerable to cyber-attacks despite the trust placed in operators.
  • The current 5G communication standard has improved compared with 4G, notably with the 5G AKA protocol, which strengthens protection of the phone's identifier and of the device's location.
  • Risks remain, however, particularly via roaming networks: malicious attackers can intercept information by masquerading as legitimate mobile networks.
  • Government proposals to remotely monitor devices are also regularly put forward, notably to combat terrorism or child pornography.
  • These measures raise ethical questions, however, including the risk of false positives, possible political abuse and a lack of transparency.

We use our mobile phones today for a host of reasons: to telephone, send text messages, exchange images or shop online. To do this, we need to connect to the communications network (which transmits information between different devices and systems). This network is prey to attack, however. "Rogue (or fake) base stations", for example, exploit the trust we place in network operators and other service providers to weaken security.

"With each new generation of mobile communications, changes are made to security protocols," explains Jannik Dreier. "The problem is that most of the protocols that exist today date back to the introduction of digital telephones, but security guarantees have, of course, moved on greatly since then."

One of the changes brought about by the switch to 5G concerns privacy protection. To secure communications, the device and the network must be able to authenticate each other when they connect. During the connection and the exchange (of data, speech or images), however, the user's identity and location, as well as the content of the exchange, must be kept confidential. A communications protocol called Authentication and Key Agreement (AKA) has been used to achieve this since the 3G standard was introduced: messages are encrypted with a key agreed between the device and the network during connection.

Improved, but not perfect, data protection

Today's 5G communication standard is therefore based on the 5G AKA protocol [1]. This new protocol has considerably improved phone identifier protection compared with 4G technology and, in particular, has solved a problem previously exploited by IMSI (International Mobile Subscriber Identity) interceptors. With these devices, the IMSI of a mobile phone's SIM card could be intercepted to determine where a mobile device was located, and therefore to track a user. How could this be done? By simply listening in to transmissions between the mobile phone and the mobile network antenna, the IMSI being sent unencrypted. This is no longer possible with 5G AKA.
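As an added illustration (not code from the article, and not the 5G standard's own ECIES profiles), a simplified version of the identifier-concealment idea behind 5G AKA: the phone encrypts its permanent identifier under a fresh ephemeral Diffie-Hellman key for the home operator's public key, so a passive listener on the radio link sees neither the IMSI nor anything linking two attaches, while the home network can still recover it. The group, key derivation and message layout are constructed for this example, as is the sample IMSI.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for illustration only: the Mersenne
# prime 2^127 - 1 with generator 3. Real 5G uses ECIES over elliptic curves.
P = 2**127 - 1
G = 3
# Constructed sample IMSI: MCC 208, MNC 01, MSIN 0123456789 (not a real subscriber).
SAMPLE_IMSI = "208010123456789"


def keygen():
    """Home-network long-term key pair: (private exponent, public value)."""
    d = secrets.randbelow(P - 2) + 1
    return d, pow(G, d, P)

def _derive(shared, eph_pub, length):
    """Hypothetical KDF: keystream of `length` bytes plus a MAC key from the shared secret."""
    seed = hashlib.sha256(shared.to_bytes(16, "big") + eph_pub.to_bytes(16, "big")).digest()
    stream = hashlib.sha256(b"enc" + seed).digest()
    while len(stream) < length:
        stream += hashlib.sha256(stream).digest()
    return stream[:length], hashlib.sha256(b"mac" + seed).digest()

def _tag(mac_key, eph_pub, ct):
    return hmac.new(mac_key, eph_pub.to_bytes(16, "big") + ct, "sha256").digest()[:8]

def conceal(home_pub, imsi):
    """Phone side: encrypt the permanent identifier under a fresh ephemeral key."""
    r = secrets.randbelow(P - 2) + 1          # new randomness on every attach
    eph_pub = pow(G, r, P)
    plaintext = imsi.encode()
    stream, mac_key = _derive(pow(home_pub, r, P), eph_pub, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return {"eph_pub": eph_pub, "ct": ct, "tag": _tag(mac_key, eph_pub, ct)}

def deconceal(home_priv, msg):
    """Home-network side: recover the identifier, or None if the MAC check fails."""
    stream, mac_key = _derive(pow(msg["eph_pub"], home_priv, P), msg["eph_pub"], len(msg["ct"]))
    if not hmac.compare_digest(_tag(mac_key, msg["eph_pub"], msg["ct"]), msg["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(msg["ct"], stream)).decode()

def unlinkable(home_pub, imsi):
    """Two attaches by the same phone produce different, unlinkable radio messages."""
    a, b = conceal(home_pub, imsi), conceal(home_pub, imsi)
    return a["ct"] != b["ct"] and a["eph_pub"] != b["eph_pub"]
```

The older behaviour described above corresponds to sending `SAMPLE_IMSI` itself over the air; here only `eph_pub`, `ct` and `tag` cross the radio link.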

"Although this part of the protocol has been improved now, the protocol as a whole is far from perfect," warns Jannik Dreier. "It's as if we've just 'plugged a hole'. If we were to reformulate this protocol and start from scratch, as it were, we would build it completely differently. That's often the case in technology."

"While the connection between a telephone and the antennae (base stations) is protected, the problem is that the data is no longer protected on the wired network," he explains. The network and the operator are trusted entities, and this trust creates a potential vector for eavesdropping, surveillance or even direct attack. "The use of equipment from China, in particular, has been the subject of much debate, because a 'hidden door' could be used for espionage or outright to create a sort of 'red button': if pressed, the network and all communicating devices would immediately stop functioning."

Another problem: mobile phone networks allow us to use our phones in roaming mode, connecting to a network other than that of our home operator (when we are abroad, for example [2]). The danger here: an attacker could make our phones believe they are roaming by setting up a rogue base station, that is, a malicious device that mimics a legitimate mobile network base station. As communications are only protected up to the fake station, the attacker is, in principle, able to intercept and monitor all traffic passing through it. Unfortunately, today's smartphones are poorly equipped to warn us of such attacks because they readily accept roaming connections. Importantly, these connections are not always clearly visible to the user, who, moreover, suspects nothing untoward because he may not even be abroad.

Rogue base stations can also be used for other purposes, for example by the police and intelligence services (with the help of mobile network operators) to fight crime or for surveillance. In addition to telephone conversations and messages, service providers can track all other types of content passing through the fake base station.

Surveillance of electronic devices: protecting against crime or restricting freedoms?

Security is not limited to the network; it also concerns the phones themselves, particularly with the use of end-to-end encrypted communications such as those in applications like Signal and WhatsApp. If communications are protected from end to end, each end of the transmission naturally becomes a target for attack, for criminals and government services alike.

This is why proposals for remote monitoring of devices are regularly put forward, especially in the fight against terrorism and child pornography [3]. "But there are problems," explains Jannik Dreier. "From a technical point of view, these approaches will necessarily affect the security of communications networks and systems for the population as a whole because they require that all devices be scanned, not just those that we suspect."

Proposals to combat child pornography, for instance, are essentially based on comparing images with a database of known images or on artificial intelligence (AI) trained on these images. This unavoidably leads to "false negatives", that is, images that should be detected but are not. Worse still, there is the risk of "false positives": people could be accused of a crime they did not commit because an image was wrongly identified as pornographic by AI.

There will inevitably be a large number of these misclassifications if all images on all devices are scanned. "We also know that modifications undetectable to the naked eye can be applied to an image and that these can be misclassified by AI. We can therefore imagine attackers modifying images in this way and sending them to targets who will then be wrongly identified as being in possession of child pornography content."

There is also a more political type of danger. "Once such an infrastructure is in place, it could then be used for other purposes and, ultimately, and especially in non-democratic countries, for repression.

"It is also important to note that we don't know exactly how these infrastructures work because the detection algorithms behind them are not in the public domain," he adds. "That is a problem: we wouldn't then know on what basis we've been incriminated. There would be a lack of transparency. Such a strategy creates unprecedented capabilities for user surveillance and control with potentially drastic consequences for democracy in Europe and around the world."

"We place far too much trust these days in operators and their equipment, something that introduces inherent weaknesses. Unfortunately, this situation is not going to change any time soon, because it's not financially attractive for operators," he says. As a result, things could become even worse in the future: "If we are not able to rebuild these architectures from scratch, in a model that is less reliant on operators, we need to correct the known shortcomings. Some of these may be easy to repair, thanks to the use of end-to-end protection solutions, for example, but not others. There will never be a perfect solution."

Interview by Isabelle Dumé
[1] A Formal Analysis of 5G Authentication. ACM CCS 2018, 25th ACM Conference on Computer and Communications Security, Oct 2018, Toronto, Canada. https://hal.science/hal-01898050v1
[2] Wherever I May Roam: Stealthy Interception and Injection Attacks Through Roaming Agreements. https://link.springer.com/chapter/10.1007/978-3-031-70903-6_11
[3] Joint statement of scientists and researchers on EU's new proposal for the Child Sexual Abuse Regulation. https://homes.esat.kuleuven.be/~preneel/Open_letter_CSAR_aug24_still_unacceptable.pdf
