Researchers at the Purdue University of Iowa have discovered vulnerabilities in the paging protocol of cellular networks, and warn that they affect all major 4G network operators in the USA and the rest of the world. Even more worrying, the flaws can also plague the upcoming 5G networks, which are touted as much more secure in that respect. The three security flaws can result in the interception of users' phone calls, as well as their unrestricted location tracking. To close the circle of concern, the researchers claim that 'any person with a little knowledge of cellular paging protocols can carry out the associated attacks', and the only equipment that they’ll need is a sniffer costing around $200.
The first vulnerability is related to 'Torpedo' attacks. The paging protocol is responsible for notifying a device of an incoming SMS or phone call so that it can wake up from its temporary battery-saving lethargy. The problem with this protocol is that an attacker may leverage it to exfiltrate data from the device, such as its location, or inject fake paging messages and even conduct DoS attacks against it.
The other two vulnerabilities are named 'Piercer' and 'IMSI-Cracking'. Both use 'Torpedo' as a substep to brute-force the device’s IMSI (International Mobile Subscriber Identity), and then associate this identifier with the victim’s phone number. This obviously throws all notions of user privacy out of the window, as long as the attacker has a radio and a fake station near the victim. This would allow the initiation of a procedure that involves the generation of paging messages directed at the victim’s device and used entirely for hijacking the useful information in them.
The university team has notified GSMA, the body responsible for fixing the Torpedo and IMSI-Cracking flaws, while the Piercer vulnerability will have to be fixed on the carrier side. Having already located a US carrier that is susceptible to Piercer attacks, the researchers have not disclosed any more details about that. However, there is no indication of when these bugs will be eliminated, as no GSMA spokesperson has shared any plans on how they will address the points made in the report, although they have acknowledged the vulnerabilities.
These findings come on top of the SS7 problems that we reported as being on the rise this year. The ability to intercept calls and locate mobile phone users with such ease and at a meager cost is undermining the privacy of people at an egregious rate. With the promising 5G showing vulnerabilities of such a high level of severity, there’s not much hope for a remedy in the foreseeable future.