SB2019020101 - Information disclosure in 3G, 4G and 5G protocols
Published: February 1, 2019
Security Bulletin ID: SB2019020101
Severity: Low
Patch available: NO
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Information disclosure
Description
This security bulletin contains information about 1 security vulnerability.
1) Information disclosure (CVE-ID: N/A)
The vulnerability allows a remote attacker to obtain potentially sensitive information.
The vulnerability exists due to a weakness in the AKA (Authentication and Key Agreement) protocol. A remote attacker can create next-gen IMSI-catchers that work across all modern telephony protocols and reveal details about a user's mobile activity, such as the number of sent and received texts and calls, allowing IMSI-catcher operators to create profiles for each smartphone holder.
Furthermore, attackers can keep track of users even when they move away from the fake base station (IMSI-catcher device) and later briefly return to the station's coverage, with the AKA protocol leaking updated phone activity states.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.