“We’ve discovered a new way to use the MAC layer protocol in LTE and 5G to communicate remotely by using someone else’s network. This newly discovered vulnerability in the LTE/5G MAC layer protocol standard is likely to affect other wireless broadband standards. The vulnerability could allow unauthorized devices to anonymously exchange short messages through a service provider’s infrastructure. While its impact on Wi-Fi networks isn’t huge at the moment, it’s bound to become a big concern as cellular coverage expands from one room to greater distances.
By Reza Soosahabi, Senior R&D Engineer, Keysight Technologies
We’ve got our eyes on Sparrow, how unauthorized users use wireless infrastructure for covert communications
Reza Soosahabi, Senior R&D Engineer, Keysight Technologies
We’ve discovered a new way to use the MAC layer protocol in LTE and 5G to communicate remotely by using someone else’s network. This newly discovered vulnerability in the LTE/5G MAC layer protocol standard is likely to affect other wireless broadband standards. The vulnerability could allow unauthorized devices to anonymously exchange short messages through a service provider’s infrastructure. While its impact on Wi-Fi networks isn’t huge at the moment, it’s bound to become a big concern as cellular coverage expands from one room to greater distances.
The vulnerability allows an unauthorized user the opportunity to exploit elements of the initial message to establish a link before completing network authentication. Thus, an anonymous unauthorized user can use the base station broadcast signal to deliver a message to another anonymous user within the cellular coverage area.
In contrast to known covert communication techniques, this new unlicensed communication technology utilizes the MAC layer (L2) in the wireless access infrastructure rather than directly accessing the physical spectrum (L1) or using other layers of the network protocol stack (L3-L7). According to Wiley Online Library: “The Media Access Control (MAC) layer provides radio resource allocation services and data transmission services for the upper layers. The data transmission services of the MAC layer include performing scheduling requests, buffer status reports, random access, and hybrid automatic repeat requests ( HARQ) etc.”
The official name of the vulnerability is CVD-2021-0045, nicknamed SPARROW. We have responsibly disclosed it in the GSMA Coordinated Vulnerability Disclosure Program; the GSMA Mobile Security website has also endorsed this vulnerability.
SPARROW’s Discovery Process
As a Senior Research Fellow at Keysight’s ATI Research Center, my research interests are signal processing and wireless system security. In 2020, in the course of my work on data exfiltration methods, I envisioned the possibility of exfiltrating data using over-the-air broadcast resources in commercial communication networks. I realize that there are many threat scenarios in networking and Internet applications, some of which go beyond the common threats defined in the wireless security world. My definition of vulnerability is: the opportunity to use a system outside of its intended application. Threat scenarios (such as data exfiltration, etc.) have special significance for finding and patching vulnerabilities in systems and standards.
Data exfiltration scenarios are a common research topic in the field of cybersecurity. Malicious actors can use it to create covert communication schemes to leak sensitive information out of infected systems. To date, some of the well-known data exfiltration techniques utilize Internet applications and network protocols, and the security industry has developed targeted preventative measures. Based on my understanding of wireless security, I start by asking a key hypothetical question. It was this question posed that laid the foundation for my new discovery: “What if someone could leverage the MAC layer protocol of a commercial wireless access infrastructure for low-cost, low-power covert communications?”
Commercial wireless signals are almost ubiquitous, so exploiting them for data exfiltration bypasses all existing precautions. I didn’t find any articles on using the wireless MAC layer (L2) protocol for covert communication, and this oversight is to blame for the different understandings of covert communication in the research community. Cybersecurity researchers typically focus on techniques that leverage L3 to L7 layer protocols. In the wireless security world, covert communications generally refers to covert broadcasts using L1 layer wireless signals, including L1 pirated wireless that can utilize spectrum licensed for commercial use. But what about L2?
My first research target was the well-known 3GPP standard. In February 2020, I discovered a vulnerability in the 3GPP TS 36.321 standard that affects LTE and 5G networks. I named this vulnerability SPARROW. It allows anonymous low-power devices to exchange covert short messages within a cell without connecting to the network. We arranged a proof of concept with an engineering team in Milan, Italy. This scenario was validated in December 2020.
Hazards of SPARROW
SPARROWs pose a real danger to critical installations protected by other covert communication methods for the following reasons:
• Extremely Anonymous: SPRROW devices operate without authenticating to the host network, thus avoiding exposure to network security and lawful interception systems and spectrum scanners. They utilize very limited resources and have very little impact on host network services.
• Large coverage: Using the broadcast power of base stations or non-terrestrial technologies, SPARROW devices can communicate over miles apart. If you deploy several of these devices in a sparse mesh network, you can further expand the communication range.
• Low power consumption and simple operation: SPARROW devices leverage the existing library of protocol implementations installed on commercial SDRs. They run on battery power, or get long-term energy from their surroundings, just like a real sparrow!
The following usage scenarios are worth noting:
• Wireless data exfiltration: SPARROW devices (possibly the size of a dongle) may be an effective alternative to known network data exfiltration techniques.
• Command and Control: They can anonymously communicate remotely with malicious IoT devices using commercial communication infrastructure, triggering unexpected events.
• Covert Activities: Agents are able to communicate with SPARROW devices in hostile areas without broadcasting overt signals or accessing existing networks directly.
Here are the key takeaways:
• Insecure messages in the wireless MAC protocol may be used by low-cost user equipment for covert communications with malicious intent. Industry organizations should take this new type of vulnerability into account when assessing their security posture.
• The fact that this vulnerability has not been disclosed for a long time should be taken seriously enough by the protocol specification writers to carefully consider the abuse of replay and broadcast at the design stage.
• Researchers should examine other early MAC protocols for other covert communication methods that bypass traffic inspection devices.
How can you protect against these kinds of vulnerabilities on the web? We have developed a general remedy for vulnerable wireless standards.