Our Eye Is on the SPARROW

We have discovered a new technique that takes advantage of the MAC layer protocols in LTE and 5G, allowing long-distance communication using other people’s networks. This newly discovered vulnerability in the LTE / 5G MAC layer protocol standard has the potential to affect other wireless broadband standards. The vulnerability allows unauthorized devices to anonymously exchange short messages through the service provider’s infrastructure. Although not particularly influential on Wi-Fi networks, it is becoming an important concern as cell coverage extends from one room to longer distances.

The vulnerability uses elements of the initial messages that establish their connections, but before an unauthorized user can be authenticated on the network. As a result, an anonymous and unauthorized user may take advantage of the signals transmitted by the base station to transmit messages to another anonymous user in the coverage area of ​​the cell.

Compared to known hidden communication techniques, this is a new technique for unauthorized communication by using the MAC layer (L2) of the wireless access infrastructure, instead of interfering with direct access to the physical spectrum (L1) or using other layers of the stack of network protocols (L3- L7). According to Wiley Online Library, ‘The Medium Access Control (MAC) layer provides the radio resource allocation service and the data transfer service to the upper layer. As part of the data service, the MAC layer performs procedures such as scheduling requests, buffer status reporting, random access, and hybrid automatic retry request (HARQ). ”

This vulnerability is officially called CVD-2021-0045, which we have named SPARROW. It is responsibly disclosed in the GSMA Coordinated Vulnerability Detection Program and is recognized in GSMA Mobile Security website.

Opening of VRABO
As a senior researcher at the Keysight ATI Research Center with experience in signal processing and wireless security, I envisioned using wireless resources to broadcast commercial telecommunications networks to retrieve data while researching data exfoliation methods in 2020. I realized that there are many threat scenarios across the spectrum of network and Internet applications. Some of them go beyond the classic definitions of threats used in the field of wireless security. I define vulnerability as any possibility to use a system outside of its intended application. Threat scenarios, such as data leakage, attach particular importance to identifying and patching vulnerabilities in systems and standards.

The data retrieval scenario is a common research topic in cybersecurity. Here, malicious participants create hidden communication schemes to leak sensitive information from compromised systems. So far, the most well-known techniques use Internet applications and network protocols, and the security industry has developed preventive measures to block them. Based on my understanding of wireless security, I began asking the key “what if?” question that became the basis for the discovery: “What if a person uses the MAC layer protocol of a commercial wireless access infrastructure for cheap and energy-efficient hidden communication?”

As commercial wireless signals are available almost everywhere, their use for data retrieval can bypass all existing preventive measures. I did not find articles on using wireless MAC layer protocols (L2) for covert communication. I attribute this omission to various interpretations of covert communication in the research community. Cybersecurity researchers have generally focused on techniques using L3 to L7 protocols. In the context of wireless security, covert communication usually refers to covert broadcasts using L1 radio signals. This includes pirated L1 radios, which can operate spectrum licensed for commercial networks. But what about L2?

The familiar 3GPP standard was my first research goal. Until February 2020, I was able to identify a vulnerability in the 3GPP TS 36.321 standard that affects both LTE and 5G networks. I called the find a Sparrow. It allows anonymous low-power devices to exchange short hidden messages in a cell without connecting to the network. We then worked out a scenario with proof of concept, together with an engineering team in Milan, Italy. This scenario was tested in December 2020.

The danger of sparrows
Therefore, SPARROW poses a real danger to critical equipment protected against other means of covert communication:

• Maximum anonymity: SPARROW devices are not authenticated with the host network while operating. This eliminates their exposure to network security and legal interception systems, as well as spectrum scanners. Using limited resources, they cause very minimal impact on the host’s network services.
• More miles per watt: SPARROW devices can be a few miles apart using the radiated power of base stations or alien technology. The scope can be further expanded by deploying several of them in a geographically scarce network.
• Low power and low complexity: SPARROW devices can use existing protocols to implement protocols installed on stock software-defined radio stations (SDRs). They can run on batteries or collect energy from the environment for a long period of time.

Remarkable operational scenarios include:

• Wireless data retrieval: SPARROW devices (probably small as a key) can be an effective alternative to known network data retrieval techniques.
• Command and control: They can communicate anonymously with remote malicious Internet of Thing devices to trigger unwanted events using the commercial communication infrastructure.
• Secret operations: Agents can communicate with SPARROW-enabled devices in hostile areas without transmitting noticeable signals or having direct access to existing networks.

Here are the big subtractions:

• Insecure messages in wireless MAC protocols can be used for covert communication between low-cost user devices with malicious intent. Industrial organizations must take this new type of vulnerability into account when assessing the safety posture.
• The fact that this vulnerability has remained undiscovered for so long should motivate protocol specification developers to consider repetitions and broadcasts of abuses in the design phase.
• Researchers are encouraged to explore other MAC protocols at an early stage for other means of using hidden communications that bypass traffic control devices.