Vulnerability in AKA Mobile Communications Protocol
Researchers from SINTEF Digital Norway, ETH Zurich, and the Technical University in Berlin discovered a new vulnerability that impacts the Authentication and Key Agreement (AKA) protocol, which provides authentication and encryption between cellular phones and networks. Threat actors can have the ability to abuse IMSI-catchers to act as “fake” mobile towers, target the AKA vulnerability, downgrade it to a weaker state, and enable phones to be intercepted and tracked. Man-in-the-Middle (MITM) attacks, and privacy and security concerns related to this vulnerability likely affect the 3G, 4G, and the upcoming 5G protocols; however, fixes for 3G and 4G are underway, and those for 5G are expected to be available by the end of 2019. The NJCCIC recommends patching systems as updates become available. More details on the impact of this AKA vulnerability can be found on the ZDNet blog post here and the research paper here.