A recent vulnerability in the MAC layer protocols in wireless networks has opened a Pandora’s Box for further intensive 5G research

A recent vulnerability called SPARROW (CVD-2021-0045) has been disclosed in GSMA Mobile Security website Coordinated Vulnerability Disclosure program, whereby malicious actors can take advantage of MAC layer protocols in LTE and 5G to enable long-range communication using other people’s networks.

This vulnerability has unauthorized devices to anonymously exchange short messages over a service provider’s infrastructure. While this is not particularly impactful in Wi-Fi networks, it does become an important concern as cell coverage expands beyond a single room to larger distances.

SPARROW exploits elements of initial messages establishing their links—before the unauthorized user can be authenticated with the network. As a result, an anonymous and unauthorized user can take advantage of a base station’s broadcast signals to relay messages to another anonymous user within a cell coverage area.

Compared to known covert communication techniques, SPARROW does not cause interference by directly accessing physical spectrum (L1) or using other layers of the network protocol stack (L3-L7).

Hatching the SPARROW

The scenario of data exfiltration is a frequent research topic in cybersecurity. It is where malicious actors create covert communication schemes to leak sensitive information from compromised systems. So far, the best-known techniques exploit internet applications and network protocols, and the security industry has developed preventive measures to block it.

However, since commercial wireless signals are available virtually everywhere, exploiting them for data exfiltration can circumvent all existing preventive measures. So… what if one exploits the MAC layer protocol of the commercial wireless access infrastructure for low-cost and power-efficient covert communication?”

There is hardly any literature on exploiting wireless MAC layer (L2) protocols for covert communication. This can be attributed to different interpretations of covert communication across the research community, who have generally focused their efforts to techniques exploiting protocols L3 to L7.

In the context of wireless security, covert communication commonly refers to covert broadcasts using L1 radio signals. This includes L1 pirating radios that can exploit spectrum licensed to commercial networks.  But what about L2? The familiar 3GPP standard was the first research target. By February 2020, a vulnerability in the 3GPP TS 36.321 standard that impacts both LTE and 5G networks was identified.

Keysight researchers dubbed the finding SPARROW. In a proof-of-concept scenario, together with an engineering team in Milan, Italy, SPARROW was born in December 2020.

Rich array of threats

Here is why SPARROW is a real danger to critical facilities protected against other means of covert communication:

• Maximum anonymity: SPARROW devices do not authenticate with the host network while operating. This eliminates their exposure to network security and lawful intercept systems as well as spectrum scanners. Utilizing limited resources, they cause minimal impact on the host network services.
• More miles per watt: SPARROW devices can be several miles apart exploiting broadcast power of base stations or non-terrestrial technologies. The range can be further extended by deploying several of them in a geographically sparse mesh network.
• Low power and low complexity: SPARROW devices can utilize existing protocol implementation libraries installed on commodity software-defined radios. They can operate on batteries or harvest energy from the environment for long durations, just like real sparrows.
• Notable exploitation scenarios include:
• Wireless data exfiltration: SPARROW devices (possibly as small as a dongle) can be an effective alternative to known network data exfiltration techniques.
• Command & Control: They can anonymously communicate with remote malicious IoT devices to trigger unwelcome events using the commercial communication infrastructure.
• Clandestine operations: Agents can communicate with SPARROW-enabled devices in hostile areas without broadcasting noticeable signals or directly accessing the incumbent networks.

Now that SPARROW has been discovered after such a long period of gestation, protocol specification drafters need to consider replay and broadcast abuses in the design phase.

Insecure messages in wireless MAC protocols can be exploited for covert communication between low-cost user devices with malicious intent. Organizations using vulnerable wireless networks should keep an eye on the SPARROW when evaluating their security posture.

Researchers are encouraged to examine other early-stage MAC protocols for other means of leveraging covert communications that bypass traffic inspection devices.