4G LTE pried open to reveal a slew of new protocol-level attacks

User location spoofing? Check. Fake emergency alerts? Check. Plenty more nasties, too

A group of American university researchers have broken key 4G LTE protocols to generate fake messages, snoop on users, and forge user location data.

Those working on the coming 5G protocols should take note: the vulnerabilities are most worrying because they're written into the LTE protocols, and could therefore have an industry-wide impact.

Identified by Purdue University's Syed Rafiul Hussain, Shagufta Mehnaz and Elisa Bertino with the University of Iowa's Omar Chowdhury, the protocol procedures affected are:

  • Attach – the procedure that associates a subscriber device with the network (for example, when you switch the phone on);
  • Detach – occurs when you switch your device off, or if the network disconnects from the device (for example because of poor signal quality, or because the phone can't authenticate to the network); and
  • Paging – this protocol is part of call setup, to force the device to re-acquire system information, and in emergency warning applications.

The researchers' paper (PDF) describes an attack tool called LTEInspector, which the researchers said found exploitable vulnerabilities that resulted in "10 new attacks and nine prior attacks” (detecting old vulnerabilities helped the researchers validate that the new vulns were genuine).

The worst of these was an authentication relay attack, which the paper said “enables an adversary to connect to the core networks – without possessing any legitimate credentials – while impersonating a victim cellular device”.

Wanqiao Zhang. Image: Darren Pauli, The Register.

Every LTE call, text, can be intercepted, blacked out, hacker finds

READ MORE

The network would record a user in (for example) London when they were in Paris, providing a way to set up a false alibi or undermine a criminal investigation with fake evidence, the researchers wrote.

Worryingly, the paper expresses scepticism about fixes: “retrospectively adding security into an existing protocol without breaking backward compatibility often yields band-aid-like-solutions which do not hold up under extreme scrutiny”, it states.

The protocol attacks

Attacks against the attach procedure included forging attach_request messages from a malicious device to block the victim's phone from attaching (“authentication synchronisation failure attack”); tracking a user through a malicious node (a “traceability attack” using the security_mode_command instruction); and another service disruption attack that works by injecting malicious control plane commands, also using a malicious node such as a Stingray.

Authentication synchronisation failure attack

Simplicity itself: the researchers' authentication synchronisation attack

All of the paging protocol attacks need a malicious node. With that, an attacker can hijack the paging channel to disrupt victim's services, including what the authors call a “Panic Attack”, consisting of fake emergency warnings.

The paging channel could also be attacked to drain a victim's battery, by forcing the target device to repeatedly re-attach to the network (the attach procedure, the paper noted, is cryptographically-expensive).

As with paging attacks, the attacks against the detach protocol also need the victim to connect to a malicious node.

Simply issuing a detach_request against the victim would degrade their service, the paper said.

The attacks the researchers discovered can also be chained, which is how they developed the authentication relay attack.

The adversary: LTEInspector

The technology the team developed for the attacks is called LTEInspector, which they describe as a “lazy” (it's only called on-demand) combination of symbolic model checker and cryptographic protocol verifier.

LTEInspector architecture

LTEInspector architecture

LTEInspector examines the order of events and actions; cryptographically-protected messages and constructs; and other “rich constraints” such as linear integer arithmetic constraints.

From this, they wrote, “the set of properties that LTEInspector aims to check include authenticity (e.g., disallowing impersonation), availability (e.g., preventing service denial), integrity (e.g., restricting unauthorized billing), and secrecy of user’s sensitive information (e.g., preventing activity profiling)”. ®

Sponsored: Minds Mastering Machines - Call for papers now open


Biting the hand that feeds IT © 1998–2018