Data Centre


4G LTE pried open to reveal a slew of new protocol-level attacks

User location spoofing? Check. Fake emergency alerts? Check. Plenty more nasties, too

By Richard Chirgwin


A group of American university researchers have broken key 4G LTE protocols to generate fake messages, snoop on users, and forge user location data.

Those working on the coming 5G protocols should take note: the vulnerabilities are most worrying because they're written into the LTE protocols, and could therefore have an industry-wide impact.

Identified by Purdue University's Syed Rafiul Hussain, Shagufta Mehnaz and Elisa Bertino with the University of Iowa's Omar Chowdhury, the protocol procedures affected are:

The researchers' paper (PDF) describes an attack tool called LTEInspector, which the researchers said found exploitable vulnerabilities that resulted in "10 new attacks and nine prior attacks” (detecting old vulnerabilities helped the researchers validate that the new vulns were genuine).

The worst of these was an authentication relay attack, which the paper said “enables an adversary to connect to the core networks – without possessing any legitimate credentials – while impersonating a victim cellular device”.

Every LTE call, text, can be intercepted, blacked out, hacker finds


The network would record a user in (for example) London when they were in Paris, providing a way to set up a false alibi or undermine a criminal investigation with fake evidence, the researchers wrote.

Worryingly, the paper expresses scepticism about fixes: “retrospectively adding security into an existing protocol without breaking backward compatibility often yields band-aid-like-solutions which do not hold up under extreme scrutiny”, it states.

The protocol attacks

Attacks against the attach procedure included forging attach_request messages from a malicious device to block the victim's phone from attaching (“authentication synchronisation failure attack”); tracking a user through a malicious node (a “traceability attack” using the security_mode_command instruction); and another service disruption attack that works by injecting malicious control plane commands, also using a malicious node such as a Stingray.

Simplicity itself: the researchers' authentication synchronisation attack

All of the paging protocol attacks need a malicious node. With that, an attacker can hijack the paging channel to disrupt victim's services, including what the authors call a “Panic Attack”, consisting of fake emergency warnings.

The paging channel could also be attacked to drain a victim's battery, by forcing the target device to repeatedly re-attach to the network (the attach procedure, the paper noted, is cryptographically-expensive).

As with paging attacks, the attacks against the detach protocol also need the victim to connect to a malicious node.

Simply issuing a detach_request against the victim would degrade their service, the paper said.

The attacks the researchers discovered can also be chained, which is how they developed the authentication relay attack.

The adversary: LTEInspector

The technology the team developed for the attacks is called LTEInspector, which they describe as a “lazy” (it's only called on-demand) combination of symbolic model checker and cryptographic protocol verifier.

LTEInspector architecture

LTEInspector examines the order of events and actions; cryptographically-protected messages and constructs; and other “rich constraints” such as linear integer arithmetic constraints.

From this, they wrote, “the set of properties that LTEInspector aims to check include authenticity (e.g., disallowing impersonation), availability (e.g., preventing service denial), integrity (e.g., restricting unauthorized billing), and secrecy of user’s sensitive information (e.g., preventing activity profiling)”. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Stingray phone stalker tech used near White House, SS7 abused to steal US citizens' data – just Friday things

Second worst stingray in history (RIP Steve Irwin)

White House calls its own China tech cash-inject ban 'fake news'

Chip slinger stocks dip as US investment crackdown turns out to be completely true

Hey, you know what a popular medical record system doesn't need? 23 security vulnerabilities

Get patching after team gets under the skin of OpenEMR

White House plan to nuke social security numbers is backed by Equifax's ex-top boss

We meant it, nothing matters any more. Nothing at all

US-China trade war is back on: White House repeats threat to tax Middle Kingdom imports


2FA? We've heard of it: White hats weirded out by lack of account security in enterprise

Plus: Appetite for internal pen-testing appears to be growing

White-box security webcam scatters vulnerabilities through multiple OEMs

Hands up anyone who tests what they stick their labels on. Anyone? We thought not

Schadenfreude for UK mobile networks over the tumult at Carphone

Analysis That's what you get for selling unlocked phones

White House sicko sent down for 20 years after sexting underage girls

No, not who you're thinking of. Sad!

Don't fear 1337 exploits. Sloppy mobile, phishing defenses a much bigger corp IT security threat

AppSec EU DARPA-funded white hat emits timeless advice