4G LTE pried open to reveal a slew of new protocol-level attacks

User location spoofing? Check. Fake emergency alerts? Check. Plenty more nasties, too

By Richard Chirgwin


A group of American university researchers have broken key 4G LTE protocols to generate fake messages, snoop on users, and forge user location data.

Those working on the coming 5G protocols should take note: the vulnerabilities are most worrying because they're written into the LTE protocols, and could therefore have an industry-wide impact.

Identified by Purdue University's Syed Rafiul Hussain, Shagufta Mehnaz and Elisa Bertino with the University of Iowa's Omar Chowdhury, the protocol procedures affected are attach, paging and detach.

The researchers' paper (PDF) describes an attack tool called LTEInspector, which the researchers said found exploitable vulnerabilities that resulted in “10 new attacks and nine prior attacks” (detecting old vulnerabilities helped the researchers validate that the new vulns were genuine).

The worst of these was an authentication relay attack, which the paper said “enables an adversary to connect to the core networks – without possessing any legitimate credentials – while impersonating a victim cellular device”.


The network would record a user in (for example) London when they were in Paris, providing a way to set up a false alibi or undermine a criminal investigation with fake evidence, the researchers wrote.

Worryingly, the paper expresses scepticism about fixes: “retrospectively adding security into an existing protocol without breaking backward compatibility often yields band-aid-like-solutions which do not hold up under extreme scrutiny”, it states.

The protocol attacks

Attacks against the attach procedure included forging attach_request messages from a malicious device to block the victim's phone from attaching (“authentication synchronisation failure attack”); tracking a user through a malicious node (a “traceability attack” using the security_mode_command instruction); and another service disruption attack that works by injecting malicious control plane commands, also using a malicious node such as a Stingray.

Simplicity itself: the researchers' authentication synchronisation attack

All of the paging protocol attacks need a malicious node. With that, an attacker can hijack the paging channel to disrupt the victim's services, including what the authors call a “Panic Attack”, consisting of fake emergency warnings.

The paging channel could also be attacked to drain a victim's battery, by forcing the target device to repeatedly re-attach to the network (the attach procedure, the paper noted, is cryptographically expensive).

As with paging attacks, the attacks against the detach protocol also need the victim to connect to a malicious node.

Simply issuing a detach_request against the victim would degrade their service, the paper said.

The attacks the researchers discovered can also be chained, which is how they developed the authentication relay attack.

The adversary: LTEInspector

The technology the team developed for the attacks is called LTEInspector, which they describe as a “lazy” (invoked only on demand) combination of a symbolic model checker and a cryptographic protocol verifier.

LTEInspector architecture

LTEInspector examines the order of events and actions; cryptographically-protected messages and constructs; and other “rich constraints” such as linear integer arithmetic constraints.

From this, they wrote, “the set of properties that LTEInspector aims to check include authenticity (e.g., disallowing impersonation), availability (e.g., preventing service denial), integrity (e.g., restricting unauthorized billing), and secrecy of user’s sensitive information (e.g., preventing activity profiling)”. ®
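To make the model-checking idea concrete, here is an added toy example (it is not LTEInspector, nor code from the paper or the article). It models a deliberately tiny two-state version of the detach exchange described above, in which an adversary can inject a detach_request but cannot compute a valid integrity tag, then exhaustively explores every reachable state and checks one property: the UE may only end up detached if the legitimate network asked for it. The state names, event labels and the `integrity_required` switch are all constructed for the illustration; the point is to show what a counterexample trace from a model checker looks like, and that the property holds once the UE discards unprotected control-plane messages.

```python
"""Toy explicit-state model checker for a simplified detach exchange.

Added illustration, not the LTEInspector tool. States, events and the
property are constructed for this example and are not taken from the paper.
"""
from collections import deque
from typing import Dict, Iterable, List, Optional, Tuple

# A state is (ue_state, network_sent_detach): what the UE believes, and
# whether the legitimate network ever sent a detach_request this session.
State = Tuple[str, bool]
Step = Tuple[str, State]  # (event label, successor state)


def successors(s: State, integrity_required: bool) -> Iterable[Step]:
    """Enumerate every possible next step, including adversary-injected ones."""
    ue, net_detach = s
    if ue == "ATTACHED":
        # The legitimate network tears the session down with a protected message.
        yield ("mme:detach_request[mac=valid]", ("DETACHED", True))
        # The adversary can inject a detach_request but holds no session key,
        # so it cannot attach a valid integrity tag.
        if integrity_required:
            yield ("adv:detach_request[mac=missing] -> dropped", s)
        else:
            yield ("adv:detach_request[mac=missing] -> accepted", ("DETACHED", net_detach))
    else:
        # The UE re-runs the attach procedure; a fresh session resets the flag.
        yield ("ue:attach_request", ("ATTACHED", False))


def detach_is_authentic(s: State) -> bool:
    """Property: if the UE is detached, the network must have requested it."""
    ue, net_detach = s
    return ue != "DETACHED" or net_detach


def check(integrity_required: bool) -> Optional[List[str]]:
    """Breadth-first exploration of all reachable states.

    Returns the shortest event trace that violates the property, or None
    when every reachable state satisfies it.
    """
    init: State = ("ATTACHED", False)
    parent: Dict[State, Optional[Tuple[State, str]]] = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if not detach_is_authentic(s):
            # Walk the parent links back to the initial state to build the trace.
            trace: List[str] = []
            cur = s
            while parent[cur] is not None:
                prev, label = parent[cur]
                trace.append(label)
                cur = prev
            return trace[::-1]
        for label, nxt in successors(s, integrity_required):
            if nxt not in parent:
                parent[nxt] = (s, label)
                queue.append(nxt)
    return None


if __name__ == "__main__":
    for required in (False, True):
        result = check(integrity_required=required)
        verdict = "holds" if result is None else f"violated by trace {result}"
        print(f"integrity_required={required}: property {verdict}")
```

Run as a script, the unprotected variant reports a one-step counterexample (the injected detach_request is accepted), while the variant that requires a valid integrity tag explores the same state space and finds no violation. A real checker such as the one the paper describes adds symbolic reasoning about keys, counters and arithmetic constraints on top of this basic reachability search, but the shape of the output, a concrete sequence of messages leading to a bad state, is the same.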
