4G LTE pried open to reveal a slew of new protocol-level attacks

User location spoofing? Check. Fake emergency alerts? Check. Plenty more nasties, too

By Richard Chirgwin

Posted in Networks, 5th March 2018 00:58 GMT

A group of American university researchers have broken key 4G LTE protocols to generate fake messages, snoop on users, and forge user location data.

Those working on the coming 5G protocols should take note: the vulnerabilities are most worrying because they're written into the LTE protocols, and could therefore have an industry-wide impact.

Identified by Purdue University's Syed Rafiul Hussain, Shagufta Mehnaz and Elisa Bertino with the University of Iowa's Omar Chowdhury, the affected protocol procedures are attach, detach and paging.

The researchers' paper (PDF) describes an analysis tool called LTEInspector, which they say uncovered exploitable vulnerabilities amounting to “10 new attacks and nine prior attacks” (rediscovering the already-known vulnerabilities helped the researchers validate that the new ones were genuine).

The worst of these was an authentication relay attack, which the paper said “enables an adversary to connect to the core networks – without possessing any legitimate credentials – while impersonating a victim cellular device”.

The network would record a user in (for example) London when they were in Paris, providing a way to set up a false alibi or undermine a criminal investigation with fake evidence, the researchers wrote.

Worryingly, the paper expresses scepticism about fixes: “retrospectively adding security into an existing protocol without breaking backward compatibility often yields band-aid-like-solutions which do not hold up under extreme scrutiny”, it states.

The protocol attacks

Attacks against the attach procedure included forging attach_request messages from a malicious device to block the victim's phone from attaching (“authentication synchronisation failure attack”); tracking a user through a malicious node (a “traceability attack” using the security_mode_command instruction); and another service disruption attack that works by injecting malicious control plane commands, also using a malicious node such as a Stingray.

Simplicity itself: the researchers' authentication synchronisation attack

All of the paging protocol attacks need a malicious node. With that, an attacker can hijack the paging channel to disrupt the victim's services, including what the authors call a “Panic Attack”, consisting of fake emergency warnings.

The paging channel could also be attacked to drain a victim's battery, by forcing the target device to repeatedly re-attach to the network (the attach procedure, the paper noted, is cryptographically-expensive).

As with paging attacks, the attacks against the detach protocol also need the victim to connect to a malicious node.

Simply issuing a detach_request against the victim would degrade their service, the paper said.

The attacks the researchers discovered can also be chained, which is how they developed the authentication relay attack.

The adversary: LTEInspector

The tool the team used to find the attacks is called LTEInspector, which they describe as a “lazy” combination of a symbolic model checker and a cryptographic protocol verifier: the model checker explores the protocol's abstract state machine, and the more expensive protocol verifier is invoked only on demand, to confirm the candidate attack traces the model checker turns up.

LTEInspector architecture

LTEInspector examines the order of events and actions; cryptographically-protected messages and constructs; and other “rich constraints” such as linear integer arithmetic constraints.
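As an added illustration of the kind of analysis just described (this is not LTEInspector's code, and the model is nowhere near a faithful 3GPP state machine), the following Python is a toy explicit-state model checker over a drastically simplified attach/detach state machine, with a malicious-node adversary that can inject messages on the air interface. It checks an availability property of the sort the paper lists, "a registered UE is never detached by anyone but itself", against two variants of the model: a weak UE that acts on an unprotected detach_request (the detach attack described above) and a hardened UE that only acts on a detach_request carrying a MAC under the NAS session key. All state names, message names, key labels and the single-step abstraction of authentication are assumptions made for the example, not taken from the paper.

```python
"""Toy explicit-state model checker for an abstract LTE attach/detach
protocol under an injecting adversary.  Added example: not LTEInspector
and not 3GPP-conformant; states, messages and keys are simplifications."""
from collections import deque

NAS_KEY = "k_nas"   # session key UE and MME share after attach (abstraction)
ADV_KEY = "k_adv"   # whatever key material the adversary has; never NAS_KEY

# Global state: (ue_state, mme_state, frozenset of messages on the wire).
# A wire message is (type, tag): tag is the key its MAC was computed with,
# or None for an unprotected message.
INIT = ("deregistered", "unknown", frozenset())


def ue_accepts(tag, require_integrity):
    """Does the UE act on a network message carrying integrity tag `tag`?"""
    if require_integrity:
        return tag == NAS_KEY                 # hardened: real session-key MAC only
    return tag is None or tag == NAS_KEY      # weak: unprotected NAS is acted on


def successors(state, require_integrity):
    """All (event_label, next_state) pairs for honest parties and adversary."""
    ue, mme, wire = state
    nxt = []
    # Honest UE starts an attach when it is not registered.
    if ue == "deregistered" and ("attach_request", None) not in wire:
        nxt.append(("ue: send attach_request",
                    (ue, mme, wire | {("attach_request", None)})))
    # Honest MME: AKA abstracted to one step; it registers the UE and answers
    # with an attach_accept protected under the session key.
    if ("attach_request", None) in wire and mme == "unknown":
        w = (wire - {("attach_request", None)}) | {("attach_accept", NAS_KEY)}
        nxt.append(("mme: attach_accept", (ue, "registered", w)))
    # UE completes the attach on a correctly protected accept.
    if ("attach_accept", NAS_KEY) in wire and ue == "deregistered":
        nxt.append(("ue: registered",
                    ("registered", mme, wire - {("attach_accept", NAS_KEY)})))
    # UE acts on any detach_request it is willing to accept.  The honest UE
    # never initiates detach in this model, so "detached" is adversary-caused.
    for msg in wire:
        if (msg[0] == "detach_request" and ue == "registered"
                and ue_accepts(msg[1], require_integrity)):
            nxt.append((f"ue: detach on {msg}", ("detached", mme, wire - {msg})))
    # Adversary (malicious eNodeB): injects the detach_requests it can build,
    # unprotected or MACed under its own key.  It cannot forge NAS_KEY MACs.
    for tag in (None, ADV_KEY):
        m = ("detach_request", tag)
        if m not in wire:
            nxt.append((f"adv: inject {m}", (ue, mme, wire | {m})))
    return nxt


def find_violation(require_integrity):
    """Breadth-first exploration of the reachable state space.  Returns the
    shortest event trace that leaves the UE detached, or None if no such
    state is reachable (the property holds for this model)."""
    parent = {INIT: None}
    queue = deque([INIT])
    while queue:
        s = queue.popleft()
        if s[0] == "detached":
            trace = []
            while parent[s] is not None:
                label, prev = parent[s]
                trace.append(label)
                s = prev
            return list(reversed(trace))
        for label, t in successors(s, require_integrity):
            if t not in parent:
                parent[t] = (label, s)
                queue.append(t)
    return None


if __name__ == "__main__":
    print("weak UE (no integrity check on detach):")
    for step in find_violation(require_integrity=False) or ["no violation"]:
        print("  ", step)
    print("hardened UE (detach must carry a NAS_KEY MAC):",
          find_violation(require_integrity=True))
```

The weak model yields a five-event counterexample (attach, accept, register, an adversary injection, then the UE detaching on the injected message), which is the shape of trace a model checker hands to a cryptographic verifier for confirmation; the hardened model, where the adversary cannot produce the session-key MAC, has no reachable violating state. Because the wire is a set and the state space is finite (three UE states, two MME states, four message kinds), the breadth-first search always terminates.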

From this, they wrote, “the set of properties that LTEInspector aims to check include authenticity (e.g., disallowing impersonation), availability (e.g., preventing service denial), integrity (e.g., restricting unauthorized billing), and secrecy of user’s sensitive information (e.g., preventing activity profiling)”. ®
