4G LTE pried open to reveal a slew of new protocol-level attacks

User location spoofing? Check. Fake emergency alerts? Check. Plenty more nasties, too

By Richard Chirgwin


A group of American university researchers have found flaws in key 4G LTE protocol procedures that let an attacker forge network messages, snoop on users, and falsify a user's recorded location.

Those working on the coming 5G protocols should take note: the vulnerabilities are most worrying because they stem from the LTE protocol design itself rather than from any single vendor's implementation, and could therefore have an industry-wide impact.

Identified by Purdue University's Syed Rafiul Hussain, Shagufta Mehnaz and Elisa Bertino with the University of Iowa's Omar Chowdhury, the flaws affect three protocol procedures: attach, paging and detach.

The researchers' paper (PDF) describes a protocol-analysis tool called LTEInspector, which they said found exploitable vulnerabilities behind “10 new attacks and nine prior attacks” (rediscovering the already-known attacks helped validate the tool, and by extension its new findings).

The worst of these was an authentication relay attack, which the paper said “enables an adversary to connect to the core networks – without possessing any legitimate credentials – while impersonating a victim cellular device”.

Because the network would then record the victim as being in (for example) London while they were actually in Paris, the attack provides a way to set up a false alibi or to undermine a criminal investigation with fake evidence, the researchers wrote.

Worryingly, the paper expresses scepticism about fixes: “retrospectively adding security into an existing protocol without breaking backward compatibility often yields band-aid-like-solutions which do not hold up under extreme scrutiny”, it states.

The protocol attacks

Attacks against the attach procedure included:

forging attach_request messages from a malicious device to block the victim's phone from attaching (the “authentication synchronisation failure attack”);

tracking a user through a malicious node (a “traceability attack” that abuses the security_mode_command message); and

another service-disruption attack that injects malicious control-plane commands, again from a malicious node (a rogue base station such as a Stingray).

Simplicity itself: the researchers' authentication synchronisation attack
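To make the synchronisation failure concrete, here is a small added model of the sequence-number check in LTE's AKA authentication; it is illustrative code written for this page, not code from the paper or from LTEInspector. The mechanism it models follows the paper's description of the attack: an attach_request is sent in the clear and is not authenticated, so anyone who knows the victim's IMSI can make the HSS issue authentication vectors and advance its sequence counter (SQN_HE) while the victim's own counter (SQN_MS) stands still, until the victim's genuine attach fails the freshness check. The window size, the message names and the IMSI are simplifications and constructed values, not figures from the page.

```python
"""Toy model of the LTE AKA sequence-number check, used to illustrate the
authentication synchronisation failure attack. Added example: not code
from the paper or from LTEInspector. Message and field names are
simplified stand-ins for the 3GPP ones."""
from dataclasses import dataclass, field

# Assumed: how far ahead of the UE's counter the network's SQN may be before
# the UE rejects it. 3GPP uses a far larger default; a small value keeps the
# demonstration short without changing the mechanism.
SQN_WINDOW = 4


@dataclass
class HSS:
    """Home subscriber server: holds SQN_HE per subscriber."""
    sqn_he: dict = field(default_factory=dict)

    def auth_vector(self, imsi: str) -> dict:
        """Issue an authentication vector for `imsi` and advance SQN_HE.

        attach_request is sent in the clear and is not authenticated, so the
        HSS cannot tell the real subscriber from anyone who learned the IMSI.
        """
        sqn = self.sqn_he.get(imsi, 0) + 1
        self.sqn_he[imsi] = sqn
        return {"imsi": imsi, "sqn": sqn}  # stands in for RAND/AUTN


@dataclass
class UE:
    """User equipment: holds its own counter SQN_MS."""
    imsi: str
    sqn_ms: int = 0

    def check_auth(self, vector: dict) -> str:
        """UE side of AKA: accept SQN only if it is fresh and within the
        window, otherwise report a synchronisation failure (AUTS in 3GPP)."""
        sqn = vector["sqn"]
        if sqn <= self.sqn_ms or sqn - self.sqn_ms > SQN_WINDOW:
            return "sync_failure"
        self.sqn_ms = sqn
        return "auth_response"


def honest_attach(ue: UE, hss: HSS) -> str:
    """The victim's own attach: request a vector, then verify it."""
    return ue.check_auth(hss.auth_vector(ue.imsi))


def forged_attach(hss: HSS, victim_imsi: str) -> None:
    """Adversary's attach_request carrying the victim's IMSI. The HSS issues
    a vector and advances SQN_HE; the adversary, lacking the key, just drops
    the challenge. The victim's SQN_MS does not move."""
    hss.auth_vector(victim_imsi)


def run_scenario(forged_requests: int) -> tuple:
    """Honest attach, then `forged_requests` forged ones, then another honest
    attach. Returns the outcome of the two honest attempts."""
    hss = HSS()
    victim = UE("001010123456789")  # constructed test-PLMN IMSI
    first = honest_attach(victim, hss)
    for _ in range(forged_requests):
        forged_attach(hss, victim.imsi)
    return first, honest_attach(victim, hss)


def forged_requests_needed() -> int:
    """Smallest number of forged attach_requests that makes the victim's next
    honest attach fail."""
    n = 0
    while run_scenario(n)[1] == "auth_response":
        n += 1
    return n


if __name__ == "__main__":
    for n in (0, SQN_WINDOW - 1, SQN_WINDOW):
        print(f"{n} forged attach_request(s): {run_scenario(n)}")
    print("forged requests needed to block the victim:", forged_requests_needed())
```

With the assumed window of 4, four forged requests are enough to turn the victim's next attach into a sync_failure. A production HSS accepts a much wider gap, so an attacker needs correspondingly more forged requests, but each one is an unauthenticated attach_request and costs nothing to send; the point the model makes is that nothing in the procedure ties the request to the holder of the subscriber key. The model stops at the first failure; the standard's resynchronisation step, which the attacker can simply trigger again, is left out for brevity.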

All of the paging attacks need a malicious node. With one in place, an attacker can hijack the paging channel to disrupt the victim's services, including what the authors call a “Panic Attack”: broadcasting fake emergency warnings.

The paging channel could also be abused to drain a victim's battery, by forcing the target device to repeatedly re-attach to the network (the attach procedure, the paper noted, is cryptographically expensive).

As with paging attacks, the attacks against the detach protocol also need the victim to connect to a malicious node.

Simply issuing a forged detach_request in the victim's name would degrade their service, the paper said.

The attacks the researchers discovered can also be chained, which is how they developed the authentication relay attack.

The analysis tool: LTEInspector

The tool the team built to find the attacks is called LTEInspector, which they describe as a “lazy” combination of a symbolic model checker and a cryptographic protocol verifier: the model checker does the bulk of the exploration, and the protocol verifier is invoked only on demand, to check the candidate attacks the model checker turns up.

LTEInspector architecture

LTEInspector examines the order of events and actions; cryptographically-protected messages and constructs; and other “rich constraints” such as linear integer arithmetic constraints.

From this, they wrote, “the set of properties that LTEInspector aims to check include authenticity (e.g., disallowing impersonation), availability (e.g., preventing service denial), integrity (e.g., restricting unauthorized billing), and secrecy of user’s sensitive information (e.g., preventing activity profiling)”. ®
