Adoption of fourth-generation Long Term Evolution (4G LTE) — the de facto standard for cellular telecommunication — has seen stable growth, replacing prior generations on the promise of improved assurances, but the technology has security issues.
A group of researchers has uncovered ten new attacks against the 4G LTE wireless data communications technology for mobile devices and data terminals.
The attacks exploit design flaws in the communications protocol and unsafe practices employed by the stakeholders, and can be used to impersonate existing users, spoof the location of a victim device, deliver fake emergency and warning messages, and eavesdrop on SMS communications.
The researchers – Syed Rafiul Hussain, Shagufta Mehnaz and Elisa Bertino from Purdue University, and Omar Chowdhury from the University of Iowa – used a systematic model-based adversarial testing approach to expose the vulnerabilities in 4G LTE’s critical procedures, such as attach, paging, and detach.
Among the uncovered attacks, they consider one particularly worrying: an authentication relay attack that allows an adversary to impersonate an existing user (mobile phone) without possessing any legitimate credentials.
“Through this attack the adversary can poison the location of the victim device in the core networks, thus allowing setting up a false alibi or planting fake evidence during a criminal investigation,” they said in a paper on the subject.
“Other notable attacks reported in this paper enable an adversary to obtain user’s coarse-grained location information and also mount denial of service (DoS) attacks. In particular, using LTEInspector, we obtained the intuition of an attack which enables an adversary to possibly hijack a cellular device’s paging channel with which it can not only stop notifications (e.g., call, SMS) to reach the device but also can inject fabricated messages resulting in multiple implications including energy depletion and activity profiling.”
To confirm that these attacks pose real threats, they validated eight of them through experimentation in a real-world scenario.
In the paper, they describe a setup consisting of:
• Malicious eNodeB base stations, using a Universal Software-defined Radio Peripheral device and an open source LTE protocol stack implementation
• Malicious UEs (mobile phones)
• Victim UEs
• A low-cost, real-time LTE channel decoder
The highest amount spent on a particular setup was $3900, and that’s within reach for attackers.
There are possible defenses against these attacks, but the researchers refrained from offering any ideas.
“We deliberately do not discuss defenses for the observed attacks as retrospectively adding security into an existing protocol without breaking backward compatibility often yields band-aid-like-solutions which do not hold up under extreme scrutiny,” they said.
4G LTE is set to be supplanted by 5G technology, but a complete switch won’t happen for years. These vulnerabilities can become a big problem in the interim.