New LTE attacks open users to eavesdropping, fake messages, location spoofing

A group of researchers has uncovered ten new attacks against the 4G LTE wireless data communications technology for mobile devices and data terminals.

LTE attacks

The attacks exploit design flaws in the communications protocol and unsafe practices employed by the stakeholders and can be used to achieve things like impersonating existing users, spoofing the location of the victim device, delivering fake emergency and warning messages, eavesdropping on SMS communications, and more.

The attacks

The researchers – Syed Rafiul Hussain, Shagufta Mehnaz and Elisa Bertino from Purdue University, and Omar Chowdhury from the University of Iowa – have employed a systematic model-based adversarial testing approach to expose the vulnerabilities in 4G LTE’s critical procedures (most notably attach, paging, and detach procedures).

LTE attacks

Among the uncovered attacks they consider one particularly worrying: an authentication relay attack that allows an adversary to impersonate an existing user (mobile phone) without possessing any legitimate credentials.

“Through this attack the adversary can poison the location of the victim device in the core networks, thus allowing setting up a false alibi or planting fake evidence during a criminal investigation,” they pointed out.

“Other notable attacks reported in this paper enable an adversary to obtain user’s coarse-grained location information and also mount denial of service (DoS) attacks. In particular, using LTEInspector, we obtained the intuition of an attack which enables an adversary to possibly hijack a cellular device’s paging channel with which it can not only stop notifications (e.g., call, SMS) to reach the device but also can inject fabricated messages resulting in multiple implications including energy depletion and activity profiling.”

To ensure that these attacks they found are realizable in practice and pose actual threats, they have validated eight of them through experimentation in a real-world scenario (a custom-built LTE network or commercial networks with a logical Faraday cage).

In the paper they explain how they set up malicious:

  • eNodeB base stations by using a Universal Software-defined Radio Peripheral device and an open source LTE protocol stack implementation
  • Malicious UEs (mobile phones)
  • Victim EUs, and
  • A low-cost, real-time LTE channel decoder.

The highest amount spent on a particular setup was $3900, and that’s within reach for many adversaries.

Defenses against the attacks

There are possible defenses against these attacks, but the researchers refrained from offering any ideas.

“We deliberately do not discuss defenses for the observed attacks as retrospectively adding security into an existing protocol without breaking backward compatibility often yields band-aid-like-solutions which do not hold up under extreme scrutiny,” they noted.

“It is also not clear, especially, for the authentication relay attack whether a defense exists that does not require major infrastructural or protocol overhaul. A possibility is to employ a distance-bounding protocol; realization of such protocol is, however, rare in practice.”

4G LTE is set to be supplanted by 5G technology, but a complete switch won’t happen for many years. These vulnerabilities can become a big problem in the interim.