Every LTE call, text, can be intercepted, blacked out, hacker finds

Emergency fail over provisions abused


Ruxcon Hacker Wanqiao Zhang of Chinese security house Qihoo 360 has blown holes in 4G LTE networks by detailing how to intercept and make calls, send text messages and even force phones offline.

The still-live vulnerabilities were documented and discussed at the Ruxcon hacking confab in Melbourne, Australia, this weekend, including a demonstration of recording a call on a live network. To do this, an attacker must exploit fall-back mechanisms designed to ensure continuity of phone services in the event of overloads.

The team tested their work against Frequency Division Duplexing (FDD) LTE networks, which are more popular than Time Division Duplexing (TDD) LTE and are used in Britain, the US, and Australia. The competing TDD-LTE design is more common in Asian countries and in regions where population densities are higher.

Zhang conducted further tests after The Register inquired whether the attacks would work against TDD-LTE and found all LTE networks and devices are affected.

"I asked my colleagues to test TDD-LTE yesterday and it works well, so it really can work against all LTE devices," Zhang said. "This attack exists [and] it's still reasonable."

To exploit the LTE network, an attacker exchanges a series of messages between malicious base stations and targeted phones. This results in miscreants gaining a man-in-the-middle position from where they can listen to calls or read SMS, or force phones back to 2G GSM mode where any voice and basic data services can be intercepted.

LTE attack flow.

From the presentation ... An LTE attack flow

Zhang said the attacks are possible because LTE networks allow users to be handed over to underused base stations to ensure connectivity during big emergencies such as natural disasters.

“You can create a denial of service attack against cellphones by forcing phones into fake networks with no services,” Zhang told the conference.

“You can make malicious calls and SMS and … eavesdrop on all voice and data traffic.”

The 3GPP telco body that oversees LTE standards has known about the security shortcomings since at least 2006 when it issued a document describing Zhang’s forced handover attack, and accepts it as a risk. The 3GPP’s SA WG3 working group which handles security of LTE and other networks proposed in a May meeting that it would refuse-one-way authentication and drop encryption downgrade requests from base stations.

Three of the fail-over emergency features can be abused for specific attacks, Zhang says; global roaming features allow IMSI capture, battery energy saving for denial of service, and load balancing for redirection.

Zhang uses Ravishankar Borgaonkar, and Altaf Shaik’s IMSI catcher with a femtocell to pull off the over-the-air meddling. A series of radio resource control protocol messages using the international mobile subscriber identity (IMSI) numbers captured in the IMSI catcher can be used to trigger a denial of service, place calls and send texts, or intercept communications.

Zhang modified code from the alpha-grade open-source Open LTE project to track network availability updates in the area, which is critical to successfully pulling off the attacks.

She says phone manufacturers should ignore base station redirection commands and instead use automatic searchers to find the best available. This would prevent attackers from forcing LTE devices to connect to malicious stations.

A warning message about security risks could suffice as a cheaper and less effective fix. ®


Keep Reading

Tech Resources

The State of Application Security 2020

Forrester analyzed the state of application security in 2020 and found over 75% of external attacks are attributed to web application and software exploits.

How backup modernization changes the ransomware game

If the thrill of backing up your data and wondering if you will ever see it again has worn off, start the new year by getting rid of the lingering pain of legacy backup. Bipul Sinha, CEO of the Cloud Data Management Company, Rubrik, and Miguel Zatarain, Director of Global Infrastructure Technology at PACCAR, Fortune 500 manufacturer of trucks and Rubrik customer, are talking to the Reg’s Tim Phillips about how to eliminate the costly, slow and spotty performance of legacy backup, and how to modernize your implementation in 2021 to make your business more resilient.

Webcast Slide Deck | Three reasons you need a hybrid multicloud

Businesses need their IT teams to operate applications and data in a hybrid environment spanning on-premises private and public clouds. But this poses many challenges, such as managing complex networking, re-architecting applications for the cloud, and managing multiple infrastructure silos. There is a pressing need for a single platform that addresses these challenges - a hybrid multicloud built for the digital innovation era. Just this Regcast to find out: Why hybrid multicloud is the ideal path to accelerate cloud migration.

Anatomy of a Private Cloud

Learn the key elements that combined, build a true Private Cloud

Biting the hand that feeds IT © 1998–2021