Every LTE call, text, can be intercepted, blacked out, hacker finds

Emergency fail over provisions abused

Ruxcon Hacker Wanqiao Zhang of Chinese security house Qihoo 360 has blown holes in 4G LTE networks by detailing how to intercept and make calls, send text messages and even force phones offline.

The still-live vulnerabilities were documented and discussed at the Ruxcon hacking confab in Melbourne, Australia, this weekend, including a demonstration of recording a call on a live network. To do this, an attacker must exploit fall-back mechanisms designed to ensure continuity of phone services in the event of overloads.

The team tested their work against Frequency Division Duplexing (FDD) LTE networks, which are more popular than Time Division Duplexing (TDD) LTE and are used in Britain, the US, and Australia. The competing TDD-LTE design is more common in Asian countries and in regions where population densities are higher.

Zhang conducted further tests after The Register inquired whether the attacks would work against TDD-LTE and found all LTE networks and devices are affected.

"I asked my colleagues to test TDD-LTE yesterday and it works well, so it really can work against all LTE devices," Zhang said. "This attack exists [and] it's still reasonable."

To exploit the LTE network, an attacker exchanges a series of messages between malicious base stations and targeted phones. This results in miscreants gaining a man-in-the-middle position from where they can listen to calls or read SMS, or force phones back to 2G GSM mode where any voice and basic data services can be intercepted.

LTE attack flow.

From the presentation ... An LTE attack flow

Zhang said the attacks are possible because LTE networks allow users to be handed over to underused base stations to ensure connectivity during big emergencies such as natural disasters.

“You can create a denial of service attack against cellphones by forcing phones into fake networks with no services,” Zhang told the conference.

“You can make malicious calls and SMS and … eavesdrop on all voice and data traffic.”

The 3GPP telco body that oversees LTE standards has known about the security shortcomings since at least 2006 when it issued a document describing Zhang’s forced handover attack, and accepts it as a risk. The 3GPP’s SA WG3 working group which handles security of LTE and other networks proposed in a May meeting that it would refuse-one-way authentication and drop encryption downgrade requests from base stations.

Three of the fail-over emergency features can be abused for specific attacks, Zhang says; global roaming features allow IMSI capture, battery energy saving for denial of service, and load balancing for redirection.

Zhang uses Ravishankar Borgaonkar, and Altaf Shaik’s IMSI catcher with a femtocell to pull off the over-the-air meddling. A series of radio resource control protocol messages using the international mobile subscriber identity (IMSI) numbers captured in the IMSI catcher can be used to trigger a denial of service, place calls and send texts, or intercept communications.

Zhang modified code from the alpha-grade open-source Open LTE project to track network availability updates in the area, which is critical to successfully pulling off the attacks.

She says phone manufacturers should ignore base station redirection commands and instead use automatic searchers to find the best available. This would prevent attackers from forcing LTE devices to connect to malicious stations.

A warning message about security risks could suffice as a cheaper and less effective fix. ®

Similar topics

Broader topics

Other stories you might like

  • Cheers ransomware hits VMware ESXi systems
    Now we can say extortionware has jumped the shark

    Another ransomware strain is targeting VMware ESXi servers, which have been the focus of extortionists and other miscreants in recent months.

    ESXi, a bare-metal hypervisor used by a broad range of organizations throughout the world, has become the target of such ransomware families as LockBit, Hive, and RansomEXX. The ubiquitous use of the technology, and the size of some companies that use it has made it an efficient way for crooks to infect large numbers of virtualized systems and connected devices and equipment, according to researchers with Trend Micro.

    "ESXi is widely used in enterprise settings for server virtualization," Trend Micro noted in a write-up this week. "It is therefore a popular target for ransomware attacks … Compromising ESXi servers has been a scheme used by some notorious cybercriminal groups because it is a means to swiftly spread the ransomware to many devices."

    Continue reading
  • Twitter founder Dorsey beats hasty retweet from the board
    We'll see you around the Block

    Twitter has officially entered the post-Dorsey age: its founder and two-time CEO's board term expired Wednesday, marking the first time the social media company hasn't had him around in some capacity.

    Jack Dorsey announced his resignation as Twitter chief exec in November 2021, and passed the baton to Parag Agrawal while remaining on the board. Now that board term has ended, and Dorsey has stepped down as expected. Agrawal has taken Dorsey's board seat; Salesforce co-CEO Bret Taylor has assumed the role of Twitter's board chair. 

    In his resignation announcement, Dorsey – who co-founded and is CEO of Block (formerly Square) – said having founders leading the companies they created can be severely limiting for an organization and can serve as a single point of failure. "I believe it's critical a company can stand on its own, free of its founder's influence or direction," Dorsey said. He didn't respond to a request for further comment today. 

    Continue reading
  • Snowflake stock drops as some top customers cut usage
    You might say its valuation is melting away

    IPO darling Snowflake's share price took a beating in an already bearish market for tech stocks after filing weaker than expected financial guidance amid a slowdown in orders from some of its largest customers.

    For its first quarter of fiscal 2023, ended April 30, Snowflake's revenue grew 85 percent year-on-year to $422.4 million. The company made an operating loss of $188.8 million, albeit down from $205.6 million a year ago.

    Although surpassing revenue expectations, the cloud-based data warehousing business saw its valuation tumble 16 percent in extended trading on Wednesday. Its stock price dived from $133 apiece to $117 in after-hours trading, and today is cruising back at $127. That stumble arrived amid a general tech stock sell-off some observers said was overdue.

    Continue reading

Biting the hand that feeds IT © 1998–2022