There have been lots of reasons to be concerned about how easily someone with the right tools and knowledge could do very bad things with cellular communications networks. And while none of them have necessarily been to the level of some of the fictional stunts pulled off on television (see Mr. Robot), new research shows that things are even worse than they appear—and in many cases, that’s because of how carriers have implemented cellular standards.
As ZDNet’s Zack Whittaker reports, researchers at Purdue University and the University of Iowa conducting tests of 4G LTE networks have uncovered 10 new types of attacks. They made this discovery as part of their evaluation of a proof-of-concept 4G LTE penetration testing toolset, called LTEInspector. Combined with nine previously known attack methods that Syed Hussain, Omar Chowdhury, Shagufta Mehnaz, and Elisa Bertino also identified as still being usable against many carrier networks, the collection of exploits could be used to track device owners, eavesdrop on texts and other sensitive data, and even pose as them on cellular networks and spoof location and other data. An attacker could even spoof warning messages like those used by government agencies and weather services—such as the false missile warning sent out by a Hawaii government employee.
The security of 4G LTE networks is largely based on obscurity—many of the implementations are proprietary “black boxes,” as the Purdue and Iowa researchers put it, which makes performing true security evaluations difficult. And because of the large range of sub-components that must be configured, along with the need to be able to handle devices configured primarily for another carrier, there is a lot of slush in LTE implementations and not a lot of transparency about network security. Recent IEEE-published research found that implementations of the “control plane” for various LTE networks varied widely—problems found on one network didn’t occur on others.
And that variation is true of security as well. In one case, the Purdue and Iowa researchers found that a carrier didn’t encrypt “control plane” messages at all, meaning an attacker could even eavesdrop on SMS messages and other sensitive data. That flaw has since been fixed by the carrier.
While 4G LTE provides for a level of privacy for cellular customers through the use of ephemeral “subscriber identities” over the air, researchers at the Korea Advanced Institute of Science and Technology recently found that the Globally Unique Temporary Identifier (GUTI) issued by a majority of 4G LTE carriers was far from temporary. While carriers do change the GUTI for phones periodically, the KAIS researchers found that 19 of the 28 carriers they surveyed did so in a very predictable way—making it easy to predict not only when a new ID would be assigned, but also what most of the new GUTI would be, because much of it went unchanged.
“In our global-scale measurement analysis, we did not find a single carrier that implemented GUTI reallocation securely,” the KAIS researchers wrote. A similar problem exists in 3G GSM networks’ temporary subscriber IDs.
The exploits discovered by the Purdue/Iowa team go beyond simple location tracking. One exploit allows tracking of a target by just using a phone number, sending a phone call while simultaneously blocking call notification by hijacking the target’s paging network connection. Another attack allows a malicious device to pose as the target device through an “authentication relay” attack before sending its own location data and other messages to distort carrier location data logs.
The paging network, which also carries SMS and other messages, can be hijacked for other purposes: to send messages to the network posing as the target, to inject fake emergency alert messages, quietly kick the victim off the cellular network, or to conduct denial-of-service and power depletion attacks against the victim.
All of these tricks are on top of other well-known attacks currently leveraged by “IMSI catchers” such as the controversial Stingray hardware used by law enforcement agencies. And that’s not to mention the various location-tracking techniques that exploit smartphones’ Wi-Fi or chatty mobile applications.