Researchers at Purdue University and the University of Iowa, USA, have managed to break key 4G LTE protocols in ways that allow generating fraudulent messages, spying on users and modifying user location data. Researchers Syed Rafiul Hussain, Shagufta Mehnaz and Elisa Bertino from Purdue University and Omar Chowdhury from the University of Iowa collaborated to identify vulnerabilities in 4G LTE protocols. They believe the identified flaws are quite concerning, as they are written directly into the LTE protocols and can therefore have a widespread impact on the tech industry.
As per the findings of the researchers [PDF], the 4G LTE protocol is a combination of various critical procedures, each of which needs an intensive security and privacy analysis. The affected procedures include the Attach procedure, which lets a subscriber's device associate with the network; the Detach procedure, which allows the device to disconnect from the network when it is switched off; and the Paging protocol, which forces the device to reacquire system information and is also used in emergency warning applications.
The researchers developed a tool called LTEInspector to ‘lazily scan’ for and detect vulnerabilities in the 4G LTE protocol. The tool found exploitable vulnerabilities in this common wireless telecommunications standard that could help attackers launch ten new kinds of attacks and nine previously known ones.
“The set of properties that LTEInspector aims to check include authenticity (e.g., disallowing impersonation), availability (e.g., preventing service denial), integrity (e.g., restricting unauthorized billing), and secrecy of user’s sensitive information (e.g., preventing activity profiling),” explained researchers.
The Purdue and Iowa University researchers state that the security of 4G LTE networks is based on obscurity, and that most implementations are proprietary “black boxes”, which makes in-depth security evaluation difficult. Given the broad range of sub-components that need to be configured and the requirement to handle devices configured for another carrier, LTE implementations are quite complex, and there is little to no transparency in network security.
The findings were publicly disclosed in a paper published last month [PDF]. The new attacks include an authentication relay attack that lets an attacker connect to an LTE network by impersonating another device's identity and location, without needing to present legitimate credentials. The researchers describe this as the worst of all the attacks. Moreover, an attacker can easily change the victim's device location in the core network, which could be used to set up a false alibi or to plant fake evidence if a criminal investigation is underway.
Furthermore, an attacker can perform a variety of actions such as tracking the device's location, intercepting phone calls and text messages, and injecting false emergency alerts to create what the researchers refer to as an “artificial emergency.”
The paper describes how LTEInspector works, and the researchers suggest that developing sufficient defensive measures is difficult without overhauling the 4G LTE infrastructure.
Researchers noted: “We deliberately do not discuss defenses for the observed attacks as retrospectively adding security into an existing protocol without breaking backward compatibility often yields band-aid-like-solutions which do not hold up under extreme scrutiny.”
Remember, an example of a fake or faulty emergency alert is January 2017's Hawaii false missile alert, sent by a troubled worker who thought an attack was imminent. The vulnerability is therefore critical and is being taken seriously by the concerned authorities.