LTE Security Flaws Exposed: Researchers Uncover New Attacks Against the Popular Network Protocol
- denisantonov648
- Aug 13, 2023
- 6 min read
The flaws were discovered using a semi-automated testing tool named LTEFuzz, which generates and sends test cases to a target network and then classifies problematic behavior by monitoring device-side logs. The results were confirmed against operational LTE networks.
Individual vulnerabilities in LTE control-plane procedures had been reported before, but the control-plane components as a whole had never been examined systematically, which led the researchers to investigate this area.
Researchers Uncover New Attacks Against LTE Network Protocol
For their testing, the researchers derived concrete security properties from the 3GPP specifications and used open-source LTE implementations to build the corresponding test cases; they also worked with carriers so that the attacks could be demonstrated against commercial networks. In total they uncovered 36 previously unknown design and implementation flaws spread across the carriers and device vendors tested.
An attacker can send invalid plaintext requests over an RRC connection while spoofing the victim device. The affected networks were found to accept such invalid messages, to de-register an existing connection on receipt of a message with an invalid MAC, and to accept replayed messages. In some cases the security context of the entire control plane and user (data) plane can be bypassed, the researchers say.
The resulting attacks target either the network (remote de-registration of the victim device, SMS phishing) or the victim device (an adversary close enough to the victim can force a handover to a rogue LTE base station), the researchers say.
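The replay and invalid-MAC behaviour described above is easiest to see in a small model of the receiving side. The following is an added example, not code from the page or from the LTEFuzz authors: it models the MME's handling of integrity-protected uplink NAS messages and contrasts the lenient handling observed in the field (a replayed message processed again, the registration torn down on a bad MAC) with the handling the specification intends (anything failing the integrity or replay check is silently discarded). HMAC-SHA256 truncated to 32 bits stands in for the 3GPP EIA integrity algorithms (real EIA2 is AES-CMAC), and the key, COUNT values and message bytes are constructed for the demo.

```python
"""Added example (not code from the page or from the LTEFuzz authors).
Models network-side handling of integrity-protected NAS messages so the
lenient behaviour the page describes and the intended behaviour can be
compared. Assumptions: HMAC-SHA256 truncated to 32 bits stands in for the
3GPP EIA algorithms; key, COUNT values and payload are constructed."""
import hashlib
import hmac
import struct

UPLINK = 0


def nas_mac(k_nas_int: bytes, count: int, direction: int, message: bytes) -> bytes:
    """32-bit MAC over COUNT || DIRECTION || message (stand-in for EIA)."""
    data = struct.pack(">IB", count & 0xFFFFFFFF, direction) + message
    return hmac.new(k_nas_int, data, hashlib.sha256).digest()[:4]


class NasNetworkSide:
    """Receiver state for one UE's NAS security context on the MME side."""

    def __init__(self, k_nas_int: bytes, strict: bool):
        self.k_nas_int = k_nas_int
        self.strict = strict          # True = intended behaviour, False = observed flaw
        self.registered = True
        self.last_ul_count = -1       # highest uplink NAS COUNT accepted so far
        self.events = []

    def receive(self, count: int, message: bytes, mac: bytes) -> str:
        expected = nas_mac(self.k_nas_int, count, UPLINK, message)
        if not hmac.compare_digest(expected, mac):
            if self.strict:
                self.events.append(("discard", "bad-mac", count))
                return "discarded"
            # Observed flaw: a spoofed message with a bad MAC de-registers the UE.
            self.registered = False
            self.events.append(("deregister", "bad-mac", count))
            return "deregistered"
        if count <= self.last_ul_count:
            if self.strict:
                self.events.append(("discard", "replay", count))
                return "discarded"
            # Observed flaw: an old (replayed) COUNT is processed again.
            self.events.append(("process", "replay", count))
            return "processed-replay"
        self.last_ul_count = count
        self.events.append(("process", "ok", count))
        return "processed"


def run_demo(strict: bool) -> dict:
    """Deliver a valid uplink message, replay it, then inject a forged one."""
    k_nas_int = bytes(range(32))                   # constructed key
    payload = b"\x07\x48\x01"                      # constructed uplink NAS payload
    good = (5, payload, nas_mac(k_nas_int, 5, UPLINK, payload))
    net = NasNetworkSide(k_nas_int, strict=strict)
    return {
        "fresh": net.receive(*good),                             # first delivery
        "replay": net.receive(*good),                            # same COUNT again
        "forged": net.receive(6, payload, b"\x00\x00\x00\x00"),  # spoofed, wrong MAC
        "registered": net.registered,
    }


if __name__ == "__main__":
    print("intended:", run_demo(strict=True))
    print("observed:", run_demo(strict=False))
```

In the strict mode the replayed message and the forged message are both dropped and the UE stays registered; in the lenient mode the replay is processed a second time and the forged message alone is enough to knock the UE off the network, which is the remote de-registration attack the page describes.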
Location spoofing means the network would record a user in London, for example, when they were actually in Paris, providing a way to set up a false alibi or to undermine a criminal investigation with fake evidence, the researchers wrote.
The attacks exploit design flaws in the protocol and unsafe practices employed by the stakeholders (operators and device vendors), and can be used to impersonate existing users, spoof the location of the victim device, deliver fake emergency and warning messages, eavesdrop on SMS communications, and more.
Among the uncovered attacks they consider one particularly worrying: an authentication relay attack that allows an adversary to impersonate an existing user (mobile phone) without possessing any legitimate credentials.
To show that the attacks are realizable in practice and pose real threats, they validated eight of them experimentally in a real-world setting, either on a custom-built LTE network or on commercial networks inside a logical Faraday cage.
The researchers have notified the GSM Association (GSMA) of their findings earlier this year, and they in turn informed network providers and the 3rd Generation Partnership Project (3GPP), which is the specification body responsible for the development and maintenance of LTE, related 4G standards, and 5G standards.
In a paper presented at NDSS 2019, the researchers explained that the issues arise from weaknesses in the cellular paging (broadcast) protocol. Their starting point is that a device in its idle, low-power state conserves battery by waking up to check for pending pages only periodically, at paging occasions that the base station and the device compute in the same way from the device's IMSI.
The researchers uncovered three connected attacks built on this paging mechanism. The primary one, dubbed ToRPEDO (TRacking via Paging mEssage DistributiOn), can be used to verify that a specific device is present in an area and to track it. Attackers could also inject fake paging messages and mount denial-of-service (DoS) attacks, the team said.
Earlier attacks sniffed for the identity carried in the paging message that followed a call placed by the attacker. ToRPEDO instead exploits the fact that the paging protocol requires the base station and the device to be synchronised: the device's paging occasion is fixed by its IMSI, so by placing several calls and watching which paging occasions carry the resulting pages, the attacker can pick out the victim's occasion and learn bits of the IMSI, even when the paged identity is a frequently changing temporary one.
Researchers from Ruhr-Universität Bochum & New York University Abu Dhabi have uncovered a new attack against devices using the Long-Term Evolution (LTE) network protocol. LTE, which is a form of 4G, is a mobile communications standard used by billions of devices and the largest cellular providers around the world.
The 2G mobile communication system has many security and privacy problems that stem from its technical specifications: there is no mutual authentication between MSs (Mobile Stations) and the network, its weak cryptographic algorithms are hard to upgrade, and an MS always camps on the cell with the strongest radio signal. Attackers can therefore easily set up fake base stations, known as IMSI (International Mobile Subscriber Identity) catchers, to capture the IMSIs and IMEIs (International Mobile Equipment Identity) of users, track their locations, and even intercept their calls and short messages through man-in-the-middle (MITM) attacks. 3G/UMTS and 4G/LTE were designed to provide stronger security and confidentiality, which motivated both to adopt much stronger cipher mechanisms and mutual authentication.
Even so, with the help of accessible open source radio software tools, wireless security researchers have disclosed more and more security and privacy vulnerabilities in LTE networks, both protocol flaws and implementation flaws. One protocol flaw in LTE is that the UE (User Equipment) may accept and process certain signalling messages before the security context is established, as permitted by the 3GPP (Third Generation Partnership Project) specification [2]; attackers can exploit this against both UEs and networks. For instance, the Identity Request NAS (Non-Access Stratum) message is the enabler for IMSI catchers, and the Attach Reject and Tracking Area Update (TAU) Reject messages can be used to mount DoS (Denial of Service) attacks on mobile terminals. In this paper, we use the unencrypted and non-integrity-protected RRCConnectionRelease message to redirect LTE mobile phones to a rogue 2G network and so start the phone number catching process.
Long Term Evolution (LTE) systems are the most widely deployed mobile communication systems in the world, not only for their higher access rates and lower latency but also for their enhanced security and privacy scheme for users. The IP-based LTE network has a flat and much simpler structure compared with GSM. Figure 2 shows the interfaces and protocols among the network elements as well as the two main parts of the LTE architecture, the E-UTRAN (Evolved Universal Terrestrial Radio Access Network) and the EPC (Evolved Packet Core), each of which comprises several elements.
Software-Defined Radio (SDR) is a wireless communication system in which components are implemented entirely in software on a general-purpose personal computer or embedded system rather than in hardware [5]. Over the last few years SDR has become the analysis and testing tool of choice for all kinds of mobile communication systems because of its modifiability and flexibility, and a great many open source projects have been developed around it. Successful projects such as srsLTE and OAI (OpenAirInterface) [6] for LTE, and OpenBSC and OpenBTS for GSM, implement most functions and protocol stacks of the corresponding radio access network. The following open source projects are used in our work:
- srsLTE. Software Radio Systems LTE is a high-performance open source LTE library for software-defined radio applications [7]. Its applications srsUE, srsENB and srsEPC are compliant with LTE Release 8 and provide an excellent LTE experimentation platform. We use this software to build a rogue LTE network that redirects the target LTE phone to our rogue GSM network, which is implemented with OpenBSC.
- OpenBSC. OpenBSC is a GSM open source project of the Osmocom (Open Source Mobile Communications) community, a collection of open source software projects in the area of mobile communications. OpenBSC aims to be a stable, all-in-one implementation of the OsmoBSC, OsmoMSC and OsmoHLR elements of the GSM/3GPP protocol stack [8].
- OsmocomBB. OsmocomBB is the Osmocom community's free and open source GSM baseband software implementation. With OsmocomBB on a compatible GSM phone such as the Motorola C118, radio amateurs can make and receive phone calls and send and receive SMS; such a phone is used as the malicious MS in our experiment [9].
The entire signalling flow of the phone number catcher is summarised in Figure 4. Because the catcher involves many procedures of both the 4G/LTE and 2G/GSM protocols, only the main signalling messages of each procedure are listed.
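The redirection step depends on the phone accepting an RRCConnectionRelease that has no integrity protection. From the defender's side that is also the most useful indicator, so the following added example (not code from the page or from the paper's authors) runs a detector over a constructed trace of RRC messages as a UE-side baseband logger might record them. The log format and the three connections in it are invented for the example; the regex would need adapting to a real tool's output. The rule is simple: an RRCConnectionRelease carrying redirectedCarrierInfo that arrives on a connection whose AS security was never activated (no SecurityModeComplete sent) came over an unprotected channel and may be a rogue eNodeB pushing the phone down to 2G, whereas the same message after security activation is the normal, integrity-protected case.

```python
"""Added example (not code from the page or its authors): flags
RRCConnectionRelease-with-redirect messages received before AS security
was activated. The log format below is constructed for the example."""
import re

# Constructed trace: three RRC connections on one UE. The second one is
# released with a redirect to GERAN before any security activation.
UE_RRC_LOG = """\
12:00:01.001 RRC DL RRCConnectionSetup
12:00:01.090 RRC UL SecurityModeComplete
12:00:04.500 RRC DL RRCConnectionRelease
12:00:05.100 RRC DL RRCConnectionSetup
12:00:05.210 RRC DL RRCConnectionRelease redirectedCarrierInfo=geran arfcn=42
12:00:30.000 RRC DL RRCConnectionSetup
12:00:30.080 RRC UL SecurityModeComplete
12:00:31.900 RRC DL RRCConnectionRelease redirectedCarrierInfo=geran arfcn=42
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+RRC\s+(?P<dir>UL|DL)\s+(?P<msg>\w+)(?:\s+(?P<attrs>.*))?$"
)


def find_unprotected_redirects(log_text: str) -> list:
    """Return (time, target RAT) for every redirect received before AS security."""
    security_active = False
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg, attrs = m["msg"], m["attrs"] or ""
        if msg == "RRCConnectionSetup":
            security_active = False          # a new connection starts unprotected
        elif msg == "SecurityModeComplete":
            security_active = True           # AS integrity/ciphering active from here
        elif msg == "RRCConnectionRelease":
            target = re.search(r"redirectedCarrierInfo=(\w+)", attrs)
            if target and not security_active:
                findings.append((m["time"], target.group(1)))
            security_active = False          # the connection is gone either way
    return findings


if __name__ == "__main__":
    for t, rat in find_unprotected_redirects(UE_RRC_LOG):
        print(f"{t}: unprotected RRCConnectionRelease redirecting to {rat}")
```

Only the second connection is reported. The third shows why the security state must be tracked rather than matching on the redirect alone: a redirect to GERAN after SecurityModeComplete is integrity protected and is what a legitimate network sends, for example for a voice fallback.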
Researchers have devised a low-cost way to discover the precise location of smartphones using the latest LTE standard for mobile networks, a feat that shatters widely held perceptions that the standard is immune to the types of attacks that targeted earlier specifications.
"The LTE access network security protocols promise several layers of protection techniques to prevent tracking of subscribers and ensure availability of network services at all times," the researchers wrote in the paper, which is titled "Practical attacks against privacy and availability in 4G/LTE mobile communication systems."
Like some of its predecessors, LTE attempts to conceal the location of a specific phone by assigning it a regularly changing TMSI, short for temporary mobile subscriber identity. When the network interacts with a handset, it addresses it by its TMSI rather than by its phone number or another permanent identifier, so that an attacker monitoring network traffic cannot track a given user. An earlier attack on 2G networks worked around this scheme by sending phones an invisible text message or an imperceptibly brief call that caused the mobile network to page the phone. That paging request allowed the researchers to tie the TMSI to the phone number.
The researchers behind the LTE attack found that similar paging requests can be triggered by social messaging apps such as those provided by Facebook, WhatsApp and Viber, with little or no indication to the owner that any tracking is taking place. A Facebook message sent by someone not in the receiver's friend list, for instance, is silently diverted to the "Other" folder. But behind the scenes, an attacker can use the paging traffic that the message generates to link the receiver's Facebook profile to the TMSI. The TMSI, in turn, can be used to locate the phone and track it as it moves from place to place.
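Both the TMSI-linking attack just described and the ToRPEDO timing side channel described earlier on this page come down to the same correlation: trigger a page to the victim several times, capture what the cell pages in the window after each trigger, and keep only what appears every time. The following added example (not code from any of the papers the page summarises) works through both on one constructed capture. For the TMSI linking it intersects the identities paged in each window; for ToRPEDO it intersects the paging frame indices instead and maps the surviving index back to candidate values of IMSI mod 1024 with the paging-frame rule of 3GPP TS 36.304. The capture is constructed, and the DRX parameters T = 128 and nB = T are assumed defaults.

```python
"""Added example (not from the page or the cited papers): paging-window
correlation for TMSI linking and for the ToRPEDO paging-frame side channel.
The capture below is constructed; T=128, nB=T are assumed DRX settings."""

IMSI_MOD = 1024  # TS 36.304: UE_ID = IMSI mod 1024


def paging_frame_index(imsi: int, T: int = 128, nB: int = 128) -> int:
    """TS 36.304 section 7.1: the UE's paging frame is the SFN with
    SFN mod T == (T div N) * (UE_ID mod N), where N = min(T, nB)."""
    N = min(T, nB)
    return (T // N) * ((imsi % IMSI_MOD) % N)


def ue_id_candidates(pf_index: int, T: int = 128, nB: int = 128) -> list:
    """All values of IMSI mod 1024 that share this paging frame index."""
    return [u for u in range(IMSI_MOD) if paging_frame_index(u, T, nB) == pf_index]


# Constructed capture. Each inner list is one trigger window: the paging
# records seen on the cell shortly after the attacker sent the victim a
# message or placed a call, as (SFN mod T, identity paged). Pages for other
# subscribers are the noise that repeated triggers remove.
WINDOWS = [
    [(44, "TMSI:0x1a2b3c4d"), (3, "TMSI:0x9900aa11"), (97, "TMSI:0x0badf00d")],
    [(12, "TMSI:0x9900aa11"), (44, "TMSI:0x1a2b3c4d"), (66, "TMSI:0x55667788")],
    [(44, "TMSI:0x1a2b3c4d"), (97, "TMSI:0x12121212"), (5, "TMSI:0x0badf00d")],
]


def correlate_identity(windows) -> set:
    """Identities paged in every window; only the victim's TMSI survives."""
    return set.intersection(*(set(ident for _, ident in w) for w in windows))


def correlate_paging_frame(windows) -> set:
    """Paging frame indices present in every window (ToRPEDO's observation)."""
    return set.intersection(*(set(pf for pf, _ in w) for w in windows))


if __name__ == "__main__":
    print("identities after 2 triggers:", correlate_identity(WINDOWS[:2]))
    print("identities after 3 triggers:", correlate_identity(WINDOWS))
    (pf,) = correlate_paging_frame(WINDOWS)
    print("victim paging frame index:", pf)
    print("IMSI mod 1024 candidates:", ue_id_candidates(pf))
    imsi = 1010000000300  # constructed IMSI, chosen so that IMSI mod 1024 == 300
    print("victim IMSI lands on that frame:", paging_frame_index(imsi) == pf)
```

Two triggers leave two candidate TMSIs because a bystander happened to be paged in both windows; the third trigger removes it. The paging-frame correlation survives a TMSI reallocation, since the frame is tied to the IMSI, and with N = 128 it pins IMSI mod 1024 down to eight candidates, i.e. the seven low-order bits of the IMSI.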