March 14, 2018
Attacks on 4G LTE networks could send fake emergency alerts
WEST LAFAYETTE, Ind. — Researchers have identified several new vulnerabilities in 4G LTE networks, potentially allowing hackers to forge the location of a mobile device and fabricate messages.
Ten new and nine prior attacks were outlined in a paper, including the authentication relay attack, which enables an adversary to connect to core networks without the necessary credentials. This allows the adversary to impersonate and fake the location of a victim device, according to researchers from Purdue University and the University of Iowa.
Another noteworthy attack allows adversaries to obtain a user’s location information and perform denial of service attacks. By hijacking the device’s paging channel, the attacker can stop notifications from coming in and even fabricate messages.
Other attacks identified in the paper enable adversaries to send fake emergency paging messages to a large number of devices, drain a victim device’s battery by forcing it to perform expensive cryptographic operations, and disconnect a device from the core network.
These attacks occur within three critical procedures of the 4G LTE protocol: attach, detach and paging. These processes allow a user to connect to the network, disconnect from the network, and receive calls and messages. These procedures are also critical to the reliable functionality of several other procedures.
The researchers used a testing approach they call “LTEInspector” to expose the vulnerabilities. The tool combines the power of a symbolic model checker and a protocol verifier.
“Our tool is the first one that provides a systematic analysis for these three particular procedures in 4G LTE networks,” said Syed Hussain, a graduate student in computer science at Purdue University. “Combining the strength of these two tools is novel in the context of 4G LTE.”
To confirm that the attacks identified in the paper pose a real threat, the researchers validated eight of the 10 new attacks through experimentation in a real testbed.
It looks as though there is no easy way to fix these vulnerabilities. Retrospectively adding security into an existing system without breaking backward compatibility often yields Band-Aid like solutions, which don’t hold up under extreme circumstances, according to the paper. Addressing the authentication relay attacks may require a major infrastructural overhaul.
“Device manufacturers and cell phone networks will both need to work to fix these problems,” Hussain said. “We need a major overhaul of the entire system to eliminate these vulnerabilities.”
Researchers from Purdue and the University of Iowa collaborated on this work. It was supported by Intel/CERIAS RAship, FFTF fellowship by Schlumberger Foundation, National Science Foundation (NSF) grants CNS-1657124 and CNS-1719369, and the NSF/Intel ICN-WEN program.
Writer: Kayla Zacharias, 765-494-9318, firstname.lastname@example.org
Source: Syed Hussain, email@example.com
LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE
Syed Rafiul Hussain, Omar Chowdhury, Shagufta Mehnaz, Elisa Bertino
In this paper, we investigate the security and pri- vacy of the three critical procedures of the 4G LTE protocol (i.e., attach, detach, and paging), and in the process, uncover potential design flaws of the protocol and unsafe practices employed by the stakeholders. For exposing vulnerabilities, we propose a model- based testing approach LTEInspector which lazily combines a symbolic model checker and a cryptographic protocol verifier in the symbolic attacker model. Using LTEInspector, we have uncovered 10 new attacks along with 9 prior attacks, cate- gorized into three abstract classes (i.e., security, user privacy, and disruption of service), in the three procedures of 4G LTE. Notable among our findings is the authentication relay attack that enables an adversary to spoof the location of a legitimate user to the core network without possessing appropriate credentials. To ensure that the exposed attacks pose real threats and are indeed realizable in practice, we have validated 8 of the 10 new attacks and their accompanying adversarial assumptions through experimentation in a real testbed.