New Research Exposes Vulnerabilities in Cellular Networks
Graduate student Syed Hussain and a team of Purdue researchers have uncovered a host of new vulnerabilities that could cause chaos for 4G LTE network users by allowing attackers to eavesdrop on sensitive data and even deploy fake emergency alerts.
Hussain presented this research in a paper called “LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE” at the Network and Distributed System Security Symposium (NDSS ’18), held recently in San Diego. His co-authors are graduate student Shagufta Mehnaz, faculty member Elisa Bertino and Omar Chowdhury (a former Purdue postdoc now with the University of Iowa).
The team detected 10 new attacks, verifying eight of them in a real-world testbed using SIM cards from four major cellular carriers. Their paper exposes weaknesses in three critical operations of the cellular network (attach, detach and paging: the processes that allow users to connect to the network, disconnect from the network, and receive calls and messages).
“The root cause of most of these attacks is the lack of proper authentication, encryption, and replay protection in important protocol messages,” Hussain said.
One attack they discovered was the authentication relay attack (also known as the mafia attack), which allows attackers to plant false data in a network’s records concerning the location of a victim’s device. By exploiting this vulnerability, attackers could potentially create a false alibi or plant fake evidence during a criminal investigation.
The paper shows that hackers could also exploit these vulnerabilities to intercept a victim’s text messages (if the service provider does not use encryption), track the victim’s location, and stop a phone from connecting to the network. Still more findings show that attackers could inject warning messages (like Amber alerts, weather warnings, or warnings like the recent ballistic missile alert in Hawaii).
The paper proposes LTEInspector, a testing framework that will help detect vulnerabilities in LTE networks and radios.
“We believe that the testing framework we proposed in this paper is crucial to testing the 5G LTE protocol standard, which many network providers are rolling out in the near future,” said Hussain. “Our approach will allow service providers and LTE radio manufacturers to rigorously test products before deployment. This testing is crucial, because retrospectively adding security to a deployed protocol often requires addressing challenges that are not purely technical.”
Hussain noted that one major United States carrier never used encryption for control plane messages, which attackers could exploit to eavesdrop on text messages and other sensitive data. The affected service provider fixed the issue after the Purdue team reported it to them.
The researchers are publicly releasing the theoretical models used for attack detection, along with the different attack configurations, under an open-source license for community use. They will not release the proof-of-concept code until the issues are fixed.