Endpoint

11/9/2015
07:30 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

New 4G LTE Hacks Punch Holes In Privacy

Black Hat Europe researchers to demonstrate newly found flaws in 4G mobile that expose privacy and disrupt phone service.

Flaws discovered in the 4G LTE protocols could allow an attacker to pinpoint the physical location of a mobile user and to block a user from placing or receiving voice calls on his mobile device.

Researchers at Black Hat Europe this week will demonstrate location data leaks and denial-of-service attacks they were able to simulate via flaws they found in 4G LTE protocols and equipment. The researchers, from Technische Universitat Berlin and Telekom Innovation Laboratories, University of Helsinki, and Aalto University, say these are the first "practical" attacks against the new generation of mobile networks.

4G LTE is a more secure version of the mobile baseband than its predecessors 3G and 2G, and was thought not to be susceptible to privacy problems suffered by these earlier network types.

The researchers say their research shows otherwise. ""We have two classes of vulnerabilities, one in the protocol standard [itself] and the other in [how] multiple vendors with 4G LTE chips have implemented the specifications. Those [products] have been patched by baseband vendors now but not by OEMs yet," says Ravishankar Borgaonkar, one of the researchers and postdoctoral researcher at Aalto University.

But work on the network access protocol to patch the data-leaking issue will take some time since it requires updates to the protocol stack by the standards body that oversees the spec, 3GPP. 3GPP has begun working on fixes.

The flawed 4G LTE access network protocol in question doesn't require any communication to a base station be authenticated, so an attacker's equipment could talk to a base station. The researchers were able to wage attacks in a 50m radius--but they say it's actually possible to do so up to a 2-kilometer radius--that forced an LTE mobile device to leak its physical location, and therefore, the user's whereabouts.  "We sent a legitimate but manipulated message and it gave us a report with information that could be used to find [a device's] precise location," Borgaonkar says. All LTE devices are vulnerable to these data-leak attacks.

In one attack, the research team used Facebook Messenger and WhatsApp to track down a user. In the case of Messenger, they used its little-known "Other" (spam) folder to send an instant message to a user who hadn't "friended" them. The researchers' hacking tool scans the 4G frequencies to see if the message is delivered to the user; if so, he or she is within the hacker's proximity.

"If you have Facebook Messenger installed on your LTE smartphone, incoming messages, including those destined to the Other folder, will trigger a paging request, allowing a passive attacker to link your TMSI [Temporary Mobile Subscriber Identity] to your Facebook identity and track your movements," blogged N. Asokan, one of the researchers.

Denial-of-service-wise, the researchers were able to block LTE and force the users to communicate via 2G or 3G networks. "This DOS with the protocol sends one message the phone goes to one network or the other," he says. An attacker then could block the victim's incoming voice calls, for example.

The good news: none of the flaws or attacks involve data stored on the mobile devices.

Borgaonkar, Asockan, and their fellow researchers--- Altaf Shaik, Valtteri Niemi, and Jean-Pierre Seifert --- spent just 1,250 euros for the hacking hardware they used to capture the phone traffic. While the equipment was easy to buy, an attacker would need some knowledge of how LTE works to pull off an attack, which most likely would be targeting an individual or a region's communications. IMSI-catchers could be used as well, he says.

The researchers won't be releasing any proof-of-concept code or tools during their Black Hat talk in Amsterdam, however. They say that would be carte blanche for copycat attacks by bad guys.

To date, baseband vendors have patched their devices, but most smartphone makers have not updated their devices as yet.

"The need for engineering the correct trade-offs between security and other requirements (availability, performance and functionality) led to the vulnerabilities in the first place. Such trade-offs are essential for the success of any large-scale system. But the trade-off equilibrium points are not static. We recommend that future standardization efforts take this into account," the researchers wrote in their paper.

Black Hat Europe returns to the beautiful city of Amsterdam, Netherlands November 12 & 13, 2015. Click here for more information and to register.

 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
To Be Ready for the Security Future, Pay Attention to the Security Past
Liz Maida, Co-founder, CEO & CTO, Uplevel Security,  9/18/2017
1.9 Billion Data Records Exposed in First Half of 2017
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/20/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Jan, check this out! I found an unhackable PC.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.