4G and 5G wireless networks' Evolved Packet Core (EPC) architecture can be exploited to intercept and collect mobile data as well as launch denial-of-service (DoS) attacks, according to new research.
Positive Technologies recently discovered a key flaw in EPC's GTPv2 protocol: EPC's special interfaces used to exchange information between its components and based on its GTPv2 protocols lack built-in data encryption mechanisms.
The findings represent the latest in a string of vulnerabilities discovered in 4G networks. Researchers have spotted flaws that can be exploited to make IMSI-catchers more adept at snooping, as well as to allow the Diameter protocol to play a role in launching DoS attacks on 4G and 5G devices.
EPC converges voice and data on the network, a step up from processing voice and data separately. But EPC also has shortcomings, says Dmitry Kurbatov, head of Positive Technologies' telecommunications security department.
When a user is on a 4G network with his or her mobile phone, the EPC nodes use a number of protocols, including the General packet radio service Tunneling Protocol (GTP). This protocol is a group of IP-based communications protocols that carry general packet radio service within mobile networks. It allows mobile users to remain connected to the Internet when traveling or moving about, Kurbatov explains.
However, DoS attackers using brute force on Tunnel Endpoint Identifiers (TEIDs) can simultaneously disconnect a number of users at once, because multiple phone connections run through the same GTP tunnel, he adds.
"The potential risks are large enough to be worrisome," says Silke Holtmanns, a security expert at Nokia Bell Labs, who has conducted research on the 4G Diameter protocol.
Attackers looking to exploit these types of vulnerabilities in 4G networks do not need hard-to-obtain tools or considerable skill, says Kurbatov.
"Before 4G LTE, voice-call interception required that attackers have special equipment and in-depth knowledge of all the specific protocols used for voice calls," explains Kurbatov. "But since 4G networks are built on the principle of an all-IP network, the attacker can use all currently available hacking tools, which are largely automated and do not require a deep understanding of the nature of the attack."
Other risks include EPC nodes found exposed on the Internet that then can be hacked and, of course, there is always the potential of an insider gaining access to the infrastructure to launch attacks, says Pavel Novikov, head of Positive Technologies' research group for telecom security.
Security researchers like Andrew Blaich at Lookout say 4G and 5G attackers are likely to be groups with an interest in conducting surveillance on others, such as nation-states, or cybercriminals seeking to commit bank fraud and other crimes.
Risks to Smart Cities, Businesses, and Users
The 4G and 5G EPC attack scenarios largely fall into three categories: interception of data, such as text messages and unencrypted email messages; a collection of data, such as the location of the device; and disruption of services like DoS attacks.
"Just like with any DoS attack, IoT devices used in the infrastructure of smart cities can be almost permanently disconnected from the network, which means cities lose control over their operation," says Kurbatov.
Enterprises should assume that when they send something over a 4G or 5G network, it has the potential to be intercepted, says Blaich. As a result, organizations should safeguard their apps, devices, and services with their own security layer, rather than relying on the security of the network.
He also advises enterprises to use apps and services that have the latest version of TLS, or HTTPS, to ensure data cannot be easily decrypted when connected to a website. He adds that man-in-the-middle security technology should be deployed to catch improperly signed certificates that pretend to vouch for bogus services.
"These protections need to be enabled at the device and app layer as well as checks back on the services and server side to ensure proper end-to-end protection for sensitive data," Blaich advises.
For users, the risk on a 4G or 5G network is similar to other mobile networks as well as on Wi-Fi, warns Blaich. Users need to use apps that transmit data securely using secure transport channels and protocols, rather than relying on SMS/MMS for sensitive information, he adds.
Positive Technologies has not contacted mobile operators regarding its findings in its report, but instead has contacted industry trade groups, such as Groupe Speciale Mobile Association (GSMA), to notify them of its research and potential ways to address the architecture security issues, says Kurbatov. Ultimately, he notes, the responsibility mainly falls on mobile operators to resolve the issue.
Holtmanns holds a similar view. "There are huge differences between operators. Not all networks are equal," she warns, adding that some operators will push security improvements through, while others do not.
Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.