Perimeter

New 4G, 5G Network Flaw 'Worrisome'

Weaknesses in the voice and data convergence technology can be exploited to allow cybercriminals to launch DoS attacks and hijack mobile data.

4G and 5G wireless networks' Evolved Packet Core (EPC) architecture can be exploited to intercept and collect mobile data as well as launch denial-of-service (DoS) attacks, according to new research. 

Positive Technologies recently discovered a key flaw in EPC's GTPv2 protocol: EPC's special interfaces used to exchange information between its components and based on its GTPv2 protocols lack built-in data encryption mechanisms.

The findings represent the latest in a string of vulnerabilities discovered in 4G networks. Researchers have spotted flaws that can be exploited to make IMSI-catchers more adept at snooping, as well as to allow the Diameter protocol to play a role in launching DoS attacks on 4G and 5G devices.

EPC converges voice and data on the network, a step up from processing voice and data separately. But EPC also has shortcomings, says Dmitry Kurbatov, head of Positive Technologies' telecommunications security department.

When a user is on a 4G network with his or her mobile phone, the EPC nodes use a number of protocols, including the General packet radio service Tunneling Protocol (GTP). This protocol is a group of IP-based communications protocols that carry general packet radio service within mobile networks. It allows mobile users to remain connected to the Internet when traveling or moving about, Kurbatov explains.

However, DoS attackers using brute force on Tunnel Endpoint Identifiers (TEIDs) can simultaneously disconnect a number of users at once, because multiple phone connections run through the same GTP tunnel, he adds.

"The potential risks are large enough to be worrisome," says Silke Holtmanns, a security expert at Nokia Bell Labs, who has conducted research on the 4G Diameter protocol.

Attackers looking to exploit these types of vulnerabilities in 4G networks do not need hard-to-obtain tools or considerable skill, says Kurbatov.

"Before 4G LTE, voice-call interception required that attackers have special equipment and in-depth knowledge of all the specific protocols used for voice calls," explains Kurbatov. "But since 4G networks are built on the principle of an all-IP network, the attacker can use all currently available hacking tools, which are largely automated and do not require a deep understanding of the nature of the attack."

Other risks include EPC nodes found exposed on the Internet that then can be hacked and, of course, there is always the potential of an insider gaining access to the infrastructure to launch attacks, says Pavel Novikov, head of Positive Technologies' research group for telecom security.

Security researchers like Andrew Blaich at Lookout say 4G and 5G attackers are likely to be groups with an interest in conducting surveillance on others, such as nation-states, or cybercriminals seeking to commit bank fraud and other crimes.

Risks to Smart Cities, Businesses, and Users

The 4G and 5G EPC attack scenarios largely fall into three categories: interception of data, such as text messages and unencrypted email messages; a collection of data, such as the location of the device; and disruption of services like DoS attacks.

"Just like with any DoS attack, IoT devices used in the infrastructure of smart cities can be almost permanently disconnected from the network, which means cities lose control over their operation," says Kurbatov.

Enterprises should assume that when they send something over a 4G or 5G network, it has the potential to be intercepted, says Blaich. As a result, organizations should safeguard their apps, devices, and services with their own security layer, rather than relying on the security of the network.

He also advises enterprises to use apps and services that have the latest version of TLS, or HTTPS, to ensure data cannot be easily decrypted when connected to a website. He adds that man-in-the-middle security technology should be deployed to catch improperly signed certificates that pretend to vouch for bogus services.

"These protections need to be enabled at the device and app layer as well as checks back on the services and server side to ensure proper end-to-end protection for sensitive data," Blaich advises.

For users, the risk on a 4G or 5G network is similar to other mobile networks as well as on Wi-Fi, warns Blaich. Users need to use apps that transmit data securely using secure transport channels and protocols, rather than relying on SMS/MMS for sensitive information, he adds.

Positive Technologies has not contacted mobile operators regarding its findings in its report, but instead has contacted industry trade groups, such as Groupe Speciale Mobile Association (GSMA), to notify them of its research and potential ways to address the architecture security issues, says Kurbatov. Ultimately, he notes, the responsibility mainly falls on mobile operators to resolve the issue.

Holtmanns holds a similar view. "There are huge differences between operators. Not all networks are equal," she warns, adding that some operators will push security improvements through, while others do not.

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Related Content:

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11378
PUBLISHED: 2019-04-20
An issue was discovered in ProjectSend r1053. upload-process-form.php allows finished_files[]=../ directory traversal. It is possible for users to read arbitrary files and (potentially) access the supporting database, delete arbitrary files, access user passwords, or run arbitrary code.
CVE-2019-11372
PUBLISHED: 2019-04-20
An out-of-bounds read in MediaInfoLib::File__Tags_Helper::Synched_Test in Tag/File__Tags.cpp in MediaInfoLib in MediaArea MediaInfo 18.12 leads to a crash.
CVE-2019-11373
PUBLISHED: 2019-04-20
An out-of-bounds read in File__Analyze::Get_L8 in File__Analyze_Buffer.cpp in MediaInfoLib in MediaArea MediaInfo 18.12 leads to a crash.
CVE-2019-11374
PUBLISHED: 2019-04-20
74CMS v5.0.1 has a CSRF vulnerability to add a new admin user via the index.php?m=Admin&c=admin&a=add URI.
CVE-2019-11375
PUBLISHED: 2019-04-20
Msvod v10 has a CSRF vulnerability to change user information via the admin/member/edit.html URI.