4G LTE attacks
By Mohammed Oosman - March 23, 2018
The attacks exploit design weaknesses in three key protocol procedures of the 4G LTE network known as attach, detach, and paging.
We are all well aware of how technology is becoming entwined with our basic necessities day by day. There is one more thing we need to be very cautious about with these ever-trending technologies: their security. We know very well that attackers are sharpening their skills every day in order to take advantage of these trend-setting technologies.
With that in mind, security researchers around the world are working hard to discover flaws in these technologies before attackers do.
Recently, security researchers from Purdue University and the University of Iowa discovered a whopping “10 new cyber attacks” against 4G LTE, the wireless data communications technology used by mobile devices and data terminals.
In order to understand how the attacks work, we first have to understand what exactly LTE is. So, here we go:
What is Long Term Evolution (LTE)?
Long Term Evolution (LTE) is a mobile communications standard that has been designed to support only packet-switched services (packets are individually placed onto the carrier’s packet-switched network and routed hop by hop until they reach their destination). It aims to provide seamless Internet Protocol (IP) connectivity between user equipment (UE) and the packet data network (PDN), without any disruption to the end users’ applications during mobility.
According to the standard, users of an LTE network get data speeds up to 10 times faster than on a 3G network.
As noted above, the attacks exploit design weaknesses in three key protocol procedures of the 4G LTE network: attach, detach and paging. So, let’s have a look at these procedures in order to get clarity on the attacks discovered.
Attach, Paging and Detach
In order to understand the paging, attach and detach procedures in the LTE standard, we first have to understand the following terms:
User Equipment (UE): The actual communication device used by the user to connect to a particular network, for example the user’s smartphone.
Mobility Management Entity (MME): Responsible for authenticating the UE and allocating services such as data connectivity to it when the user wants to connect to the network. It is also responsible for security (setting up integrity protection and encryption) and for tracking the UE’s location.
Home Subscriber Server (HSS): Usually a centralized database which stores UEs’ identities and the other data required to identify and authenticate a UE.
Evolved Packet Core (EPC): The name given to the core-network framework comprising the MME, the HSS and other components.
International Mobile Subscriber Identity (IMSI): A unique, permanent string used to identify a valid LTE subscriber.
evolved NodeB (eNodeB): In LTE, the base station is referred to as the eNodeB.
So, now let’s have a look at what exactly the attach, paging and detach procedures mean in general.
Attach refers to the process of a UE connecting to the EPC. Initially, when the UE wants to connect to the EPC, it scans for system_info_block messages, which are broadcast by the surrounding eNodeBs so that UEs can find and connect to them. The UE then initiates a connection with the eNodeB that has the highest signal power (for better connectivity and a richer user experience). Once the radio connection between the UE and the eNodeB is established, the attach procedure with the EPC begins.
The attach procedure in LTE is divided into four stages (identification, authentication, security algorithm negotiation and secure temporary identifier exchange) as shown in the above diagram.
Paging refers to the process by which the MME locates a UE in a particular area in order to deliver services such as incoming calls. The UE actively communicates with the network and updates the MME whenever its location changes. Whenever the UE has no data to send, it goes into idle mode and wakes up periodically to check for paging messages (for example, incoming calls or messages).
Detach refers to the procedure invoked when either the UE or the MME chooses to terminate the established connection by sending a detach_request along with a detach cause. Upon receiving the detach_request, the UE/MME is expected to acknowledge with a detach_accept message to complete the process. After detaching, the UE is completely isolated from the network and can neither send nor receive any data until it attaches again.
Now that we have a general understanding of the attach, paging and detach procedures of LTE, let us look in a nutshell at the flaws in these procedures that allowed the security researchers to implement the attacks.
Attacks against Attach Procedure
The security researchers were able to carry out 3 attacks against this procedure of LTE. They were named as follows.
Authentication Synchronization Failure Attack:
To carry out this attack, the attacker needs to set up a malicious UE and also requires the victim UE’s IMSI. The attacker interacts with the HSS using the malicious UE and desynchronizes the authentication sequence number shared between the victim UE and the HSS, thereby preventing the real user from completing the attach procedure with the EPC. As we can see, this attack causes a disruption of service for the victim UE.
As its name suggests, this attack lets the attacker trace/track the victim UE. To carry it out, the attacker needs to set up a malicious eNodeB. The attack makes use of the security algorithm negotiation stage of the attach procedure, and the attacker needs to have captured the victim’s unique security_mode message beforehand.
The attacker forces the victim UE to connect to the malicious eNodeB and replays the captured security_mode message; only the victim UE accepts it (its integrity check passes for the victim alone), so every other UE in that area rejects it. As we can see, just by knowing the victim’s unique security_mode message, the attacker can use this attack to track down the location of the victim UE.
Numb Attack:
This attack is similar to the authentication synchronization failure attack. Here, the attacker needs to set up a malicious eNodeB. When the victim connects to the malicious eNodeB, the malicious eNodeB sends an auth_reject message to the victim, thereby disrupting the user’s services irrespective of the state of the victim UE. The attack was named “Numb” because the victim UE remained in a numb state until the user restarted it.
Attacks against Paging Procedure
For all the attacks against this procedure, the attacker needs to set up a malicious eNodeB and also needs to know the victim UE’s IMSI. A total of 5 attacks were discovered against this procedure of LTE. They were named as follows:
Paging Channel Hijacking
To carry out this attack, the malicious eNodeB set up by the attacker needs to operate on the same frequency band as the legitimate eNodeB.
In this attack, the malicious eNodeB sends empty paging messages to the victim UE. To make sure that the victim UE receives these empty paging messages, the attacker has to broadcast them from the malicious eNodeB exactly when the victim UE wakes up to check for paging messages. This synchronization is essential for the attack to work.
The victim UE then receives paging messages from both the legitimate and the malicious eNodeB at the same time, and it only acts on the first one it decodes. To make sure that the victim UE accepts the paging message from the malicious eNodeB, the malicious eNodeB broadcasts its paging messages with higher signal power.
Once all the above conditions are met, the attacker has hijacked the paging channel of the victim UE, thereby preventing valid paging messages from the MME from being received by the victim UE.
Stealthy kicking off Attack
This attack is carried out after successfully hijacking the paging channel of the victim UE using the attack described previously.
In this attack, the attacker uses the malicious eNodeB to send a paging message to the victim UE in which one of the paging records is set to the victim UE’s IMSI. The other fields of the paging record are identical to a legitimate paging record. Upon receiving a paging message with its IMSI in a paging record, the victim UE disconnects from the MME and sends an attach_request, thereby starting the whole attach process over again.
Like the other attacks described, this attack causes service disruption for a legitimate user.
Energy depletion Attack
As its name suggests, this attack is used to deplete the victim UE’s resources (CPU cycles, battery and so on). The attacker achieves this by repeatedly setting one of the paging records to the IMSI of the victim UE, thereby forcing the victim UE to carry out the attach procedure with the MME over and over again and drain its battery.
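Both the stealthy kicking-off attack and the energy depletion attack share one observable: a UE being paged by its permanent IMSI repeatedly, where normal paging uses a temporary identifier (S-TMSI). The following is an added detection example (not code from the researchers or from the LTEInspector project) that runs a sliding-window count over constructed paging records; the identities, timestamps and the `find_imsi_paging_bursts` function are assumptions of this example.

```python
from collections import defaultdict, deque

# Constructed sample paging records (not real captures). In normal
# operation the MME pages a UE by its temporary S-TMSI; a record that
# carries the permanent IMSI is legitimate only in rare recovery cases,
# so a run of IMSI pages to one subscriber is the pattern to flag.
SAMPLE_PAGING = [
    # (time_s, id_type, identity)
    (0.0, "s-tmsi", "0x1A2B3C4D"),
    (1.3, "s-tmsi", "0x5E6F7081"),
    (2.6, "imsi", "IMSI-PLACEHOLDER-1"),
    (3.9, "imsi", "IMSI-PLACEHOLDER-1"),
    (5.2, "imsi", "IMSI-PLACEHOLDER-1"),
    (6.5, "imsi", "IMSI-PLACEHOLDER-1"),
    (60.0, "imsi", "IMSI-PLACEHOLDER-2"),  # single IMSI page: benign
]

def find_imsi_paging_bursts(records, window_s=30.0, threshold=3):
    """Return identities paged by IMSI at least `threshold` times
    within any sliding window of `window_s` seconds.

    Each IMSI page makes the UE drop its connection and re-attach, so a
    burst against one subscriber matches the energy depletion /
    stealthy kicking-off pattern. A lone IMSI page is not reported.
    """
    recent = defaultdict(deque)   # identity -> timestamps in window
    flagged = {}
    for t, id_type, identity in sorted(records):
        if id_type != "imsi":
            continue              # S-TMSI paging is the expected case
        q = recent[identity]
        q.append(t)
        while q and t - q[0] > window_s:
            q.popleft()           # drop pages older than the window
        if len(q) >= threshold and identity not in flagged:
            flagged[identity] = {"first": q[0], "last": t, "count": len(q)}
    return flagged

if __name__ == "__main__":
    for imsi, info in find_imsi_paging_bursts(SAMPLE_PAGING).items():
        print(f"{imsi}: {info['count']} IMSI pages between "
              f"t={info['first']}s and t={info['last']}s")
```

On the constructed input, only the first placeholder subscriber is flagged; the same logic applies to a network-side paging trace or a UE-side baseband log that exposes the paging identity type.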
This attack is used by the attacker to send fake emergency messages to all surrounding UEs by means of the malicious eNodeB.
In this attack, the attacker sends paging messages whose records are empty but which carry fake emergency warnings to all the surrounding UEs camped on the malicious eNodeB.
As we can clearly see, an attacker can use this attack to create chaos among people, and malicious parties could use it as a distraction to hide their real agenda.
This attack focuses on breaking the unlinkability guarantee. According to the researchers it is not applicable to 4G LTE, so let’s not focus too much on it.
Attacks against Detach Procedure
A total of 2 attacks were discovered against this procedure of 4G LTE. They were named as follows:
To carry out this attack, the attacker needs to set up a malicious eNodeB and also needs to know the IMSI of the victim UE. The attacker then injects a detach_request to disrupt the services of the victim UE.
Authentication Relay Attack using Attack Chaining
This is the final attack, which according to the security researchers is of the greatest concern and needs to be addressed as soon as possible, because it lets an attacker impersonate the victim UE and connect to the EPC without possessing the proper credentials, and at the same time spoof the location of the victim UE.
To carry out this attack, the attacker is required to set up a malicious eNodeB and a malicious UE, and must also have the IMSI of the victim UE. It is also assumed that there is a private channel between the user UE and the eNodeB.
In this attack, the attacker impersonates the victim UE and tries to connect to the EPC. If the victim is already attached to the legitimate eNodeB, the attacker achieves this in two steps.
Step 1: Force the victim UE to disconnect from the EPC.
This can be done with the stealthy kicking-off attack described earlier.
Step 2: The attacker’s UE connects to the EPC by impersonating the victim UE.
After being forced to disconnect from the EPC by the IMSI paging described earlier, the victim UE tries to connect to the eNodeB with the highest signal strength, which is the malicious eNodeB. The malicious eNodeB now acts as a proxy: it forwards the attach_request from the victim UE to the malicious UE, which sends it to the legitimate eNodeB and receives the valid authentication challenge back. By relaying every step of the attach procedure in this way, the attacker’s UE presents the requests of a valid user to a legitimate MME.
The implications of this attack include:
Location History poisoning.
Loss of Confidentiality.
You might be thinking that these attacks are purely theoretical and only exist on paper. Well, that’s not the case here. These attacks were successfully implemented by the security researchers using their own testbed, called LTEInspector, which cost them barely $3900 to set up.
The researchers have decided not to release proof-of-concept code for the discussed attacks until the flaws are fixed.
So we would like to close this article with a spooky question: do you still think you are safe with your smartphones and tablets?