4G LTE protocols used by smartphones can be hacked, researchers found
Newer telecommunication protocols, which are replacing a current framework that connects phone services between multiple mobile networks, are susceptible to being hacked, according to research presented on Friday at the Black Hat Europe security conference.
Nokia Bell Labs researchers Silke Holtmanns, Bhanu Kotte and Siddharth Rao conducted experiments on a test network, simulating attacks launched from Finland against an unnamed British mobile operator. The research team found several ways to exploit the Diameter framework that disrupted service both to specific users and to nodes that provide access for entire regions.
A denial of service attack proved successful in the experiment.
Diameter is replacing the SS7 protocol, which has been in place since 1975. The increased use of 4G Long-Term Evolution networks, or LTE, by mobile operators is driving the shift to Diameter. While it is understood to be more secure than SS7, Diameter permits many of the same cyberattacks when it is deployed without additional security measures, the Nokia Bell Labs security researchers found.
SS7 was in the news earlier this year after a 60 Minutes exposé led to calls for a congressional investigation and an FCC review.
Unlike SS7, Diameter can rely on a communications suite called Internet Protocol Security, or IPsec, which works by authenticating and encrypting each IP packet in transit. Use of IPsec, however, is optional.
“Diameter is considered to be secure because it has IPSec within it. But there is no way to confirm whether the operators are actually implementing it,” said Rao.
In early March, the Nokia Bell Labs security team published a paper entitled “User Location Tracking Using Interworking Functionality.” The paper served as a prologue for the recent Black Hat presentation by exploring how an attacker may be able to track an LTE user from a GSM network by exploiting the interworking relationship between SS7 and Diameter.
Smartphones running on 4G networks can still receive messages originating on a 2G network, meaning that signaling from 2G networks is effectively converted to 4G — and vice versa — during communications.
“We exploited that to show 4G can be attacked and that it is not so secure. [But] by then we also realized that 4G is not as secure as [mobile operators] generally think. So we did further research and the results are provided in our Black Hat talk,” Rao said. The recent demonstration focused solely on 4G, showing that a highly targeted exploit can kick users off an affected network.
While the Nokia Bell Labs team’s proof-of-concept attack should concern telecommunications executives, Rao cautioned that it would also be difficult to pull off.
“Gaining access to the telecommunication backbone is still not that easy. These attacks need in-depth knowledge of the protocols. Unlike the internet protocols which are open and easily available to play with, telecommunications protocol has not so widely [been] made open,” Rao told CyberScoop.
The researchers recommended that operators audit their systems and install effective firewalls where and when necessary to prevent these attacks; their exploit can realistically be stopped with a little more caution and effort.
Nokia Bell Labs’ full presentation can be accessed here.