Researchers uncover 4G LTE exploits that can be used to spy, spoof and cause panic
Vulnerabilities in a common wireless telecommunications standard could allow hackers to send a fake emergency alert message to almost anyone’s smartphone.
Researchers from Purdue University and the University of Iowa say they’ve discovered 10 new vulnerabilities in the 4G LTE protocol that can disrupt victims’ devices in several ways. They present the new findings in a paper published last month that showcases a tool they developed in order to detect such vulnerabilities.
Among the new attacks, the researchers highlight an authentication relay attack, which they say allows an attacker to connect to an LTE network while spoofing another existing device’s identity and location. This is done without having legitimate credentials.
“Through this attack the adversary can poison the location of the victim device in the core networks, thus allowing setting up a false alibi or planting fake evidence during a criminal investigation,” the paper says.
The researchers explain that the 4G LTE protocol is an “amalgamation of multiple critical procedures”, each of which requires an “in-depth security and privacy analysis of its own.” Thus, their research tackles the question of whether they can exploit three of these procedures—known as attach, detach and paging—and whether their findings could be implemented by malicious actors.
Other exploits include the ability to track a victim device’s location, intercept phone calls and messages and even inject fake emergency alerts. The researchers say this could create an “artificial emergency”, much like the mass scare caused by a faulty missile alert in Hawaii in January.
The paper presents a tool, dubbed “LTEInspector,” that the researchers developed to discover these exploits. It describes LTEInspector as a model that “lazily” scans a 4G LTE network for certain vulnerabilities.
Given that the main purpose of the paper is to show how LTEInspector works, the researchers say that they don’t dive into how to defend against the attacks they uncovered. They suggest that creating adequate defensive measures would be difficult without a significant overhaul of the 4G LTE infrastructure.
“We deliberately do not discuss defenses for the observed attacks as retrospectively adding security into an existing protocol without breaking backward compatibility often yields band-aid-like-solutions which do not hold up under extreme scrutiny,” the researchers say.