New 4G LTE vulnerabilities: mass mailing, impersonation of subscriber devices and others
LTE network architecture
At the last San Diego NDSS 2018 Network and Distributed Systems Security Conference, there were a lot of interesting things, but the report of American researchers from the University of Iowa and Purdue University on vulnerabilities in fourth-generation communication networks (4G) attracted the most attention: LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE (pdf) . Such attention is understandable, given the widespread use of 4G LTE networks.
The researchers focused on the analysis of three critical procedures that are used in the protocol:
')
- Attach - a procedure that connects the subscriber device with the network (for example, when you turn on the phone).
- Detach - performed when the device is turned off or the network is turned off (for example, due to poor signal quality or if the phone cannot be authenticated on the network).
- Paging — This protocol is part of the call setup to force the device to re-receive system information as well as emergency messages.
Attach, paging, and detach procedures
These procedures are critical to the reliable functioning of the rest. For example, without the proper execution of the Attach procedure, the entire subsequent chain of security does not work and serious consequences arise, such as MiTM attacks.
To test LTE networks, researchers created a tool called LTEInspector, which they launched in the relevant model ( code on GitHub ).
LTEInspector Architecture
Vulnerabilities were found in the LTE simplified ecosystem model after checking 14 protocol properties, according to standards. Although the model is abstract and simplified, but researchers have verified that most of the new attacks (8 out of 10) are realizable in practice with the SIM cards of American telecom operators. Such attacks will be relatively inexpensive (equipment costs from $ 1,300 to $ 3,900), if we ignore the legal consequences. In most cases, such testing in real conditions will be a violation of the law.
LTE Simplified Ecosystem Model
Following the test, LTEInspector was able to detect new vulnerabilities that can be used to conduct 10 new attacks. Separately, there is an authentication relay attack, which allows an attacker to connect to the main networks, passing his terminal on the victim’s device. In this way, you can change the coordinates of the registration of the device in the network - for example, it can be used to create a “fake alibi” or, conversely, fabricate evidence in a criminal investigation. If the victim’s phone at the time of the crime was in the vicinity of the crime scene, then this information will be known to the investigating authorities - and an innocent person may be suspected.
Other uses of the detected vulnerabilities are to obtain approximate information about the user's real location, a denial of service (DoS) attack, and an introduction to the operator’s paging channel. In the latter case, you can not only block the victim from receiving calls or SMS, but also send him a fabricated “emergency” message over official cellular channels.
For example, an authentication transfer attack belongs to the class of attacks against the attach procedure (attack A-4 in the table below). Here, the attacker must install an intermediate cellular node (eNodeB) and know the victim's IMSI device. For correct operation of a fake cellular node, you must first connect to the operator’s network with its SIM card and find out the parameters that the operator sends in
system_info_block messages. For interception and wiretapping of inbound and outbound LTE messages, a sniffer and QXDM (Qualcomm Extensible Diagnostic-Monitor) are used . The following configuration parameters are intercepted from the system_info_block operator messages: band, dl_earfcn, mcc, mnc, p0_nominal_pucch, p0_nominal_pusch, q_rx_lev_min, q_hyst, DRX cycle.An IMSI number of a subscriber unit can be detected by an attacker when it will connect to its eNodeB. Then the
identity_request request is sent to the device - and the identity_response response comes.
Authentication Attack
This is the most “expensive” attack, because its validation requires the installation of three USRP devices at a cost of about $ 1,300 each. This is necessary in order to raise its own fictitious network, similar to the real network of the operator, and to carry out validation in it without breaking the law.
USRP is a peripheral hardware platform for a software-defined radio system (SDR). In field trials, researchers used a USRP B210 ($ 1315) board with the srsUE program, which is part of srsLTE (the source code is open in the repository on GitHub).
The table lists all new attacks discovered during the study. Seven of them are fully proven in practice, one partially (P-4), and two not confirmed (P-3 and P-5). The cost of attack validation ranges from $ 1,300 to $ 3,900, depending on the number of required USRP boards. In fact, this is the maximum cost of equipment to attack, not counting the cost of the terminal device (UE). In reality, USRP can be found cheaper, and in some cases, a real attack does not need as much USRP as for its validation.
| ID | Attack name | Conditions | Standard / Subject | Consequences |
|---|---|---|---|---|
| A-1 | Authentication sync error | Known IMSI, Malicious UE | 3GPP | Connection failure, service failure |
| A-2 | Traceability | Valid security_mode command, malicious eNodeB | Operator networks, mobile devices | Sample location information |
| A-3 | Disconnection via auth_reject | malicious eNodeB | 3GPP | Denial of all cellular services |
| A-4 | Authentication transfer | Known IMSI, malicious eNodeB | 3GPP, network operators | Reading the incoming / outgoing messages of the victim, covertly shutting down all or certain services, changing the history of locations |
| P-1 | Channel capture paging | Known IMSI, malicious eNodeB | 3GPP | Silently disable incoming services |
| P-2 | Discreet reset | Known IMSI, malicious eNodeB | 3GPP | Unnoticed by the victim from the network |
| P-3 | Panic | Malicious eNodeB | 3GPP | Mass distribution of emergency warnings about the threat to life: for example, artificial chaos in the event of terrorist activity |
| P-4 | Energy depletion | Known IMSI, GUTI, malicious eNodeB | 3GPP | Low battery |
| P-5 | Connectivity | Famous IMSI or Old Pseudo-IMSI | 3GPP Extended 5G AKA | Sample location information |
| D-1 | Shutdown / downgrade | Malicious eNodeB known by IMSI (for targeted version) | 3GPP | Denial of service, downgrade to 2G / 3G |
It should be noted that “Panic” attacks are really capable of causing chaos in the population. In January 2018, the Hawaiian Emergency Agency accidentally sent out an emergency message about the approach of a ballistic missile , frightening the locals, who massively went to bomb shelters.
The authors of the study are skeptical about the ability to close the identified vulnerabilities in existing protocols. According to them, if you retrospectively add security measures to existing protocols without violating backward compatibility, this often leads to unreliable “patchwork” solutions. Therefore, before using communication protocols, it is important to first test them thoroughly.
Source: https://habr.com/ru/post/351470/
All Articles