4G LTE pried open to reveal a slew of new protocol-level attacks

A group of American university researchers have broken key 4G LTE protocols to generate fake messages, snoop on users, and forge user location data. Those working on the coming 5G protocols should take note: the vulnerabilities are most worrying because they're written into the LTE protocols, and could therefore have an …

  1. elDog Silver badge

    A rhetorical question: Is it better or worse to have your own service provider hacking you

    Or some other "malicious node"? That term "malicious node" did not seem to be well explained in this article.

    It's also not clear if the "lazy" LTEInspector was so named because it is passive. It sounds like it wouldn't take much to make something like that pretty hyper.

    So, much like most of our other protocols back to smoke signals, the developers couldn't have foreseen a future where every bit transmitted was suspect. And Alice and Bob may not even be who they say they are.

    1. JetSetJim Silver badge

      Re: A rhetorical question: Is it better or worse to have your own service provider hacking you

      > That term "malicious node" did not seem to be well explained in this article.

      A "malicious node" is a fake base station. You can buy the hardware off the shelf for around $1k, connect it to a regular PC/laptop and run open source LTE code to provide a base station - I've done it with Open Air Interface, and have connected that up to an open source core network to actually make a full 4G network broadcasting with a test license at low power.

      The trick needed here is to convince an operator network to let this node actually connect to it - something I find hugely unlikely as they are usually on their own private network, connected via protected links (IPSec probably). Determining the IP address of the MME & SGW that you'd need to connect to, then getting them reconfigured to allow connection from a new IP address (and knowing which are available to use) is a moderately high bar to jump. The malicious node would then start getting reported in statistics to the operations centre, which should ring alarm bells. All of these network elements are usually explicitly configured to say that "box A with name X at IP xxx.xxx.xxx.xxx can connect to box B with name Y at IP yyy.yyy.yyy.yyy" - which is a right pain in the arse to manage across the whole network, but possibly a better solution than allowing open access...

      Overall, not something even a technically aware black-hat could achieve easily without getting detected.

      OTOH, perfectly simple for a govmt sponsored agency to achieve with cooperation from the operator
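As an added illustration of the per-node peer configuration JetSetJim describes above (this is not code from the article or from any commenter), a small Python check that runs constructed S1-setup attempts against a hypothetical allow-list and flags anything that should reach the operations centre; the node names, addresses and log format are all made up.

```python
"""Hypothetical S1 peer allow-list check (added example, not from the page)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Peer:
    name: str
    ip: str


# Constructed allow-list: (eNB name, eNB IP) -> MMEs it is permitted to reach.
ALLOWED = {
    Peer("ENB-0001", "10.10.1.11"): {Peer("MME-01", "10.10.0.5")},
    Peer("ENB-0002", "10.10.1.12"): {Peer("MME-01", "10.10.0.5"),
                                     Peer("MME-02", "10.10.0.6")},
}

# Constructed log lines in a made-up "S1SETUP src=NAME/IP dst=NAME/IP" format.
SAMPLE_LOG = [
    "S1SETUP src=ENB-0001/10.10.1.11 dst=MME-01/10.10.0.5",  # legitimate
    "S1SETUP src=ENB-0001/10.10.1.11 dst=MME-02/10.10.0.6",  # MME not permitted
    "S1SETUP src=ENB-0002/10.10.1.99 dst=MME-01/10.10.0.5",  # known name, new IP
    "S1SETUP src=ENB-9999/10.10.1.50 dst=MME-01/10.10.0.5",  # never configured
]


def classify(src: Peer, dst: Peer, allowed=ALLOWED) -> str:
    """Return 'ok', 'unexpected-peer', 'name-ip-mismatch' or 'unknown-node'."""
    if src in allowed:
        return "ok" if dst in allowed[src] else "unexpected-peer"
    # A configured name showing up from a new IP (or vice versa) deserves its
    # own verdict: it is the pattern a node impersonating a real eNB would leave.
    if any(p.name == src.name or p.ip == src.ip for p in allowed):
        return "name-ip-mismatch"
    return "unknown-node"


def scan(log_lines, allowed=ALLOWED):
    """Parse the constructed log lines and return (verdict, src, dst) alerts."""
    alerts = []
    for line in log_lines:
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        src = Peer(*fields["src"].split("/"))
        dst = Peer(*fields["dst"].split("/"))
        ipaddress.ip_address(src.ip)  # raises ValueError on a malformed address
        verdict = classify(src, dst, allowed)
        if verdict != "ok":
            alerts.append((verdict, src, dst))
    return alerts


if __name__ == "__main__":
    for verdict, src, dst in scan(SAMPLE_LOG):
        print(f"{verdict}: {src.name}/{src.ip} -> {dst.name}/{dst.ip}")
```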

  2. Anonymous Coward

    False emergency alerts "Panic Attack"

    No need to hack. Just get a job at the Hawaii State Emergency Management Office (I understand that there's an opening), and push the button.

  3. Anonymous Coward

    Insecurity Mandated by Design ?

    ... and if hadn't been for you darn kids ...

    1. Anonymous Coward

      Re: Insecurity Mandated by Design ?

      You mean by "Insecurity Mandated by Design" like how some A5/1 64-bit GSM keys had ten fixed zeroes, substantially reducing the complexity of intercept by providing an effective key length of 54 bits . . ?

      so . . . (from this paper)

      "The [4G] cellular protocol lacks a formal specification"

      "the [4G] standard often suffers from ambiguity and under-specification"

      "The cellular protocol — comprising of multiple (cryptographic) sub-protocols — is stateful in nature"

      Naw, it might just be an accidental oversight from all the standards professionals in the south of France; they are, after all, probably cognisant of this section of the paper: "Resourceful adversaries (e.g., nation-states, foreign intelligence agencies, terrorists) can wreak havoc by exploiting vulnerabilities of the cellular network ecosystem . . . surveillance . . . cyberwarfare . . ."

      mesh?

      1. Missing Semicolon

        Re: Insecurity Mandated by Design ?

        "the [4G] standard often suffers from ambiguity and under-specification"

        Oh yes. Very much so.

        Anyone who has anything to do with 3GPP specifications knows them to be incomplete, arcane and ambiguous to a fault. With an extra-special dose of utter non-cross-referencing in a network of specs that rely on cross-referencing.

        They are intended to be that way, to ensure that only the established manufacturers could ever make any infrastructure, I presume.

  4. DougS Silver badge

    Hardly surprising

    I'm not sure if the protocol spec is publicly available, but even if it is there isn't any way for most people to test it - you'd quickly get in trouble if you tried it on a public cell. Setting up a private LTE base station or base station simulator isn't something the typical person has the financial resources and technical ability to do. If it was open and easily available to every curious hacker the way TCP/IP or SSH is these sorts of problems would have been shaken out in the pre-standard phase (i.e. the phase 5G is in right now)

    Good thing no one is talking about connecting nearly every device on the planet to 5G. Oh crap...this is how Skynet begins, isn't it?

    1. Mage Silver badge

      Re: isn't something the typical person has the financial resources

      Like 2G/3G it will get cheaper.

      Also possibly hack a femto cell (bought, borrowed or stolen).

    2. JetSetJim Silver badge

      Re: Hardly surprising

      > I'm not sure if the protocol spec is publicly available

      Yep, they are. Get them here. Enjoy wading through thousands of pages of technical jargon

      > Setting up a private LTE base station or base station simulator isn't something the typical person has the financial resources and technical ability to do

      Takes about $1.2K, plus a laptop, but yes, non-trivial technically (other solutions are available, possibly cheaper too)

      1. DougS Silver badge

        Re: Hardly surprising

        That's just a radio right? You need all the LTE software to manage a base station which I'm sure costs a LOT more as I've never heard of an open source LTE base station. Writing your own from spec would take so long we'd be on 6G by the time you're done!

        1. JetSetJim Silver badge

          Re: Hardly surprising

          > That's just a radio right?

          Yep, that's just the radio, and you also need a controlling PC that is a bit better than a $200 Chromebook. And you'll need to buy the right antennas ($10-20). And ideally a GPS antenna to ensure a good frequency lock in the SDR (<$20). And perhaps you want to house the circuitry in a sturdy box for another $50.

          The software, however, can be completely free and there's even other free and open options like this and this.

          These may not be commercial grade implementations, which also exist to purchase from places for prices in the low $'000s, but they cover the essentials within a 4G eNodeB.

  5. arielp

    practical?

    This may be working in a test environment..

    but in the real network..

    the victim UE will not get "signal", as it will not be connected to the EPC.. since it is only connected to the fake eNB

    and this only works IF the victim is not mobile. once the victim is outside the fake eNB coverage.. it will get normalized.

    also, how strong is the fake eNB RF output?? it would be costly to have good coverage to be useful

    i believe this would be made available in a test environment.. but in a real one.. it will not be so effective.. due to the cost needed for the fake eNB, portability, etc.

    so in a test environment, yes it may be.. in a real network.. not so useful.

    and maybe (maybe, i speculate) this is purposely allowed, maybe for Lawful Interception by authorities? like the one GSM/3G have now, for pinpointing criminals in a certain area.

    *if the sole purpose is only for blackout.. a portable RF jammer would be far cheaper :D

    --

    cmiiw

    --

    ALP
