An academic paper published last month presents 10 previously undiscovered vulnerabilities in the 4G LTE wireless protocol, including one that researchers say allows unauthenticated attackers to spoof the location of a legitimate user to the network, and another that reportedly can be used to distribute fake emergency messages.
Researchers Syed Hussain, Shagufta Mehnaz and Elisa Bertino of Purdue University and Omar Chowdhury of the University of Iowa state in their report that they were able to validate eight of the 10 new attacks by conducting experiments in a real testbed, also noting that they confirmed nine other attacks that were already known.
Specifically, the researchers tested LTE’s attach, paging and detach procedures, which are critically important for reliable and secure functionality, using an adversarial model-based testing approach that they dubbed LTEInspector. (Some of the discovered attacks do require certain conditions to be met in order to be effective.)
According to the report, attacks against the attach procedure include an “authentication synchronization failure attack” that causes disruption by sabotaging the user device’s sequence number sanity check; a “traceability attack” that allows malicious actors to track a particular person’s device; and a “numb attack,” whereby an adversary causes severe service problems by injecting an out-of-sequence control-plane protocol message.
The researchers also found five attacks against the paging procedure. The first is a “paging channel hijacking attack” that renders an affected device unable to receive messages from the Mobility Management Entity. This, in turn, enables a “stealthy kicking-off attack” that disconnects users from the service. The third exploit is a “panic attack” that lets attackers “inject fake emergency paging messages to a large number of” user devices, which could trigger a mass panic.
Rounding out the paging category are an “energy depletion attack” that forces devices to conduct cryptographic operations, and a fifth attack that breaks unlinkability guarantees.
There is also one detach attack, in which the adversary injects a detach request in order to disrupt a victim’s service.
The researchers further note that attackers can pull off the authentication relay attack mentioned above (the one that spoofs a user’s location to the network) by chaining one of the other exposed attacks with a relay attack in which an adversary “impersonates the victim UE [user equipment] to connect to the EPC [Evolved Packet Core] without possessing proper credentials.” By spoofing the victim device in this way, the attack in essence enters false information into the victim’s location history. This malicious technique also enables denial-of-service attacks, spying on users’ communications (the researchers say that the four major U.S. operators vulnerable to this exploit successfully addressed this problem) and tracking victims’ metadata, such as device usage patterns.