LTE (4G) is more secure than GSM (2G) and UMTS (3G) but that doesn't make it impervious to International Mobile Subscriber Identity (IMSI) catchers.
That's the conclusion of a presentation due to be given at Black Hat Europe this week, by Ravishankar Borgaonkar, Altaf Shaik, N. Asokan, Valtteri Niemi and Jean-Pierre Seifert.
To prove the point, the researchers will build an LTE IMSI catcher and demonstrate how "most popular phones" fail the test courtesy of vulnerabilities in baseband software and deployed networks that bypass enhanced LTE security measures. If that weren't enough, the same team reckon it has also managed to perform what it describes as being rudimentary Denial of Service (DoS) attacks that effectively block the LTE signal and force the handset to dropdown to a 3G or 2G connection on demand.
The researchers from Aalto University, the Technische Universitat Berlin, University of Helsinki, University of Turku and Telekom Innovation Laboratories, claim that these represent the first wave of practical attacks aimed at 4G networks. Pinpointing a location invades privacy, and service disruption could prevent calls from being made. However, none put any data stored on the target devices at risk.
All of which is hugely interesting from a mobile network nerds perspective, pretty interesting from a security nerds perspective, but should ends users actually be worried by all of this or would they be better aiming their anxiety at existing credential logging, data stealing, money spending malware instead?
SCMagazineUK.com got in touch with Jonathan Parker-Bray, CEO of Criptyque and a former telecoms executive with 25 years of network building experience who has now moved into end-to-encryption with a secure mobile platform called Pryvate.
We asked him just how problematical, in the real world and for most users, is the notion that someone could triangulate the precise location of their smartphone or other mobile device?
"The thought of a hacker triangulating someone's mobile device is not only a worrying notion but a very real threat that could be used for many purposes such as criminals targeting high-profile individuals and professionals," Parker-Bray told us.
He said hackers "have access to tools which enable them to intercept and record calls and text messages from up to 30 kilometres away" which, when coupled with location knowledge, "could lead to critical communications being overheard."
Parker-Bray also pointed out that triangulation isn't actually even necessary to determine location as it's quite possible to obtain a user's unique MAC address from a cellular intercept, and that can then be monitored for approximate positioning of the device.
Wim Remes, strategic services manager EMEA at Rapid7, isn't so convinced it will concern most folk. “Most users already use a large amount of location apps. Find your friends, Swarm, Facebook, Twitter, Uber, Tinder and their peers hold and share information about where you are exactly at what moment. Not to mention a history of where you were," he said.
Using mobile network technology to locate individuals is obviously possible but with the pervasiveness of location technology not very probable for the average end user. "Unless you are a target that has to practice OPSEC against a very sophisticated attacker," Remes said, "the ability of that attacker to triangulate your position is probably not your biggest concern."
There is a caveat though, namely that this kind of data is of extreme value to certain industries. "There are companies that would pay for the ability to push an ad for peanut butter on to your phone right when you walk into the grocery store" Remes says, adding "there is a boundary debate here but I'm not immediately sure if this is also a security debate."
So how problematical, in the real world once again, is the ability to force a handset to drop a 4G connection and grab a 3G or 2G one instead? It's service disruption, but not a DoS as we know it.
However, as Wim Remes points out, by forcing the handset to an older and less secure connection, the attacker would be able to exploit the weaknesses of that technology to intercept, record, or interfere with communications. "If I were an attacker, I'd consider a lot of different options before going through the trouble of performing this type of attack," Remes admitted, "but if a state or very well-funded attacker is in your threat model, it might be a concern."
That's the thing though, isn't it, with 4G (LTE) being inherently more secure than 2G or 3G anyway, even allowing for these vulnerabilities, surely the advice would be to carry on regardless? "There isn't really another option," Parker-Bray told SC. "4G LTE is becoming the standard for mobile phone connections so it is what people will have to use."
And as Wim Remes said, we've built entire business ecosystems on top of flawed tech such as IPv4, and the world is still turning. "4G LTE has a lot of security technology built in, is inherently more secure than its predecessors, and has a plethora of other benefits both for the users and the network providers," Remes insisted. "The risks outweigh the benefits and as such there is no business case to not use it."
At the end of the day then, are these vulnerabilities really things that users need to concern themselves about, or are they actually more of interest to security researchers and network engineers?
Bharat Mistry, cyber security consultant at Trend Micro UK, is in no doubt. "At the moment I would say these concerns are the primary interest of researchers," he said. "However, I could easily see threat actors, such as nation states, taking up interest in this space with a view to developing 'next generation' exploits to target specific network carriers and handset types."
Sean Sullivan, security advisor at F-Secure, summed it up: "These concerns are not something I'd worry about as a consumer here and now. These concerns are brought forward by researchers so network engineers can correct them before they're a practical problem."