Many people assume that using 4G LTE instead of public Wi-Fi is a safe way to browse on the go. However, a group of US-based researchers has recently published a paper showing that the 4G LTE protocols can be abused to inject fake messages, to snoop on users, and to forge user location data. Perhaps most worrying is that the flaws lie in the design of the LTE protocols themselves rather than in any one implementation, which means the upcoming 5G protocols, which build on the same designs, could be affected as well.
The vulnerabilities were found by Purdue University’s Syed Rafiul Hussain, Shagufta Mehnaz and Elisa Bertino together with the University of Iowa’s Omar Chowdhury. They focused on three protocol procedures: “Attach”, “Detach” and “Paging”. Each governs a different interaction between the phone and the network, and each was found to have vulnerabilities. Attach runs when a device connects to the network (for example, when the user turns the phone on), detach runs when it disconnects (for example, when the phone is turned off), and paging is how the network reaches an idle device, whether to set up an incoming call, to tell it to re-acquire system information, or to deliver an emergency warning.
The paper describes how the attacks were found using a tool the researchers call LTEInspector. LTEInspector combines a symbolic model checker with a cryptographic protocol verifier: the model checker reasons about the sequence of events and actions in a procedure, including linear integer arithmetic constraints such as counters and timers, while the protocol verifier reasons about the cryptographically protected messages and constructs. The analysis uncovered 10 new attacks, some of which have since been protected against with fixes, but some of which could still work.
The worst attack is an authentication relay attack, which lets an adversary “connect to the core networks – without possessing any legitimate credentials – while impersonating a victim cellular device”. Because the network then associates the attacker’s connection with the victim’s identity, the attack opens up a wide range of possibilities; one is to feed the network false location information for the victim, which could be used to provide a false alibi or plant fake evidence in an investigation. The researchers are not confident in fixes, either: “retrospectively adding security into an existing protocol without breaking backward compatibility often yields band-aid-like-solutions which do not hold up under extreme scrutiny”, the paper states.
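To make the shape of a relay attack concrete, here is an added example that is not code from the paper or from LTEInspector. It models a heavily simplified challenge-response exchange of the RAND/AUTN/RES kind used by LTE authentication, with a toy HMAC-based key derivation standing in for the real MILENAGE functions and with the IMSI, long-term key and session names all constructed for the demo. The point it illustrates is the one in the quote above: the core network only checks that a correct RES comes back on a radio session, so an attacker who claims the victim’s identity on its own session and forwards the genuine challenge to the victim (through a fake base station, which this model collapses into a function call) gets authenticated as the victim without ever holding the key, and the network now believes the victim is wherever the attacker is.

```python
import hmac
import hashlib
import secrets

# Toy key derivation standing in for the MILENAGE f1/f2 functions: keyed
# HMAC-SHA256 truncated to 8 bytes. Not the real algorithm, just a PRF.
def prf(key, label, *parts):
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()[:8]


class CoreNetwork:
    """Simplified HSS/MME: holds subscriber keys and runs a RAND/AUTN/RES exchange."""

    def __init__(self, subscribers):
        self.subscribers = dict(subscribers)          # IMSI -> long-term key K
        self.sqn = {imsi: 0 for imsi in subscribers}  # per-subscriber sequence number
        self.pending = {}                             # radio session -> (IMSI, expected RES)
        self.attached = {}                            # radio session -> authenticated IMSI

    def attach_request(self, session, imsi):
        """An Attach Request claiming IMSI arrives on a radio session; answer with a challenge."""
        k = self.subscribers[imsi]
        self.sqn[imsi] += 1
        sqn = self.sqn[imsi].to_bytes(6, "big")
        rand = secrets.token_bytes(16)
        autn = sqn + prf(k, b"mac", sqn, rand)        # lets the UE authenticate the network
        self.pending[session] = (imsi, prf(k, b"res", rand))
        return rand, autn

    def authentication_response(self, session, res):
        """Bind the session to IMSI if RES matches; the network cannot tell who computed it."""
        imsi, xres = self.pending.pop(session)
        if hmac.compare_digest(res, xres):
            self.attached[session] = imsi
            return True
        return False


class UE:
    """Simplified phone: verifies AUTN, rejects replayed sequence numbers, returns RES."""

    def __init__(self, imsi, k):
        self.imsi, self.k, self.last_sqn = imsi, k, 0

    def challenge(self, rand, autn):
        sqn, mac = autn[:6], autn[6:]
        if not hmac.compare_digest(mac, prf(self.k, b"mac", sqn, rand)):
            raise ValueError("network authentication failed")
        if int.from_bytes(sqn, "big") <= self.last_sqn:
            raise ValueError("replayed challenge")
        self.last_sqn = int.from_bytes(sqn, "big")
        return prf(self.k, b"res", rand)


def honest_attach(network, ue, session):
    rand, autn = network.attach_request(session, ue.imsi)
    return network.authentication_response(session, ue.challenge(rand, autn))


def relay_attach(network, victim, attacker_session):
    """The attacker holds no key. It claims the victim's IMSI on its own radio session,
    forwards the resulting challenge to the victim via a fake base station (modelled
    here as a direct call), and returns the victim's genuine RES to the real network."""
    rand, autn = network.attach_request(attacker_session, victim.imsi)
    res = victim.challenge(rand, autn)   # the victim sees a valid AUTN and answers
    return network.authentication_response(attacker_session, res)


def run_demo():
    k_victim = bytes(range(16))                           # constructed long-term key
    network = CoreNetwork({"001010123456789": k_victim})  # constructed IMSI
    victim = UE("001010123456789", k_victim)

    honest_ok = honest_attach(network, victim, "victim-radio-link")
    # Without relaying, a guessed RES is rejected: the attacker really lacks credentials.
    network.attach_request("attacker-radio-link", victim.imsi)
    guess_ok = network.authentication_response("attacker-radio-link", secrets.token_bytes(8))
    relay_ok = relay_attach(network, victim, "attacker-radio-link")
    return {
        "honest_ok": honest_ok,
        "guess_ok": guess_ok,
        "relay_ok": relay_ok,
        "identity_on_attacker_link": network.attached.get("attacker-radio-link"),
    }


if __name__ == "__main__":
    print(run_demo())
```

The victim’s own checks (a valid MAC over the challenge and a fresh sequence number) all pass, because the challenge really did come from the real network; nothing in the exchange ties the response to the radio link it travels over, which is exactly the gap a relay exploits. Note that the model omits the steps by which an attacker first learns the victim’s IMSI and lures the phone onto a fake base station; it only shows why the core network cannot distinguish the relayed session from the genuine one.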
While some of the issues LTEInspector found have been fixed, others remain open.
Hussain, one of the researchers, explains that “Among the 10 newly detected attacks, we have verified eight of them in a real testbed with SIM cards from four major US carriers.”