There are many reasons to be concerned about how easily someone with the right tools and knowledge could do very bad things with cellular communications networks. And while none of them have necessarily risen to the level of the dramas pulled off on television (see Mr. Robot), new research shows that things are even worse than they appear, and in many cases that is because of how carriers have implemented the cellular standards.
As ZDNet's Zack Whittaker reports, researchers at Purdue University and the University of Iowa testing 4G LTE networks have uncovered 10 new types of attacks. They made the discovery while evaluating a proof-of-concept 4G LTE penetration-testing toolset called LTEInspector. Combined with the nine previously known attack methods that Syed Hussain, Omar Chowdhury, Shagufta Mehnaz, and Elisa Bertino also confirmed as working against various carrier networks, the collection of exploits can be used to track device owners, eavesdrop on texts and other sensitive data, and even pose as those users on the cellular network, spoofing their location and other data. An attacker could even spoof warning messages like those used by government agencies and weather services, such as the false missile warning sent by a Hawaii government official.
The security of 4G LTE networks rests largely on obscurity: many implementations are proprietary “black boxes,” as the Purdue and Iowa researchers put it, which makes performing genuine security assessments difficult. And because of the large number of features that must be configured, including the need to accept devices originally provisioned for another carrier, there is a lot of slop in LTE implementations and little public documentation of how each network is secured. A recent IEEE-published study found that implementations of the LTE “control plane” (the signaling that handles attach, authentication, paging and mobility) vary widely from carrier to carrier: problems seen on one network do not occur on others.
That variation holds for security as well. In one case, the Purdue and Iowa researchers found that a carrier did not encrypt control-plane messages at all, meaning an attacker could eavesdrop on SMS messages and other sensitive data simply by capturing the traffic. That flaw has since been fixed by the carrier.
While 4G LTE is supposed to give cellular customers a measure of privacy by using ephemeral “temporary subscriber identities” over the air instead of the permanent IMSI, researchers at the Korea Advanced Institute of Science and Technology (KAIST) recently found that the Globally Unique Temporary Identifier (GUTI) issued by many 4G LTE carriers is not especially temporary. Carriers do change a phone's GUTI periodically, but the KAIST researchers found that 19 of the 28 carriers they surveyed did so in a very predictable way, making it easy to predict not only when a new identifier would be assigned but also most of the new GUTI's value, because most of its bytes were left unchanged.
“In our global-scale measurement analysis, we did not find a single carrier that implemented the GUTI reallocation securely,” the KAIST researchers wrote. A similar problem exists with the temporary subscriber IDs (TMSIs) of GSM and 3G networks.
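To make the KAIST finding concrete, the following Python simulation (an added example, not code from the researchers or from this article) contrasts a hypothetical weak reallocation policy that replaces only the low byte of the M-TMSI with a sound policy that draws a fresh random M-TMSI. The GUTI field layout (PLMN, MME group ID, MME code, 32-bit M-TMSI) follows the LTE specification; the linking heuristic, the sample GUTI values and the other-UE pool are constructed for illustration. The point it shows is that once most of the identifier survives "reallocation," an observer can pick the target's new GUTI out of a crowd of a thousand others with no false positives.

```python
import random
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Guti:
    """4G GUTI fields: PLMN (MCC+MNC), MME group ID, MME code, M-TMSI."""
    plmn: str     # e.g. "310260"; fixed while the UE stays on this network
    mmegi: int    # 16-bit MME group identifier
    mmec: int     # 8-bit MME code
    m_tmsi: int   # 32-bit temporary identity; the part that is supposed to change

    def m_tmsi_bytes(self) -> bytes:
        return self.m_tmsi.to_bytes(4, "big")


def reallocate_predictable(old: Guti, rng: random.Random) -> Guti:
    """Hypothetical weak policy modelled on the KAIST finding: only the low byte
    of the M-TMSI is replaced, so 3 of its 4 bytes survive the 'reallocation'."""
    new_low = (old.m_tmsi + rng.randrange(1, 256)) & 0xFF   # always differs from old low byte
    return Guti(old.plmn, old.mmegi, old.mmec, (old.m_tmsi & 0xFFFFFF00) | new_low)


def reallocate_random(old: Guti, rng: random.Random) -> Guti:
    """Sound policy: a fresh, unpredictable 32-bit M-TMSI unrelated to the old one."""
    return Guti(old.plmn, old.mmegi, old.mmec, rng.getrandbits(32))


def unchanged_bytes(a: Guti, b: Guti) -> int:
    """Number of M-TMSI byte positions that are identical in the two GUTIs."""
    return sum(x == y for x, y in zip(a.m_tmsi_bytes(), b.m_tmsi_bytes()))


def link_candidates(old: Guti, observed: List[Guti], min_shared: int = 3) -> List[Guti]:
    """Attacker heuristic: any GUTI seen on the air after reallocation that still
    shares at least min_shared M-TMSI bytes with the old GUTI is linked to the target."""
    return [g for g in observed if unchanged_bytes(old, g) >= min_shared]


def simulate(policy: Callable[[Guti, random.Random], Guti],
             n_other: int = 1000, seed: int = 1) -> Dict[str, int]:
    """Reallocate one target GUTI under `policy`, mix it with n_other unrelated UEs'
    GUTIs (constructed sample data), and test whether the attacker can re-identify it."""
    rng = random.Random(seed)
    target = Guti("310260", 0x8001, 0x02, rng.getrandbits(32))
    others = [Guti("310260", 0x8001, 0x02, rng.getrandbits(32)) for _ in range(n_other)]
    new_target = policy(target, rng)
    pool = others + [new_target]
    rng.shuffle(pool)
    linked = link_candidates(target, pool)
    found = int(new_target in linked)
    return {
        "bytes_unchanged": unchanged_bytes(target, new_target),
        "target_linked": found,
        "false_positives": len(linked) - found,
    }


if __name__ == "__main__":
    for name, policy in (("predictable", reallocate_predictable),
                         ("random", reallocate_random)):
        print(name, simulate(policy))
```

Under the predictable policy the attacker links the new GUTI to the old one every time; under the random policy the link attempt fails and the only way to track the phone is to force a fresh identity disclosure, which is exactly what the standard intends.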
The discoveries by the Purdue/Iowa team go beyond simple location tracking. One exploit lets an attacker track a target knowing only a phone number: the attacker places a call to the number, which makes the network page the target's phone in its current cell, while simultaneously suppressing the call notification by hijacking the target's paging channel so the victim never sees it. Another attack lets a malicious device pose as the target through an “authentication relay” attack, after which it can send its own location updates and other messages to corrupt the carrier's location records for the victim.
The paging channel, which also carries SMS delivery and other notifications, can be hijacked for other purposes: to send messages to the network while posing as the target, to spoof emergency alert messages, to silently kick the victim off the cellular network, or to carry out denial-of-service and battery-drain attacks against the victim's phone.
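The phone-number-to-location step described above rests on a simple correlation: the attacker controls when the target gets paged, and anything paged inside every post-call window must be the target. The Python simulation below is an added example, not the researchers' tooling or code from this article. It constructs a sample capture of one cell's paging channel (a pool of unrelated UEs paged at random, plus the target paged shortly after each attacker-placed call; the S-TMSI values, timings and pool size are all made up) and shows both halves of the technique: identifying the target's S-TMSI (the MME code plus M-TMSI portion of the GUTI that appears in paging messages) and deciding whether the target is present in the monitored cell. The suppression of the call notification, the part that keeps the victim from noticing, is assumed rather than modelled.

```python
import random
from collections import Counter
from typing import List, Tuple

PagingRecord = Tuple[float, int]   # (seconds since capture start, S-TMSI paged)

# Constructed sample parameters: the target's S-TMSI and the times (seconds into
# the capture) at which the attacker places silent calls to the target's number.
TARGET_STMSI = 0xDEADBEEF
CALL_TIMES = [60.0, 180.0, 300.0, 420.0, 540.0]


def generate_capture(target_stmsi: int, call_times: List[float], target_present: bool = True,
                     n_pool: int = 300, n_background: int = 2000, duration: float = 600.0,
                     seed: int = 7) -> List[PagingRecord]:
    """Constructed paging-channel capture for one cell: n_background pages spread over
    `duration` seconds across a pool of n_pool unrelated UEs, plus (if the target is
    camped in this cell) one page for the target shortly after each attacker call."""
    rng = random.Random(seed)
    pool = [rng.getrandbits(32) for _ in range(n_pool)]
    records = [(rng.uniform(0.0, duration), rng.choice(pool)) for _ in range(n_background)]
    if target_present:
        for t in call_times:
            # Assumption: the network pages the callee within about 2 s of the call.
            records.append((t + rng.uniform(0.5, 2.0), target_stmsi))
    records.sort()
    return records


def stmsis_in_window(records: List[PagingRecord], start: float, window: float) -> set:
    """Set of S-TMSIs paged in [start, start + window]."""
    return {stmsi for ts, stmsi in records if start <= ts <= start + window}


def identify_target(records: List[PagingRecord], call_times: List[float],
                    window: float = 3.0) -> List[int]:
    """Return every S-TMSI that was paged inside ALL post-call windows. Background UEs
    are paged at random and drop out after a few calls; the target never does.
    An empty list means the target is not camped in the monitored cell."""
    hits: Counter = Counter()
    for t in call_times:
        hits.update(stmsis_in_window(records, t, window))
    return [s for s, n in hits.items() if n == len(call_times)]


def confirm_presence(records: List[PagingRecord], stmsi: int, call_time: float,
                     window: float = 3.0) -> bool:
    """Once the S-TMSI is known, a single further call answers 'is the target here now?'"""
    return stmsi in stmsis_in_window(records, call_time, window)


if __name__ == "__main__":
    capture = generate_capture(TARGET_STMSI, CALL_TIMES)
    print("candidates:", [hex(s) for s in identify_target(capture, CALL_TIMES)])
    print("present on last call:", confirm_presence(capture, TARGET_STMSI, CALL_TIMES[-1]))
    elsewhere = generate_capture(TARGET_STMSI, CALL_TIMES, target_present=False)
    print("candidates when target is in another cell:", identify_target(elsewhere, CALL_TIMES))
```

Five calls are enough here because a given background UE has only a few percent chance of being paged inside any one 3-second window, so the chance of one surviving all five windows is negligible; a real deployment with heavier paging load or coarser timing needs more calls, and the victim would notice them unless the notification is suppressed as the Purdue/Iowa attack does.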
All of these exploits come on top of other well-known attacks already carried out with “IMSI catchers” such as the controversial Stingray devices used by law enforcement agencies. And that is not to mention the many location-tracking techniques that exploit smartphones' Wi-Fi radios or chatty mobile apps.