
Researchers Demonstrate How LTE Communications Can Be Hacked

A Chinese IT security firm has demonstrated exploits on 4G LTE networks that allow attackers to intercept calls and text messages or force handsets offline.

The exploits affect all LTE networks, including those that power the UK’s 4G networks, according to Qihoo 360, which presented its findings at the Ruxcon conference in Melbourne over the weekend.

Live demonstration

The exploits build on research presented last year that demonstrated how inexpensive hardware could be used to exploit security holes in the LTE specification to determine the location of particular handsets, according to Qihoo’s presentation.

While the vulnerabilities haven’t yet been addressed, Qihoo said handset makers could implement workarounds, and noted that efforts are underway to make changes to the LTE standard that would fix the bugs.

During the presentation Qihoo researcher Wanqiao Zhang demonstrated recording an LTE call on a live network, according to a report by IT news site The Register.

The exploit involves setting up a malicious network using a small, low-power base station called a femtocell and using custom-built equipment that sniffs out the International Mobile Subscriber Identity (IMSI) number of the target handset, according to Zhang.

The attacker then tricks the target handset into switching over to the malicious network, allowing it to intercept or initiate calls and texts, Zhang said.

Failover mechanism

3GPP, the body that oversees the LTE standard, recognised in 2006 that such an exploit could allow an attacker to direct a device to a malicious network. The feature was left in place as it is intended to be used in cases such as natural disasters where operators need to balance loads across multiple base stations, she said.

The attack is made possible in part by the so-called IMSI catcher, which uses about £1,100 worth of hardware and runs freely available open source software, according to the researchers who detailed its workings at an IT security conference in November of last year.

The researchers said at the time their paper represented the first publicly reported practical attacks against LTE access protocols.

Workarounds

Zhang said handset makers could solve the problem by implementing workarounds that would ignore the command to switch to a different network and instead search for other available base stations.

Alternatively, phone software could implement a warning message to alert users when such a switch takes place. 3GPP’s SA WG3 working group in May proposed standards changes that should eliminate the hole, Zhang said.

Any security issues affecting 4G LTE may be a cause for concern for the government, whose proposed successor to the UK’s current emergency services network is based on EE’s commercial 4G LTE platform.


Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
