Critical flaws in 4G LTE protocols leaving mobile devices vulnerable
Critical flaws in 4G LTE protocols leaving mobile devices vulnerable
Unpatched security vulnerabilities in the 4G LTE protocol allow anyone to connect to a network by impersonating a victim's phone without possessing legitimate credentials, launch DDoS attacks, and hijack a phone's paging channel to inject fabricated messages, researchers have revealed.

In the US a team of security researchers from Purdue University and the University of Iowa recently conducted a series of tests to analyse the security around some processes that are considered critical for the reliable functioning of the 4G LTE protocol. 

According to the researchers, they aimed to uncover potential design flaws in the LTE protocol and vulnerabilities in attach, paging, and detach procedures in the protocol to expose flaws that could be exploited by cyber-criminals in various ways. These included mounting DDoS attacks, planting of fake messages in a victim's device, blocking notifications, and remotely changing the location of a victim's device.

"Notable among our findings is the authentication relay attack which enables an adversary to connect to the core networks—without possessing any legitimate credentials— while impersonating a victim cellular device. 

"Through this attack the adversary can poison the location of the victim device in the core networks, thus allowing setting up a false alibi or planting fake evidence during a criminal investigation," the researchers said.

They added that hackers could also exploit flaws in the 4G LTE protocol to possibly hijack a cellular device's paging channel not only to stop notifications from reaching the device but also to inject fabricated messages resulting in multiple implications including energy depletion and activity profiling.

In all, the researchers uncovered ten new vulnerabilities and were able to demonstrate eight exploits in real-time using a model-based testing approach named LTEInspector. To build this testbed, they used low-cost software defined radios and open-source LTE software stack that cost them around £2,800, a cost which is quite affordable for a motivated adversary.

In an email to SC Magazine UK, Keith Graham, CTO at SecureAuth, said that vulnerabilities discovered by the researchers posed serious ramifications for two-factor authentication security models.

"These flaws would allow attackers to target individuals and intercept or send messages on their behalf, spoof locations, and even disconnect mobile devices entirely from the mobile network – all elements that are used to verify users are who they say they are.

"As cyber-security becomes more important to organisations and consumers, we're seeing greater adoption of two-factor authentication. But the reality is, in light of these findings, they really won't be that much more secure. 

"Two-factor alone is just not enough. The only way to prevent these exploits affecting you is to avoid all basic authentication methods; this includes one-time-passcodes delivered by SMS, e-mail or voice. And leverage modern adaptive access control capabilities to better secure the login process," he added.

Mark James, security specialist at ESET, told SC Magazine UK that mobile SMS texts and messages hold a higher level of trust than emails as its often treated as a much harder platform to spoof. SMS texts are extensively used by people as a means to deliver Two Factor Authentication (2FA), and any vulnerability that could be exploited by hackers to steal credentials could seriously compromise the security of users.

"Hopefully this issue will be fixed, but at the time of writing hopes remain low as previous flaws have been left unfixed due to the problems of adding security features and breaking backward compatibility," he added.