A team of researchers has uncovered critical flaws in the 4G LTE protocol that could be exploited to intercept phone calls and text messages, knock devices offline, track devices’ locations and spoof emergency alerts.
The vulnerabilities, which were identified in a research paper by Purdue University’s Syed Rafiul Hussain, Shagufta Mehnaz and Elisa Bertino, and the University of Iowa’s Omar Chowdhury, are written into the LTE protocols, meaning they could have an industry-wide impact. This also makes them very hard to resolve, as the report states:
“[R]etrospectively adding security into an existing protocol without breaking backward compatibility often yields band-aid-like-solutions which do not hold up under extreme scrutiny.”
What does it affect?
The researchers describe an attack tool called LTEInspector, which found ten vulnerabilities affecting three procedures:
- Attach: the procedure that associates a user’s device with the network;
- Detach: when the user’s device is turned off or otherwise disconnects from the network; and
- Paging: the mechanism in which the network wakes up the user’s device to let it know that it has data to receive.
The most significant exploit was an authentication relay attack, which, the researchers said, “enables an adversary to connect to the core networks – without possessing any legitimate credentials – while impersonating a victim cellular device”.
Crooks could use this to “poison the location of the victim device in the core networks, thus allowing setting up a false alibi or planting fake evidence during a criminal investigation”. This would be a relatively straightforward process for a criminal hacker, and they wouldn’t need expensive kit. Security Affairs writes that software-defined radio devices and open source 4G LTE protocol software “could be bought by anyone […] for as little as $1,300 to $3,900” (about €1,050 to €3,150).
Any device that uses 4G LTE is susceptible to an attack, once again bringing into question the security of wireless networks. Users share huge amounts of personal data with Internet providers without ever checking who controls the network. The EU General Data Protection Regulation (GDPR), which takes effect on 25 May 2018, resolves some of those concerns by introducing strict rules about collecting EU residents’ personal data. This includes the need to regularly test for unpatched systems and software, which would identify flaws such as the ones the researchers discovered.
Organisations should have policies and procedures dedicated to patch management. If you don’t know what that entails, we recommend certifying to Cyber Essentials, a scheme that sets out a baseline of cyber security. It includes five key controls – including patch management – that can stop most cyber attacks and help organisations comply with the GDPR and other laws.
Organisations that certify to the Cyber Essentials scheme will be able to demonstrate their security to clients, insurers, investors and other interested parties. They’ll also save money, because insurance agencies look favourably on organisations with Cyber Essentials certification.
Those who want to experience these benefits should consider certifying to the Cyber Essentials scheme with IT Governance. We are the leading CREST-accredited certification body and have awarded hundreds of certifications since the scheme began.