The importance of mobile communication is unmeasurable. We could go back all the way to Alexander Graham Bell’s strike of genius, just to prove how much of an influence the telephone has had on the world we live in today. But we don’t really need to. The bottom line is that everybody knows that without mobile communication, our personal and professional lives would be very different.
Unfortunately, mobile communication users are also exposed to evolving threats. A group of security researchers from Finland and Germany (Aalto University, the University of Helsinki, Technische Universität Berlin and Telekom Innovation Laboratories) managed to hack 4G mobile networks using commercial LTE mobile devices in real LTE networks, together with inexpensive, readily available equipment. Their attacks exploited 4G/LTE vulnerabilities and proved that an attacker can find the location of a device, or even deny it network access.
A brief journey into mobile network history
Mobile communication has extended around the globe. Beginning with the second generation Global System for Mobile Communications (2G/GSM) and the third generation Universal Mobile Telecommunication Systems (3G/UMTS), people all over the world have become more connected. The fourth and latest network generation, “Long Term Evolution” (4G/LTE), was expected to reach about 1.37 billion users worldwide by the end of 2015.
The evolution of network systems over the years improved both functionality and security. During the 2G era, the lack of mutual authentication between mobile users and the network gave attackers the opportunity to set up fake base stations and trick mobile devices into connecting to them. Temporary mobile subscriber identifiers were introduced for 2G systems so that the permanent identity (the IMSI) would be sent over the air less often. However, in the absence of mutual authentication, fake base stations were still used as “IMSI catchers” to harvest IMSIs and to track the movements of users.
The researchers remind us that the evolution of these mobile communication systems, specified by 3GPP (Third Generation Partnership Project), has not only incorporated improvements in functionality but also strengthened security. 3G specifications introduced mutual authentication and the use of stronger, well-analyzed cryptographic algorithms. LTE specifications further strengthened signaling protocols by requiring authentication and encryption (referred to as “ciphering” in 3GPP terminology) in more situations than before. Consequently, there is a general belief that LTE specifications provide strong privacy and availability guarantees to mobile users. Previously known attacks, such as tracking a user’s movements, were thought to be impossible or ineffective in LTE.
The researchers based their attacks on vulnerabilities they discovered while analyzing the LTE access network protocol specifications. The attacks focused on location leaks and denial of service, and showed that ordinary messaging applications such as Facebook Messenger or WhatsApp can be abused by an attacker to trigger the network signaling that leaks a user’s location.
Telecommunication systems software and hardware used to be hard to come by and expensive. That is no longer the case. The selected hardware consisted mostly of low-cost off-the-shelf equipment, and the researchers note that some components can be replaced with even cheaper options:
Hardware components for eNodeB, MME, and UE are needed to build our experimental LTE network. On the network side, we used a USRP B210 device connected to a host laptop (Intel i7 processor & Ubuntu 14.04 OS), acting as an eNodeB. USRP is a software-defined radio peripheral that can be connected to a host computer, to be used by host-based software to transmit/receive data over the air. Even though we utilized USRP B210 which costs around one thousand euros, passive attacks can be realized practically with other cheaply available radio hardware. For example, RTL-SDR dongles which cost around 15 euros can be leveraged to passively listen over the LTE air-interface.
Popular LTE phones available in the market were also used. The researchers don’t mention the models used, but from the research we can at least figure out the brands: Apple, BlackBerry, HTC, LG, and Samsung.
The attacks orchestrated by the researchers used an adversary model with three important goals:
- To find the precise location of a user in a geographical area.
- To deny a user access to a network service.
- To force the user onto less secure networks (such as GSM or 3G) and expose them to various attacks.
In order to achieve these goals, the researchers built an eNodeB that impersonates a real network operator. “Although this application cannot be compared to a full-fledged commercial eNodeB, it has the capability to execute a complete LTE Attach procedure. In addition, some functionality of the MME is implemented in LTE_Fdd_enodeb. Upon successful completion of Attach, LTE_Fdd_enodeb can also handle UE-originated services,” said the researchers.
2G tracking area versus 4G cells
Some features of social network messaging applications can be used to trigger LTE paging requests without the user noticing. The research has shown that both Facebook’s ‘Other’ message folder and WhatsApp’s ‘typing notification’ can trigger such paging requests, which means that an attacker who can observe the paging channel is able to place a target device within a geographic area of roughly 2 km².
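To make the role of the temporary identifier concrete, here is a small added simulation that is not part of the paper or the article: it models the paging channel of a single cell, where a message to the target causes one paging among unrelated background pagings, and compares a static temporary identifier (the weak setting) with one that the network re-allocates after every paging (a mitigation). It measures how many of the triggered pagings a passive listener could link to a single identifier; the subscriber counts, noise level and identifier width are constructed values.

```python
import random
from collections import Counter


def simulate_paging(n_subscribers, n_triggers, noise_per_slot, reallocate, seed=1):
    """Toy model of one cell's paging channel (constructed, not real LTE).

    Returns one list per 'triggered' slot, holding the temporary identifiers
    paged in that slot. Subscriber 0 is the target and is paged once per slot
    because a message was sent to it; the other pagings are background noise.

    reallocate=False: every subscriber keeps one identifier for the whole run.
    reallocate=True: the network issues a fresh random identifier to each
    subscriber right after it has been paged.
    """
    rng = random.Random(seed)
    tmsi = {uid: rng.getrandbits(32) for uid in range(n_subscribers)}
    target = 0
    slots = []
    for _ in range(n_triggers):
        # Unrelated subscribers paged in the same slot (constructed noise).
        paged = rng.sample(range(1, n_subscribers), noise_per_slot) + [target]
        rng.shuffle(paged)
        slots.append([tmsi[uid] for uid in paged])
        if reallocate:
            for uid in paged:
                tmsi[uid] = rng.getrandbits(32)
    return slots


def linkable_identifiers(slots):
    """Identifiers that appeared in every triggered slot: the set a passive
    listener could attribute to the target. Empty means nothing was linkable."""
    counts = Counter(ident for slot in slots for ident in slot)
    return {ident for ident, c in counts.items() if c == len(slots)}


def max_repeat(slots):
    """Largest number of triggered slots in which any single identifier appeared."""
    counts = Counter(ident for slot in slots for ident in slot)
    return max(counts.values())


if __name__ == "__main__":
    for realloc in (False, True):
        s = simulate_paging(n_subscribers=200, n_triggers=8, noise_per_slot=5, reallocate=realloc)
        label = "re-allocated" if realloc else "static"
        print(f"{label:12s} max repeats={max_repeat(s)} linkable={linkable_identifiers(s)}")
```

With a static identifier the target's value shows up in all eight triggered slots and stands out against the noise; with re-allocation after each paging no identifier repeats, so the listener is left with timing correlation alone.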
Even though the new LTE network generation should be more secure, the researchers from Finland and Germany have shown in their paper that vulnerabilities still exist, and that the attacks are not so hard to put together. Major LTE providers have already been informed about the results, and the paper contains recommended fixes. For users, it’s a game of wait-and-see from this point on.