4G LTE Weakness Leaves Devices Open to Eavesdropping

Wanqiao Zhang, a researcher for Qihoo 360, has shown that an active 4G LTE network weakness can allow attackers to intercept phone calls and texts, as well as track locations. The hack was demonstrated yesterday in Melbourne, Australia, at the Ruxcon security conference. The vulnerability can be exploited on any LTE network and is based on a little-known fail-safe that's reserved for emergency situations.

At the outset, Wanqiao had shown that the attack worked on TDD-LTE networks operating in Britain, the United States, and Australia. However, Wanqiao has since confirmed that the attack works on any LTE network in the world. The attack works by downgrading the network connection from LTE to a 3G connection and then to an unsecured 2G connection. It's speculated that one of the reasons this network weakness hasn't yet been addressed is that it's currently in use for law enforcement and government surveillance projects.

The 3GPP, the organization that sets mobile data network standards and enforces them, acknowledged this 4G LTE weakness in 2006 but didn't take any steps to address it. Researchers brought the vulnerability to public attention in 2015 in a research paper titled "Practical Attacks Against Privacy and Availability in 4G LTE Mobile Communication Systems". In the same year, the American Civil Liberties Union obtained documents that described the surveillance device as having more functionality than expected. The following year, Zhang Wanqiao extended the attack described by the researchers and brought it to DEFCON 24 this past August. At Ruxcon, this October, the attack was shown to work on all LTE networks with the appropriate gear.

LTE networks are programmed to hand off users to any base stations that aren't reaching full capacity, a function that's very useful during a crisis. Hackers can manipulate this function by using an LTE IMSI catcher to detect the targeted device's unique identifying IMSI. With that number, the attacker can issue a denial of service attack that forces the device to connect to one of the fake base stations instead, giving the hacker complete control of and access to the device.

Zhang has advised that mobile operators should ensure that their base stations ignore redirection commands and instead use an automatic searcher to identify the best available base station, which would prevent a hacker from being able to connect 4G connections to fake base stations.
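For defenders, the forced LTE to 3G to 2G downgrade described above leaves a recognizable pattern in a device's cell-change history. The following is an added detection example, not code from the article or from Zhang's research; the event record format, its field names, the sample data and the 60-second window are all assumptions made for illustration.

```python
from dataclasses import dataclass

RAT_RANK = {"LTE": 4, "3G": 3, "2G": 2}  # higher = newer generation

@dataclass
class CellEvent:          # hypothetical record format (assumption)
    t: float              # seconds since start of capture
    rat: str              # "LTE", "3G" or "2G"
    cell_id: str
    cause: str            # "reselect" (device's own search) or "redirect" (network command)

def find_forced_downgrades(events, window=60.0):
    """Return (start, end, cell_ids) for every run of network-commanded
    redirects that walks a device from LTE down to 2G within `window` seconds."""
    alerts, chain, prev = [], [], None
    for ev in events:
        if prev is not None:
            stepped_down = RAT_RANK[ev.rat] < RAT_RANK[prev.rat]
            if ev.cause == "redirect" and stepped_down:
                if not chain:
                    chain = [prev]        # the cell the device was camped on
                chain.append(ev)
            else:
                chain = []                # device chose the cell itself, or no downgrade
            # chain[1] is the first redirect; time the run from there
            if chain and chain[0].rat == "LTE" and ev.rat == "2G" \
                    and ev.t - chain[1].t <= window:
                alerts.append((chain[1].t, ev.t, [c.cell_id for c in chain]))
                chain = []
        prev = ev
    return alerts

# Constructed sample history: one forced downgrade, one ordinary coverage fallback.
SAMPLE = [
    CellEvent(0.0, "LTE", "lte-A", "reselect"),
    CellEvent(300.0, "LTE", "lte-B", "reselect"),    # normal hand-off
    CellEvent(420.0, "3G", "umts-X", "redirect"),    # commanded step down
    CellEvent(431.5, "2G", "gsm-Y", "redirect"),     # ends on unsecured 2G
    CellEvent(900.0, "LTE", "lte-A", "reselect"),
    CellEvent(1500.0, "3G", "umts-Z", "reselect"),   # device's own search
    CellEvent(1600.0, "2G", "gsm-Q", "reselect"),
]

if __name__ == "__main__":
    for start, end, cells in find_forced_downgrades(SAMPLE):
        print(f"forced downgrade {start}s -> {end}s via {' -> '.join(cells)}")
```

Only the redirect-driven chain is flagged; the later fallback to 2G that the device selected on its own is not.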

Doug Atkinson

President at Solutions Review
An entrepreneur and executive with a passion for enterprise technology, Doug founded Solutions Review in 2012. He has previously served as a newspaper boy, a McDonald's grill cook, a bartender, a political consultant, a web developer, the VP of Sales for e-Dialog - a digital marketing agency - and as Special Assistant to Governor William Weld of Massachusetts.