4G LTE pried open to reveal a slew of new protocol-level attacks

Monday 5th March 2018 02:04 GMT elDog

A rhetorical question: Is it better or worse to have your own service provider hacking you

Or some other "malicious node"? That term "malicious node" did not seem to be well explained in this article.

It's also not clear if the "lazy" LTEInspector was so named because it is passive. It sounds like it wouldn't take much to make something like that pretty hyper.

So, much like most of our other protocols back to smoke signals, the developers couldn't have foreseen a future where every bit transmitted was suspect. And Alice and Bob may not even be who they say they are.

1 0 Reply
1. Monday 5th March 2018 14:03 GMT JetSetJim
  
  Re: A rhetorical question: Is it better or worse to have your own service provider hacking you
  
  > That term "malicious node" did not seem to be well explained in this article.
  
  A "malicious node" is a fake base station. You can buy the hardware off the shelf for around $1k, connect it to a regular PC/laptop and run open source LTE code to provide a base station - I've done it with Open Air Interface, and have connected that up to an open source core network to actually make a full 4G network broadcasting with a test license at low power.
  
  The trick needed here is to convince an operator network to let this node actually connect to it - something I find hugely unlikely as they are usually on their own private network, connected via protected links (IPSec probably). Determining the IP address of the MME & SGW that you'd need to connect to, then getting them reconfigured to allow connection from a new IP address (and knowing which are available to use) is a moderately high bar to jump. The malicious node would then start getting reported in statistics to the operations centre, which should ring alarm bells. All of these network elements are usually explicitly configured to say that "box A with name X at IP xxx.xxx.xxx.xxx can connect to box B with name Y at IP yyy.yyy.yyy.yyy" - which is a right pain in the arse to manage across the whole network, but possibly a better solution that allowing open access.....
  
  Overall, not something even a technically aware black-hat could achieve easily without getting detected.
  
  OTOH, perfectly simple for a govmt sponsored agency to achieve with cooperation from the operator
  
  1 0 Reply
Monday 5th March 2018 04:18 GMT Anonymous Coward

False emergency alerts "Panic Attack"

No need to hack. Just get a job at the Hawaii State Emergency Management Office (I understand that there's an opening), and push the button.

4 1 Reply
Monday 5th March 2018 06:01 GMT Anonymous Coward

Insecurity Mandated by Design ?

... and if hadn't been for you darn kids ...

1 0 Reply
1. Monday 5th March 2018 10:28 GMT Anonymous Coward
  
  Re: Insecurity Mandated by Design ?
  
  You mean by "Insecurity Mandated by Design" like how some A5/1 64-bit GSM keys had ten fixed zeroes, substantially reducing the complexity of intercept by providing an effective key length of 54 bits . . ?
  
  so . . . (from this paper)
  
  "The [4G] cellular protocol lacks a formal specification"
  
  "the [4G] standard often suffers from ambiguity and under-specification"
  
  "The cellular protocol — comprising of multiple (cryptographic) sub-protocols — is stateful in nature"
  
  Naw, it might just be an accidental oversight from all the standards professionals in the south of France, they are after all probably cognisant with this section of the paper "Resourceful adversaries (e.g., nation-states, foreign intelligence agencies, terrorists) can wreak havoc by exploiting vulnerabilities of the cellular network ecosystem . . . surveillance . . . cyberwarfare . . ."
  
  mesh?
  
  4 0 Reply
  1. Monday 5th March 2018 13:08 GMT Missing Semicolon
    
    Re: Insecurity Mandated by Design ?
    
    "the [4G] standard often suffers from ambiguity and under-specification"
    
    Oh yes. Very much so.
    
    Anyone who has anything to do with 3GPP specifications knows them to be incomplete, arcane and ambiguous to a fault. With an extra-special dose of utter non-cross-referencing in a network of specs that rely on cross-referencing.
    
    They are intended to be that way, to ensure that only the established manufacturers could ever make any infrastructure, I presume.
    
    2 0 Reply
Monday 5th March 2018 07:42 GMT Anonymous Coward

Hardly surprising

I'm not sure if the protocol spec is publicly available, but even if it is there isn't any way for most people to test it - you'd quickly get in trouble if you tried it on a public cell. Setting up a private LTE base station or base station simulator isn't something the typical person has the financial resources and technical ability to do. If it was open and easily available to every curious hacker the way TCP/IP or SSH is these sorts of problems would have been shaken out in the pre-standard phase (i.e. the phase 5G is in right now)

Good thing no one is talking about connecting nearly every device on the planet to 5G. Oh crap...this is how Skynet begins, isn't it?

7 0 Reply
1. Monday 5th March 2018 10:22 GMT Mage
  
  Re: isn't something the typical person has the financial resources
  
  Like 2G/3G it will get cheaper.
  
  Also possibly hack a femto cell (bought, borrowed or stolen).
  
  2 0 Reply
2. Monday 5th March 2018 14:15 GMT JetSetJim
  
  Re: Hardly surprising
  
  > I'm not sure if the protocol spec is publicly available
  
  Yep, they are. Get them here. Enjoy wading through thousands of pages of technical jargon
  
  > Setting up a private LTE base station or base station simulator isn't something the typical person has the financial resources and technical ability to do
  
  Takes about $1.2K, plus a laptop, but yes, non-trivial technically (other solutions are available, possibly cheaper too)
  
  0 0 Reply
  1. Monday 5th March 2018 21:15 GMT Anonymous Coward
    
    Re: Hardly surprising
    
    That's just a radio right? You need all the LTE software to manage a base station which I'm sure costs a LOT more as I've never heard of an open source LTE base station. Writing your own from spec would take so long we'd be on 6G by the time you're done!
    
    0 0 Reply
    1. Tuesday 6th March 2018 09:23 GMT JetSetJim
      
      Re: Hardly surprising
      
      > That's just a radio right?
      
      Yep, that's just the radio, and you also need a controlling PC that is a bit better than a $200 Chromebook. And you'll need to buy the right antennas ($10-20). And ideally a GPS antenna to ensure a good frequency lock in the SDR (<$20). And perhaps you want to house the circuitry in a sturdy box for another $50.
      
      The software, however, can be completely free and there's even other free and open options like this and this.
      
      These may not be commercial grade implementations, which also exist to purchase from places for prices in the low $'000s, but they cover the essentials within a 4G eNodeB.
      
      0 0 Reply
Thursday 19th April 2018 08:40 GMT arielp

practical?

This is may be working in test environtment..

but in the real network..

the victim UE will not get "signal" , as it will not connected to the EPC.. due its only connected to fake eNB

and this only working IF the victim is not mobile. once the victim is outside fake enb coverage.. it will get normalized.

also, the how strong is the fake eNB RF output?? it would be costly to have a good coverage to be useful

i believe this would made available in test environtment.. but in real.. will not so effective.. due to the cost needed for the fake enb, portability, etc.

so test environtment, yes it may be.. real network.. not so useful.

and maybe (maybe, i speculate) this is purposely allowed , maybe for Lawful Interception by authorities? like the one GSM/3G have now. for pinpointing criminal in certain area.

*if the sole purpose is only for blackout.. a portable rf jammer would be far less cheaper :D

--

cmiiw

--

ALP

0 0 Reply