Secure Systems Group

Blog for Helsinki Area Secure Systems Collective.

Tuesday, October 27, 2015

Practical attacks against 4G (LTE) access network protocols

(Countries with commercial LTE service as of December 7, 2014 shaded in red; Source Wikipedia article)

4G mobile communication networks, also known as "LTE" (Long Term Evolution) are widely deployed. How good is LTE security? Ravishankar Borgaonkar, a postdoc in my research group, and Altaf Shaik, a doctoral student at TU Berlin, discovered several surprising lapses in 4G security standards and baseband chipsets which they will demonstrate at the forthcoming T2 Security Conference 2015Black Hat Europe 2015. We will also be presenting an academic paper on the topic at the prestigious Internet Society NDSS conference in February 2016.  More technical details in our arXiv report (see our project page)

Security in mobile communications networks has been improving in every generation. 3G introduced mutual authentication that made it a lot harder to mount fake base station attacks (such as those used in IMSI catchers). 4G tightened up many signaling protocols by requiring authentication and integrity protection for them. The generally held belief has been that 4G security is robust and in particular, fake base station attacks mostly difficult to mount.

Over the last several months Ravishankar Borgankar and Altaf Shaik, working with me, Valtteri Niemi (University of Helsinki) and Jean-Pierre Seifert (TU Berlin), painstakingly experimented with several LTE devices in a laboratory setting and uncovered two classes of vulnerabilities:

Leaking information about user locations: Already when 2G (GSM) networks were being designed, location privacy was considered important. When a mobile device attaches to a network, it is given a temporary identifier (known as TMSI - Temporary Mobile Subscriber Identity). All the signaling messages between the mobile device and the network will thereafter refer only to the TMSI, rather than the user's permanent identifiers (such as phone numbers or IMSIs - International Mobile Subscriber Identity). TMSIs are random and updated frequently (e.g., whenever the mobile device moves to a new location area). The idea is that an attacker passively monitoring radio communication would not be able to link TMSIs to permanent identifiers or track movements of a given user (since his TMSIs would change over time). A couple of years ago, Dennis Foo Kune and Yongdae Kim showed that an attacker in a 2G (GSM) network can trigger a paging request (by sending a silent text message or initiating and quickly terminating a call) to be sent to a target user with a given phone number. Paging requests contain TMSIs. The attacker can thereby link TMSIs to phone numbers.

We discovered that paging requests can be triggered in a new and surprising manner -- via social network messaging apps. For example, if someone who is not your Facebook friend sends you an instant message, Facebook will silently put it in the "Other" folder as a spam protection mechanism (unless the spammer pays Facebook 1€!). If you have Facebook Messenger installed on your LTE smartphone, incoming messages, including those destined to the Other folder, will trigger a paging request, allowing a passive attacker to link your TMSI to your Facebook identity and track your movements. To make matters worse, we noticed that TMSIs are not changed sufficiently frequently -- in one urban area TMSIs assigned by multiple mobile carriers persisted up to three days! In other words, once the attacker knows your TMSI, he can passively track your movements for up to three days.

An active attacker using a fake base station can do even better. LTE access network protocols incorporate various reporting mechanisms that allow the network to troubleshoot faults, recover from failures and assist mobiles in handovers. For example, after a failed connection, a base station can ask an LTE device to provide a failure report with all sorts of measurements including which base stations are seen by the device and with what signal strength. Once an attacker grabs such a report, he can use the information to triangulate the device's location. In fact, at least one device we tested even reported its exact GPS location. Failure recovery mechanisms are essential to the reliable operation of large mobile networks -- LTE designers had a difficult design trade-off between potential loss of user privacy and ensuring network reliability.

Denial of service: Imagine that you travel to a different country but your mobile subscription does not include roaming. When your phone tries to connect to the network at your destination, it will be rejected with an appropriate "cause number" (such as "ROAMING NOT ALLOWED"). Your phone will dutifully accept this directive and will not attempt to connect again until you re-initialize the device (e.g., by rebooting it). This is so that your device does not waste its battery in vain by repeatedly trying to connect to a network only to be rejected. It is also a way to minimize unnecessary signaling over the air. In other words, this design decision was also motivated by a desire to trade-off in favor of reliability and performance. You can guess the rest: we show, for example, that an attacker can deny 4G and 3G services to a 4G device, thereby effectively downgrading it to 2G. Once downgraded, the device is open to all the legacy 2G vulnerabilities. The parameter negotiation during the LTE connection set up process is vulnerable to bidding down attacks by a man-in-the-middle who can fool an LTE device and an LTE network into concluding that they can only communicate using 2G.

The equipment for our attacks (a USRP board and antennas, along with open source software openLTE) is inexpensive and readily available. It costs a little over 1000 €!

Why do these vulnerabilities exist in the first place? A likely reason is that designing a complex system like LTE is a complicated task that calls upon the designers to make several difficult trade-offs (such as the privacy vs. availability trade-off we mentioned above). The trade-offs embedded in the design of LTE were made in the late 2000s when LTE was being designed. Several years on, the equilibrium points in the trade-offs have changed, making the kinds of attacks like ours very practical and economically viable for a potential attacker. We recommend that future standardization incorporate agility of trade-offs in the face of such changes. Software-defined networking will make it easier to build in such agility.

We discovered the vulnerabilities and attacks earlier this year. We notified affected manufacturers and carriers during June and July. We have been following the standard responsible disclosure practices and waited till the end of the 90-day waiting period before publicising the attacks. We have also been working with relevant standards organizations to address these vulnerabilities. Several manufacturers have already issued patches. 3GPP, the body that standardizes LTE, has initiated several specification changes to address the vulnerabilities we discovered.

Our arXiv technical report has more technical details. (see our project page)