A team of researchers from the Korea Advanced Institute of Science and Technology (KAIST) discovered 36 vulnerabilities in the LTE protocol.
Security experts from the Korea Advanced Institute of Science and Technology (KAIST) have discovered 36 vulnerabilities in the LTE protocol used by most mobile carriers.
The researchers discovered the vulnerabilities with a fuzzing technique: they developed a semi-automated testing tool named LTEFuzz, built on open-source LTE software.
The experts classified the problematic behaviours observed in response to the generated test cases into five categories:
- improper handling of unprotected initial procedure;
- crafted plain requests;
- messages with invalid integrity protection;
- replayed messages;
- security procedure bypass.
“Based on the security property, LTEFuzz generates and sends the test cases to a target network, and classifies the problematic behavior by only monitoring the device-side logs,” reads the research paper.
“The impact of the attacks is to either deny LTE services to legitimate users, spoof SMS messages, or eavesdrop/manipulate user data traffic.”
The experts worked with carriers to assess the effects of the attacks on commercial networks. The flaws they found lie both in the protocol design and in its implementation, and they differ among carriers and device vendors.
“The purpose of our study was not to identify failures causing crashes or memory leaks. Instead, we focused on finding semantic failures in LTE operations,” the experts continue. “To this end, we generated all possible test cases that would have been correctly parsed in the receiving entities as the field values are created based on the control plane logs from the operational networks.”
According to the researchers, the Radio Resource Control (RRC) Connection procedure is not encrypted, so an attacker can modify the data transferred. By manipulating the messages in this procedure, an attacker could spoof their contents or deny the victim device a connection.
An attacker could also send invalid plain requests over an RRC Connection while impersonating the victim device. The network may accept such invalid messages, de-register an existing connection on receiving a message with an invalid MAC, and accept replayed messages.
The researchers also demonstrated how to bypass the security context of the entire control plane and data plane.
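As an added illustration, not code from the paper or from LTEFuzz, the following simplified Python model shows how a network-side handler should treat the three message classes just described: plain requests after security activation, messages with invalid integrity protection, and replays. Truncated HMAC-SHA256 stands in for the 3GPP integrity algorithms and the replay check is reduced to a single increasing counter; both, along with the message names and key, are simplifications assumed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class SecurityContext:            # minimal stand-in for a per-device NAS security context
    key: bytes                    # integrity key shared with the device (constructed)
    last_uplink_count: int = -1   # highest COUNT accepted so far; a replay never exceeds it
    registered: bool = True       # whether the device currently holds a registration

def compute_mac(key: bytes, count: int, body: bytes) -> bytes:
    # Truncated HMAC-SHA256 over COUNT||body stands in for the 3GPP EIA integrity algorithms.
    return hmac.new(key, count.to_bytes(4, "big") + body, hashlib.sha256).digest()[:4]

def handle_uplink(ctx: SecurityContext, count: int, body: bytes, mac: Optional[bytes]) -> str:
    """Verdict for one uplink message received after security activation.

    Each rejection only drops the message and leaves registration state untouched,
    so a plain, forged or replayed message cannot de-register the legitimate device.
    """
    if mac is None:
        return "reject-plain"            # unprotected request once security is active
    if not hmac.compare_digest(mac, compute_mac(ctx.key, count, body)):
        return "reject-bad-mac"          # invalid integrity protection: drop silently
    if count <= ctx.last_uplink_count:
        return "reject-replay"           # authentic but stale: replay
    # Only an authentic, fresh message reaches the state machine.
    ctx.last_uplink_count = count
    if body == b"DETACH_REQUEST":
        ctx.registered = False
    return "accept"

def run_scenarios() -> list:
    """Feed the page's failure classes to the handler; every input here is constructed."""
    ctx = SecurityContext(key=b"\x11" * 16)
    mac5 = compute_mac(ctx.key, 5, b"ATTACH_REQUEST")
    scenarios = [
        ("genuine attach", 5, b"ATTACH_REQUEST", mac5),
        ("replayed attach", 5, b"ATTACH_REQUEST", mac5),
        ("detach carrying a MAC copied from another message", 6, b"DETACH_REQUEST", mac5),
        ("plain detach without MAC", 6, b"DETACH_REQUEST", None),
        ("genuine detach", 6, b"DETACH_REQUEST", compute_mac(ctx.key, 6, b"DETACH_REQUEST")),
    ]
    # Tuple elements evaluate left to right, so registered reflects the state after handling.
    return [(label, handle_uplink(ctx, c, body, mac), ctx.registered) for label, c, body, mac in scenarios]

if __name__ == "__main__":
    for label, verdict, registered in run_scenarios():
        print(f"{label:52s} -> {verdict:16s} registered={registered}")
```

Only the two genuine messages are accepted; the forged detach is dropped while the device stays registered, which is the behaviour the paper found some networks lacking.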
An attacker could target either the network (remote de-registration of the victim device, SMS phishing) or the victim device (forcing the device to connect to a rogue LTE network).
The experts also discovered vulnerabilities in baseband chipsets manufactured by Qualcomm and HiSilicon. They plan to release the LTEFuzz tool only to the affected carriers and vendors to prevent abuse.
“Our findings were interesting in two respects: 1) even within a single carrier, two MMEs (possibly from different vendors) have different vulnerabilities, and 2) two MMEs (in two carriers) manufactured by a single device vendor have different vulnerabilities,” the experts conclude.