Experts found 36 vulnerabilities in the LTE protocol


A team of researchers from the Korea Advanced Institute of Science and Technology (KAIST) discovered 36 vulnerabilities in the LTE protocol.

Security experts from the Korea Advanced Institute of Science and Technology (KAIST) have discovered 36 vulnerabilities in the LTE protocol used by most mobile carriers.

The researchers discovered the vulnerabilities with a fuzzing technique: they developed a semi-automated testing tool named LTEFuzz, built on open-source LTE software.


The experts classified the problematic behaviours observed in their tests into five categories:

  • improper handling of unprotected initial procedures;
  • crafted plain requests;
  • messages with invalid integrity protection;
  • replayed messages;
  • security procedure bypass.

“Based on the security property, LTEFuzz generates and sends the test cases to a target network, and classifies the problematic behavior by only monitoring the device-side logs,” reads the research paper.

“The impact of the attacks is to either deny LTE services to legitimate users, spoof SMS messages, or eavesdrop/manipulate user data traffic.”

The experts worked with carriers to explore the effects of the attacks on commercial networks. The flaws discovered by the researchers stem from both design and implementation issues, and they differ across carriers and device vendors.

“The purpose of our study was not to identify failures causing crashes or memory leaks. Instead, we focused on finding semantic failures in LTE operations,” the experts continue. “To this end, we generated all possible test cases that would have been correctly parsed in the receiving entities as the field values are created based on the control plane logs from the operational networks.”

According to the researchers, the Radio Resource Control (RRC) Connection procedure is not encrypted, so an attacker could modify the data transferred. An attacker could exploit the messages in this procedure to spoof their contents or deny the connection of the victim device.

An attacker could send invalid plain requests through an RRC Connection while impersonating the victim device. The network may accept invalid messages, de-register an existing connection when receiving a message with an invalid MAC, and accept replayed messages.
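The last two failure classes above (acting on a message whose integrity MAC does not verify, and acting on a replayed message) are exactly what a receiving network entity must reject. The following is an added example, not code from the KAIST paper or from LTEFuzz, that models that check in a simplified form: HMAC-SHA256 stands in for the EIA integrity algorithms, the key, message names and the `ReceiverState` helper are constructed for the example, and a "lenient" receiver is shown beside the strict one so the difference in behaviour is visible.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed demo key; a real NAS integrity key is derived per security context.
DEMO_KEY = b"constructed-demo-key-not-a-real-knasint"


@dataclass
class NasMessage:
    """Simplified integrity-protected NAS message: sequence counter, body, 32-bit MAC."""
    seq: int
    body: bytes
    mac: bytes


def compute_mac(key: bytes, seq: int, body: bytes) -> bytes:
    # Stand-in for EIA1/2/3: HMAC-SHA256 over COUNT || body, truncated to 32 bits
    # to mirror the size of MAC-I. Illustrative only, not the 3GPP construction.
    return hmac.new(key, seq.to_bytes(4, "big") + body, hashlib.sha256).digest()[:4]


def build_message(key: bytes, seq: int, body: bytes) -> NasMessage:
    """Build a genuinely protected message (what a legitimate UE would send)."""
    return NasMessage(seq, body, compute_mac(key, seq, body))


@dataclass
class ReceiverState:
    """Per-connection state on the network side (constructed for the example)."""
    key: bytes
    last_seq: int = -1
    accepted: list = field(default_factory=list)


def receive_strict(state: ReceiverState, msg: NasMessage) -> str:
    """Verify integrity first, then freshness; only then act on the message."""
    expected = compute_mac(state.key, msg.seq, msg.body)
    if not hmac.compare_digest(expected, msg.mac):
        # Wrong MAC: discard without changing any state (no de-registration).
        return "rejected: invalid MAC"
    if msg.seq <= state.last_seq:
        # Counter not increasing: a replay of an earlier valid message.
        return "rejected: replay"
    state.last_seq = msg.seq
    state.accepted.append(msg.body)
    return "accepted"


def receive_lenient(state: ReceiverState, msg: NasMessage) -> str:
    """Models the problematic behaviour reported: anything that parses is acted on."""
    state.accepted.append(msg.body)
    return "accepted"


def run_scenarios(handler) -> dict:
    """Feed one genuine, one bad-MAC and one replayed message to a receiver."""
    state = ReceiverState(DEMO_KEY)
    genuine = build_message(DEMO_KEY, seq=1, body=b"ATTACH_COMPLETE")
    # Same counter position as a next message, but the MAC is not valid.
    bad_mac = NasMessage(seq=2, body=b"DETACH_REQUEST", mac=b"\x00\x00\x00\x00")
    results = {
        "genuine": handler(state, genuine),
        "bad_mac": handler(state, bad_mac),
        "replay": handler(state, genuine),  # the genuine message sent a second time
    }
    results["acted_on"] = len(state.accepted)
    return results


if __name__ == "__main__":
    print("strict  :", run_scenarios(receive_strict))
    print("lenient :", run_scenarios(receive_lenient))
```

The strict receiver acts on one message out of three; the lenient one acts on all three, which is the observable difference LTEFuzz classifies from device-side logs. The ordering matters: the MAC is checked before the counter so that an unauthenticated message can never advance `last_seq`.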

The researchers also demonstrated how to bypass the security context of the entire control plane and data plane.

An attacker could target either the network (remote de-registration of the victim device, SMS phishing) or the victim device (forcing the device to connect to a rogue LTE network).

The experts also discovered vulnerabilities in baseband chipsets manufactured by Qualcomm and HiSilicon. They plan to release the LTEFuzz tool only to the impacted carriers and vendors to avoid abuses.

“Our findings were interesting in two respects: 1) even within a single carrier, two MMEs (possibly from different vendors) have different vulnerabilities, and 2) two MMEs (in two carriers) manufactured by a single device vendor have different vulnerabilities,” the experts conclude.

Source : https://securityaffairs.co/wordpress/82936/hacking/lte-vulnerabilities.html
