LTE security flaw can be abused to take out subscriptions at your expense

Researchers say the vulnerability impacts “virtually all” smartphones on the market.

A security vulnerability in LTE can be exploited to sign up for subscriptions or paid website services at someone else's expense, new research suggests. 

According to researchers from Ruhr-Universität Bochum, the flaw exists in the 4G mobile communication standard and permits smartphone user impersonation, which could allow attackers to "start a subscription at the expense of others or publish secret company documents under someone else's identity."

The research, titled "IMP4GT: IMPersonation Attacks in 4G NeTworks," is the work of David Rupprecht, Katharina Kohls, Thorsten Holz, and Christina Pöpper. 


The IMP4GT attack impacts "all devices that communicate with LTE," which includes "virtually all" smartphones, tablets, and some Internet of Things (IoT) devices. 

A software-defined radio is the key piece of equipment in IMP4GT. Placed within radio range of a victim, it relays the traffic between the phone and a legitimate base station in both directions: towards the phone it poses as the base station, and towards the network it poses as the phone, giving the attacker a man-in-the-middle position on the radio link. 

From that position, the attacker can start manipulating the data packets exchanged between the LTE device and the base station.

"The problem is the lack of integrity protection: data packets are transmitted encrypted between the mobile phone and the base station, which protects the data against eavesdropping," the researchers say. "However, it is possible to modify the exchanged data packets. We don't know what is where in the data packet, but we can trigger errors by changing bits from 0 to 1 or from 1 to 0." 

Because LTE's user-plane encryption is a stream cipher, every ciphertext bit the attacker flips flips the same bit of the plaintext after decryption, and nothing on either end checks that the packet arrived unmodified. By observing how the phone and the network react to such edits, the attacker can get them to decrypt or encrypt packets on its behalf, turning intercepted ciphertext into plaintext and, in the other direction, injecting traffic in the victim's name without ever holding the session keys. 
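As an added illustration, and not code from the IMP4GT paper or its authors, the Python below shows why the missing integrity check matters for stream-cipher-encrypted packets. LTE's EEA2 algorithm is AES in counter mode; here an HMAC-SHA256 counter-mode keystream stands in for it so the example runs on the standard library alone, and a truncated HMAC stands in for the 32-bit MAC-I that LTE's EIA2 (AES-CMAC) attaches to signalling but not to user data. The packet bytes, the keys and the COUNT value are constructed sample data. The attacker, holding no keys, rewrites a known destination-address field inside the ciphertext: the receiver without integrity protection accepts the altered packet, the one with it rejects the packet.

```python
import hashlib
import hmac

# Constructed sample "packet": a 20-byte IPv4-style header whose destination
# address (bytes 16..19) is 8.8.8.8. Not a capture from the paper.
SAMPLE_PACKET = bytes.fromhex("45000028000040004011000a0a000002") + bytes([8, 8, 8, 8])
DST_OFFSET = 16
KEY_ENC = b"\x11" * 16   # hypothetical session keys, for illustration only
KEY_INT = b"\x22" * 16
COUNT = 7                # stands in for the per-packet PDCP COUNT


def keystream(key: bytes, count: int, length: int) -> bytes:
    """Counter-mode keystream. Stand-in for the EEA2 (AES-CTR) keystream:
    the COUNT value makes each packet's keystream unique, exactly as in LTE."""
    out = bytearray()
    block = 0
    while len(out) < length:
        msg = count.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_keystream(key: bytes, count: int, data: bytes) -> bytes:
    """Encrypt and decrypt are the same operation for a stream cipher."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, count, len(data))))


def flip_field(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker step: XOR (old ^ new) into the ciphertext at a known offset.
    After decryption the plaintext field reads `new`. No key is needed."""
    buf = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[offset + i] ^= o ^ n
    return bytes(buf)


def protect(key_enc: bytes, key_int: bytes, count: int, plaintext: bytes) -> bytes:
    """Encrypt, then append a 32-bit tag over COUNT and ciphertext
    (stand-in for an EIA2 MAC-I on user-plane data, which LTE does not do)."""
    ct = xor_keystream(key_enc, count, plaintext)
    tag = hmac.new(key_int, count.to_bytes(4, "big") + ct, hashlib.sha256).digest()[:4]
    return ct + tag


def unprotect(key_enc: bytes, key_int: bytes, count: int, msg: bytes):
    """Verify the tag before decrypting; return None if the packet was altered."""
    if len(msg) < 4:
        return None
    ct, tag = msg[:-4], msg[-4:]
    expected = hmac.new(key_int, count.to_bytes(4, "big") + ct, hashlib.sha256).digest()[:4]
    if not hmac.compare_digest(tag, expected):
        return None
    return xor_keystream(key_enc, count, ct)


def tamper_without_integrity() -> bytes:
    """Encryption only: the rewritten destination survives decryption unnoticed."""
    ct = xor_keystream(KEY_ENC, COUNT, SAMPLE_PACKET)
    ct = flip_field(ct, DST_OFFSET, bytes([8, 8, 8, 8]), bytes([1, 1, 1, 1]))
    return xor_keystream(KEY_ENC, COUNT, ct)   # what the receiver processes


def tamper_with_integrity():
    """Encryption plus integrity tag: the same edit is detected and dropped."""
    msg = protect(KEY_ENC, KEY_INT, COUNT, SAMPLE_PACKET)
    msg = flip_field(msg, DST_OFFSET, bytes([8, 8, 8, 8]), bytes([1, 1, 1, 1]))
    return unprotect(KEY_ENC, KEY_INT, COUNT, msg)


if __name__ == "__main__":
    print("no integrity:  dst =", ".".join(map(str, tamper_without_integrity()[16:20])))
    print("with integrity:", tamper_with_integrity())
```

A real packet's IP header checksum would also have to be kept consistent, which the example leaves out; the point is that the cipher itself offers no resistance to a known-offset rewrite, and only an integrity tag lets the receiver notice it.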


According to Holz, an attacker could use this to purchase subscriptions and book services while sending the bill to someone else, but the more serious ramifications are legal ones: visiting websites under someone else's identity, for example, could frame the victim as the perpetrator of an illegal act, or leak information in their name. 

The attacker does, however, have to be within radio range of the victim to pull off the technique.

The only real fix is to add integrity protection to LTE user-plane data, which means changing the standard and the phones and base stations that implement it; the issue is being raised now because 5G is being rolled out. The team notes that while such changes are technically possible, the chance of them happening is slim. (5G already specifies user-plane integrity protection, but only as an option that the network may leave switched off.) 

"Mobile network operators would have to accept higher costs, as the additional protection generates more data during the transmission," Rupprecht says. "In addition, all mobile phones would have to be replaced and the base station expanded. That is something that will not happen in the near future."


The research will be presented at the Network and Distributed System Security Symposium (NDSS) on February 25 in San Diego. 

In 2018, researchers from the same institution published the aLTEr attack, which exploited weaknesses in LTE to track website visits and to perform man-in-the-middle (MitM) attacks that rerouted victims to malicious domains. 

Those flaws are "impossible to close," the team said, and they have the same root cause as IMP4GT: LTE encrypts user-plane data but does not integrity-protect it, so a receiver cannot tell whether an encrypted payload was altered in transit.
