In the last few days, researchers from Purdue University and the University of Iowa have published a whitepaper on the security of the 4G LTE protocol.
The whitepaper describes a set of vulnerabilities in the protocol, confirmed both by analysis of a formal model of the protocol and in a test environment.
The document also describes how each vulnerability is exploited; at the time of writing, no proof-of-concept code has been released.
Below are the attacks found with the testing methodology, named LTEInspector:
- A1 – Authentication Synchronization Failure Attack
- A2 – Traceability Attack
- A3 – Numb Attack
- A4 – Authentication Relay
- P1 – Paging Channel Hijacking
- P2 – Stealthy kicking-off Attack
- P3 – Panic Attack
- P4 – Energy Depletion Attack
- P5 – Linkability Attack
- D1 – Detach / Downgrade Attack
8 of the 10 attacks were reproduced in a testbed using SIM cards from real carriers. One of them, A4, is considered the most significant.
In principle, all of the attacks can be carried out with dedicated hardware costing about $4,000.
A4 – AUTHENTICATION RELAY ATTACK
Figure: Regular authentication process
Figure: Poisoned authentication process
Authentication relay is a man-in-the-middle attack. Using a malicious base station (eNodeB), the attacker disconnects the victim client (the victim UE, a mobile device) so that it is forced to re-attach; the authentication exchange that follows is intercepted by the malicious eNodeB and forwarded, through a malicious UE under the attacker's control, to the real network. Because the challenge the victim answers is the genuine one, the victim's response is valid, and the attacker completes the attach in the victim's name without ever holding the subscriber key. From that point on the attacker can act toward the network as the attacked device.
The consequences include location history poisoning (the network records the attacker's position as the victim's), user profiling and denial of service against the victim.
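To make the exchange above concrete, the following is an added example (not code from the paper or from the article's authors): a minimal model of LTE EPS-AKA in which a home network challenges a UE, a malicious UE/eNodeB pair relays that challenge to the victim, and the network ends up recording the attacker's tracking area as the victim's. The cryptographic functions are HMAC-SHA256 stand-ins for MILENAGE f1/f2 and the KASME derivation, and the PLMN id, IMSI and tracking-area names are constructed for the demo. A final replay attempt shows that the attacker holds no key: once the victim stops answering, an old RES is rejected against a fresh RAND.

```python
import hashlib
import hmac
import os

# Added illustration of the LTEInspector authentication relay (A4). All
# crypto below is an HMAC stand-in for the real 3GPP algorithms.


def f1_mac(k, rand, sqn, amf):
    """Stand-in for MILENAGE f1: the MAC the UE uses to authenticate the network."""
    return hmac.new(k, b"f1" + rand + sqn + amf, hashlib.sha256).digest()[:8]


def f2_res(k, rand):
    """Stand-in for MILENAGE f2: RES computed by the UE, XRES by the HSS."""
    return hmac.new(k, b"f2" + rand, hashlib.sha256).digest()[:8]


def kdf_kasme(k, rand, sn_id):
    """Stand-in for the CK/IK -> KASME derivation, bound to the serving network id."""
    return hmac.new(k, b"kasme" + rand + sn_id, hashlib.sha256).digest()


class CoreNetwork:
    """HSS + MME in one object: holds subscriber keys, issues challenges and
    records where each IMSI is attached (the data the relay poisons)."""

    def __init__(self, sn_id):
        self.sn_id = sn_id
        self.subscribers = {}  # IMSI -> K
        self.pending = {}      # IMSI -> (RAND, XRES) awaiting a response
        self.sessions = {}     # IMSI -> KASME after a successful attach
        self.location = {}     # IMSI -> tracking area of the attaching UE

    def provision(self, imsi, k):
        self.subscribers[imsi] = k

    def authentication_request(self, imsi):
        k = self.subscribers[imsi]
        rand = os.urandom(16)
        sqn, amf = os.urandom(6), b"\x80\x00"  # SQN simplified to a random value
        autn = sqn + amf + f1_mac(k, rand, sqn, amf)
        self.pending[imsi] = (rand, f2_res(k, rand))
        return rand, autn

    def authentication_response(self, imsi, res, tracking_area):
        rand, xres = self.pending.pop(imsi)
        if not hmac.compare_digest(res, xres):
            return False
        self.sessions[imsi] = kdf_kasme(self.subscribers[imsi], rand, self.sn_id)
        self.location[imsi] = tracking_area
        return True


class UE:
    def __init__(self, imsi, k, tracking_area):
        self.imsi, self.k, self.tracking_area = imsi, k, tracking_area
        self.kasme = None

    def handle_authentication_request(self, rand, autn, sn_id):
        sqn, amf, mac = autn[:6], autn[6:8], autn[8:]
        # The UE verifies that AUTN was produced by a network holding K. In the
        # relay the challenge really does come from the home network, so it passes.
        if not hmac.compare_digest(mac, f1_mac(self.k, rand, sqn, amf)):
            raise ValueError("network authentication failed")
        self.kasme = kdf_kasme(self.k, rand, sn_id)
        return f2_res(self.k, rand)


def honest_attach(network, ue):
    rand, autn = network.authentication_request(ue.imsi)
    res = ue.handle_authentication_request(rand, autn, network.sn_id)
    return network.authentication_response(ue.imsi, res, ue.tracking_area)


def relay_attack(network, victim, attacker_tracking_area):
    """Malicious UE attaches to the real network with the victim's IMSI while a
    malicious eNodeB forwards the genuine challenge to the victim over the air."""
    rand, autn = network.authentication_request(victim.imsi)                # malicious UE
    res = victim.handle_authentication_request(rand, autn, network.sn_id)  # malicious eNodeB
    accepted = network.authentication_response(victim.imsi, res, attacker_tracking_area)
    # Everything the attacker saw on the air interface; K and KASME are not among them.
    return accepted, {"rand": rand, "autn": autn, "res": res}


def replay_attempt(network, imsi, observed):
    """With the victim offline the attacker can only replay an old RES, which
    fails against a fresh RAND: the relay grants impersonation, not the key."""
    network.authentication_request(imsi)
    return network.authentication_response(imsi, observed["res"], "TA-attacker")


def run_demo():
    network = CoreNetwork(sn_id=b"310-260")        # constructed PLMN id
    k = os.urandom(16)
    victim = UE("310260000000001", k, "TA-home")  # constructed IMSI and tracking area
    network.provision(victim.imsi, k)
    honest = honest_attach(network, victim)
    honest_location = network.location[victim.imsi]
    accepted, observed = relay_attack(network, victim, "TA-attacker")
    return {
        "honest_accepted": honest,
        "honest_location": honest_location,
        "relay_accepted": accepted,
        "relay_location": network.location[victim.imsi],
        "victim_real_location": victim.tracking_area,
        "replay_accepted": replay_attempt(network, victim.imsi, observed),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running `run_demo()` shows the honest attach recording `TA-home`, the relayed attach being accepted and recording `TA-attacker` for the same IMSI, and the replay being rejected. The model deliberately omits the NAS security-mode exchange that follows AKA, which is where the attacker's lack of KASME becomes visible in the real protocol.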
The other attacks target the attach, paging and detach procedures as well: forcing a victim to detach or downgrade (P2, D1), hijacking the paging channel (P1), injecting fake emergency broadcast messages (P3), draining the device's battery (P4), and tracking whether a given device is present in an area (A2, P5).
HOW TO DEFEND YOURSELF
So far no remediation for the authentication relay attack has been published. The whitepaper describes some possible mitigation areas and notes that a significant redesign of the protocol may be necessary.