LTE is considered one of the most secure telecommunications technologies in everyday use. The 3GPP standards allow for authorization keys that are more secure than those used in GSM. In addition, operators can encrypt IP packets, which makes it impossible to eavesdrop on transmitted messages. However, researchers from universities in Iowa City and West Lafayette have developed 10 types of attacks on LTE networks that can be carried out with inexpensive equipment.

The US researchers built a model of an LTE network, which they used to study how well cellular networks resist attacks. Their tool, LTEInspector, makes it possible to modify and replace messages sent between LTE network elements, and so to check how the system behaves under man-in-the-middle attacks. In practice, this means an attacker would need a device that impersonates a smartphone or a base station. In the age of software-defined radio, this is not the slightest problem. The researchers confirmed the effectiveness of their attacks by carrying them out in a small LTE network built for this purpose. A fake base station can be built using the USRP B210 platform, which costs $1300 (about Rs. 85 000). The same equipment can be used to impersonate the victim’s smartphone.

Researchers have found 10 loopholes in basic LTE procedures

The attacks rely on altering messages transmitted during three basic procedures: attach (connecting the smartphone to the LTE network), detach (disconnecting the smartphone from the network) and paging (calling the device over the LTE network). Most of the attacks block network access for a selected person or disconnect that person from the network. The most creative attack can be used to cause panic among the inhabitants of a selected geographical area by sending false warning messages. The United States and Japan operate systems that warn people about natural disasters (earthquakes, tsunamis, etc.) and other threats. For example, at the beginning of this year, the operator of such a system in Hawaii accidentally sent a false alarm about a rocket attack.

LTE attacks

The researchers point out that current LTE networks may not be protected against the disclosed vulnerabilities. Implementing any changes that are not compliant with the 3GPP standards could cause compatibility problems with hardware that is currently on the market. However, operators are not helpless in this situation. In Europe, many providers encrypt the IP packets exchanged between the base station and the elements of the operator’s core network. In addition, devices that masquerade as smartphones and LTE modems can be detected by monitoring for incorrect behaviour on the network.

Source: Ars Technica, LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE