The impersonation attack — named "IMPersonation Attacks in 4G NeTworks" (or IMP4GT) — exploits the mutual authentication method used by the mobile phone and the network's base station to verify their respective identities to manipulate data packets in transit.
"The IMP4GT attacks exploit the missing integrity protection for user data, and a reflection mechanism of the IP stack mobile operating system. We can make use of the reflection mechanism to build an encryption and decryption oracle. Along with the lack of integrity protection, this allows to inject arbitrary packets and to decrypt packets," the researchers explained.
The research was presented at the Network Distributed System Security Symposium (NDSS) on February 25 in San Diego.
The vulnerability impacts all devices that communicate with LTE, which includes all smartphones, tablets, and IoT devices currently being sold in the market.
"The Bochum-based team is attempting to close the security gap in the latest mobile communication standard 5G, which is currently rolled out," the researchers said. The flaws were responsibly disclosed to the telecom standards body GSM Association last May.
How does the IMP4GT attack work?
The researchers carried out the attacks using software-defined radios, which are devices that can read messages between a phone and the base station it's connected to. The man-in-the-middle attack, then, allows a hacker to impersonate a user towards the network and vice versa.
In other words, the attacker tricks the network into thinking the radio was, in fact, the phone (uplink impersonation), and also dupes the phone into assuming that the software-defined radio is the legitimate cell tower (downlink impersonation).
"The uplink impersonation allows an attacker to establish an arbitrary IP connection towards the Internet, e. g., a TCP connection to an HTTP server. With the downlink variant, the attacker can build a TCP connection to the UE," the researchers said.
It's to be noted that the adversary must be in close proximity — in the range of 2km — to the victim's mobile phone to mount the IMP4GT attack. As a consequence, these attacks are no different from those that involve cell-site simulators such as IMSI catchers (aka stingrays) that are used by law enforcement agencies to intercept mobile phone traffic.
Once this communication channel is compromised, the next stage of the attack works by taking advantage of the missing integrity protection in the LTE communication standard to arbitrarily modify the data packets that are being exchanged.
Discover the Hidden Dangers of Third-Party SaaS Apps
Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.RESERVE YOUR SEAT
By forging the internet traffic, the attack could allow a hacker to make unauthorized purchases, access illegal websites, upload sensitive documents using the victim's identity, and even redirect the user to a malicious site, a different form of attack called "aLTEr attack."
"This attack has far-reaching consequences for providers and users," the researchers said in the paper. "Providers can no longer assume that an IP connection originates from the user. Billing mechanisms can be triggered by an adversary, causing the exhaustion of data limits, and any access control or the providers' firewall can be bypassed."
Moreover, "by doing so, we show that an attacker can bypass the provider's firewall mechanism, and the phone is open to any incoming connection. Such an attack is a stepping stone for further attacks, such as malware deployment."
What's the solution?
The disclosure of the IMP4GT attack comes on the heels of similar research undertaken by academics at Purdue University and the University of Iowa, which uncovered three new security flaws in 4G and 5G networks that can be used to eavesdrop on phone calls and track the locations of cell phone users.
The incoming 5G standard, which is being rolled out in a handful of countries, aims to offer faster speeds and long-needed security features, including protection from IMSI catchers. But with hundreds of millions of devices impacted by these flaws, it's imperative that 5G implementations apply more robust security and data protection to fix the vulnerabilities.
"Mobile network operators would have to accept higher costs, as the additional protection generates more data during the transmission," David Rupprecht, one of the paper's co-authors, said. "In addition, all mobile phones would have to be replaced, and the base station expanded. That is something that will not happen in the near future."
While the scrutiny of the 5G standard has made it possible to catch and fix potential vulnerabilities before the 5G networks are widely deployed, the latest research is a sign that cellular network security needs further attention.