
Mobile Networks Vulnerable to IMP4GT Impersonation Attacks

A group of researchers at Ruhr-Universität Bochum and NYU Abu Dhabi have discovered a new attack on 4G and 5G mobile networks that can be used to impersonate users.

Called IMP4GT (IMPersonation attacks in 4G NeTworks), the attack demonstrates that the currently used mutual authentication method, where the smartphone and the network verify their identities, is not a reliable security feature in Long Term Evolution (LTE). The authentication is established on the control plane and does not feature integrity protection of the user plane.

By exploiting the missing integrity protection for user data, IMP4GT allows an attacker to impersonate a user towards the network and vice versa. Furthermore, a reflection mechanism in the mobile operating system's IP stack can be abused to build an encryption and decryption oracle, which lets the attacker inject arbitrary packets and decrypt captured packets, the researchers reveal.

In the IMP4GT attack, the researchers explain in a whitepaper (PDF), the impersonation can be conducted in either the uplink direction (the attacker poses as the user towards the network, using the victim’s identity to access IP services) or the downlink direction (the attacker establishes a TCP/IP connection to the phone, bypassing the LTE network’s firewalls).

“This attack has far-reaching consequences for providers and users. Providers can no longer assume that an IP connection originates from the user. Billing mechanisms can be triggered by an adversary, causing the exhaustion of data limits, and any access control or the providers’ firewall can be bypassed,” the researchers say.

According to the researchers, the attack may also impact investigations conducted by law enforcement agencies, given that an attacker can use the victim’s identity to establish arbitrary IP connections. They could, for example, upload sensitive documents and have the operation blamed on the victim.

However, an adversary needs to be “highly skilled and in close proximity to the victim” to mount such an attack. Specialized hardware, a customized implementation of the LTE protocol stack, and significant engineering effort (if a shielding box is not used) are also required, meaning that the investment would only be worthwhile for high-value targets, the researchers say.

While the technical characteristics of the attack are comparable to those of IMSI catchers/stingrays, in the case of IMP4GT the relay actively sends data to the network, operates as a man-in-the-middle, and impersonates either the victim or the network, whereas classical IMSI catchers only try to identify and localize the victim.

“IMP4GT allows an active radio attacker to establish arbitrary TCP/IP connections to and from the Internet through the victim’s UE. IMP4GT exploits the lack of integrity protection along with ICMP reflection mechanisms. As a result, the attacker can circumvent any authorization, accounting, or firewall mechanism of the provider,” the researchers conclude.

The researchers, who contacted the GSMA last year to report the discovery, say that all network vendors are equally vulnerable and that their attack works on some 5G networks as well. All devices that connect to an LTE network are affected, including phones, tablets, and appliances.

The vulnerability could be addressed in the 5G networks now being rolled out by making user-plane integrity protection mandatory, but that would mean higher costs for network operators (the additional protection generates more data during transmission), the replacement of current mobile phones, and upgrades to base stations.
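The underlying weakness described above (user data that is encrypted but not integrity-protected) and the proposed fix (mandatory user-plane integrity protection) come down to one cryptographic property: a stream- or counter-mode cipher on its own is malleable, so a change to the ciphertext produces a predictable change in the decrypted data, and only an integrity tag lets the receiver notice. The following is an added illustration of that property, not code from the article or from the IMP4GT paper. The cipher is a constructed toy (an HMAC-SHA256 counter-mode keystream XORed with the data) standing in for any stream cipher; it is not LTE's actual confidentiality or integrity algorithm, and the packet layout, keys and nonce are invented sample values.

```python
"""Added example: encryption without integrity is malleable; a MAC detects tampering.

The keystream cipher here is a constructed stand-in for a stream/CTR-mode cipher.
It is NOT the LTE user-plane algorithm; it only has the same malleability property.
"""
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: concatenated HMAC(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream (confidentiality only, no integrity)."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


decrypt = encrypt  # XOR with the same keystream undoes the encryption


def xor_into_ciphertext(ciphertext: bytes, offset: int, mask: bytes) -> bytes:
    """Simulate an on-path modification: XOR a mask into the ciphertext.
    No key is needed; with a stream cipher the same bits flip in the plaintext."""
    buf = bytearray(ciphertext)
    for i, m in enumerate(mask):
        buf[offset + i] ^= m
    return bytes(buf)


def protect(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes):
    """Encrypt, then compute an integrity tag over nonce || ciphertext."""
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def unprotect(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    """Verify the tag in constant time before decrypting; return None on failure."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # integrity check failed: the packet must be discarded
    return decrypt(enc_key, nonce, ct)


# Constructed sample packet: a 4-byte "destination address" followed by a payload.
SAMPLE_PACKET = bytes([10, 0, 0, 1]) + b"payload-from-ue"
ENC_KEY = b"\x01" * 32   # constructed key, for illustration only
MAC_KEY = b"\x02" * 32   # constructed key, for illustration only
NONCE = b"\x00" * 8


def demo_without_integrity() -> bytes:
    """Encryption alone: the last address byte is changed from 1 to 2 in transit
    and the receiver decrypts the altered address without noticing."""
    ct = encrypt(ENC_KEY, NONCE, SAMPLE_PACKET)
    tampered = xor_into_ciphertext(ct, 3, bytes([1 ^ 2]))
    return decrypt(ENC_KEY, NONCE, tampered)


def demo_with_integrity():
    """Same modification against an integrity-protected packet: rejected (None)."""
    ct, tag = protect(ENC_KEY, MAC_KEY, NONCE, SAMPLE_PACKET)
    tampered = xor_into_ciphertext(ct, 3, bytes([1 ^ 2]))
    return unprotect(ENC_KEY, MAC_KEY, NONCE, tampered, tag)


if __name__ == "__main__":
    print("no integrity  ->", demo_without_integrity())
    print("with integrity ->", demo_with_integrity())
```

The first demo decrypts to a packet addressed to 10.0.0.2 even though the sender encrypted one for 10.0.0.1, which is why a confidentiality-only user plane cannot tell the network where an IP packet really came from or was going. The second demo shows the cost the article mentions in concrete terms: every protected packet carries an extra tag, and both ends must compute and check it, but any modification is rejected before it reaches the IP stack.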

Related: Researchers Uncover Vulnerabilities in LTE Wireless Protocol

Related: Researchers Devise New Attacks Against 4G LTE Mobile Networks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
