Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Fraud & Identity Theft

Mobile Networks Vulnerable to IMP4GT Impersonation Attacks

A group of researchers at Ruhr-Universität Bochum and NYU Abu Dhabi have discovered a new attack on 4G and 5G mobile networks that can be used to impersonate users.

A group of researchers at Ruhr-Universität Bochum and NYU Abu Dhabi have discovered a new attack on 4G and 5G mobile networks that can be used to impersonate users.

Called IMP4GT (IMPersonation attacks in 4G NeTworks), the attack demonstrates that the currently used mutual authentication method, where the smartphone and the network verify their identities, is not a reliable security feature in Long Term Evolution (LTE). The authentication is established on the control plane and does not feature integrity protection of the user plane.

By exploiting the missing integrity protection for user data, IMP4GT allows an attacker to impersonate a user towards the network and vice versa. Furthermore, a reflection mechanism of the IP stack mobile operating system can be abused to build an encryption and decryption oracle and inject arbitrary packets and to decrypt packets, the researchers reveal.

In IMP4GT attack, the researchers explain in a whitepaper (PDF), the impersonation can be conducted on either the uplink direction (the attacker poses as the user towards the network, using the victim’s identity to access IP services) or the downlink direction (the attacker establishes a TCP/IP connection to the phone, bypassing the LTE network’s firewalls).

“This attack has far-reaching consequences for providers and users. Providers can no longer assume that an IP connection originates from the user. Billing mechanisms can be triggered by an adversary, causing the exhaustion of data limits, and any access control or the providers’ firewall can be bypassed,” the researchers say.

According to the researchers, the attack may also impact investigations conducted by law enforcement agencies, given that an attacker can use the victim’s identity to establish arbitrary IP connections. They could, for example, upload sensitive documents and have the operation blamed on the victim.

However, an adversary needs to be “highly skilled and in close proximity to the victim” to mount such an attack. Specialized hardware, a customized implementation of the LTE protocol stack, and significant engineering effort (if a shielding box is not used) are also required, meaning that the investment would only be worth for high-value targets, the researchers say.

While the technical characteristics of the attack are comparable to IMSI catchers/stingrays, in the case of IMP4GT, the relay actively sends data to the network and also operates as a man-in-the-middle, and the attacker impersonates a victim or network — classical IMSI catchers try to identify and localize the victim.

Advertisement. Scroll to continue reading.

“IMP4GTallows an active radio attacker to establish arbitrary TCP/IP connections to and from the Internet through the victim’s UE. IMP4GTexploits the lack of integrity protection along with ICMP reflection mechanisms. As a result, the attacker can circumvent any authorization, accounting, or firewall mechanism of the provider,” the researchers conclude.

The researchers, who contacted the GSMA last year to report the discovery, say that all network vendors are equally vulnerable and that their attack works on some 5G networks as well. All devices that connect to an LTE network are affected, including phones, tablets, and appliances.

The vulnerability could be addressed in the now-rolling-out 5G networks by implementing mandatory user-plane integrity protection, but that would require higher costs for network operators — the additional protection would generate more data during transmission — and the replacing of current mobile phones. Base stations would also need to be expanded.

Related: Researchers Uncover Vulnerabilities in LTE Wireless Protocol

Related: Researchers Devise New Attacks Against 4G LTE Mobile Networks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

Former Wiz executive Trish Cagliostro has joined Orchid Security as Chief Revenue Officer.

Transcend has named former UnitedHealth Group CISO Aimee Cardwell as CISO in Residence.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.