A group of researchers at Ruhr-Universität Bochum and NYU Abu Dhabi have discovered a new attack on 4G and 5G mobile networks that can be used to impersonate users.
Called IMP4GT (IMPersonation attacks in 4G NeTworks), the attack demonstrates that the currently used mutual authentication method, where the smartphone and the network verify their identities, is not a reliable security feature in Long Term Evolution (LTE). The authentication is established on the control plane and does not feature integrity protection of the user plane.
By exploiting the missing integrity protection for user data, IMP4GT allows an attacker to impersonate a user towards the network and vice versa. Furthermore, a reflection mechanism of the IP stack mobile operating system can be abused to build an encryption and decryption oracle and inject arbitrary packets and to decrypt packets, the researchers reveal.
In IMP4GT attack, the researchers explain in a whitepaper (PDF), the impersonation can be conducted on either the uplink direction (the attacker poses as the user towards the network, using the victim’s identity to access IP services) or the downlink direction (the attacker establishes a TCP/IP connection to the phone, bypassing the LTE network’s firewalls).
“This attack has far-reaching consequences for providers and users. Providers can no longer assume that an IP connection originates from the user. Billing mechanisms can be triggered by an adversary, causing the exhaustion of data limits, and any access control or the providers’ firewall can be bypassed,” the researchers say.
According to the researchers, the attack may also impact investigations conducted by law enforcement agencies, given that an attacker can use the victim’s identity to establish arbitrary IP connections. They could, for example, upload sensitive documents and have the operation blamed on the victim.
However, an adversary needs to be “highly skilled and in close proximity to the victim” to mount such an attack. Specialized hardware, a customized implementation of the LTE protocol stack, and significant engineering effort (if a shielding box is not used) are also required, meaning that the investment would only be worth for high-value targets, the researchers say.
While the technical characteristics of the attack are comparable to IMSI catchers/stingrays, in the case of IMP4GT, the relay actively sends data to the network and also operates as a man-in-the-middle, and the attacker impersonates a victim or network — classical IMSI catchers try to identify and localize the victim.
“IMP4GTallows an active radio attacker to establish arbitrary TCP/IP connections to and from the Internet through the victim’s UE. IMP4GTexploits the lack of integrity protection along with ICMP reflection mechanisms. As a result, the attacker can circumvent any authorization, accounting, or firewall mechanism of the provider,” the researchers conclude.
The researchers, who contacted the GSMA last year to report the discovery, say that all network vendors are equally vulnerable and that their attack works on some 5G networks as well. All devices that connect to an LTE network are affected, including phones, tablets, and appliances.
The vulnerability could be addressed in the now-rolling-out 5G networks by implementing mandatory user-plane integrity protection, but that would require higher costs for network operators — the additional protection would generate more data during transmission — and the replacing of current mobile phones. Base stations would also need to be expanded.
Related: Researchers Uncover Vulnerabilities in LTE Wireless Protocol
Related: Researchers Devise New Attacks Against 4G LTE Mobile Networks