Search This Blog

Showing posts with label LTE Network. Show all posts

Flaws in LTE can allow hackers to spoof presidential alerts

Last year, the United States performed the first public test of the national Wireless Emergency Alert (WEA), an alert system designed to send messages to smartphones, TVs, and other systems simultaneously. The test was specifically for the 'Presidential Alert,' a new category that can't be opted out of (like AMBER alerts). It turns out these types of alerts can be easily spoofed, thanks to various security vulnerabilities with LTE towers.

Researchers figured out a way to exploit the system that sends presidential emergency alerts to our phones, simulating their method on a 50,000 seat football stadium in Colorado with a 90 percent success rate.

A group of researchers at the University of Colorado Boulder released a paper that details how Presidential Alerts can be faked. An attack using a commercially-available radio and various open-source software tools can create an alert with a custom message.

Why it matters: The Wireless Emergency Alert (WEA) system is meant to allow the president to promptly broadcast alert messages to the entire connected US population in case of a nationwide emergency. It can also send out bad weather or AMBER alerts to notify citizens in a particular region or locality, thus making its operation critical. However, the exploitation of LTE networks used in it can enable the transmission of spoofed messages that can cause wide spread of misinformation and panic among the masses.

The researchers didn’t perform an actual attack on a live crowd at the stadium or on actual mobile devices, Eric Wustrow, a researcher on the paper, told Gizmodo in an email. The tests performed were instead done in isolated RF shield boxes, Wustrow said, “and our analysis of Folsom Field was a combination of empirically gathered data and simulation.”

First, alerts come from a specific LTE channel, so malicious alerts can be sent out once that channel is identified. Second, phones have no way of knowing if an alert is genuine or not. Adding digital signatures to alerts could potentially solve the latter problem, but the task would require device manufacturers, carriers, and government agencies to work together.

LTE vulnerabilities could allow eavesdroping

There are new vulnerabilities discovered with the 4G network used by smartphones. South Korean researchers discovered 36 new flaws using a technique called 'fuzzing'.

It turns out that our mobile networks may not be the safest. As LTE gets ready to make way for 5G, researchers have discovered several flaws in the Long-Term Evolution (LTE) standard, which could allow an attacker to intercept data traffic or spoof SMS messages.

The 4G LTE standard has vulnerabilities that could allow a hacker to intercept data that is being transferred on the networks. Although there has been plenty of research about LTE security vulnerabilities published in the past,  what's different about this particular study is the scale of the flaws identified and the way in which the researchers found them.

Researchers at the Korea Advanced Institute of Science and Technology Constitution (KAIST) have discovered 51 vulnerabilities with the 4G LTE standard—this includes 15 known issues and 36 new and previously undiscovered flaws with the standard.

LTE, although commonly marketed as 4G LTE, isn’t technically 4G. LTE is widely used around the world and often marketed as 4G. LTE can be more accurately described as 3.95G.

Given the widespread use of LTE, the latest findings have massive implications and clearly show wireless networks that consumers often take for granted aren't foolproof.

In their research paper [PDF], the researchers claim to have found vulnerabilities enabling attackers to eavesdrop and access user data traffic, distribute spoofed text messages, interrupt communications between base station and phones, block calls, disconnect users from the network and also access as well as manipulate data that is being transferred. The researchers are planning to present these at the IEEE Symposium on Security and Privacy in May.

“LTEFuzz successfully identified 15 previously disclosed vulnerabilities and 36 new vulnerabilities in design and implementation among the differ- ent carriers and device vendors. The findings were categorized into five vulnerability types. We also demonstrated several attacks that can be used for denying various LTE services, sending phishing messages, and eavesdropping/manipulating data traffic. We performed root cause analysis of the identified problems by reviewing the related standard and interviewing collaborators of the carriers,” said the researchers in the report.

4G Network Is Under Attack!

As of yesterday a team of academics published a report on a research conducted that described three attacks against the mobile communication standard LTE (Long Term Evolution), otherwise called the 4G network.

As indicated by the researchers, two of the three attacks are 'passive', which means that they allow an attacker to gather meta-information about the user's activity and in addition to this also enable the attacker to determine what sites a user may visit through his LTE device. Then again the third is a functioning attack or an active attack in other words, that gives the attacker a chance to manipulate data sent to the user's LTE gadget.

Researchers nicknamed the active attack aLTEr in view of its intrusive capacities, which they utilized as a part of their experiments to re-direct users to malevolent sites by altering the DNS packets.
In any case, the researchers said that the regular users have nothing to fear, until further notice as carrying out any of the three attacks requires extremely unique and costly hardware, alongside custom programming, which for the most part puts this kind of attack out of the reach of most cyber criminals.

"We conducted the attacks in an experimental setup in our lab that depends on special hardware and a controlled environment," researchers said. "These requirements are, at the moment, hard to meet in real LTE networks. However, with some engineering effort, our attacks can also be performed in the wild."

The equipment expected to pull off such attacks is fundamentally the same as purported "IMSI catchers" or "Stingray" gadgets, equipment utilized by law enforcement around the globe to trap a target's phone into interfacing with a fake telecommunication tower.

The contrast between an aLTEr attack and a classic IMSI catcher is that the IMSI catchers perform 'passive' MitM attack to decide the target's geo-area, while aLTEr can actually alter what the user views on his/her device.

With respect to the technical details of the three attacks, the three vulnerabilities exist in one of the two LTE layers called the data layer, the one that is known for transporting the user's real information. The other layer is the control layer as that is the one that controls and keeps the user's 4G connection running.

As indicated by researchers, the vulnerabilities exist on the grounds that the data layer isn't secured, so an attacker can capture, change, and after that transfer the altered packets to the actual cell tower.
The research team, made up of three researchers from the Ruhr-University in Bochum, Germany and a specialist from New York University, say they have warned the relevant institutions like the GSM Association (GSMA), 3rd Generation Partnership Project (3GPP), as well as the telephone companies about the issues they had found.

Cautioning that the issue could likewise influence the up and coming version of the 5G standard in its present form. Experts said that the 5G standard incorporates extra security features to forestall aLTEr attacks; however these are as of now discretionary.

The research team has although, published its discoveries in a research paper entitled "Breaking LTE on Layer Two," which they intend to display at the 2019 IEEE Symposium on Security and Privacy , to be held in May 2019 in San Francisco.

Below is a link of a demo of an aLTEr attack recorded by researchers.