Academics from Purdue University and the University of Iowa have uncovered new vulnerabilities in the core protocols that power 4G LTE mobile networks across the world.
The vulnerabilities affect the attach, detach, and paging procedures that are part of Long-Term Evolution (LTE), a standard for high-speed wireless communication for mobile devices.
Researchers say these flaws, detailed in a paper entitled "LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE" [1, 2], allow an attacker to connect to 4G LTE networks without proper credentials.
An attacker could connect to a 4G LTE network using another user's identity, send messages on behalf of another user, intercept messages meant for that user, spoof the location of a mobile device, and even force other devices to disconnect from a mobile network.
Researchers fear that these bugs might be used in the real world to hide serious crimes. For example, a man committing a crime in the US could make it look like his device was connected to cell towers associated with an EU-based LTE network, creating a believable alibi for his whereabouts.
Academics used a special tool named LTEInspector to discover these flaws: ten new vulnerabilities and nine that were already known.
Researchers also validated the accuracy of their tool by successfully exploiting eight of the ten new flaws using a testbed rig and a faux mobile network. The testbed rig was built using readily-available equipment and software.
"We built a testbed using low-cost software defined radios and open-source LTE software stack having a price tag of around $3,900 which we would argue is within the reach of a motivated adversary," the research team explains.
Each of the bugs found with LTEInspector is detailed in the team's research paper, on page 7. Researchers have also open-sourced the LTEInspector tool on GitHub.
"Retrospectively adding security into an existing protocol without breaking backward compatibility often yields band-aid-like-solutions which do not hold up under extreme scrutiny," researchers said. "It is also not clear, especially, for the authentication relay attack whether a defense exists that does not require major infrastructural or protocol overhaul."