Abusing protocols in LTE networks to knock mobile devices off networks
8.11.2016 securityaffairs Mobile

A group of researchers from Nokia Bell Labs and Aalto University in Finland demonstrated how to abuse the signaling protocols used in LTE networks to knock subscribers off the network.
We have discussed several times the role of the SS7 signaling protocol in mobile communications and how its flaws can be exploited to track users.

When mobile users travel between countries, their devices attach to the infrastructure of a local operator, which in turn communicates with their home operator. SS7 is the protocol that makes this roaming possible, but as explained in earlier posts it is also affected by many vulnerabilities that could be exploited for:

Location tracking.
Eavesdropping.
Fraud.
Denial of service against users and the network.
Credential theft.
Data session hijacking.
Unblocking stolen phones.
SMS interception.
One-time password theft and account takeover for Telegram, Facebook and WhatsApp.
Diameter is considered the evolution of SS7 for modern Long-Term Evolution (LTE) networks, and compared with its predecessor it is supposed to be more secure. Is it?

Anyway, the experts discovered that Diameter is also affected by security issues. One of them is that the specifications do not make the use of the Internet Protocol Security (IPsec) protocol mandatory, so Diameter messages crossing the interconnect are not necessarily authenticated or protected.

According to the researchers from Nokia Bell Labs and Aalto University, this means that Diameter can be attacked with the same kind of techniques that are effective against SS7: whoever can inject messages into the interconnect can impersonate network nodes.

The team ran several tests to evaluate attacks against users connected to an LTE network. The attacks were run on a test network set up by an unnamed global mobile operator, targeting UK subscribers from Finland, and the researchers found several ways to disrupt service to users.

The researchers were able to shut down users' connections both temporarily and permanently, and they were also able to target entire regions.

The team presented the results of tests at the Black Hat Europe security conference in London.

To launch the attack against another operator's systems or subscribers, the attacker needs access to the private interconnection network (IPX). The experts pointed out that there are several ways to get it: a persistent attacker such as a government could compel a local operator to provide access through it.

Attackers could also act as a virtual network operator and obtain access to the roaming network through an existing operator, or they could break into one of an operator's nodes that is reachable from the internet. Let's take a closer look at LTE networks and their main components:

LTE Networks

The core network nodes relevant here are the Mobility Management Entities (MMEs), which provide session management, subscriber authentication, roaming and handovers to other networks. The radio signal reaches the devices through the cell towers, while the Home Subscriber Server (HSS) is the component that holds the master subscriber database. Other essential components of LTE networks are the Diameter Edge Agents (DEAs), which act as gateways to the interconnection network via the IPX providers.

In the attack scenario, the attacker needs the victim's International Mobile Subscriber Identity (IMSI), which is quite easy to obtain through the IPX network by masquerading as a Short Message Service Center (SMSC) that is trying to deliver a text message to the victim's phone number. This means that the victim's phone number, the Mobile Station International Subscriber Directory Number (MSISDN), and the address of the DEA of the victim's operator are all that is needed to attack a specific user.
The attacker sends a routing information request for short messages through the DEA to the operator's HSS, which responds with the subscriber's IMSI as well as the identity of the MME the subscriber is currently attached to.

Great, now the attacker has all the information needed to start the attack!

At this point the attacker, masquerading as a roaming partner's HSS, sends a Cancel Location Request (CLR) message to the victim's MME, which detaches that specific subscriber from the network.

CLR messages are normally used inside the LTE network when a subscriber moves from one MME to another because of a change in location.

The researchers also highlighted a way to exploit this mechanism to obtain a sort of amplification factor. They noticed that when the subscriber re-attaches, the device sends 20 different messages to the MME.


Imagine that the attackers force the detachment of hundreds of subscribers at the same time: the MME will be flooded with re-attach messages, causing a DoS across the large areas served by each Mobility Management Entity.

There is also a second DoS scenario in which the attackers impersonate an HSS and send an Insert Subscriber Data Request (IDR) to the victim's MME carrying a subscription value that means "no service". This detaches the mobile user permanently, because the subscription data stored in the MME's records is changed.

In this case, the only way to get back on the network is to contact the mobile operator.
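The CLR and IDR messages described above are legitimate S6a commands; what turns them into an attack is that a node on the interconnect can send them for a subscriber that is not its own. The following is an added example, not the researchers' code and not part of the original article: it shows one plausibility check a Diameter Edge Agent could apply before forwarding an HSS-originated command from the IPX side to an MME. The Origin-Realm must match the realm of the peer link the message arrived on, and it must be the home realm of the IMSI carried in User-Name, which for a home subscriber can never be a foreign realm. The Diameter command codes, application id and AVP codes are the standard ones from RFC 6733 and 3GPP TS 29.272; the realms, IMSIs, the MNC-length table and the `screen_inbound` and `home_realm` helpers are constructed for the example.

```python
"""DEA-side plausibility screening of HSS-originated S6a commands (CLR/IDR).

Constructed example: encodes minimal Diameter requests, parses them back,
and applies a realm/IMSI consistency rule before they reach an MME.
"""
import struct

# Command codes and application id from 3GPP TS 29.272 (S6a/S6d).
CMD_CANCEL_LOCATION = 317
CMD_INSERT_SUBSCRIBER_DATA = 319
APP_S6A = 16777251
HSS_ORIGINATED = {CMD_CANCEL_LOCATION, CMD_INSERT_SUBSCRIBER_DATA}

# AVP codes from RFC 6733. In S6a, User-Name carries the IMSI.
AVP_USER_NAME = 1
AVP_ORIGIN_HOST = 264
AVP_DESTINATION_REALM = 283
AVP_ORIGIN_REALM = 296

# Constructed, partial table: number of MNC digits per MCC (2 or 3).
MNC_LEN = {"234": 2, "244": 2, "262": 2, "310": 3}


def avp(code, data):
    """Encode one AVP: code(4), flags(1, M set), length(3), data padded to 4."""
    if isinstance(data, str):
        data = data.encode()
    length = 8 + len(data)
    return (struct.pack("!IB", code, 0x40) + length.to_bytes(3, "big")
            + data + b"\x00" * (-len(data) % 4))


def message(cmd, avps, hop_by_hop=1, end_to_end=1):
    """Encode a Diameter request: 20-byte header followed by the AVPs."""
    body = b"".join(avps)
    header = (bytes([1]) + (20 + len(body)).to_bytes(3, "big")
              + bytes([0x80])                      # R flag: this is a request
              + cmd.to_bytes(3, "big")
              + struct.pack("!III", APP_S6A, hop_by_hop, end_to_end))
    return header + body


def parse(msg):
    """Return (command code, application id, {avp code: raw data})."""
    length = int.from_bytes(msg[1:4], "big")
    cmd = int.from_bytes(msg[5:8], "big")
    app = struct.unpack("!I", msg[8:12])[0]
    avps, off = {}, 20
    while off < length:
        code = struct.unpack("!I", msg[off:off + 4])[0]
        flags = msg[off + 4]
        alen = int.from_bytes(msg[off + 5:off + 8], "big")
        hdr = 12 if flags & 0x80 else 8          # V flag adds a Vendor-Id field
        avps[code] = msg[off + hdr:off + alen]
        off += alen + (-alen % 4)
    return cmd, app, avps


def home_realm(imsi):
    """Derive the Diameter realm of the IMSI's home PLMN (3GPP TS 23.003 form)."""
    mcc = imsi[:3]
    mnc = imsi[3:3 + MNC_LEN[mcc]]
    return f"epc.mnc{mnc.zfill(3)}.mcc{mcc}.3gppnetwork.org"


def screen_inbound(msg, peer_realm, our_realm):
    """Decide whether an S6a request from the IPX side may be forwarded.

    peer_realm: realm the DEA has configured for the transport association
    the message arrived on. our_realm: the home network's own realm.
    Returns (accept, reason).
    """
    cmd, app, avps = parse(msg)
    if app != APP_S6A or cmd not in HSS_ORIGINATED:
        return True, "not an HSS-originated S6a command; other rules apply"
    origin = avps[AVP_ORIGIN_REALM].decode()
    imsi = avps[AVP_USER_NAME].decode()
    if origin != peer_realm:
        return False, f"Origin-Realm {origin} does not match peer link {peer_realm}"
    expected = home_realm(imsi)
    if expected == our_realm:
        return False, "CLR/IDR for a home IMSI must never arrive from the interconnect"
    if origin != expected:
        return False, f"{origin} is not the home HSS realm of IMSI {imsi}"
    return True, "roaming partner HSS acting on its own inbound roamer"


# Constructed sample traffic. Home network: a UK operator (MCC 234, MNC 15);
# the peer link belongs to a hypothetical Finnish partner (MCC 244, MNC 91).
OUR_REALM = "epc.mnc015.mcc234.3gppnetwork.org"
FI_REALM = "epc.mnc091.mcc244.3gppnetwork.org"


def sample(cmd, origin_realm, imsi):
    return message(cmd, [avp(AVP_ORIGIN_HOST, "hss1." + origin_realm),
                         avp(AVP_ORIGIN_REALM, origin_realm),
                         avp(AVP_DESTINATION_REALM, OUR_REALM),
                         avp(AVP_USER_NAME, imsi)])


ATTACK_CLR = sample(CMD_CANCEL_LOCATION, FI_REALM, "234150000000001")  # UK victim, sent from Finland
PARTNER_CLR = sample(CMD_CANCEL_LOCATION, FI_REALM, "244910000000002")  # Finnish HSS, own roamer
SPOOFED_IDR = sample(CMD_INSERT_SUBSCRIBER_DATA,
                     "epc.mnc001.mcc262.3gppnetwork.org", "244910000000002")  # realm != link

if __name__ == "__main__":
    for name, m in [("attack CLR", ATTACK_CLR), ("partner CLR", PARTNER_CLR),
                    ("spoofed IDR", SPOOFED_IDR)]:
        print(name, screen_inbound(m, FI_REALM, OUR_REALM))
```

The IMSI-to-realm rule is what stops the exact message from the talk: a CLR or IDR for a UK IMSI has no business entering the UK operator from any foreign realm. The peer-link comparison is the weaker half of the check, because an attacker on the interconnect can put any Origin-Realm in the message; it only helps when the DEA can tie each association to one partner, and when the link goes through an IPX hub that carries many operators it degrades to whatever the hub itself enforces. That is why the missing mandatory IPsec (or TLS) on Diameter interconnects matters: without transport authentication of the peer, realm plausibility filtering is the main defence the edge has.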

As you can see, LTE networks and Diameter are vulnerable too, and for this reason the researchers stressed the need for additional security measures on the interconnect.

For further information, take a look at the slides ("Detach me not: DoS attacks against 4G cellular users worldwide from your desk") presented at Black Hat Europe 2016.