IMP4GT

IMPersonation Attacks in 4G NeTworks
David Rupprecht, Katharina Kohls, Thorsten Holz, and Christina Pöpper

Ruhr University Bochum & New York University Abu Dhabi
PDF

Introduction

In mobile networks, mutual authentication ensures that the smartphone and the network can verify their identities. In LTE, mutual authentication is established on the control plane with a provably secure authentication and key agreement protocol. However, missing integrity protection of the user plane still allows an adversary to manipulate and redirect IP packets.

The IMP4GT (IMPersonation Attacks in 4G NeTworks) (/ˈɪmˌpæk(t)/) attacks exploit the missing integrity protection, and extend it with an attack mechanism on layer three which allows an attacker to impersonate a user towards the network and vice versa. We conduct two IMP4GT variants in a LTE commercial network and demonstrate how this completely breaks the mutual authentication of the user plane LTE and early 5G networks.

In the following, we provide an overview of the IMP4GT attacks and their implications. Our work will appear at the NDSS Symposium 2020 and all details are available in a pre-print version of the paper.

 

IMP4GT Attacks


What does IMP4GT exploit?
The IMP4GT attacks exploit the missing integrity protection for user data, and a reflection mechanism of the IP stack mobile operating system. We can make use of the reflection mechanism to build an encryption and decryption oracle. Along with the lack of integrity protection, this allows to inject arbitrary packets and to decrypt packets (see paper for details).

Attack Variants
The impersonation can be conducted in uplink or in downlink direction:

With the uplink impersonation, the attacker impersonates a victim towards the network and can use arbitrary IP services (websites) with the identity of the victim. All traffic generated by the attacker is associated with the victim's IP address.
The downlink impersonation allows an attacker to establish a TCP/IP connection to the phone that bypasses any firewall mechanism of the LTE network. The attacker is not able to break any security mechanism above the IP layer.

Results

Preliminary Experiments
We conduct several experiments to verify the assumed behavior of Android and iOS. In particular, we test if an unreachable reflection and a ping reflection is triggered for IPv4 and IPv6. The results indicate that those reflections are triggered for IPv4 only for Android and for IPv6 for Android and iOS.

Vulnerable iOS Android
IPv4 no yes
IPv6 yes yes
Commercial Network
To demonstrate the practical feasibility of the IMP4GT attacks, we have implemented a full end-to-end version of the attack within a commercial network and commercial phone within our lab environment. For the LTE relay, we use the open source LTE Software Stack srsLTE by Software Radio System. A shielding box stabilizes the radio layer and prevents interferences with the real network. We provide traces for the interested parties, e.g., researchers or providers.

Am I affected?

Attack Probability
Probably not! The attacker needs to be highly skilled and in close proximity to the victim. Besides the specialized hardware and a customized implementation of the LTE protocol stack, conducting the attack outside a controlled lab environment and withouth a shielding box would also require more engineering effort. However, for single targets of high interest it might be worth to meet the constraints above

 

Consequences

The attacker can impersonate the victim or the network on the IP layer, which means that it is possible to send and receive IP packets with the stolen identity. However, the attacker cannot access your private mail account or messengers, place phone calls, or break the TLS encryption. We list the consequences for operators, law enforcement, and users as follows.


Operators
Operators rely on mutual authentication for billing or authorization, for example, certain service websites are only accessible with network-layer identifier. IMP4GT allows allows an adversary to use the victim's identity on such service sites if no additional authorization is required, e.g., to buy a data pass. In case you work for a provider and need more information, please contact the GSMA security group.

Law enforcement
With IMP4GT, an attacker can forge any traffic to the Internet, e.g., to use the identity of a victim for uploading critical material. In cases where law enforcement agencies request the identity of a user for a particular public IP address (lawful disclosure request), the activities of an IMP4GT influence the results of an investigation.

Users
Users must deal with the consequences of impersonations targeting operators, and impersonations that interfere with law enforcement. For example, the provider charges the user's bank account when additional packages are bought, or a law enforcement agency initiates an investigation based on the false assumption of mutual authentication. Besides these uplink attacks, the downlink impersonation can be a stepping stone for follow-up attacks that exploit vulnerabilities in network applications.

Is 5G also vulnerable?

The attack exploits missing integrity protection and the reflection mechanism of the operating system. Only the first attack vector is specific for mobile networks, the latter is defined by the operating system of a mobile phone. We discuss the vulnerability of 5G regarding its two deployment phases:

Non-standalone (NSA)
Non-standalone (NSA) with dual connectivity is the first phase, in which the phone connects via 4G for all control data, but uses 5G for user data. The 3GPP 5G Security working group stated: ``Although integrity protection for UP (user plane) data is supported in 5G networks, it will not be used in dual connectivity case''. Thus, the early 5G deployments is vulnerable to IMP4GT attacks.

Standalone (SA)
The second phase will be the standalone (SA) phase, in which the phone has a control connection to the 5G core network along with the 5G radio layer. Its current state is as follows: User-data integrity protection is optional with either a full rate or limited to 64 kbit/s. As 5G promises connections of up to 20Gbit/s, the attack vector remains exploitable in 5G [TS38.300, TS33.501]

We emphasize the need for a mandatory full-rate integrity protection for 5G.

Technical Paper
Our work will appear at the NDSS Symposium 2020. A pre-print of the paper that contains all details is already available (PDF file).

Abstract
Long Term Evolution (LTE/4G) establishes mutual authentication with a provably secure AKA (Authentication and Key Agreement) protocol on layer three of the network stack. Permanent integrity protection of the control plane safeguards the traffic against manipulations. However, missing integrity protection of the user plane still allows an adversary to manipulate and redirect IP packets, as recently demonstrated.
In this work, we introduce a novel cross-layer attack that exploits the existing vulnerability on layer two and extends it with an attack mechanism on layer three. More precisely, we take advantage of the default IP stack behavior of operating systems and show that this combination allows an active attacker to impersonate a user towards the network and vice versa; we name these attacks IMP4GT (IMPersonation attacks in 4G neTworks). In contrast to a simple redirection attack as demonstrated in prior work, our attack dramatically extends the possible attack scenarios and thus emphasizes the need for user plane integrity protection in mobile communication standards. The results of our work imply that providers can no longer rely on mutual authentication for billing, access control, and legal prosecution. On the other side, users are exposed to any incoming IP connection as an adversary can bypass the provider's firewall. To demonstrate the practical impact of our attack, we conduct two IMP4GT attack variants in a commercial network, which---for the first time---completely break the mutual authentication aim of LTE on the user plane in a real-world setting.

BibTeX
If you want to cite the paper, please use the following BibTeX entry:

@inproceedings{rupprecht-20-imp4gt,
author = {Rupprecht, David and Kohls, Katharina and Holz, Thorsten and P\"{o}pper, Christina},
title = {IMP4GT: IMPersonation Attacks in 4G NeTworks},
booktitle = {ISOC Network and Distributed System Security Symposium (NDSS)},
year = {2020},
month = feb,
publisher = {ISOC}
}