Hackers can abuse LTE protocols to knock phones off networks

Attacks on the global mobile interconnection network are still possible even with the new LTE Diameter protocol, researchers say

When you travel between countries, the mobile operators that temporarily provide service to your phone need to communicate with your operator back home. This is done over a global interconnection network where most traffic still uses an ageing protocol, called SS7, that's known to be vulnerable to location tracking, eavesdropping, fraud, denial of service (DoS), SMS interception and other attacks.

With the advance of Long-Term Evolution (LTE) networks, some roaming traffic is switching to a newer protocol, called Diameter, that's more secure than SS7 in theory, but which still allows for attacks if it's not deployed with additional security mechanisms.

For example, the Internet Protocol Security (IPsec), a secure communications suite that works by authenticating and encrypting each IP (Internet Protocol) packet, has been standardized for Diameter. But while its implementation is mandatory, its use is optional.

In practice, IPsec is rarely used on the global interconnection network for various reasons and this means that many of the attacks that are possible with SS7 are also possible or have equivalents in Diameter, according to researchers from Nokia Bell Labs and Aalto University in Finland.

The researchers ran experiments on a test network set up by an unnamed global mobile operator and simulated attacks launched from Finland against U.K. subscribers. They found several methods of disrupting service to users, temporarily and permanently, and even a method that could affect important nodes that provide service to entire regions. The results were presented Friday at the Black Hat Europe security conference in London.

First off, attackers would need to gain access to this private interconnection network (IPX) in order to attack another operator's systems or subscribers. However, this is not hard to achieve, as multiple incidents have shown in the past, and there are different  ways to do it.

Attackers could, for example, pose as a virtual network operator and get access to the roaming network through an existing operator. They could also hack into one of the nodes run by existing operators, some of which are, sadly, accessible from the internet, when they shouldn't be.

If the attacker is actually a government, it could leverage its power over local operators to gain access through them. And if that doesn't work, bribing an employee from an operator is also an option.

Finally, access could be bought from other hackers that already have it. There have been services on the "dark" market that sold access to this network and there will probably be more in the future.

An operator's LTE network is made up of cell towers; nodes called MMEs (Mobility Management Entities) that provide session management, subscriber authentication, roaming and handovers to other networks; and a home subscriber server (HSS), the crown jewel that holds the master subscriber database. At the edge it has Diameter Edge Agents (DEAs), which serve as links to the interconnection network via IPX providers.

In order to pull off any attack on telecom networks, attackers need to know the victim's international mobile subscriber identity (IMSI), a unique number that's stored in the subscriber's SIM card. The researchers showed that attackers can easily obtain this number once they're on the IPX network by masquerading as a Short Message service center (SMSC) that's trying to deliver a text message to a phone number.

The attackers only need to know the victim's phone number in international format -- this is known as the Mobile Station International Subscriber Directory Number (MSISDN) -- and the DEA of the victim's operator. They can then send a routing information request through the DEA to the operator's HSS, which will respond with the subscriber's IMSI as well as the identity of the MME the subscriber is connected to. This provides the information needed to launch future attacks.

Such an attack involves the attackers masquerading as a partner's HSS and sending a Cancel Location Request (CLR) message to the victim's MME. This will cause the MME to disconnect the subscriber.

CLR messages are used on a regular basis inside the network when subscribers switch from one MME to another because of a change in location. However, the interesting aspect of this attack, aside from forcing an MME to detach a subscriber from the network, is that when the subscriber re-attaches, their device will send 20 different messages to the MME.

This amplification effect might pose risks to the MME if, for example, attackers force the detachment of hundreds of subscribers at the same time, although the researchers didn't test how many messages it would take to overload an MME. If an MME becomes unresponsive it would be bad, because there are only a few of them in a network and they serve large areas.

A second DoS technique devised by the researchers involves impersonating an HSS and sending an Insert Subscriber Data Request (IDR) to the victim's MME with a special value that means no service. This will permanently detach the user from the network because their subscription will be changed in the MME's records. Recovering from this can take a long time because the subscriber needs to call his mobile operator and sort out the situation.

The researchers also showed two other DoS techniques involving other types of Diameter messages, but they're only temporary as the user can recover by restarting their mobile device.

People seem to think that all will be better with LTE and Diameter, but in reality it will be different, not better, if mobile operators don't take additional security measures, said Silke Holtmanns, a security specialist with Nokia Bell Labs, during her talk at Black Hat Europe.

According to her, deploying IPsec is hard because not all traffic on the IPX network uses the Internet Protocol, and maintaining the kind of large public key infrastructures required by IPsec is costly for operators in developing countries. Nodes are also difficult to upgrade, and then there's the tough question of who should be in charge of creating and hosting the root certificates required by IPsec, which is likely to cause disputes between countries, she said.

And even if IPsec somehow becomes widely used, it still doesn't protect against attacks launched with the help of hacked nodes, rented network access, bribed employees or governmental ties, because these methods abuse legitimate access to the network.

According to the researchers, the best defense is a combination of measures. Operators should monitor the traffic on their networks and the traffic of their tenants and they should filter messages at their DEAs by using signaling firewalls. They should also harden their nodes, share their security experiences with other operators and put business rules in place so they can efficiently deal with misuse.

Join the PC World newsletter!

Error: Please check your email address.

Tags BLACK HAT EUROPE

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?