Hackers can abuse LTE protocols to knock phones off networks

Attacks on the global mobile interconnection network are still possible even with the new LTE Diameter protocol, researchers say

When you travel between countries, the mobile operators that temporarily provide service to your phone need to communicate with your operator back home. This is done over a global interconnection network where most traffic still uses an ageing protocol, called SS7, that's known to be vulnerable to location tracking, eavesdropping, fraud, denial of service (DoS), SMS interception and other attacks.

With the advance of Long-Term Evolution (LTE) networks, some roaming traffic is switching to a newer protocol, called Diameter, that's more secure than SS7 in theory, but which still allows for attacks if it's not deployed with additional security mechanisms.

For example, the Internet Protocol Security (IPsec), a secure communications suite that works by authenticating and encrypting each IP (Internet Protocol) packet, has been standardized for Diameter. But while its implementation is mandatory, its use is optional.

In practice, IPsec is rarely used on the global interconnection network for various reasons and this means that many of the attacks that are possible with SS7 are also possible or have equivalents in Diameter, according to researchers from Nokia Bell Labs and Aalto University in Finland.

The researchers ran experiments on a test network set up by an unnamed global mobile operator and simulated attacks launched from Finland against U.K. subscribers. They found several methods of disrupting service to users, temporarily and permanently, and even a method that could affect important nodes that provide service to entire regions. The results were presented Friday at the Black Hat Europe security conference in London.

First off, attackers would need to gain access to this private interconnection network (IPX) in order to attack another operator's systems or subscribers. However, this is not hard to achieve, as multiple incidents have shown in the past, and there are different ways to do it.

Attackers could, for example, pose as a virtual network operator and get access to the roaming network through an existing operator. They could also hack into one of the nodes run by existing operators, some of which are, sadly, accessible from the internet, when they shouldn't be.

If the attacker is actually a government, it could leverage its power over local operators to gain access through them. And if that doesn't work, bribing an employee from an operator is also an option.

Finally, access could be bought from other hackers that already have it. There have been services on the "dark" market that sold access to this network and there will probably be more in the future.

An operator's LTE network is made up of cell towers; nodes called MMEs (Mobility Management Entities) that provide session management, subscriber authentication, roaming and handovers to other networks; and a home subscriber server (HSS), the crown jewel that holds the master subscriber database. At the edge it has Diameter Edge Agents (DEAs), which serve as links to the interconnection network via IPX providers.

In order to pull off any attack on telecom networks, attackers need to know the victim's international mobile subscriber identity (IMSI), a unique number that's stored in the subscriber's SIM card. The researchers showed that attackers can easily obtain this number once they're on the IPX network by masquerading as a Short Message service center (SMSC) that's trying to deliver a text message to a phone number.

The attackers only need to know the victim's phone number in international format -- this is known as the Mobile Station International Subscriber Directory Number (MSISDN) -- and the DEA of the victim's operator. They can then send a routing information request through the DEA to the operator's HSS, which will respond with the subscriber's IMSI as well as the identity of the MME the subscriber is connected to. This provides the information needed to launch future attacks.

One such attack, the first of the researchers' denial-of-service techniques, involves the attackers masquerading as a partner's HSS and sending a Cancel Location Request (CLR) message to the victim's MME. This will cause the MME to disconnect the subscriber.

CLR messages are used on a regular basis inside the network when subscribers switch from one MME to another because of a change in location. However, the interesting aspect of this attack, aside from forcing an MME to detach a subscriber from the network, is that when the subscriber re-attaches, their device will send 20 different messages to the MME.

This amplification effect might pose risks to the MME if, for example, attackers force the detachment of hundreds of subscribers at the same time, although the researchers didn't test how many messages it would take to overload an MME. If an MME becomes unresponsive it would be bad, because there are only a few of them in a network and they serve large areas.

A second DoS technique devised by the researchers involves impersonating an HSS and sending an Insert Subscriber Data Request (IDR) to the victim's MME with a special value that means no service. This will permanently detach the user from the network because their subscription will be changed in the MME's records. Recovering from this can take a long time because the subscriber needs to call their mobile operator and sort out the situation.

The researchers also showed two other DoS techniques involving other types of Diameter messages, but they're only temporary as the user can recover by restarting their mobile device.

People seem to think that all will be better with LTE and Diameter, but in reality it will be different, not better, if mobile operators don't take additional security measures, said Silke Holtmanns, a security specialist with Nokia Bell Labs, during her talk at Black Hat Europe.

According to her, deploying IPsec is hard because not all traffic on the IPX network uses the Internet Protocol, and maintaining the kind of large public key infrastructures required by IPsec is costly for operators in developing countries. Nodes are also difficult to upgrade, and then there's the tough question of who should be in charge of creating and hosting the root certificates required by IPsec, which is likely to cause disputes between countries, she said.

And even if IPsec somehow becomes widely used, it still doesn't protect against attacks launched with the help of hacked nodes, rented network access, bribed employees or governmental ties, because these methods abuse legitimate access to the network.

According to the researchers, the best defense is a combination of measures. Operators should monitor the traffic on their networks and the traffic of their tenants and they should filter messages at their DEAs by using signaling firewalls. They should also harden their nodes, share their security experiences with other operators and put business rules in place so they can efficiently deal with misuse.
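As an illustration of the DEA filtering the researchers recommend, here is an added example (not code from the researchers or from the article) of one signaling-firewall rule: an HSS-originated S6a command such as CLR or IDR arriving from the interconnect is dropped when it concerns one of the operator's own subscribers (their HSS is internal and never reached via IPX) or when the Origin-Realm does not belong to the roaming subscriber's home network. The realm naming follows 3GPP TS 23.003; the home network (test PLMN 001-01), the partner realms and the sample messages are constructed for the example.

```python
import re
from dataclasses import dataclass

# Realm naming per 3GPP TS 23.003: epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org,
# with a 2-digit MNC zero-padded to three digits (e.g. MNC 01 -> mnc001).
REALM_RE = re.compile(r"^epc\.mnc(\d{3})\.mcc(\d{3})\.3gppnetwork\.org$")

# Constructed home network for this example: the test PLMN 001-01.
HOME_MCC, HOME_MNC = "001", "01"

# S6a commands that only a subscriber's home HSS may send to an MME.
HSS_ORIGINATED = {"CLR", "IDR"}  # Cancel-Location, Insert-Subscriber-Data

@dataclass
class DiameterMsg:
    command: str       # short command name as seen by the DEA, e.g. "CLR"
    origin_realm: str  # Origin-Realm AVP
    imsi: str          # User-Name AVP carrying the IMSI

def imsi_matches_realm(imsi: str, mcc: str, mnc3: str) -> bool:
    """True if the IMSI's MCC/MNC prefix is the PLMN encoded in the realm."""
    if imsi[:3] != mcc:
        return False
    # Try the 3-digit MNC reading, then the zero-padded 2-digit reading.
    return imsi[3:6] == mnc3 or (mnc3[0] == "0" and imsi[3:5] == mnc3[1:])

def check_inbound(msg: DiameterMsg) -> tuple[str, str]:
    """Verdict for one message arriving at the DEA from the IPX side."""
    if msg.command not in HSS_ORIGINATED:
        return "PASS", "not an HSS-to-MME command; outside this rule"
    m = REALM_RE.match(msg.origin_realm)
    if not m:
        return "DROP", "malformed Origin-Realm"
    mnc3, mcc = m.groups()
    if msg.imsi.startswith(HOME_MCC + HOME_MNC):
        # Our own HSS is reached internally, never via the interconnect.
        return "DROP", "HSS command for a home subscriber arrived over IPX"
    if not imsi_matches_realm(msg.imsi, mcc, mnc3):
        return "DROP", "Origin-Realm is not the subscriber's home PLMN"
    return "PASS", "origin consistent with inbound roamer's home HSS"

# Constructed sample traffic: a legitimate CLR, two spoofed commands, one unrelated command.
SAMPLE = [
    DiameterMsg("CLR", "epc.mnc002.mcc001.3gppnetwork.org", "001020000000001"),
    DiameterMsg("CLR", "epc.mnc002.mcc001.3gppnetwork.org", "001010000000007"),
    DiameterMsg("IDR", "epc.mnc003.mcc001.3gppnetwork.org", "001020000000001"),
    DiameterMsg("ULR", "epc.mnc002.mcc001.3gppnetwork.org", "001020000000002"),
]

if __name__ == "__main__":
    for msg in SAMPLE:
        verdict, why = check_inbound(msg)
        print(f"{msg.command} from {msg.origin_realm}: {verdict} ({why})")
```

A production rule set would add per-partner allow lists and rate limits on CLR bursts, since the article's amplification concern is about volume, not a single spoofed message.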


Lucian Constantin

IDG News Service