A Chinese cybersecurity firm has demonstrated an attack that makes it possible to intercept all calls and SMS text messages on 4G LTE networks. Even scarier, the attack also makes it possible to hijack devices and knock them off the network, or to use the devices to make calls and send text messages.
Zhang Wanqiao, a security researcher at Qihoo 360, presented the attack at the recent Ruxcon Security Conference in Melbourne, Australia, showing a recording of a hack that was performed partly on a live network, according to The Register.
The attack works by setting up malicious fake mobile base stations that can intercept phone calls and read text messages, and that can also command the user's device to switch to a 2G network.
LTE networks are programmed to hand off users to any base stations that are not at full capacity, which is handy during a crisis, when everyone in a geographic area is trying to make calls or go online at the same time to get help or let loved ones know they're safe.
The hackers can manipulate this function by using an LTE IMSI catcher to detect the targeted device's unique IMSI (International Mobile Subscriber Identity) number. With the number, the attacker can mount a denial of service (DoS) attack that forces the device to connect to one of the fake base stations instead, where the hacker has full control over and access to the targeted device.
Zhang confirmed that the attack works on all 4G LTE networks and devices in the world, whether the network is on FDD-LTE (used in the US, UK and Australia) or TDD-LTE (used more commonly in Asian countries).
But it gets worse. Apparently the 3GPP telephony standards body has known about this attack since at least 2006, when it released a paper about the attack and accepted it as a risk, yet the attack is still possible today.
Zhang advises mobile operators to ensure that their base stations ignore redirection commands and instead use an automatic search to find the best available base station, which would prevent hackers from switching 4G devices over to fake base stations.
In May, the 3GPP's working group handling LTE security proposed that the standards should be altered to refuse any requests for one-way authentication or to downgrade encryption from any mobile base stations.