Researchers from Ruhr University have reported a problem they call IMP4GT (IMPersonation Attacks in 4G NeTworks). Because the weakness lies in the LTE standard rather than in one vendor's implementation, it affects practically all LTE-capable smartphones, tablets, and IoT devices.
The flaw lets an attacker impersonate a user toward the operator's network (and the network toward the user), which means the attacker could take out paid subscriptions at another person's expense or publish something (for example, secret documents) under another person's identity.
“In mobile networks, mutual authentication ensures that the smartphone and the network can verify their identities. In LTE, mutual authentication is established on the control plane with a provably secure authentication and key agreement protocol. However, missing integrity protection of the user plane still allows an adversary to manipulate and redirect IP packets”, the Ruhr University researchers write.
A key element of an IMP4GT attack is a software-defined radio, which is why the attacker has to be physically close to the victim. The radio intercepts the signals between the mobile device and the base station and relays them: toward the phone it poses as the base station, and toward the network it poses as the phone. Once this man-in-the-middle position is established, the attacker can start manipulating the data packets that pass between the device and the base station.
“Data packets between the mobile phone and the base station are transmitted in encrypted form, which protects them against eavesdropping. However, it is possible to modify these data packets. We don’t know what is in a data packet, but we can provoke errors by changing bits from 0 to 1 or from 1 to 0”, the experts say.
Because the user plane carries no integrity check, such bit flips go unnoticed. The researchers use them to make the mobile device or the base station decrypt or encrypt messages on the attacker's behalf, which lets the attacker recover the plaintext of captured packets or inject packets of their own; in effect, the attacker can send commands without authorization.
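The bit flipping the researchers describe works because LTE encrypts the user plane with a stream cipher (EEA2 is AES in counter mode) and, as the quote says, adds no integrity check. The following Go program is an added example written for this article; it is not code from the original page or from the Ruhr University team. The key, IV, nonce, addresses and payload are all constructed, and AES-GCM stands in for "encryption plus integrity protection" rather than for the actual 5G user-plane integrity algorithm. It encrypts a small IPv4 packet, rewrites the destination address in the ciphertext without knowing the key, and then shows that the same manipulation is caught as soon as an authentication tag is present:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Constructed values for this example; none of them come from the paper.
var (
	key      = []byte("0123456789abcdef")           // AES-128 key shared by phone and network
	ctrIV    = []byte("ctr-iv-16-bytes!")           // 16-byte IV for CTR mode
	gcmNonce = []byte("gcm-nonce-12")               // 12-byte nonce for GCM
	srcIP    = [4]byte{10, 0, 0, 2}                 // the phone
	realDNS  = [4]byte{8, 8, 8, 8}                  // where the phone meant to send the query
	evilDNS  = [4]byte{203, 0, 113, 7}              // attacker-controlled server (TEST-NET-3)
	payload  = []byte("constructed DNS query bytes") // stands in for the UDP/DNS payload
)

// ipv4Checksum: RFC 791 header checksum of a 20-byte header, with bytes 10..11 treated as zero.
func ipv4Checksum(hdr []byte) uint16 {
	var sum uint32
	for i := 0; i < 20; i += 2 {
		if i != 10 {
			sum += uint32(binary.BigEndian.Uint16(hdr[i : i+2]))
		}
	}
	for sum>>16 != 0 {
		sum = (sum & 0xffff) + (sum >> 16)
	}
	return ^uint16(sum)
}

// buildHeader returns a minimal IPv4 header (no options) for a UDP datagram.
func buildHeader(src, dst [4]byte, payloadLen int) []byte {
	hdr := make([]byte, 20)
	hdr[0] = 0x45 // version 4, header length 5 words
	binary.BigEndian.PutUint16(hdr[2:4], uint16(20+payloadLen))
	hdr[8], hdr[9] = 64, 17 // TTL, protocol UDP
	copy(hdr[12:16], src[:])
	copy(hdr[16:20], dst[:])
	binary.BigEndian.PutUint16(hdr[10:12], ipv4Checksum(hdr))
	return hdr
}

func mustAES() cipher.Block { // AES-128 block for the constructed key; cannot fail here
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}

// ctrXOR is AES-CTR, the construction behind LTE's EEA2: the same XOR encrypts and decrypts.
func ctrXOR(data []byte) []byte {
	out := make([]byte, len(data))
	cipher.NewCTR(mustAES(), ctrIV).XORKeyStream(out, data)
	return out
}

// attackerRedirect is the manipulation step and uses no key material: knowing the
// plaintext header, the attacker XORs old^new into the ciphertext so that only the
// destination address and the header checksum change after decryption.
func attackerRedirect(ct, knownHdr []byte, newDst [4]byte) []byte {
	wantHdr := append([]byte(nil), knownHdr...)
	copy(wantHdr[16:20], newDst[:])
	binary.BigEndian.PutUint16(wantHdr[10:12], ipv4Checksum(wantHdr))
	out := append([]byte(nil), ct...)
	for i := range wantHdr {
		out[i] ^= knownHdr[i] ^ wantHdr[i]
	}
	return out
}

// withoutIntegrity models the LTE user plane (encryption only) and reports where the tampered
// packet ends up after decryption, whether its header checksum is valid and whether the payload is intact.
func withoutIntegrity() (dst [4]byte, checksumOK, payloadOK bool) {
	pt := append(buildHeader(srcIP, realDNS, len(payload)), payload...)
	got := ctrXOR(attackerRedirect(ctrXOR(pt), pt[:20], evilDNS))
	copy(dst[:], got[16:20])
	checksumOK = binary.BigEndian.Uint16(got[10:12]) == ipv4Checksum(got[:20])
	return dst, checksumOK, string(got[20:]) == string(payload)
}

// withIntegrity applies the same manipulation to an AES-GCM ciphertext (encryption plus an
// authentication tag, standing in for mandatory user-plane integrity): Open rejects it.
func withIntegrity() error {
	pt := append(buildHeader(srcIP, realDNS, len(payload)), payload...)
	aead, _ := cipher.NewGCM(mustAES()) // NewGCM cannot fail for an AES block
	sealed := aead.Seal(nil, gcmNonce, pt, nil)
	_, err := aead.Open(nil, gcmNonce, attackerRedirect(sealed, pt[:20], evilDNS), nil)
	return err // "cipher: message authentication failed"
}

func main() {
	dst, csumOK, payloadOK := withoutIntegrity()
	fmt.Printf("CTR only: packet now goes to %v, checksum valid=%v, payload intact=%v\n", dst, csumOK, payloadOK)
	fmt.Printf("CTR+GCM tag: receiver says: %v\n", withIntegrity())
}
```

Two caveats a practitioner would want: the XOR trick only changes bits at positions whose plaintext the attacker can predict, so redirecting a packet requires knowing the header bytes at that offset (here the attacker also fixes up the IPv4 header checksum, which is only possible because the whole header is known; unpredictable fields make this harder). And the second half shows that the attack is not against the cipher but against the missing integrity protection, which is exactly what mandatory user-plane integrity in 5G is meant to close.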
Such commands can be used to buy paid subscriptions or book services that someone else pays for, but the consequences can be more serious: an attacker can visit websites under another person's identity and transmit information on that person's behalf, that is, impersonate them.
The authors of the study emphasize that IMP4GT also threatens 5G networks that do not protect the integrity of the user plane. The vulnerability can be closed in 5G by making user-plane integrity protection mandatory, but this would cost telecom operators considerably: the added protection increases the amount of data transmitted, base stations would need to be modified, and existing smartphones would have to be replaced.
The researchers will present a detailed report on the problem at the NDSS Symposium 2020 conference, which will soon be held in San Diego.
Finally, I remind you that data privacy is quite a shaky thing; for example, US authorities can hack the iPhone but may have difficulties with Android.