Every LTE call & text can be intercepted or blacked out, hacker finds [telecom]

Ruxcon Hacker Wanqiao Zhang of Chinese hacking house Qihoo 360 has blown holes in 4G LTE networks by detailing how to intercept and make calls, send text messages and even force phones offline.

The still-live attacks were demonstrated at the Ruxcon hacking confab in Melbourne this weekend, with the demo offering a recording of the hack perpetrated in part on a live network. It exploits fall-back mechanisms designed to ensure continuity of phone services in the event of overloads.

Monty Solomon

Well, this appears to be spoofing directed at forcing a directed handover. Not very interesting to me, it's basically the same as jamming the 3G signal so that phones connect to the unauthenticatable 2G signal. Which is what Stingray devices do.

However, the other bits are interesting to me. I'm not sure how familiar readers of Telecom Digest are with VoLTE (and IMS), but they're vaguely interesting.

VoLTE (Voice over LTE) is a technology where the "telephone" functions (calling and SMS) are transferred as IP data. In particular, it's all SIP, encapsulated into an alternate datastream of the LTE network. Much like a VLAN on an Ethernet network; it's just IP datagrams separately tagged for special bandwidth/latency treatment by routers, and segregation in the core network to dedicated voice VLANs. (IMS, the IP Multimedia Subsystem, is a subset of this same mechanism, using only the SMS transport functionality. So when I say VoLTE, I mean "VoLTE and IMS".)

VoLTE does not encrypt itself; it depends on the transport for security.

The interesting bit is VoLTE can also work on 3G and 2G networks. It's not limited to LTE. As long as the provider has the appropriate technology in their core network to speak VoLTE, it doesn't particularly matter what the bearer technology is. All of the various GSM-family radio protocols support this mechanism of using multiple PDP contexts; after all, it's necessary for MMS sexting to work. So, if you can force a hand-down from LTE to EDGE, where the phone has no way to authenticate the network, and then you supply an EDGE base station, you can do basically anything you want.

The promised work-around mentioned in the article, that is, the LTE modem ignoring the directed hand-down request and performing a base-station search of its own, is completely ineffective against this attack if the attacker is able to jam all the carrier frequencies that they don't control. Tools for this are commercially available, as I'm sure other Telecom Digest readers well know by now.

Astrid

Astrid Smith
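The hand-down Astrid describes (LTE pushed down to EDGE, where the handset cannot authenticate the network) is something a handset or a fleet-monitoring tool can at least flag after the fact. The following is an added example, not code from the thread or from any vendor: it parses a constructed radio-access-technology (RAT) change log in an invented format, and flags any directed hand-down from a higher RAT to 2G/3G that lands on a cell not in a list of known carrier cells. The log format, the cell identifiers and the `known_cells` list are all assumptions made for illustration.

```python
"""Flag suspicious LTE -> 2G/3G hand-downs in a constructed modem event log.

Added example, not part of the original thread. The log format is invented:
one event per line, "<time> RAT=<LTE|UMTS|EDGE|GSM> CELL=<id> CAUSE=<why>".
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Higher rank = more modern bearer. 2G bearers (GSM/EDGE) have no network
# authentication, which is why a drop onto them is the event of interest.
RAT_RANK: Dict[str, int] = {"LTE": 3, "UMTS": 2, "EDGE": 1, "GSM": 1}

# Constructed sample log (hypothetical format and cell ids, not real data).
SAMPLE_LOG = """\
10:00:01 RAT=LTE CELL=12345 CAUSE=attach
10:05:12 RAT=LTE CELL=12346 CAUSE=handover
10:07:40 RAT=EDGE CELL=99001 CAUSE=directed
10:07:55 RAT=EDGE CELL=99001 CAUSE=reselection
10:12:03 RAT=LTE CELL=12346 CAUSE=reselection
"""

# Assumed list of cells the carrier is known to operate (hypothetical ids).
KNOWN_CELLS: Set[str] = {"12345", "12346"}


@dataclass
class RatEvent:
    ts: str
    rat: str
    cell: str
    cause: str


def parse_log(text: str) -> List[RatEvent]:
    """Parse the constructed log format into RatEvent records, skipping blank lines."""
    events: List[RatEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(RatEvent(ts, kv["RAT"], kv["CELL"], kv["CAUSE"]))
    return events


def find_suspicious_handdowns(
    events: List[RatEvent], known_cells: Set[str]
) -> List[Tuple[str, str, str, str]]:
    """Return (time, from_rat, to_rat, cell) for each directed drop to a lower
    RAT that lands on a cell not in the known-cell list.

    A directed hand-down to a known carrier cell is normal load management;
    one to an unknown cell is what deserves a closer look.
    """
    findings = []
    for prev, cur in zip(events, events[1:]):
        dropped = RAT_RANK[cur.rat] < RAT_RANK[prev.rat]
        if dropped and cur.cause == "directed" and cur.cell not in known_cells:
            findings.append((cur.ts, prev.rat, cur.rat, cur.cell))
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_handdowns(parse_log(SAMPLE_LOG), KNOWN_CELLS):
        print("suspicious hand-down:", hit)
```

On the sample log this reports the single directed LTE-to-EDGE drop onto cell 99001; the later reselection on the same cell and the eventual return to LTE are not flagged. Whether a real modem exposes RAT-change events with a cause code at all is handset-specific, so treat the log format here purely as a stand-in.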
