Chinese security researchers have found vulnerabilities in 4G LTE networks that allow hackers to intercept calls and text messages as well as block mobile signals to targeted phones. 4G LTE mobile networks are widely used around the world, including in Australia.
Security researcher Wanqiao Zhang from Qihoo 360 presented her team’s findings at hacking conference Ruxcon 2016 in Melbourne. Her team found that 4G LTE networks have a fall-back mechanism, used to offload data to different mobile base stations in the event of an emergency, that can be exploited for man-in-the-middle attacks.
Zhang showed a video of her team putting the exploit in action at Ruxcon. The video showed the team setting up a fake 4G network using a computer and a software defined radio to act as a base station. Under normal circumstances, handsets and base stations would send each other a series of messages for authentication and direction.
The fake network can trick the phone into connecting to it by sending it a Radio Resource Control (RRC) release message telling it to do so. RRC is used to establish a connection between a network and a handset. It is possible to use this method to force users onto a fake 4G network because the RRC redirection messages aren’t encrypted.
From there, hackers can use other techniques to intercept calls and texts and to black out mobile service for users who are connected to the fake network.
The Third Generation Partnership Project (3GPP) telco body has known about the issue since 2006, but it has not been fixed. Register has confirmed with the Qihoo 360 team that the exploits work on 4G networks using both the FDD-LTE and TDD-LTE standards. The latter is used in Australia.
To remediate these security holes in 4G LTE networks, Zhang recommends that phone manufacturers make handsets that don’t follow the RRC redirection command and, instead, automatically search for other available base stations. Should handsets continue to follow redirection commands, manufacturers could at least make phones that alert the user when they’re connected to a suspicious network.
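As an added illustration of the "alert the user" mitigation (this is not code from Zhang's team or from any handset vendor), the sketch below flags an RRC release that carries a redirection when the connection never completed security mode setup. It assumes the handset can expose a trace of RRC message names per cell; the event format, cell labels and sample trace are constructed for the example.

```python
# Added example: heuristic for unprotected LTE RRC redirections.
# The trace format and all sample values are constructed, not a real baseband log.
from dataclasses import dataclass
from typing import Iterable, List, Optional

@dataclass
class RrcEvent:
    t: float                           # seconds since trace start
    cell_id: str                       # serving cell label (constructed)
    msg: str                           # RRC message name
    redirect_to: Optional[str] = None  # set when redirectedCarrierInfo is present

@dataclass
class Alert:
    t: float
    cell_id: str
    reason: str

def find_suspicious_redirects(events: Iterable[RrcEvent]) -> List[Alert]:
    """Return an alert for every redirect received before security activation."""
    alerts: List[Alert] = []
    secured = {}  # cell_id -> True once SecurityModeComplete was sent on this connection
    for ev in sorted(events, key=lambda e: e.t):
        if ev.msg == "RRCConnectionSetup":
            secured[ev.cell_id] = False          # fresh connection, nothing protected yet
        elif ev.msg == "SecurityModeComplete":
            secured[ev.cell_id] = True           # integrity protection is now active
        elif ev.msg == "RRCConnectionRelease":
            if ev.redirect_to and not secured.get(ev.cell_id, False):
                alerts.append(Alert(ev.t, ev.cell_id,
                                    f"unprotected redirect to {ev.redirect_to}"))
            secured[ev.cell_id] = False          # connection is gone either way
    return alerts

# Constructed trace: cell-A redirects after security setup, cell-B before it,
# cell-C releases early but without any redirection.
SAMPLE = [
    RrcEvent(1.0, "cell-A", "RRCConnectionSetup"),
    RrcEvent(1.3, "cell-A", "SecurityModeComplete"),
    RrcEvent(5.0, "cell-A", "RRCConnectionRelease", redirect_to="carrier-1"),
    RrcEvent(12.0, "cell-B", "RRCConnectionSetup"),
    RrcEvent(12.4, "cell-B", "RRCConnectionRelease", redirect_to="carrier-X"),
    RrcEvent(20.0, "cell-C", "RRCConnectionSetup"),
    RrcEvent(20.2, "cell-C", "RRCConnectionRelease"),
]

if __name__ == "__main__":
    for a in find_suspicious_redirects(SAMPLE):
        print(f"[{a.t:6.1f}s] {a.cell_id}: {a.reason}")
```

A handset applying this check could refuse the redirect and rescan for other base stations, or surface the alert to the user, which are the two options Zhang describes.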