
Practical attacks against 4G (LTE) access network protocols - Oatseller
http://secure-systems-aalto.blogspot.com/2015/10/lte-attacks-2015.html
======
rmac
tldr:

1) LTE uses broadcast messages to do push notifications. These are unencrypted
and unauthenticated. Researchers can trigger them silently by spamming you on
Facebook, and triangulate your location since the LTE network only sends the
pages to the geographic location you are in.

2) LTE supports crash reports that can potentially include your GPS coords. A
rogue base station can request these from your phone without setting up an
encrypted channel due to shitty baseband implementations.

3) something about denial of service

the excellent paper is here:
[http://arxiv.org/pdf/1510.07563v1.pdf](http://arxiv.org/pdf/1510.07563v1.pdf)

~~~
TorKlingberg
I'd like to add a few things:

1) This is really a fundamental limitation of all encryption: it hides what
you are sending, but not the fact that you are sending something. Paging in
mobile networks is a broadcast message that basically just says "Device with
ID XXXX, please wake up and check in with the network". If you can cause pages
(by calling, texting or with Facebook messages) then you can see in what area
the paging is sent, and you can find out the ID (TMSI) of the device.

2) It is not a crash report, but a connection failure report.

3) During the initial connection, before encryption is started, a rogue
transmitter can send a connection rejection message to the phone, pretending
to be the network. The phone will not try 4G/3G again and will downgrade to 2G.
The attacker can then break the weak 2G authentication and make the phone
believe that it is a real base station. The last part is what an IMSI catcher /
Stingray device does.

~~~
Natanael_L
1) But you can hide who it is sent to, such that only timing attacks are
plausible (see Tor and every VPN).

------
zurn
Paper says they are leveraging GNU Radio hardware (USRP) and using parts of
this SDR LTE implementation:
[https://github.com/srsLTE/srsLTE](https://github.com/srsLTE/srsLTE)

Pretty cool.

I wonder how much of "some assembly required" there is to get this kind of
experiment up and running.

------
ck2
The LTE hack when it was first announced made me a little ill.

[http://www.zdnet.com/article/at-t-t-mobile-verizon-vulnerable-to-several-lte-flaws/](http://www.zdnet.com/article/at-t-t-mobile-verizon-vulnerable-to-several-lte-flaws/)

I always avoid wifi, thinking cell data is safer, but apparently not at all.

Sometimes I wish phones/tablets had ethernet ports.

~~~
xorcist
What's "safer" (or less safe) about different transport protocols, when you're
carrying Internet traffic?

~~~
bigiain
It takes a somewhat more privileged network position to MITM a 4G connection
from your phone than "some guy with a wifi pineapple" impersonating some wifi
base station your phone already trusts. It's easy enough to set up a wifi
radio which says: "You wanna connect to 'Netgear'? Or 'Starbucks Free Wifi'?
Sure - I can be that for you!". At least if I'm using 4G at Starbucks you'd
need to be sitting on a backbone or in front of redtube^h^h^h^h^h^h^h
wikipedia.com's servers to MITM me...

------
chinathrow
On a related note, Google still hasn't added TLS to blogspot.com...

~~~
aiiane
It's available to be turned on for individual blogs:

[https://support.google.com/blogger/answer/6284029?hl=en](https://support.google.com/blogger/answer/6284029?hl=en)