
4G LTE protocols used by smartphones can be hacked, researchers found - darkden
https://www.cyberscoop.com/4g-lte-protocols-used-smarthphones-can-hacked-researchers-found/
======
debatem1
This is really not much of a story, despite the exciting headline.

The claim is that IPSec core networks can be subjected to a denial of service,
and that this will result in a DoS for the users. That's correct but not very
interesting.

The researchers then go on to note that a DoS on 4G specifically can put users
into a vulnerable position by shoving them over onto 2G networks, which _are_
very vulnerable. But at the end of the day it's still only a DoS on LTE-- what
you've switched to after that is not LTE's problem.

That's not to say the LTE isn't vulnerable, of course. Breaking data plane
crypto at the ENB means that limited physical penetrations convert them into
very effective surveillance tools. And the data plane crypto isn't great
(lacks integrity protection). I've suspected in the cold quiet of my heart
that some operators run EIA0 in production. Etc.

So, yay for DoS, but I wish people would use the word "hacked" a bit more
clearly, or drop it altogether.

~~~
tdkl
> people would use the word "hacked" a bit more clearly

It gets more clicks though nowadays. Bad password discipline? It's a hack!

> shoving them over onto 2G networks

Wonder why Android doesn't have a setting to lock on LTE/4G as it does for 3G,
maybe in the future when LTE is more widespread.

~~~
digi_owl
Could be that by default LTE is only a data carrier.

Until you can be reasonably sure that there is VoLTE support everywhere,
restricting the phone to LTE service means you lose out on call capability.
And that is likely to be a big no-no for emergency reasons. After all, a phone
without a SIM can still call the national emergency numbers around the world.

~~~
kalleboo
> After all, a phone without a SIM can still call the national emergency
> numbers around the world

This is actually not true in every country.

------
pnathan
It's my perception that smart phones and their surrounding software, hardware,
and protocols are _very very hackable_ outside of the basic kernel and app-
level systems.

The baseband cpu is out of your control, the encryption is legendarily bad,
the protocols are MITM'able, the kernel is subject to patches from your cell
phone company...

~~~
londons_explore
Nearly all phones use a baseband from qualcomm. It has rather poor security.
I'm sure if you looked hard enough you could find a remotely accessible one.

------
dmix
> SS7 was in the news earlier this year after a 60 Minutes exposé led to calls
> for a congressional investigation and a FCC review.

It was? Why didn't I hear about this? I don't remember this coming up on HN.
It is interesting that the mainstream media would take an interest in that,
considering SS7 security was a relatively obscure subject in the tech
community until recently.

> In his letter to FCC Chairman Tom Wheeler, Lieu said the flawed SS7 system
> provides an open door for foreign hackers who want to intercept the private
> communications of U.S. government officials.

[https://www.wirelessweek.com/news/2016/08/congressman-urges-...](https://www.wirelessweek.com/news/2016/08/congressman-urges-fcc-speed-investigation-ss7-flaws-light-dccc-rccc-hacks)

I don't think there has been enough research into the risks of these mobile
networks. Not just from external attack but exploitation by domestic nation
states to deploy malware onto people's phones, mass location tracking, social
network modeling, etc.

The amount of power these ubiquitous towers provide any nation state with a
modern security service and a penchant for secrecy is definitely underrated.
Forget all of those quotes from the US founding fathers about gun ownership as
a necessary affront to tyranny, controlling the communications networks makes
any type of internal non-political rebellion against the state a long lost
idea.

~~~
revelation
There has been plenty of research into mobile networks by people who have the
resources to acquire the necessary test gear and documentation, aka nation
states and intelligence services.

It's just that they have decided they would rather keep us all insecure than
lose the ability to deploy their little spy toolkits on journalists and such.

Cool talk from Nohl where they deploy a location tracker over the air to the
SIM card:

[https://media.ccc.de/v/30C3_-_5449_-_en_-_saal_1_-_201312271...](https://media.ccc.de/v/30C3_-_5449_-_en_-_saal_1_-_201312271715_-_mobile_network_attack_evolution_-_karsten_nohl_-_luca_melette)

If I remember correctly, that wasn't even a bug, but a feature mixed with
insecure configuration.

------
satbyy
The actual research presentation is here (by Nokia Bell Labs researchers Silke
Holtmanns, Bhanu Kotte and Siddharth Rao):

[pdf]: [https://www.blackhat.com/docs/eu-16/materials/eu-16-Holtmann...](https://www.blackhat.com/docs/eu-16/materials/eu-16-Holtmanns-Detach-Me-Not.pdf)

------
dvcc
Denial of service attacks against networks where devices need to be authorized
to connect? A little bit of an overreaching headline.

~~~
tmzt
They don't need to be authorized to attempt to connect, or to spam the channel
with unrelated frames.

------
samat
It is fascinating how complex 4G networks are, compared to SS7-powered
networks. It's like a Boeing 747 compared to WW2 war planes. Obviously, you
have more vulnerabilities on the larger attack surface.

~~~
noselasd
The complexity is more on the IMS side. Everything else in 4G is a bit simpler.
Fewer and less arcane protocols, a bit fewer nodes.

------
doubt_me
Of course it's a proof of concept.

------
zw123456
They mention a good countermeasure is to install lots of firewalls, I agree
with that. Oh, BTW, Nokia happens to have them available for purchase... I
don't want to seem too cynical here but... sounds a little like maybe the idea
is to generate some buzz for their FW product?

