IMP4GT Vulnerabilities Allow for Impersonation on 4G LTE, Early 5G Cellular Networks

A lack of protection at the user level leaves LTE and early 5G devices — including IoT and IIoT implementations — vulnerable to attack.

A team of researchers from Ruhr University Bochum and New York University Abu Dhabi have published details of a pair of impersonation attacks in 4G Long Term Evolution (LTE) networks — known as IMP4GT for short.

Mobile networks include, as required for everything from call routing to billing, a mutual authentication scheme so that the network can verify the handset and vice versa. While the authentication scheme used in Long Term Evolution (LTE) cellular networks is provably secure, there's a flaw: a lack of integrity protection on the user plane (the data traffic), as opposed to the control plane (signalling), means it's possible to manipulate and redirect packets.

"An attacker can book services, for example [to] stream shows," explains Professor Thorsten Holz from Horst Görtz Institute for IT Security of the vulnerabilities' impact, "but the owner of the attacked phone would have to pay for them."

IMP4GT comes in two variants: an uplink impersonation attack allows the attacker to generate IP traffic which will be associated with the IP address of the target, potentially triggering billing as per Holz's warning; downlink impersonation, meanwhile, lets an attacker create a TCP/IP connection to a target handset and immediately bypass any IP-level protections in the LTE network.

In testing, the researchers found that Android handsets were vulnerable to the IMP4GT attacks across both IPv4 and IPv6 networks; Apple's iOS, meanwhile, proved vulnerable only in IPv6 mode. While tricky to pull off — "the attacker needs to be highly skilled and in close proximity to the victim," the researchers advise — the attack could potentially spell trouble for high-value Internet of Things (IoT) and Industrial Internet of Things (IIoT) devices which use LTE networks for data transmission.

The attacks aren't restricted to LTE networks, though those are their primary target: the researchers found that early 5G network implementations operating in non-standalone mode have the same lack of user-plane integrity protection as LTE; the second-phase standalone rollout, however, implements optional user-plane data integrity protection which blocks the attacks if enabled.
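As an added illustration, not code from the researchers or the page: a toy model of a user-plane PDU protected by a stream cipher with and without an integrity tag, showing why the optional user-plane integrity protection in 5G standalone mode blocks in-transit manipulation. The keystream and tag below are HMAC-SHA256 constructions assumed as stand-ins, not the real 3GPP ciphering and integrity algorithms, and the IPv4 header is constructed sample data.

```python
import hmac
import hashlib

# Assumed stand-in keystream (HMAC-SHA256 in counter mode), NOT the 3GPP cipher.
def keystream(key: bytes, count: int, length: int) -> bytes:
    """Deterministic keystream for a given PDCP COUNT value."""
    out, block = b"", 0
    while len(out) < length:
        msg = count.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]

def protect(k_enc, k_int, count, payload, integrity):
    """Sender: cipher the payload; with integrity on, append a 4-byte tag."""
    ks = keystream(k_enc, count, len(payload))
    ct = bytes(p ^ k for p, k in zip(payload, ks))
    if integrity:
        tag = hmac.new(k_int, count.to_bytes(4, "big") + ct, hashlib.sha256).digest()[:4]
        return ct + tag
    return ct

def unprotect(k_enc, k_int, count, pdu, integrity):
    """Receiver: verify the tag if configured, then decipher. None means discarded."""
    ct = pdu
    if integrity:
        ct, tag = pdu[:-4], pdu[-4:]
        expected = hmac.new(k_int, count.to_bytes(4, "big") + ct, hashlib.sha256).digest()[:4]
        if not hmac.compare_digest(tag, expected):
            return None  # integrity failure: the PDU never reaches the IP stack
    ks = keystream(k_enc, count, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

def tamper_test(integrity):
    """Modify one ciphered byte in transit and report what the receiver sees."""
    k_enc, k_int, count = b"K_enc_demo", b"K_int_demo", 7
    # Constructed 20-byte IPv4 header (checksum not real); bytes 16..19 are the destination.
    header = bytes.fromhex("4500001c000100004011000a") + bytes([10, 0, 0, 1, 10, 0, 0, 2])
    pdu = bytearray(protect(k_enc, k_int, count, header, integrity))
    pdu[19] ^= 0x04  # the ciphered destination byte is altered without knowing the key
    received = unprotect(k_enc, k_int, count, bytes(pdu), integrity)
    return {"accepted": received is not None,
            "dst_changed": received is not None and received[16:20] != header[16:20]}

if __name__ == "__main__":
    print("confidentiality only:", tamper_test(False))  # accepted, destination changed
    print("with integrity tag:  ", tamper_test(True))   # discarded at the receiver
```

The confidentiality-only case accepts a packet whose destination was silently altered; with the tag enabled the same modification is discarded before it reaches the IP stack, which is the behaviour the 5G standalone option provides.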

More information on the IMP4GT vulnerabilities can be found on the official website, and in a pre-print paper published ahead of a presentation at the NDSS Symposium 2020.

Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.