Long Term Evolution (LTE/4G) establishes mutual authentication with a provably secure Authentication and Key Agreement (AKA) protocol on layer three of the network stack.
Permanent integrity protection of the control plane safeguards the traffic against manipulations. However, missing integrity protection of the user plane still allows an adversary to manipulate and redirect IP packets, as recently demonstrated.
A group of academics from Ruhr University Bochum and New York University Abu Dhabi have uncovered security flaws in 4G LTE and 5G networks that could potentially allow hackers to impersonate users on the network and even sign up for paid subscriptions on their behalf.
The impersonation attack, named “IMPersonation Attacks in 4G NeTworks” (IMP4GT), does not break the mutual authentication that the phone and the base station perform to verify each other’s identity. Instead, it exploits the fact that user-plane packets are encrypted but not integrity protected, which lets an attacker in the middle manipulate data packets in transit and thereby undermine what that authentication is supposed to guarantee.
“The IMP4GT attacks exploit the missing integrity protection for user data, and a reflection mechanism of the IP stack mobile operating system. We can make use of the reflection mechanism to build an encryption and decryption oracle. Along with the lack of integrity protection, this allows us to inject arbitrary packets and to decrypt packets,” the researchers explained.
The research was presented at the Network Distributed System Security Symposium (NDSS) on February 25 in San Diego.
Because the flaw lies in the LTE specification itself rather than in a particular vendor’s implementation, it affects every device that carries data over LTE: smartphones, tablets, and IoT devices alike.
This attack has far-reaching consequences for providers and users. Providers can no longer assume that an IP connection originates from the user.
Billing mechanisms can be triggered by an adversary, causing the exhaustion of data limits, and any access control or the providers’ firewall can be bypassed. A possible impersonation also has consequences for legal prosecution, as an attacker can establish arbitrary IP connections associated with the victim’s identity.
IMP4GT can be deployed in two variants:
i) In the uplink impersonation variant, the attacker acts as a user towards the network; this variant can be used to establish a TCP/IP connection towards the Internet that is associated with the victim’s identity.
ii) In the downlink variant, the attacker impersonates the network and can establish a TCP/IP connection towards the phone. In doing so, the attacker circumvents the provider’s firewall and can potentially use this connection for malware deployment or data exfiltration.
In contrast to the layer-two redirection presented in earlier work, IMP4GT allows the attacker to not only manipulate the content of a connection, but adds substantially more degrees of freedom (e. g., establishing arbitrary network connections) to possible attack scenarios.
We are the first to combine the known layer-two vulnerability with a layer-three attack to extend the adversary’s capabilities.
This broader view on the problem of missing integrity protection leads to the discovery of new vulnerabilities that allow a full impersonation attack. In a series of empirical experiments, we provide a comprehensive view of the problem statement and explain the characteristics we make use of for IMP4GT.
Furthermore, we show the real-world applicability of the uplink and downlink attacks in an actual commercial network. To this end, we demonstrate how an attacker can access a service site that should only be accessible for the victim and how an attacker can bypass the provider’s firewall.
The feasibility of such an impersonation reveals that the dimension of missing integrity protection is more far-reaching than previously assumed. We describe the analysis in a step-by-step manner for the uplink and downlink variants of IMP4GT.
By performing the analysis and demonstrating the attack, we also aim at influencing the current 5G specification to mandate user plane integrity. In summary, we make the following three contributions:
- We introduce IMP4GT, an attack that exploits the missing integrity protection on layer two along with standard IP stack behavior on layer three. This cross-layer approach aggravates a prior redirection attack with the ability to perform a full impersonation on the user plane in both uplink and downlink direction.
- We provide a comprehensive series of experiments that enable us to understand the network characteristics we exploit for the IMP4GT attacks. In particular, we analyze the default IP stack behavior for two types of reflections, which allows us to build the encryption and decryption oracle for the impersonation attack.
- Finally, we successfully demonstrate full end-to-end implementations of the uplink and downlink variants of IMP4GT with a mobile phone in a commercial network. Furthermore, we discuss the implications of our attack for the current and upcoming mobile generations for both users and providers.
Responsible Disclosure. Following the guidelines of responsible disclosure, we informed providers and vendors about our findings through the GSMA’s coordinated vulnerability disclosure program.
By that, we hope to influence the LTE and 5G specifications to add full rate, mandatory integrity protection.
How does the IMP4GT attack work?
The researchers carried out the attacks with software-defined radios configured as a relay between the phone and the base station: one radio poses as the base station towards the phone, a second one poses as the phone towards the real base station, and every frame passes through the attacker.
This man-in-the-middle position allows the attacker to impersonate the user towards the network and vice versa.
In other words, the attacker tricks the network into treating the radio as the phone (uplink impersonation) and dupes the phone into treating the software-defined radio as the legitimate cell tower (downlink impersonation).
“The uplink impersonation allows an attacker to establish an arbitrary IP connection towards the Internet, e. g., a TCP connection to an HTTP server. With the downlink variant, the attacker can build a TCP connection to the UE,” the researchers said.
Note that the adversary must be within radio range of the victim’s mobile phone (reported as up to about 2 km) to mount the IMP4GT attack.
From the phone’s perspective, this relay is comparable to the cell-site simulators (IMSI catchers, also called stingrays) that law enforcement agencies use to intercept mobile phone traffic, with the relay forwarding and manipulating traffic in both directions.
Once this communication channel is compromised, the next stage of the attack works by taking advantage of the missing integrity protection in the LTE communication standard to arbitrarily modify the data packets that are being exchanged.
By forging the Internet traffic, the attack could allow a hacker to make unauthorized purchases, access illegal websites, or upload sensitive documents under the victim’s identity. Redirecting the user to a malicious site was already possible with the earlier aLTEr attack, a layer-two redirection that IMP4GT builds upon.
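To make the manipulation concrete, the following Python is an added example written for this page, not code from the IMP4GT authors. It models LTE user-plane ciphering as a per-packet stream cipher (the real EEA2 is AES in counter mode keyed by PDCP COUNT, bearer and direction; here an HMAC-SHA256 keystream stands in so the script needs only the standard library) and shows why one known plaintext plus missing integrity protection is enough to forge an uplink packet under the victim’s keys, and how a per-packet integrity tag (a stand-in for EIA2’s MAC-I) would reject the forgery. Keys, counts, packet contents and the address 198.51.100.7 (documentation range) are constructed.

```python
"""Why a malleable user plane breaks impersonation resistance.

Added example. LTE's EEA2 ciphers each PDCP packet with AES-CTR keyed by the
PDCP COUNT, bearer and direction; here an HMAC-SHA256 keystream stands in so
the script needs only the standard library. Keys, counts, packet contents and
the address 198.51.100.7 (documentation range) are all constructed.
"""
import hashlib
import hmac
import struct

UPLINK, DOWNLINK = 0, 1


def keystream(ck, count, bearer, direction, length):
    """Per-packet keystream: a fresh (count, bearer, direction) triple gives an
    independent keystream, so recovered keystream only fits one packet."""
    out = b""
    block = 0
    while len(out) < length:
        info = struct.pack("!IBBI", count, bearer, direction, block)
        out += hmac.new(ck, info, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cipher(ck, count, bearer, direction, data):
    """Encrypt and decrypt are the same XOR, as in any stream cipher."""
    return xor(data, keystream(ck, count, bearer, direction, len(data)))


def forge(ciphertext, known_plaintext, new_plaintext):
    """Relay-side forgery: ciphertext XOR known XOR wanted. No key is needed;
    the only constraint counter mode imposes is that the length stays equal."""
    if not len(ciphertext) == len(known_plaintext) == len(new_plaintext):
        raise ValueError("stream-cipher malleability preserves packet length")
    return xor(ciphertext, xor(known_plaintext, new_plaintext))


def mac_i(ik, count, bearer, direction, packet):
    """32-bit integrity tag over count, bearer, direction and packet (a
    stand-in for the EIA2 MAC-I that LTE computes for the control plane only)."""
    info = struct.pack("!IBB", count, bearer, direction)
    return hmac.new(ik, info + packet, hashlib.sha256).digest()[:4]


def uplink_impersonation(ck, ik, count=4711, bearer=5):
    """Returns what the network decrypts from the forged uplink packet, and
    whether that packet would pass an integrity check had one been mandated."""
    # The UE answers an attacker-chosen echo request, so the attacker at the
    # relay knows this uplink plaintext byte for byte (the encryption oracle).
    echo_reply = b"ICMP-ECHO-REPLY:" + b"A" * 24
    captured = cipher(ck, count, bearer, UPLINK, echo_reply)
    # What the attacker wants the network to accept under the victim's identity.
    wanted = b"TCP-SYN->198.51.100.7:80".ljust(len(echo_reply), b"\0")
    forged = forge(captured, echo_reply, wanted)
    network_view = cipher(ck, count, bearer, UPLINK, forged)
    # With user-plane integrity, the UE would have sent a tag over the real
    # plaintext and the network would recompute it over what it received.
    tag_from_ue = mac_i(ik, count, bearer, UPLINK, echo_reply)
    tag_at_network = mac_i(ik, count, bearer, UPLINK, network_view)
    return network_view, hmac.compare_digest(tag_from_ue, tag_at_network)


if __name__ == "__main__":
    view, accepted = uplink_impersonation(b"\x11" * 16, b"\x22" * 16)
    print("network decrypts:", view.rstrip(b"\0"))
    print("accepted with integrity protection:", accepted)
```

The forgery never touches the key: the attacker only needs the plaintext of one packet at one PDCP count, which the reflection mechanism hands over, and replaces that packet before it reaches the network. Since every count has its own keystream, the recovered keystream is useless for any other packet, which is why the attack has to trigger a fresh reflection per forged packet.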
“This attack has far-reaching consequences for providers and users,” the researchers said in the paper. “Providers can no longer assume that an IP connection originates from the user. Billing mechanisms can be triggered by an adversary, causing the exhaustion of data limits, and any access control or the providers’ firewall can be bypassed.”
Moreover, “by doing so, we show that an attacker can bypass the provider’s firewall mechanism, and the phone is open to any incoming connection. Such an attack is a stepping stone for further attacks, such as malware deployment.”
DISCUSSION
During the attach procedure, LTE establishes mutual authentication with a provably secure AKA protocol. By itself, IMP4GT does not attack this AKA protocol, and when the AKA is performed, both communication parties are authenticated on the control plane.
Even relaying the messages transparently with the relay would not be problematic if the chosen security measures were secure against manipulation. However, this is not the case for the user plane due to the lack of integrity protection.
Consequently, IMP4GT exploits the lack of integrity protection in combination with the IP stack behavior, effectively enabling an attacker to impersonate the respective party.
IMP4GT breaks mutual authentication only on the user plane. In this section, we first discuss the implications of our attack for providers, juridical entities, and users. We assess its real-world applicability, present possible countermeasures, and describe the state of integrity protection in the 5G specification.
Providers rely on mutual authentication for several use cases, such as billing and authorization. One essential requirement for providers is the correct billing of the customers. Furthermore, certain services are only accessible by the authenticated identity, like service websites. Such authentication is performed through header enrichment: the provider’s gateway inserts an identifying HTTP header based on the source IP address of the connection alone.
Additionally, some providers support third-party PDN networks that are only accessible with APN settings and the correct authentication. IMP4GT undermines user authentication and thereby puts the provider’s business model at risk.
For example, IMP4GT allows for draining the data volume or accessing the service site with a victim’s identity. Providers are required to analyze their risk for each case in which they rely on user authentication.
Additionally, law enforcement agencies have an interest in identifying the correct person during a prosecution. Lawful interception is one requirement that allows targeted wiretapping. Another method to identify a possible perpetrator of Internet crime is to request the identity of a user for a particular public IP address from the provider based on a lawful disclosure request.
With IMP4GT, an attacker can forge any traffic to the Internet. For example, an attacker can upload prosecution relevant material with the identity of the victim to the Internet. In those cases, the traces from an interception activity can show anomalies such as repetitive UDP packets and a high amount of ICMP packets.
However, an attacker can imitate legitimate traffic by simulating DNS traffic for the UDP connection and normal ICMP echo/reply traffic for the ICMP packets. When the agency requests the identity solely from the public IP address, indicators such as traffic anomalies are not available at all. In both cases, the law enforcement agencies cannot rely on mutual authentication and need to consider the possibility of an IMP4GT attack while investigating the case.
Users are affected by all points that apply for the provider and law enforcement agencies. For example, the provider charges the user’s bank account when additional packages are bought, or a law enforcement agency initiates an investigation based on the false assumption of mutual authentication. In those cases, the user has no means to prove his/her innocence.
Additionally, the downlink impersonation is an attack directed against the user’s phone and can be a stepping stone for further attacks. An attacker can exploit vulnerabilities of network applications, e.g., IoT applications or the operating system. In light of zero-day attacks discovered in the wild, IMP4GT can be an additional stepping stone for such an attack. Our attack shows that users cannot rely on the provider’s firewall and need to harden their devices.
B. Real-World Considerations
We have demonstrated the feasibility of the uplink and downlink IMP4GT attack with an unmodified phone in a commercial network. Nevertheless, the attack implementation in its current form has limitations regarding stealth, performance, and real-world applicability.
1) Stealth: In our experiments, we filtered unwanted traffic at the relay by dropping packets with an unexpected length. During the attack, we also terminate legitimate connections but restore the regular Internet connectivity after the attack. Additionally, we conduct the attack without any user interaction, which makes it independent from an active usage of the phone. Therefore, we need to consider two cases for reviewing the stealth of the attack. If the victim is actively using the phone, she/he will notice a short loss of Internet connectivity. In the case of accessing the local service site, the time of Internet loss amounts to 4 sec, which is acceptable for the attack. With some engineering effort, the filtering can be improved such that the Internet connection remains intact for the user. In case the victim is idle, the loss of Internet connection remains unnoticed.
2) Performance: The attack performance depends on the reflection mechanism because it is one central component of the attack. The only reflection that is limited is the unreachable reflection. Because the uplink impersonation builds upon this reflection, it suffers performance impairments; in particular, the unreachable reflection limits the downlink decryption. We only need to consider the limited length, as the reflection can be triggered at full rate due to the multi-peer mechanism (see Section IV). We therefore discuss the performance impairments caused by the length limitation of the unreachable reflection.
Android and iOS (IPv6 only) reflect only the leading bytes of the incoming packet, up to the minimum MTU, which restricts the length of the to-be-decrypted packet. The attacker cannot directly limit the downlink packet length sent by the target server. However, the attacker can indirectly force the TCP implementation of the target server to send shorter packets, i.e., by setting the TCP window size to the minimum MTU for the TCP connection. The disadvantage of this option is that each downlink TCP packet needs to be acknowledged. In turn, this limits only the throughput of the connection for the uplink impersonation.
Consequently, the uplink IMP4GT attack may not be suitable for low-latency and high data-rate applications, e.g., video streaming, but is sufficient to access a website. The downlink IMP4GT remains unaffected by any performance impairments and can be used at full rate to establish a connection to a UE.
3) Real-World Applicability: For our experiments, we use a shielding box to prevent interference with the licensed spectrum and to keep unwanted UEs from attaching to the relay. In a real-world setting, the attacker needs to handle interference and multiple UEs on all layers when building a relay. However, from the UE’s perspective, such a relay attack is comparable to fake base station attacks, which are already conducted in the real world. Nevertheless, we need to consider an attacker with strong domain knowledge along with several resources to implement such a MitM relay and carry out the IMP4GT attack.
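The following Python is an added example, not the paper’s code. It models the two IP-stack reflections the attack relies on (ICMPv6 echo reply, and ICMPv6 destination unreachable for UDP to a closed port, as specified in RFC 4443) together with the length limit discussed above, and shows how rewriting the source address of a downlink packet turns the unreachable reflection into a decryption oracle: the phone quotes the decrypted packet back towards the attacker’s Internet host, and the network, which decrypts the uplink, delivers the quoted bytes in the clear. Addresses from the 2001:db8::/32 documentation prefix, the port numbers and the packets are constructed; the model does not verify transport checksums, and it expresses the attacker’s header rewrite directly on the plaintext where the real attack flips the corresponding ciphertext bits.

```python
"""Reflections of a UE IPv6 stack and the "unreachable" length limit.

Added example modelled on RFC 4443: an ICMPv6 error quotes as much of the
invoking packet as fits into the minimum IPv6 MTU (1280 bytes), whereas an
echo reply carries the full echo data. Addresses and packets are constructed;
transport checksums are produced but not verified by the model.
"""
import ipaddress
import struct

IPV6_MIN_MTU, IPV6_HDR, ICMPV6_HDR = 1280, 40, 8
NH_UDP, NH_ICMPV6 = 17, 58
ECHO_REQUEST, ECHO_REPLY, DEST_UNREACH, PORT_UNREACH = 128, 129, 1, 4


def packed(addr):
    return ipaddress.IPv6Address(addr).packed


def checksum16(data):
    """Internet checksum (RFC 1071) over data, zero-padded to 16-bit words."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src, dst, next_header, length):
    return packed(src) + packed(dst) + struct.pack("!I3xB", length, next_header)


def ipv6(src, dst, next_header, payload):
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64)
    return hdr + packed(src) + packed(dst) + payload


def parse_ipv6(pkt):
    plen, nh = struct.unpack("!HB", pkt[4:7])
    src = str(ipaddress.IPv6Address(pkt[8:24]))
    dst = str(ipaddress.IPv6Address(pkt[24:40]))
    return src, dst, nh, pkt[IPV6_HDR:IPV6_HDR + plen]


def udp(src, dst, sport, dport, data):
    seg = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    csum = checksum16(pseudo_header(src, dst, NH_UDP, len(seg)) + seg) or 0xFFFF
    return seg[:6] + struct.pack("!H", csum) + data


def icmpv6(src, dst, typ, code, rest, body):
    msg = struct.pack("!BBH", typ, code, 0) + rest + body
    csum = checksum16(pseudo_header(src, dst, NH_ICMPV6, len(msg)) + msg)
    return struct.pack("!BBH", typ, code, csum) + rest + body


class UEStack:
    """Minimal model of what a phone's IPv6 stack sends back unprompted."""

    def __init__(self, addr, open_udp_ports=()):
        self.addr = addr
        self.open_udp_ports = set(open_udp_ports)

    def receive(self, pkt):
        src, dst, nh, payload = parse_ipv6(pkt)
        if dst != self.addr:
            return None
        if nh == NH_ICMPV6 and payload[0] == ECHO_REQUEST:
            # Echo reflection: identifier, sequence and data are copied in full.
            body = icmpv6(self.addr, src, ECHO_REPLY, 0, payload[4:8], payload[8:])
            return ipv6(self.addr, src, NH_ICMPV6, body)
        if nh == NH_UDP:
            dport = struct.unpack("!H", payload[2:4])[0]
            if dport not in self.open_udp_ports:
                # Unreachable reflection: the invoking packet is quoted, but the
                # error message must not exceed the minimum MTU (RFC 4443, 3.1).
                room = IPV6_MIN_MTU - IPV6_HDR - ICMPV6_HDR
                body = icmpv6(self.addr, src, DEST_UNREACH, PORT_UNREACH, b"\0" * 4, pkt[:room])
                return ipv6(self.addr, src, NH_ICMPV6, body)
        return None


def decryption_oracle(ue, downlink_pkt, attacker_ip, closed_port=40000):
    """Relay-side view: point the packet's source at the attacker's Internet host
    and its UDP destination at a closed port (stale UDP checksum is not checked
    by this model); the UE decrypts and reflects it, and the network delivers
    the quoted plaintext to the attacker."""
    src, dst, nh, payload = parse_ipv6(downlink_pkt)
    if nh != NH_UDP:
        return None
    payload = payload[:2] + struct.pack("!H", closed_port) + payload[4:]
    rewritten = ipv6(attacker_ip, dst, NH_UDP, payload)
    reflected = ue.receive(rewritten)
    if reflected is None:
        return None
    _, rdst, _, rbody = parse_ipv6(reflected)
    assert rdst == attacker_ip
    return rbody[ICMPV6_HDR:]  # quoted bytes, truncated to the minimum-MTU room


if __name__ == "__main__":
    ue = UEStack("2001:db8::10")
    for size in (200, 1400):
        dl = ipv6("2001:db8::53", "2001:db8::10", NH_UDP,
                  udp("2001:db8::53", "2001:db8::10", 53, 5353, b"Q" * size))
        got = decryption_oracle(ue, dl, "2001:db8::bad")
        print(f"{len(dl)}-byte downlink packet -> {len(got)} bytes recovered")
```

A 248-byte downlink packet comes back whole, whereas a 1448-byte packet is cut to 1232 quoted bytes (1280 minus the outer IPv6 and ICMPv6 headers), which is the limit that forces the TCP window trick for the uplink variant; the echo reflection has no such cap, so the downlink variant runs at full rate.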
Despite all limitations, we demonstrate the feasibility of the IMP4GT attack in a commercial network with an unmodified UE. Thus, it represents a threat for all users and stakeholders that rely on mutual authentication in LTE.
C. Potential Countermeasures
IMP4GT exploits the specification flaw of missing integrity protection along with the RFC-conformant reflection behavior of the IP stack. We first discuss possible mitigations on the higher layers. Then we discuss the opportunity for mitigation in the IP stack, but argue that the only sustainable countermeasure is mandatory integrity protection.
One possibility is to protect against the initial DNS spoofing attack with DNSSEC, DNS over TLS, or DNS over HTTPS. However, IMP4GT does not necessarily need the initial DNS spoofing attack. As soon as the attacker knows the IP address of an outgoing TCP connection, she can directly redirect the TCP connection with the aLTEr attack and, thus, hijack the connection for continuing the preparation phase of IMP4GT. An example of such outgoing TCP connections are those of an email client that periodically connects to pre-known IP addresses. Another possibility would be to secure all TCP connections with TLS such that the client can detect a redirection based on mismatching certificates. However, the TCP proxy transparently relays the TLS connections, and thus the redirection remains undetected; since the proxy forwards every byte itself, the attacker still knows the packet contents at the IP layer, which is all the known plaintext the preparation phase needs. Also, a VPN connection has only limited mitigation properties, as not all connections can use the VPN and are therefore protected. For example, the connectivity check of Android connects to a service before the OS notifies other applications, such as VPN applications, about the Internet connection. Those connections remain attackable by IMP4GT.
One mitigation is to disable the IP reflection mechanism at the UE, as IMP4GT relies on it. However, any modification would invalidate the RFC conformity of the IP stack and harm interoperability.
For example, the ICMP echo request (ping) is often used to check if the device is reachable and disabling the echo responses would break the ping protocol. Consequently, it would be impossible to check if the device is reachable on the IP layer. Thus, any modification of the IP stack might work, but comes at the cost of interoperability.
The main reason for IMP4GT is the lack of integrity protection and thus the possibility of user data manipulation. Mandatory integrity protection was neglected due to the additional overhead on the radio layer. The retrospective specification and deployment of integrity protection in LTE requires financial and logistic efforts, as all UEs and eNodeBs must be updated to be secured against IMP4GT. Despite these efforts, this paper should be read as a reminder of the urgency for mandatory integrity protection on the user plane in LTE.
D. Integrity Protection in 5G
While LTE has been in use for nearly a decade, the currently deployed 5G specification comes with different states regarding user-plane integrity protection. We discuss the state of integrity protection for the two deployment phases.
Non-standalone (NSA) with dual connectivity is the first phase, in which the phone connects via 4G for all control data, but uses 5G for user data. The 3GPP 5G Security working group stated: “Although integrity protection for UP data is supported in 5G networks, it will not be used in dual connectivity case.” Thus, the early 5G deployments cannot prevent IMP4GT attacks.
The second phase will be the standalone (SA) phase, in which the UE has a control connection to the 5G core network along with the 5G radio layer.
At the time of publication, this phase was still under development; its state was as follows: First, user-data integrity protection is optional to use, and the provider can decide whether to enable it.
Second, the phone can implement integrity protection either at full rate or only up to 64 kbit/s, and the specification mandates only the latter. Most data connections exceed this data rate, as 5G promises high data rates of up to 20 Gbit/s, and thus user-plane integrity protection cannot be applied to them.
Obviously, the requirement for high data rates contradicts the requirement for security, and the attack vector remains exploitable in 5G.
We emphasize the requirement for a mandatory and full-rate integrity protection for all 5G data connections to prevent IMP4GT.