Skip to main content

New Vulnerability In 4G and 5G Networks Could Allow Hackers To Trick Network Service Providers And Users Of Smartphones, Tablets And IoT Devices.





A group of academics from Ruhr University Bochum and New York University Abu Dhabi have uncovered security flaws in 4G LTE and 5G networks that could potentially allow hackers to impersonate users on the network and even sign up for paid subscriptions on their behalf.
The impersonation attack — named "IMPersonation Attacks in 4G NeTworks" (or IMP4GT) — exploits the mutual authentication method used by the mobile phone and the network's base station to verify their respective identities to manipulate data packets in transit.
"The IMP4GT attacks exploit the missing integrity protection for user data, and a reflection mechanism of the IP stack mobile operating system. We can make use of the reflection mechanism to build an encryption and decryption oracle. Along with the lack of integrity protection, this allows to inject arbitrary packets and to decrypt packets," the researchers explained.
The research was presented at the Network Distributed System Security Symposium (NDSS) on February 25 in San Diego.
The vulnerability impacts all devices that communicate with LTE, which includes all smartphones, tablets, and IoT devices currently being sold in the market.

"The Bochum-based team is attempting to close the security gap in the latest mobile communication standard 5G, which is currently rolled out," the researchers said. The flaws were responsibly disclosed to the telecom standards body GSM Association last May.

How does the IMP4GT attack work?.
The researchers carried out the attacks using software-defined radios, which are devices that can read messages between a phone and the base station it's connected to. The man-in-the-middle attack, then, allows a hacker to impersonate a user towards the network and vice versa.
In other words, the attacker tricks the network into thinking the radio was, in fact, the phone (uplink impersonation), and also dupes the phone into assuming that the software-defined radio is the legitimate cell tower (downlink impersonation).

4g and 5g Network Hacking.
"The uplink impersonation allows an attacker to establish an arbitrary IP connection towards the Internet, e. g., a TCP connection to an HTTP server. With the downlink variant, the attacker can build a TCP connection to the UE," the researchers said.
It's to be noted that the adversary must be in close proximity — in the range of 2km — to the victim's mobile phone to mount the IMP4GT attack. As a consequence, these attacks are no different from those that involve cell-site simulators such as IMSI catchers (aka stingrays) that are used by law enforcement agencies to intercept mobile phone traffic.
Once this communication channel is compromised, the next stage of the attack works by taking advantage of the missing integrity protection in the LTE communication standard to arbitrarily modify the data packets that are being exchanged.

By forging the internet traffic, the attack could allow a hacker to make unauthorized purchases, access illegal websites, upload sensitive documents using the victim's identity, and even redirect the user to a malicious site, a different form of attack called "aLTEr attack."
"This attack has far-reaching consequences for providers and users," the researchers said in the paper. "Providers can no longer assume that an IP connection originates from the user. Billing mechanisms can be triggered by an adversary, causing the exhaustion of data limits, and any access control or the providers' firewall can be bypassed."
Moreover, "by doing so, we show that an attacker can bypass the provider's firewall mechanism, and the phone is open to any incoming connection. Such an attack is a stepping stone for further attacks, such as malware deployment."

What's the solution?.
The disclosure of the IMP4GT attack comes on the heels of similar research undertaken by academics at Purdue University and the University of Iowa, which uncovered three new security flaws in 4G and 5G networks that can be used to eavesdrop on phone calls and track the locations of cell phone users.
The incoming 5G standard, which is being rolled out in a handful of countries, aims to offer faster speeds and long-needed security features, including protection from IMSI catchers. But with hundreds of millions of devices impacted by these flaws, it's imperative that 5G implementations apply more robust security and data protection to fix the vulnerabilities.
"Mobile network operators would have to accept higher costs, as the additional protection generates more data during the transmission," David Rupprecht, one of the paper's co-authors, said. "In addition, all mobile phones would have to be replaced, and the base station expanded. That is something that will not happen in the near future."
While the scrutiny of the 5G standard has made it possible to catch and fix potential vulnerabilities before the 5G networks are widely deployed, the latest research is a sign that cellular network security needs further attention.

Comments

Popular posts from this blog

We Bring You Brief Series of Sanctions Against Uganda Government Officials.

📸: Gen Abel Kandiho. On 9-December-2021, USA slapped sanctions against the then CMI Commander Gen Abel Kandiho. 📸: Gen Kale Kayihura. On 9-December-2022, UK slapped sanctions against former Police Boss Gen Kale Kayihura. 📸: Commissioner General of Prisons, Johnson Byabashaija. Again on this 4-December-2023, the same USA has slapped sanctions against Uganda Prisons Commander Johnson Byabashaija over alleged torture and human rights abuses in Prisons across Uganda. We ask, has USA and UK made December as an LCM to slap sanctions against high ranking government officials in Uganda even when the sanctions just remain on paper without deeper investigations to ascertain logical conclusions or remedy to that effect ?. #iip_updates  #Information_is_Power  #we_inform_the_uninformed

How to Host a Website for Free From Your PC or Laptop.

Why pay for a web hosting service when your old computer can do the same thing? Learn how to self-host your site. If you're planning to launch a website but don't want to pay recurring monthly or annual hosting fees, you can use any old laptop or desktop PC to host a website for free. It's a great way to utilize your old system instead of throwing it away. In this guide, we will install and set up services on our 10-year-old laptop to host a WordPress, Joomla, or custom HTML or PHP-based website with a free SSL certificate. MAKEUSEOF VIDEO OF THE DAY Things You Will Need to Host a Website Following are the pre-requisites to host a website for free from home with just your computer: An old laptop or PC running Ubuntu Server. A registered domain name for your website Ethernet cable to connect the laptop or PC to router for reliable and fast connection Step 1: Update and Upgrade the Packages After  installing Ubuntu Server on your computer , execute the following c...

WHERE IS MINISTER OF SEX SIMON LOKODO?. (He deserves a battle of soda from me! Ministe`r esalanga mabee. He is quick to run after Mrs Dr Stella Nyanzi and other Opposition elements. Government aza aza edo zuu vaa kpere bua). Anyway, below is the article! POLICE OFFICER AKOL ESTHER CHARGED OF BEING A PUBLIC NUISANCE Naughty Officer Officer who embarrassed police after leaking nude photo charged 13.03.2018 She serves in the 'Very Important Persons Protection Unit'  Akol Esther  (Courtesy) A female police officer whose nude photo surfaced on social media has been charged of being a public nuisance. Akol Esther serves in the Very Important Persons Protection Unit (VIPPU) of the police force. Kampala Metropolitan Police spokesperson Luke Owoyesigire says Akol Esther might be demoted or expelled from the police force if found guilty of circulating nude photos. Police court is yet to announce date when Akol Esther is expected to appear for a hearing. This comes at a time when Pornography Control Committee is taking tough measures against persons circulating pornography content. The committee warned and promised to arrest persons who will circulate pornographic content.

POLICE OFFICER AKOL ESTHER CHARGED OF BEING A PUBLIC NUISANCE Naughty Officer Officer who embarrassed police after leaking nude photo charged 13.03.2018 She serves in the 'Very Important Persons Protection Unit' Akol Esther  (Courtesy) A female police officer whose nude photo surfaced on social media has been charged of being a public nuisance. Akol Esther serves in the Very Important Persons Protection Unit (VIPPU) of the police force. Kampala Metropolitan Police spokesperson Luke Owoyesigire says  Akol Esther might be demoted or expelled from the police force if found guilty of circulating nude photos . Police court is yet to announce date when Akol Esther is expected to appear for a hearing. This comes at a time when Pornography Control Committee is taking tough measures against persons circulating pornography content. The committee warned and promised to arrest persons who will circulate pornographic content.