. . . Proves That Big Wireless Is Selling A Defective Product/Service
IMP4GT Attacks (IMPersonation attacks in 4G neTworks) allows an attacker to impersonate a user towards the network and vice versa:
For the first time. our demonstrated exploit completely breaks the mutual authentication aim of 4G/LTE and 5G on the user plane in realworld settings
The results of our work demonstrate that Wireless carriers can no longer rely on mutual authentication for billing, access control, and legal prosecution.
The work emphasizes the need for user-plane integrity protection in mobile communication standards, which means the US Government — as a matter of National Security — should not allow the installation of the current 5G equipment, until this problem is fixed at the hardware layer.
Long-standing, Established 3G/4G/5G Equipment Security Flaw
Security researchers have discovered a novel 4G LTE / 5G attack vector.
Link to Forget TikTok. Feebly Secured Infrastructure Is Our Real Problem
A team of researchers who have been poking at modern cell phone security and integrity are presenting the worrisome results of their latest research today, the 25th of February, 2020 during NDSS, the Network Distributed System Security Symposium (which, I guess really should be NDSSS, but perhaps they thought that was one ‘S’ too many) in San Diego, California.
There’s a website for the work: https://imp4gt-attacks.net/
And we have the pre-release of their presentation paper:
A full understanding for what they have, and have done, requires a thorough understanding of the inner workings of cell-system networking. And in this instance even the Abstract from their paper, which is normally useful, assumes too much background. But, their paper’s introduction does give us a good sense for the importance of this work
Long Term Evolution (LTE) is the latest widely deployed mobile communication standard and is used by hundreds of millions of people worldwide. The protocol offers high-speed Internet access and packet-based telephony services and has become an integral component of our daily communication.We fundamentally rely on the security of LTE for a variety of applications. The security goals of LTE include, amongst others, mutual authentication, traffic confidentiality, and location privacy; any attack vector undermining these security aims has far-reaching implications to the use of LTE as a communication medium.
In the context of mobile communication, mutual authentication is an important security aim since it ensures that both communication parties (i. e., the user equipment and the network) mutually verify their identities. As the wireless medium is accessible for everyone in the vicinity and identifiers can be easily forged, mutual authentication is essential for building trust between communication parties. Telecommunication providers rely on user authentication for accounting, authorization, and the association of data sessions to a legal person.
The latter case is of particular importance in prosecution, in which a possible offender is accused of committing a crime via a mobile Internet connection. Additionally, users rely on network authentication for the confidentiality of their communication. One important example for missing network authentication is the second mobile network generation GSM (Global Systemfor Mobile Communications): by faking the identity of a legitimate network, an attacker can impersonate the network in GSM and eavesdrop on the communication of the victim
In contrast to earlier network generations, LTE establishes mutual authentication on layer three of the network stack using a provably secure Authentication and Key Agreement (AKA) protocol. Based on this protocol, subsequent encryption ensures the confidentiality of user and control data. Permanent integrity protection, however, is only applied to the control data. A recent study has revealed that missing integrity protection of the user plane on layer two allows to manipulate user data in a deterministic way. More specifically, a layer-two attacker in a Man-in-the-Middle (MitM) position between the phone and the network can introduce undetectable bit flips due to malleable encryption and redirect traffic to another destination. While this attack demonstrates the potential consequences of traffic manipulation, it is solely limited to redirecting traffic to another destination.
In this work, we introduce a novel cross-layer attack concept that complements the known layer-two vulnerability (i. e., missing integrity protection on the user plane) with exploiting the default IP stack behavior of operating systems on layer three. More precisely, we make use of the reflection mechanism of certain IP packets, which allows us to not only redirect user-plane traffic, but also to create an encryption and decryption oracle that enables an adversary to perform a full impersonation of the phone or network on the user plane. We call this concept IMP4GT (IMPersonation in 4G neTworks, pronounced “impact”). IMP4GT completely breaks the mutual authentication property for the user plane on layer three, as an attacker can send and receive arbitrary IP packets despite any encryption.
This attack has far-reaching consequences for providers and users. Providers can no longer assume that an IP connection originates from the user. Billing mechanisms can be triggered by an adversary, causing the exhaustion of data limits, and any access control or the providers’ firewall can be bypassed. A possible impersonation also has consequences for legal prosecution, as an attacker can establish arbitrary IP connections associated with the victim’s identity.
That encryption/decryption oracle is the key to this. They establish a man-in-the-middle interception using a software defined radio (SDR). They are then able to probe the encryption by flipping bits, which results in a failure and retransmission. They actually inject ICMP Unreachable and ICMP Ping packets into the stream in order to get either endpoint to reply.
To give our listeners a better and more convincing sense of this, ihey explain the operation of their Encryption and Decryption Oracles as follows:
Encryption Oracle. The goal of an encryption oracle is to learn the keystream of a connection, which later allows [us] to encrypt and inject arbitrary packets. For encrypting a target plaintext, the oracle injects a known plaintext into the system. The system encrypts the packet by xor-ing the known-plaintext with a valid keystream for transmission, which is returned to the oracle. Now, the oracle can extract the valid keystream by xor-ing the known-plaintext on the encrypted packet. Any arbitrary payload can now be encrypted by xor-ing the target plaintext and the keystream.
Decryption Oracle. The goal of a decryption oracle isto decrypt and access the payload of an encrypted packet. T
achieve the decryption of a packet, the oracle manipulates the to-be-decrypted ciphertext and sends it to the system. The system decrypts the packet and subsequently sends it back to the oracle. In this way, we can receive the plaintext of encrypted packets
They go into far greater detail in their paper. But they have conclusively demonstrated a fundamental weakness in both 4G LTE and the forthcoming 5G, since neither of these systems provides the needed message integrity protection at the user layer. It must have been assumed — by non-cryptographers — that the encryption running at the user layer would sufficiently protect the user’s communications. But we know that XOR-based stream ciphers, while highly attractive due to their economy and ease of implementation, are also highly susceptible to interception attacks that can trivially reveal the keystream if the plaintext can be known.
They clearly state that the only way for this to be fixed is for all of our existing cell-system infrastructure hardware to be upgraded at the smartphone and cell tower level.They are hoping that there might still be time to head-off 5G, which repeats these mistakes, but they acknowledge that’s unlikely.
Services such as iMessage and Signal, which provide their own application-level encryption are secure against this. HTTPS is less certain, since we rely upon some aspects of the integrity of the underlying network, such as DNS and that we are actually connecting to the machine we think we are, that this work has demonstrated the power to subvert.
And, in any event, due to the need for physical ma- in-the-middle proximity, this would only be applicable to targeted attacks. But it does, and it should, further shake the complacency we have with the security of our smartphones.