Mobile carriers and standards organizations will now need to wrestle with a newly-discovered device impersonation vulnerability found in both LTE and 5G networks. That’s according to a recently reported joint research study between Germany’s Ruhr Universität Bochum and New York University Abu Dhabi.
The vulnerability allowed researchers to impersonate a mobile device. That, in turn, allowed them to register for a variety of services in somebody else’s name.
The implications of the discovery, which applies foremost to 4G LTE services, are wide-ranging. The network weakness not only lets bad actors sign up for new services, free and paid, in a victim's name; the same spoofing can also be carried over for more nefarious purposes, namely conducting illegal activities under the guise of being somebody else.
Because of how the vulnerability is exploited, it could just as easily apply to the current generation of incoming 5G networks. The broader implication is that users' identities can be spoofed, which undermines billing, access control, and legal prosecution, all of which rest on the assumption that the device and the network have mutually authenticated each other.
How does this device impersonation vulnerability work in 4G and 5G?
The device impersonation vulnerability stems from how LTE networks, and the 5G networks built on top of them, apply integrity protection. Integrity protection is mandatory for the signalling data used to set up connections, but it is not applied to user data on LTE and is not always applied on 5G. User traffic is encrypted, but a receiver has no way to tell whether the ciphertext was altered in transit.
That can be exploited to change the data and content sent between the phone and the base station. Because the encryption is a stream cipher, flipping a bit in the ciphertext flips the same bit in the decrypted plaintext, so an attacker who knows what the original packet looked like can rewrite it without ever learning the key. In this attack, the destination of the phone's DNS requests is rewritten so that communication is redirected to another, attacker-chosen destination: DNS spoofing.
That manipulation happens in the data link layer of the network, layer two. But the vulnerability can also be used at layer three, the layer responsible for user authentication, device tracking, and IP traffic. In short, new data packets can be inserted that grant a bad actor control over a given mobile session.
In effect, that amounts to a man-in-the-middle attack in which both the base station and the mobile device are impersonated: the attacker plays the base station when the device receives data, and plays the device when the operator's base station receives data.
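The following Python script is an added illustration of the weakness described above and is not code from the page or from the researchers. It models an LTE user-plane packet as a stream-cipher ciphertext without an integrity tag, shows an attacker who knows the original IPv4 header (but not the key) rewriting the encrypted DNS request's destination address and fixing up the header checksum by XORing the plaintext difference into the ciphertext, and then shows the same manipulation failing once a MAC is attached. The keystream generator (a SHA-256 counter construction) and the MAC (truncated HMAC-SHA256) are deliberate stand-ins for LTE's EEA2 and EIA2, the addresses come from the RFC 5737 documentation ranges, and the DNS payload is a constructed placeholder; the UDP checksum and the radio-layer framing are out of scope.

```python
import hashlib
import hmac
import struct

# Constructed 128-bit user-plane key. In LTE the attacker never learns it.
KEY = bytes(range(16))

# Constructed addresses (RFC 5737 documentation ranges), not real resolvers.
UE_IP = "10.0.0.2"
REAL_DNS = "192.0.2.53"        # resolver the phone actually asked
ATTACKER_DNS = "203.0.113.53"  # resolver the attacker wants the query sent to

PAYLOAD = b"constructed DNS query for example.com"  # placeholder for the UDP/DNS bytes
COUNT, BEARER = 7, 5  # PDCP COUNT and bearer id that select the keystream


def keystream(key: bytes, count: int, bearer: int, length: int) -> bytes:
    """Hash-based stand-in for the LTE keystream generator (NOT EEA2/AES-CTR).
    Like EEA2 it is a stream cipher driven by key, COUNT and bearer, which is the
    only property that matters here: ciphertext = plaintext XOR keystream."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">IBI", count, bearer, block)).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, count: int, bearer: int, data: bytes) -> bytes:
    return xor(data, keystream(key, count, bearer, len(data)))


decrypt = encrypt  # same keystream, same XOR


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(o) for o in b)


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; returns 0 for a header whose checksum is correct."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header for UDP; checksum at bytes 10-11, dst at 16-19."""
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      64, 17, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return hdr[:10] + struct.pack(">H", ip_checksum(hdr)) + hdr[12:]


def redirect_without_key(pdu: bytes, known_header: bytes, new_dst: str) -> bytes:
    """Attacker side: no key, no keystream. Assumes the original header plaintext is
    known (predictable fields plus the resolver address), XORs the plaintext
    difference into the first 20 ciphertext bytes and leaves the payload untouched."""
    src = bytes_to_ip(known_header[12:16])
    payload_len = struct.unpack(">H", known_header[2:4])[0] - 20
    delta = xor(known_header, ipv4_header(src, new_dst, payload_len))
    return xor(pdu[:20], delta) + pdu[20:]


def mac(key: bytes, count: int, bearer: int, data: bytes) -> bytes:
    """Stand-in for EIA2 (AES-CMAC, 32-bit MAC-I): truncated HMAC-SHA256."""
    return hmac.new(key, struct.pack(">IB", count, bearer) + data, hashlib.sha256).digest()[:4]


def protect(key: bytes, count: int, bearer: int, data: bytes) -> bytes:
    """PDCP-style integrity plus ciphering: MAC over plaintext, then encrypt data||MAC."""
    return encrypt(key, count, bearer, data + mac(key, count, bearer, data))


def unprotect(key: bytes, count: int, bearer: int, pdu: bytes):
    """Returns the plaintext, or None if the MAC-I does not verify."""
    pt = decrypt(key, count, bearer, pdu)
    data, tag = pt[:-4], pt[-4:]
    return data if hmac.compare_digest(tag, mac(key, count, bearer, data)) else None


def attack_unprotected() -> tuple:
    """LTE user plane: encrypted only. Returns (destination the network decrypts,
    header checksum still valid, payload intact)."""
    hdr = ipv4_header(UE_IP, REAL_DNS, len(PAYLOAD))
    pdu = encrypt(KEY, COUNT, BEARER, hdr + PAYLOAD)
    pt = decrypt(KEY, COUNT, BEARER, redirect_without_key(pdu, hdr, ATTACKER_DNS))
    return bytes_to_ip(pt[16:20]), ip_checksum(pt[:20]) == 0, pt[20:] == PAYLOAD


def attack_protected():
    """Same manipulation against a PDU that carries a MAC-I: the receiver drops it."""
    hdr = ipv4_header(UE_IP, REAL_DNS, len(PAYLOAD))
    pdu = protect(KEY, COUNT, BEARER, hdr + PAYLOAD)
    return unprotect(KEY, COUNT, BEARER, redirect_without_key(pdu, hdr, ATTACKER_DNS))


if __name__ == "__main__":
    print(attack_unprotected())  # ('203.0.113.53', True, True)
    print(attack_protected())    # None
```

The point to take from the two results is that the network-side decryption in the first case yields a well-formed packet addressed to the attacker's resolver, with nothing to flag that it was altered, while in the second case the same bit flips land on the integrity-checked plaintext and the packet is discarded. A real attacker additionally has to sit on the radio path with a relay and guess the header fields it does not observe; the script assumes those are known.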
Here’s why it isn’t likely to be as high-impact for the average user
Now, the newly-discovered device impersonation vulnerability applies solely to the data exchanged over 4G LTE and 5G networks.
So attackers are unlikely to be able to easily get into existing accounts. Bad actors aren't necessarily going to be able to break into an email or bank account using this method, especially where strong passwords and multi-factor authentication are involved. But it does allow a level of malicious activity comparable to what a SIM swap enables.
Researchers say the attacks would also need to be highly sophisticated, requiring a high level of skill, close proximity to the victim, and specialized hardware comparable to the devices used by law enforcement. Beyond the hardware, a significant amount of added effort is needed, including a customized implementation of the LTE protocol stack.
The researchers' own set-up, a controlled lab environment with a shielding box, spared them further "engineering effort" that an attack outside the lab would require.
That all means that the average user likely has nothing to worry about from the vulnerability. Researchers indicate that “high-value” individuals and organizations are most likely to fall victim to attacks using the vulnerability.