Active 4G LTE vulnerability allows hackers to eavesdrop on conversations, read texts, and track your smartphone location

Posted on Oct 24, 2016 by Caleb Chen
Share Tweet Plus

personal 4g stingray device

Zhang Wanqiao, a Chinese researcher from Qihoo 360 has demonstrated an active 4G LTE vulnerability that allows any dedicated attacker to intercept your calls and texts as well as track your location. The hack was demo’d yesterday at the Ruxcon security conference in Melbourne, Australia. This 4G vulnerability is currently exploitable on any LTE network and is based off a little-known “fail-safe” that is supposed to only be used during emergencies, such as natural disasters, when individual cell phone towers are likely to become overloaded and redirection may be necessary. However, there might be a simpler reason as to why this 4G vulnerability is still active and there are no plans to fix it… One word: “Stingray.”

Your smartphone conversations, texts, and location aren’t safe over 4G LTE

Interestingly enough, the 3GPP, the organization in charge of setting mobile data network standards and enforcing them, also acknowledged the issue in 2006 but chose to do nothing about it. Researchers brought up this vulnerability to the world in 2015 in a paper titled: Practical attacks against privacy and availability in 4G/LTE mobile communication systems.  That same year, the ACLU managed to obtain documents that described the stingray surveillance device had identical functionalities. In the following year, Zhang Wanqiao of Qihoo 360 extended the practical attack described by the initial researchers and presented on it at DEFCON 24 in August of 2016. Now, at Ruxcon in October of 2016, the attack has been demonstrated and been proven to work on all LTE networks with readily available gear.

At first, Zhang only demonstrated the attack on TDD-LTE networks that operated in Britain, the United States, and Australia; however, Zhang has since confirmed with The Register that this attack is currently viable on any LTE network in the world. It is worth pointing out that this attack works by downgrading your LTE connection to a 3G connection and then finally to an un-secure 2G connection and then exploiting known vulnerabilities there. It’s worth pointing out that this vulnerability might not have been patched because it may have something to do with a surveillance technique that is actively used by law enforcement or intelligence agents in areas without active cooperation of local law enforcement: the highly controversial stingray or IMSI catcher device. While the exact specifics of how stingray tracking devices operate are still unclear, many people have started to draw similarities and differences between that revealed technology and recent research revelations.

How can you protect yourself from being tracked while using 4G?

In essence, the attack combines a “personal stingray” (works on GSM which is more commonly known as 2G) and a known vulnerability in 4G and 3G that allows fake LTE towers to force a downgrade all the way down to 2G. Using a VPN that utilizes OpenVPN and its TLS protocol will keep your conversations encrypted even in the face of such an attacker; however, older VPN connection methods such as PPTP/L2TP/SOCKS, you could still be vulnerable, though. Since the attack involves readily available hardware and open source software, any dedicated attacker could be using this against your smartphone at this moment. As the 3GPP has shown, after 10 years, there aren’t any plans to fix this 4G LTE vulnerability.

Featured image from DEFCON.

About Caleb Chen

Caleb Chen is a digital currency and privacy advocate who believes we must #KeepOurNetFree, preferably through decentralization. Caleb holds a Master's in Digital Currency from the University of Nicosia as well as a Bachelor's from the University of Virginia. He feels that the world is moving towards a better tomorrow, bit by bit by Bitcoin.

VPN Service

Comments are closed.


  1. Gareth Smith

    So one way around this would be to send texts from Skype on your phone – it doesn’t mention intercepting data?

    3 years ago
    1. Jim

      Use End to End Encrypted VoIP and Chat and use a VPN.

      3 years ago
    2. Keep Botting

      Like Skype is any more secure than a vulnerable LTE network. Microsoft controls Skype and shovels your data off to the NSA already. You’re screwed either way: probably worse off using Skype. At least with LTE, there *might* not be anybody listening in.

      3 years ago
      1. Nick the Rat

        with skype, atleast your neightbor isnt listening in.

        3 years ago
  2. Purnendu Ghosh

    Typical stingray devices take control of your mobile connection temporarily by spawning a network with high signal strength. Typical way these IMSI catchers work.

    3 years ago
  3. Drakenoid

    Can this work on a 4G only network?

    3 years ago
    1. Nick

      All of the carriers I know of in the united states maintain 3g / 2g network access for compatibility.

      3 years ago
      1. Mike

        Reliance Jio for India is just a 4G only network, it has no fall back to 3G or 2G.

        3 years ago
      2. Drakenoid

        I know, I was talking about Jio, Indian network.

        3 years ago
  4. Jamie

    When will I be able to *Force* my iPhone to use a VPN for all data?

    3 years ago
  5. Gavin Davies

    Can you lock your phone to 4G and 3G only. There for stopping the phone from falling back onto 2G.

    Obviously this is not ideal as you might not have coverage in some areas, as sometimes phones drop back to 2g for calls. So that 3G and 4G can be saved for data.

    3 years ago
    1. Nazo

      Some ROMs have options for this (CyanogenMod in particular,) but given that this is intended primarily for emergency use (supposedly) it may be that it could still actively force it down, I’m not sure. Normally it would just simply say no signal though. There are a couple of problems though. One is that it’s easier to negotiate a signal at lower speeds/complexities, so things don’t use 4G/LTE continuously normally drop down a bit when there is no active data going and get a better signal. You could, in some areas, completely lose your signal and be unable even to receive texts (nevermind voice calls) with such a setting. Also, you should be warned that forcing it to always use the more complex, higher speed signal will impact your battery life fairly significantly. (I can’t give you exact numbers, but in idle time with a clean system where there are minimal background apps a cell signal is actually the most significant user of the battery. Though I’ll admit not many people maintain clean systems…)

      3 years ago
  6. Nazo

    One thing I’m a bit unclear about: does anyone know if this is GSM only? The above isn’t very specific. I get the impression the vulnerability is in how the systems work in general and thus would work on CDMA as well, but I’m not really quite clear on how true this is. Although, as I say this, I’m now on a GSM network and finally free of that horrid Verizon disservice.

    3 years ago
  7. Jon Cowden

    Just write an app that uses the OpenCellID database that constantly polls off of that, whilst running real time scans on area cell towers, and what you connect to. If there is an anomaly that pops up that is not on the map, then chances are it is a fed… That’s what I did…. Cell towers do not just “pop up” overnight. There is a process… VERY LONG… To get one put up… This insures that all data is updated nationwide, and people stay safe from the 3rd world nation state police still trying to keep up the facad.

    2 years ago