Active 4G LTE vulnerability allows hackers to eavesdrop on conversations, read texts, and track your smartphone location
Zhang Wanqiao, a Chinese researcher from Qihoo 360 has demonstrated an active 4G LTE vulnerability that allows any dedicated attacker to intercept your calls and texts as well as track your location. The hack was demo’d yesterday at the Ruxcon security conference in Melbourne, Australia. This 4G vulnerability is currently exploitable on any LTE network and is based off a little-known “fail-safe” that is supposed to only be used during emergencies, such as natural disasters, when individual cell phone towers are likely to become overloaded and redirection may be necessary. However, there might be a simpler reason as to why this 4G vulnerability is still active and there are no plans to fix it… One word: “Stingray.”
Your smartphone conversations, texts, and location aren’t safe over 4G LTE
Interestingly enough, the 3GPP, the organization in charge of setting mobile data network standards and enforcing them, also acknowledged the issue in 2006 but chose to do nothing about it. Researchers brought up this vulnerability to the world in 2015 in a paper titled: Practical attacks against privacy and availability in 4G/LTE mobile communication systems. That same year, the ACLU managed to obtain documents that described the stingray surveillance device had identical functionalities. In the following year, Zhang Wanqiao of Qihoo 360 extended the practical attack described by the initial researchers and presented on it at DEFCON 24 in August of 2016. Now, at Ruxcon in October of 2016, the attack has been demonstrated and been proven to work on all LTE networks with readily available gear.
At first, Zhang only demonstrated the attack on TDD-LTE networks that operated in Britain, the United States, and Australia; however, Zhang has since confirmed with The Register that this attack is currently viable on any LTE network in the world. It is worth pointing out that this attack works by downgrading your LTE connection to a 3G connection and then finally to an un-secure 2G connection and then exploiting known vulnerabilities there. It’s worth pointing out that this vulnerability might not have been patched because it may have something to do with a surveillance technique that is actively used by law enforcement or intelligence agents in areas without active cooperation of local law enforcement: the highly controversial stingray or IMSI catcher device. While the exact specifics of how stingray tracking devices operate are still unclear, many people have started to draw similarities and differences between that revealed technology and recent research revelations.
How can you protect yourself from being tracked while using 4G?
In essence, the attack combines a “personal stingray” (works on GSM which is more commonly known as 2G) and a known vulnerability in 4G and 3G that allows fake LTE towers to force a downgrade all the way down to 2G. Using a VPN that utilizes OpenVPN and its TLS protocol will keep your conversations encrypted even in the face of such an attacker; however, older VPN connection methods such as PPTP/L2TP/SOCKS, you could still be vulnerable, though. Since the attack involves readily available hardware and open source software, any dedicated attacker could be using this against your smartphone at this moment. As the 3GPP has shown, after 10 years, there aren’t any plans to fix this 4G LTE vulnerability.
Featured image from DEFCON.
Comments are closed.
14 Comments
Can you lock your phone to 4G and 3G only. There for stopping the phone from falling back onto 2G.
Obviously this is not ideal as you might not have coverage in some areas, as sometimes phones drop back to 2g for calls. So that 3G and 4G can be saved for data.
Some ROMs have options for this (CyanogenMod in particular,) but given that this is intended primarily for emergency use (supposedly) it may be that it could still actively force it down, I’m not sure. Normally it would just simply say no signal though. There are a couple of problems though. One is that it’s easier to negotiate a signal at lower speeds/complexities, so things don’t use 4G/LTE continuously normally drop down a bit when there is no active data going and get a better signal. You could, in some areas, completely lose your signal and be unable even to receive texts (nevermind voice calls) with such a setting. Also, you should be warned that forcing it to always use the more complex, higher speed signal will impact your battery life fairly significantly. (I can’t give you exact numbers, but in idle time with a clean system where there are minimal background apps a cell signal is actually the most significant user of the battery. Though I’ll admit not many people maintain clean systems…)
When will I be able to *Force* my iPhone to use a VPN for all data?
Can this work on a 4G only network?
All of the carriers I know of in the united states maintain 3g / 2g network access for compatibility.
Reliance Jio for India is just a 4G only network, it has no fall back to 3G or 2G.
I know, I was talking about Jio, Indian network.
Typical stingray devices take control of your mobile connection temporarily by spawning a network with high signal strength. Typical way these IMSI catchers work.
So one way around this would be to send texts from Skype on your phone – it doesn’t mention intercepting data?
Use End to End Encrypted VoIP and Chat and use a VPN.
Like Skype is any more secure than a vulnerable LTE network. Microsoft controls Skype and shovels your data off to the NSA already. You’re screwed either way: probably worse off using Skype. At least with LTE, there *might* not be anybody listening in.
with skype, atleast your neightbor isnt listening in.