IT has enough to worry about with traditional data breach issues, but now researchers from Purdue University and the University of Iowa have found quite a few new security holes in the popular 4G mobile networks.
The potentially worst hole detailed in the study is an authentication synchronization failure attack. The danger? It allows bad guys to read incoming and outgoing messages from an employee, permits “stealthy denial” of selected services and “location of history poisoning,” which simply means it can manipulate location ready to give false information to systems using location for identity authentication.
This attack works, according to the report, by exploiting the phone’s “sequence number sanity check to disrupt its attach procedure. Precisely, the adversary interacts with with the [home subscriber service] through the [mobile management entity] to ensure that the sequence number of the [phone and subscriber service] are out-of-sync. As a result, the authentication challenge received through the legitimate auth request message fails the [phone’s] sanity check and consequently is discarded” by the phone.
The researchers also found a traceability hole, which leaked out geolocation information — just the kind of details that you want rivals to know about your key employees. Other holes allowed attackers to deny all cellular service (something terrorists could exploit in an attack, to delay an emergency response and allow more time for mass murder), to “read all incoming and outgoing messages,” a way to detach someone “from the network surreptitiously,” completely and quickly drain the battery to a dead state and a different hole to allow denial of service or to just downgrade their service to 3G or even 2G.
What most surprised one of the report authors, University of Iowa Assistant Professor Omar Chowdhury, was the complete lack of encryption used by one of the major carriers. “By observing the security mode command messages of all four major network providers in the U.S., we observed that at least one carrier never used encryption, i.e., uses EEA0 — no cipher,” said the report.
Chowdhury, who declined to identify that carrier, said that encryption was added shortly after the universities alerted the carrier to the problem. Why was the encryption not implemented beforehand? “We speculated that the encryption required extra overhead” and that the carrier prioritized efficiency over security, he said. Well, it prioritized it at least until it got caught.
Overall, how big a deal are these holes? “It’s pretty catastrophic. When you put [several of these holes] together, things can be really bad,” Chowdhury said in a phone interview with Computerworld.
Interestingly, several initial reports from the study focused on the least worrisome flaw, one that allows attackers to manipulate Caller ID data to make it appear that they are calling from anywhere they choose. Although such a hole could help identity thieves more convincingly appear to be calling from, for example, the company’s bank, that capability has been readily available for more than a decade from various legal call-spoofing services. In short, the discovered hole isn’t delivering any capability to thieves that they haven’t fully had for many years.
Now let’s get a bit geekier. How is that battery-draining attack done? From the report: “The idea of this attack is to make the victim [phone] perform expensive cryptographic operations. One way to achieve this is to force the [phone] to keep carrying out the expensive attach procedure over and over again, by sending a paging message with the [international mobile subscriber identity] between two successive attach procedures. In case the adversary knows the [Globally Unique Temporary Identity] of the victim, it can send a paging message with GUTI which the [phone] responds with a cryptographically involved service request message.”
The trick here is that, according to Chowdhury, learning this information is relatively easy. “If you know someone’s cell number and if you’re in the same cell area,” he said — adding that a cell area is typically about a half-mile wide — “you can identify the TMSI number. Once the you know the TMSI, you can track somebody.” That works until the carrier changes the TMSI, which often happens when it drops from 4G to 3G, he said.
The report also detailed a panic attack technique. “In this attack, the adversary wants to inject fake emergency paging messages to a large number of [phones]. The adversary thus sends a paging message with empty records but with fake emergency warnings. To ensure that such a fake paging message reaches a large number of [phones], the adversary keeps broadcasting this message for all possible paging occasions of the legitimate eNodeB. This can create an artificial emergency, which can be exploited by malicious parties for hiding their agenda.”
Mobile is not so slowly taking over an ever-increasing share of all enterprise communications. IT and security rely on carriers to keep all communications secure as they leave a corporate-owned device and go to their destination devices. Just a reminder that such a reliance may not be warranted — at least not comfortably.