10/9/2017

New 4G, 5G Network Flaw 'Worrisome'

Weaknesses in the voice and data convergence technology can be exploited to allow cybercriminals to launch DoS attacks and hijack mobile data.

4G and 5G wireless networks' Evolved Packet Core (EPC) architecture can be exploited to intercept and collect mobile data as well as launch denial-of-service (DoS) attacks, according to new research. 

Positive Technologies recently discovered a key flaw in how EPC uses the GTPv2 protocol: the interfaces that EPC components use to exchange information with one another run over GTPv2, which has no built-in data encryption mechanism.

The findings represent the latest in a string of vulnerabilities discovered in 4G networks. Researchers have spotted flaws that can be exploited to make IMSI-catchers more adept at snooping, as well as to allow the Diameter protocol to play a role in launching DoS attacks on 4G and 5G devices.

EPC converges voice and data on the network, a step up from processing voice and data separately. But EPC also has shortcomings, says Dmitry Kurbatov, head of Positive Technologies' telecommunications security department.

When a user is on a 4G network with his or her mobile phone, the EPC nodes use a number of protocols, including the General Packet Radio Service (GPRS) Tunneling Protocol (GTP). GTP is a group of IP-based communications protocols that carry GPRS traffic within mobile networks. It allows mobile users to remain connected to the Internet when traveling or moving about, Kurbatov explains.

However, DoS attackers who brute-force Tunnel Endpoint Identifiers (TEIDs) can disconnect a number of users at once, because multiple phone connections run through the same GTP tunnel, he adds.
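From the operator's side, a TEID brute-force attempt leaves a distinctive trace on the GTP-C interface: one source sending signaling messages against many different TEIDs, most of which are rejected because no context exists for them. The detector below is an added example, not code from Positive Technologies or from the article; it runs over a constructed log excerpt in an assumed key=value format (timestamp, src, msg, teid, cause) and flags any source that hits a threshold of distinct rejected TEIDs within a sliding time window. A legitimate node producing the occasional stale-context error stays below the threshold.

```python
"""Flag TEID brute-force behaviour on a GTP-C interface from log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log; the line format is an assumption for this example,
# not a real operator's log layout. 10.0.0.5 is a well-behaved peer that sees
# one stale context now and then; 198.51.100.7 walks through sequential TEIDs.
SAMPLE_LOG = """\
2017-10-09T12:00:00 src=10.0.0.5 msg=ModifyBearerRequest teid=0x00001a2b cause=RequestAccepted
2017-10-09T12:00:01 src=198.51.100.7 msg=DeleteSessionRequest teid=0x00000001 cause=ContextNotFound
2017-10-09T12:00:02 src=10.0.0.5 msg=DeleteSessionRequest teid=0x00001a2c cause=ContextNotFound
2017-10-09T12:00:02 src=198.51.100.7 msg=DeleteSessionRequest teid=0x00000002 cause=ContextNotFound
2017-10-09T12:00:03 src=198.51.100.7 msg=DeleteSessionRequest teid=0x00000003 cause=ContextNotFound
2017-10-09T12:00:04 src=198.51.100.7 msg=DeleteSessionRequest teid=0x00000004 cause=ContextNotFound
2017-10-09T12:00:05 src=198.51.100.7 msg=DeleteSessionRequest teid=0x00000005 cause=ContextNotFound
2017-10-09T12:00:06 src=198.51.100.7 msg=DeleteSessionRequest teid=0x00000006 cause=ContextNotFound
2017-10-09T12:05:00 src=10.0.0.5 msg=DeleteSessionRequest teid=0x00001a2d cause=ContextNotFound
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) msg=(?P<msg>\S+) "
    r"teid=(?P<teid>0x[0-9a-fA-F]+) cause=(?P<cause>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["teid"] = int(rec["teid"], 16)
    return rec


def detect_teid_bruteforce(lines, window_seconds=10, threshold=5):
    """Return {src: details} for sources that accumulate `threshold` or more
    distinct rejected TEIDs (cause=ContextNotFound) inside a sliding window."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, teid) rejections
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["cause"] != "ContextNotFound":
            continue
        q = recent[rec["src"]]
        q.append((rec["ts"], rec["teid"]))
        # Drop rejections that fell out of the window.
        while (rec["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = {teid for _, teid in q}
        if len(distinct) >= threshold:
            alert = alerts.setdefault(rec["src"], {"first_seen": q[0][0], "distinct_teids": 0})
            alert["distinct_teids"] = max(alert["distinct_teids"], len(distinct))
            alert["last_seen"] = rec["ts"]
    return alerts


def run_sample():
    """Run the detector over the constructed log and return the alerts."""
    return detect_teid_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for src, details in run_sample().items():
        print(f"{src}: {details['distinct_teids']} distinct rejected TEIDs "
              f"between {details['first_seen']} and {details['last_seen']}")
```

The threshold and window are tuning knobs: on a busy interface you would set them from a baseline of the normal ContextNotFound rate per peer, and you would run the same logic only over sources that are not expected EPC peers at all, since an unknown source speaking GTP-C to a core node is itself the finding the article is warning about.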

"The potential risks are large enough to be worrisome," says Silke Holtmanns, a security expert at Nokia Bell Labs, who has conducted research on the 4G Diameter protocol.

Attackers looking to exploit these types of vulnerabilities in 4G networks do not need hard-to-obtain tools or considerable skill, says Kurbatov.

"Before 4G LTE, voice-call interception required that attackers have special equipment and in-depth knowledge of all the specific protocols used for voice calls," explains Kurbatov. "But since 4G networks are built on the principle of an all-IP network, the attacker can use all currently available hacking tools, which are largely automated and do not require a deep understanding of the nature of the attack."

Other risks include EPC nodes found exposed on the Internet that then can be hacked and, of course, there is always the potential of an insider gaining access to the infrastructure to launch attacks, says Pavel Novikov, head of Positive Technologies' research group for telecom security.

Security researchers like Andrew Blaich at Lookout say 4G and 5G attackers are likely to be groups with an interest in conducting surveillance on others, such as nation-states, or cybercriminals seeking to commit bank fraud and other crimes.

Risks to Smart Cities, Businesses, and Users

The 4G and 5G EPC attack scenarios largely fall into three categories: interception of data, such as text messages and unencrypted email messages; collection of data, such as the location of the device; and disruption of services, such as DoS attacks.

"Just like with any DoS attack, IoT devices used in the infrastructure of smart cities can be almost permanently disconnected from the network, which means cities lose control over their operation," says Kurbatov.

Enterprises should assume that when they send something over a 4G or 5G network, it has the potential to be intercepted, says Blaich. As a result, organizations should safeguard their apps, devices, and services with their own security layer, rather than relying on the security of the network.

He also advises enterprises to use apps and services that have the latest version of TLS, or HTTPS, to ensure data cannot be easily decrypted when connected to a website. He adds that man-in-the-middle security technology should be deployed to catch improperly signed certificates that pretend to vouch for bogus services.

"These protections need to be enabled at the device and app layer as well as checks back on the services and server side to ensure proper end-to-end protection for sensitive data," Blaich advises.

For users, the risk on a 4G or 5G network is similar to other mobile networks as well as on Wi-Fi, warns Blaich. Users need to use apps that transmit data securely using secure transport channels and protocols, rather than relying on SMS/MMS for sensitive information, he adds.
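Blaich's advice amounts to not trusting the transport: the app must verify the server's certificate, check the hostname, and refuse old TLS versions regardless of what the carrier network does in between. The snippet below is an added example, not code from Lookout or from the article, using Python's standard `ssl` module. It builds a hardened client context, builds the kind of weakened context that appears when certificate errors are "fixed" by disabling checks, and audits either one so the weak settings can be caught in code review or a test suite.

```python
"""Hardened vs. weakened TLS client context, with an audit function (added example)."""
import ssl


def hardened_client_context():
    """Context an app should use: CA-verified chain, hostname check, TLS 1.2+."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1 explicitly
    return ctx


def weak_client_context():
    """Context that accepts any certificate, e.g. from a bogus service on the path.
    This is the shape of the anti-pattern, kept here only so the audit has something to catch."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the context meets the baseline."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are accepted")
    return findings


def open_verified_connection(hostname, port=443):
    """Wrap a socket with the hardened context; fails closed on a bad certificate.
    Network access is needed to actually use this, so it is not exercised in the test."""
    import socket
    ctx = hardened_client_context()
    sock = socket.create_connection((hostname, port))
    return ctx.wrap_socket(sock, server_hostname=hostname)


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()), ("weak", weak_client_context())):
        print(name, audit_context(ctx) or ["ok"])
```

The audit deliberately inspects the context object rather than making a connection, so it can run in CI against every place the code base constructs an `SSLContext`. The server side needs the mirror-image checks that Blaich mentions (current TLS, valid chain, no legacy ciphers) for the protection to be end to end.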

Positive Technologies has not contacted mobile operators regarding its findings in its report, but instead has contacted industry trade groups, such as Groupe Speciale Mobile Association (GSMA), to notify them of its research and potential ways to address the architecture security issues, says Kurbatov. Ultimately, he notes, the responsibility mainly falls on mobile operators to resolve the issue.

Holtmanns holds a similar view. "There are huge differences between operators. Not all networks are equal," she warns, adding that some operators will push security improvements through, while others do not.



Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ...
