Australia Cellphones Communications Networking Privacy Security

A New Attack Allows Intercepting Or Blocking Of Every LTE Phone Call And Text

All LTE networks and devices are vulnerable to a new attack demonstrated at the Ruxcon security conference in Melbourne. mask.of.sanity shared this article from The Register: It exploits LTE fall-back mechanisms designed to ensure continuity of phone services in the event of emergency situations that trigger base station overloads... The attacks work through a series of messages sent between malicious base stations spun up by attackers and targeted phones. It results in attackers gaining a man-in-the-middle position from where they can listen to calls or read SMS, or force phones back to 2G GSM networks where only voice and basic data services are available...

[Researcher Wanqiao] Zhang says the attacks are possible because LTE networks allow users to be handed over to underused base stations in the event of natural disasters to ensure connectivity. "You can create a denial of service attack against cellphones by forcing phones into fake networks with no services," Zhang told the conference. "You can make malicious calls and SMS and...eavesdrop on all voice and data traffic."

  • by Anonymous Coward

    We need END-to-END security. Now.

    • We have the means, we even have the standards (IPSec and DNSSEC, for starters) it's just 99% of people in the field have no idea how to use them, DNS providers have been slow to address the latter, and operating systems have been reluctant to turn them on by default.

      • DNSSEC is underused because its root certificate is only 1024-bit RSA. At least that's why DANE support in Chrome is turned off.

      • by Junta ( 36770 )

        One, doing IPSec and DNSSEC does not unambiguously mean 'ok, things are secure now'. In principle, they can be helpful.

        IPSec is a big mess that in practice is redundant with using TLS.

        • Why is it a big mess? It just means another encapsulation layer that gets decapsulated at the destination point
          • by Junta ( 36770 )

            The key infrastructure as such is not suited for meaningfully secure communication. Opportunistic encryption is trivially overcome by a man in the middle.

  • by Anonymous Coward

    So often it seems that falling back to an older, less secure system or protocol is a method to circumvent newer, safer technologies (POODLE springs to mind as an example)...

    Shouldn't there be an accepted practice of NOT being backwards compatible with a system that's known to be insecure? Cuz like, what's the point otherwise? At the very least, perhaps new systems like TLS, or systems that rely on older hash functions, could have a scheduled phase-out of backwards compatibility built right into the spec.

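A small model of the idea in the comment above, added here as an illustration and not part of the original thread: a version negotiation in which old versions carry a scheduled sunset date after which neither side offers them, and in which a client that retries at a lower version after a failed handshake (the POODLE pattern the comment mentions) marks the retry as a fallback, so a server that still supports something higher refuses it. The version names, dates and the negotiation shape are constructed for the example; the fallback check is modelled on the TLS_FALLBACK_SCSV mechanism rather than implementing it.

```python
from datetime import date

# Version preference order and a sunset date per version (constructed sample policy).
# None means the version has no scheduled phase-out yet.
ORDER = ["v1", "v2", "v3"]
SUNSET = {"v1": date(2016, 1, 1), "v2": date(2020, 1, 1), "v3": None}


def offerable(supported, today):
    """Versions a party is still allowed to offer on 'today', in ascending order."""
    return [v for v in ORDER
            if v in supported and (SUNSET[v] is None or today < SUNSET[v])]


def negotiate(client_supported, server_supported, today, fallback=False):
    """Server-side choice of protocol version.

    client_supported: versions the client offers in this handshake attempt.
    fallback: True when the client is retrying after a failed attempt at a
    higher version (e.g. because an active attacker broke that handshake).
    Returns the agreed version, or None when the handshake must be refused.
    """
    server_ok = offerable(server_supported, today)
    client_ok = offerable(client_supported, today)
    common = [v for v in ORDER if v in server_ok and v in client_ok]
    if not common:
        return None  # nothing both sides may still use: no insecure fallback
    chosen = common[-1]
    # Fallback check: if the server could have done better than what the
    # client is now offering, the retry looks like a forced downgrade.
    if fallback and ORDER.index(server_ok[-1]) > ORDER.index(chosen):
        return None
    return chosen


def scenarios():
    """Four constructed handshakes; returns a dict of outcomes."""
    full = {"v1", "v2", "v3"}
    today = date(2017, 6, 1)
    return {
        # v1 is already sunset in 2017, so the best common version is v3.
        "normal": negotiate(full, full, today),
        # Attacker breaks the v3 attempt; client retries with v1/v2 and the
        # fallback flag set. Server still supports v3, so it refuses.
        "downgrade_attempt": negotiate({"v1", "v2"}, full, today, fallback=True),
        # Server genuinely only speaks v2: the same retry is legitimate.
        "legit_fallback": negotiate({"v1", "v2"}, {"v1", "v2"}, today, fallback=True),
        # After v2's sunset date, a client that only has v1/v2 gets nothing.
        "after_sunset": negotiate({"v1", "v2"}, full, date(2021, 1, 1)),
    }
```

The two refusal paths are deliberately different: `downgrade_attempt` is refused because of the fallback signal, while `after_sunset` is refused because the scheduled phase-out has removed every common version from the offerable set, which is the "built into the spec" behaviour the comment asks for.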

  • by chromaexcursion ( 2047080 ) on Sunday October 23, 2016 @11:48PM (#53136955)
    Just because it's possible doesn't mean it can be done.
    This attack breaks multiple laws and regulations.
    As noted in another post, the equipment to do this is expensive.
    It's not a targeted attack. There's no way to pin an individual; they might just get lucky and get through on the real cell.

    Just alarmist ranting, for now.
    • by Anonymous Coward

      Just alarmist ranting, for now.

      All of which was said about Stingray devices in an attempt to mollify people. How did that work out?

    • Just because it's possible, doesn't mean it can be done.

      The Stingray devices already exist. Now here's a better blueprint to help amateurs build their own.

      People were apparently fine with this security flaw when only a few proprietary hardware vendors were known to be exploiting it. Now, hopefully it can be taken seriously.

    • "Just because it's possible, doesn't mean it can be done."

      Actually, that is exactly what "possible" means.

  • by Anonymous Coward on Sunday October 23, 2016 @11:49PM (#53136961)

    So T-Mobile customers shouldn't notice any interruption in service.

  • by Anonymous Coward

    I'm pretty sure I saw this exact same presentation at DEFCON a few months ago.

    • I'm pretty sure I saw this exact same presentation at DEFCON a few months ago.

      It's not like they hacked in to it, it was a gimme.

      FTA "The 3GPP telco body that oversees LTE standards has known about the security shortcomings since at least 2006 when it issued a document describing Zhang’s forced handover attack, and accepts it as a risk. "

  • Open Whisper Systems (Score:2, Informative)

    by Anonymous Coward

    This is why using Signal is critically important.

  • by Anonymous Coward

    This is not new - it was at Defcon in August.

  • by Dracos ( 107777 ) on Monday October 24, 2016 @12:10AM (#53137013)

    Isn't this pretty much what a Stingray does? Or does Stingray use weaknesses deliberately built into the networks?

    • by SumDog ( 466607 )

      We have no idea. There's very little data at all on how the Stingray actually works. That's one of the big issues with it.

    • Not really. The stingray, using law enforcement protocol, takes over for the cell.
      Turning on a stingray requires active cooperation with the cell provider. So, there is no back door there.
      • Turning on a stingray requires active cooperation with the cell provider. So, there is no back door there.


        • What he said!

          At one time (design time of LTE network protocols) conceiving of a "rogue" base station was unthinkable... Tens of thousands just to start. Now, SDR allows almost any kind of radio transmitter for next to nothing and the unthinkable becomes thinkable.

          As the good Dr Oppenheimer had to say, "Now I am become Death, the destroyer of worlds."

          Thanks "disruptive" technologists... Another instance of "just because you can doesn't mean you should"

      • Not even remotely true. A stingray device simply emulates a base station and overpowers it. It does not require any cooperation with any cell provider.

        That said it is a different form of attack.

    • by Anonymous Coward

      Stingray uses the simple fact that, at least in GSM and 3G networks, the handset needs to authenticate itself to the network (to make sure that everything is properly paid for), but there is absolutely no authentication mechanism for the network, i.e. the cellphone cannot verify that it's actually talking to the real network. In addition to that, at least with GSM, the network can request that data is transmitted in clear text without even the weak encryption, e.g. for countries where encryption is/was illega
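A toy model of the authentication asymmetry described in the comment above, added as an illustration and not taken from the thread or from any 3GPP specification. In the one-way scheme (GSM-style) the handset answers whatever challenge it receives, so a base station that does not know the subscriber key is never rejected by the handset; in the mutual scheme (modelled loosely on 3GPP AKA, where the network sends RAND plus an AUTN token carrying a sequence number and a MAC keyed with the subscriber key) the handset checks the token before it answers, and also refuses a replayed challenge. The keys, the truncated-HMAC stand-in for the real algorithms (A3/A8, MILENAGE) and the message layout are all constructed assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed sample keys. The genuine network shares SUBSCRIBER_KEY with the
# handset; the rogue base station has to make do without it.
SUBSCRIBER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
ROGUE_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def tag(key, *parts):
    """Truncated HMAC standing in for the keyed MAC/response functions (simplified)."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:8]


class Handset:
    def __init__(self, key):
        self.key = key
        self.sqn = 0  # highest sequence number accepted so far

    def gsm_respond(self, rand):
        # One-way scheme: the handset proves itself, but has nothing to check.
        # Any sender of a RAND gets a response, genuine or not.
        return tag(self.key, rand)

    def aka_respond(self, rand, autn):
        # Mutual scheme: AUTN = SQN || MAC(K, RAND || SQN). Verify before answering.
        sqn_bytes, mac_tag = autn[:6], autn[6:]
        if not hmac.compare_digest(tag(self.key, rand, sqn_bytes), mac_tag):
            return None  # sender could not prove knowledge of K: reject
        sqn = int.from_bytes(sqn_bytes, "big")
        if sqn <= self.sqn:
            return None  # challenge already seen: replay, reject
        self.sqn = sqn
        return tag(self.key, rand)


class BaseStation:
    def __init__(self, key):
        self.key = key
        self.sqn = 0

    def gsm_challenge(self):
        return os.urandom(16)

    def aka_challenge(self):
        self.sqn += 1
        rand = os.urandom(16)
        sqn_bytes = self.sqn.to_bytes(6, "big")
        return rand, sqn_bytes + tag(self.key, rand, sqn_bytes)


def gsm_handset_accepts(handset, station):
    """True if the handset answers the station at all (it always does)."""
    return handset.gsm_respond(station.gsm_challenge()) is not None


def aka_handset_accepts(handset, station):
    """True only if the station's AUTN verifies under the handset's key."""
    rand, autn = station.aka_challenge()
    return handset.aka_respond(rand, autn) is not None


def demo():
    """Run both schemes against a genuine and a rogue station; return outcomes."""
    genuine = BaseStation(SUBSCRIBER_KEY)
    rogue = BaseStation(ROGUE_KEY)
    results = {
        "gsm_genuine": gsm_handset_accepts(Handset(SUBSCRIBER_KEY), genuine),
        "gsm_rogue": gsm_handset_accepts(Handset(SUBSCRIBER_KEY), rogue),
    }
    ue = Handset(SUBSCRIBER_KEY)
    results["aka_genuine"] = aka_handset_accepts(ue, genuine)
    results["aka_rogue"] = aka_handset_accepts(ue, rogue)
    # Replay: present a previously accepted genuine challenge a second time.
    rand, autn = genuine.aka_challenge()
    ue.aka_respond(rand, autn)
    results["aka_replay"] = ue.aka_respond(rand, autn) is not None
    return results
```

The point the model makes is the one in the comment: the `gsm_rogue` case succeeds not because the rogue station breaks anything, but because the handset is never given anything to verify. Whether an attacker can then also request unencrypted traffic, as the comment goes on to describe, is a separate cipher-negotiation question that this model does not cover.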

  • I'd guess this is how the stingray cell phone snooping devices have been working all along.

    Now, at least we understand the technical means by how they work.

  • GSM was full of holes and worthless and now its direct descendant LTE has similar holes. WHAT A SURPRISE.

    And of course the industry rubbed their hands about the GSM issues and they will do so again about LTE. Everyone has spent too much money on this shit to go back now and fix it.

    Apple had some major issues with their early iPhone security because they were of course GSM-only for a long time and any competitor who wanted to listen in on test calls or record everything only needed to setup a GSM eavesdrop

  • This isn't something that can eavesdrop on LTE calls, it just forces the phone off of LTE back onto older more insecure air interfaces. But it does make sense now why no phone I've ever owned allows me to force LTE-only mode (without resorting to rooting, jailbreaking, or other hacking), they need to make sure the TLAs can backdoor us onto their stingrays at any given moment.
