Every LTE call, text, can be intercepted, blacked out, hacker finds

Hacker Wanqiao Zhang of Chinese security house Qihoo 360 has blown holes in 4G LTE networks by detailing how to intercept and make calls, send text messages and even force phones offline. The still-live vulnerabilities were documented and discussed at the Ruxcon hacking confab in Melbourne, Australia, this weekend, including a …

  1. SeanC4S

    Before hacking there was Phreaking. https://en.wikipedia.org/wiki/Phreaking

  2. Destroy All Monsters Silver badge

    I'm near retirement age and what is this

    I'm starting to be not amused by the industry's shenanigans.

    Still can't into security after 20 years.

    Too many management mouths to feed and expensive super-conferences to attend??

    1. a_yank_lurker

      Re: I'm near retirement age and what is this

      The conferences seem to be useful because well done research is presented to the public. And some of the more interesting bits are widely reported. The problems are partly design related, implementation related, and user related. Combined with a tendency of beancounters to undervalue solid security it tends to get done in spasms.

      1. Roland6 Silver badge

        Re: I'm near retirement age and what is this

        The conferences seem to be useful because well done research is presented to the public.

        The conference is probably doubly useful as it is outside of the US, so experts can attend without worries about visas or getting detained ...

    2. Mage Silver badge

      Re: I'm near retirement age and what is this

      More like 30 years... of Mobile.

      The entire history of Internet.

      It seems designed in security is rare and working is rarer.

  3. Anonymous Coward

    IMSI catchers such as Stingray are already being widely used by police departments to eavesdrop and track location without a warrant. This system is so much worse.

    Given that potentially _anyone_ can now send texts and make calls on behalf of others without even requiring physical device access, SMS messages and call logs should no longer be admissible in court.

  4. Terry Cloth

    Warnings' effectiveness?

    "A warning message about security risks could suffice as a cheaper and less effective fix."
    How can a general warning help if the reroute happens in the background and the user never sees what's happening? Quit using a cellphone?

    Or are you suggesting that a warning be generated only when a reroute actually occurs? False positives much?

  5. Adam Foxton

    There is an upside!

    We can expect 4G coverage in the UK to increase to 100% at the behest of GCHQ within a few months :P

    1. Khaptain Silver badge

      Re: There is an upside!

      The GCHQ has already pwned the UK network so it won't really change anything for them !!

  6. Anonymous Coward

    If you want security, don't use cellular standards

    Make your call using Facetime or other VOIP applications that offer end to end encryption (not Skype, unfortunately Microsoft introduced a backdoor for law enforcement after they purchased it)

    There is so much not publicly known about how the cellular network functions within carrier networks that using SMS or cellular calling means you can't be assured of security. Heck, you can't be assured of security even with end to end encryption, as you can't guarantee your device or the other party's haven't been compromised, that there isn't a bug in the implementation, or that there aren't undisclosed attacks on the encryption being used. But with end to end you at least have a fighting chance.

    Using GSM/LTE or SMS you should assume anything you say has been recorded for posterity and act accordingly.

    1. Khaptain Silver badge

      Re: If you want security, don't use cellular standards

      The big problem is not knowing which encryption keys are being used...

      If there are only two keys being used and they are both created dynamically for the session, then we have a fighting chance, if however there is a third unknown key involved then the encryption becomes null and void...

    2. dave 93

      Re: If you want security, don't use cellular standards

      FaceTime was how Erdogan got his message out during the Turkish Coup attempt. Just sayin'

      1. Anonymous Coward

        Re: If you want security, don't use cellular standards

        Erdogan didn't use Facetime because he cared about spying on his message. In fact it was the opposite, he wanted people to see it. The rebels followed the standard coup playbook of controlling government communication networks and radio and TV stations, but apparently forgot at least one independent TV station. He was able to Facetime with one of the reporters there and they basically held a camera up to the phone's screen to allow him to speak to the people, and got them to rise up in the streets and prevent the coup.

        Any sort of video calling would have worked equally well, whether or not it was secure. Heck, he could have recorded himself on VHS if he had a way of getting the tape to the TV station.

  7. ulbdd

    Clarification on LTE call/SMS interception (not!)

    When they say the attack allows intercepting calls and SMS: this is only happening when the device is on 2G, not on LTE. It is still NOT possible to do the interception on LTE itself, so the attack switches the device to 2G, which is insecure.

    To give the history here: 2G has no mutual authentication. So a rogue 2G base station can do MITM and intercept calls and traffic. 2G as deployed often has weak crypto too (there's a fix, but not always deployed). So 2G has poor security, and tends not to be upgraded for cost reasons. But several operators are going to turn 2G off (or already have, in SK and Japan). Getting rid of 2G is the best solution here. But in Europe we'll have to be patient...

    About LTE now. The initial messages between a device (UE) and base station (eNB) are not encrypted. Pretty normal there, one needs to establish a context. The redirection the attack is using happens in this non-encrypted phase, so it can redirect the UE to a fake (no service) or 2G (MITM) base station. There's a trade-off here: for overload management, a fast redirection is better. For security, waiting until after authentication would be better (but would load the chosen cell). Pick your poison...

    In practice, with pure LTE, the redirection attack is a form of DoS. And anybody who knows radio knows that jamming is easy anyway. Instead of faking an eNB, just jam the channel and kill all LTE on the given frequency. So preferring load robustness in this context is a reasonable trade-off. It's just a poor fit with networks still using legacy 2G with crappy security, unfortunately.

    So let's get rid of 2G fast, please.
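As an added illustration (not from the comment above, nor any vendor or 3GPP code), this Python model shows the decision ulbdd describes: a release-with-redirect arriving in the pre-security phase, and how a device policy that disables 2G, or that refuses unprotected redirects, changes the outcome. The `Ue` class, its policy flags and the message fields are simplified assumptions, not a real protocol stack.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Rat(Enum):
    EUTRA = "LTE"
    UTRA = "3G"
    GERAN = "2G"   # no mutual authentication, so a rogue BTS can MITM

@dataclass
class RrcConnectionRelease:
    """Simplified release message with optional redirect target."""
    redirect_to: Optional[Rat] = None
    # True only if the message is sent after AS security was activated;
    # in the phase ulbdd describes it is False.
    integrity_protected: bool = False

@dataclass
class Ue:
    allowed_rats: frozenset = frozenset(Rat)     # stock device: all RATs on
    require_protected_redirect: bool = False      # hypothetical hardened policy
    rat: Rat = Rat.EUTRA
    log: list = field(default_factory=list)

    def handle_release(self, msg: RrcConnectionRelease) -> str:
        """Return 'idle', 'refused' or 'redirected:<RAT>'."""
        target = msg.redirect_to
        if target is None:
            return "idle"
        if target not in self.allowed_rats:
            self.log.append(f"ignored redirect to {target.value}: RAT disabled")
            return "refused"
        if self.require_protected_redirect and not msg.integrity_protected:
            self.log.append("ignored unprotected redirect (pre-security phase)")
            return "refused"
        self.rat = target
        return f"redirected:{target.value}"

    def exposed_to_mitm(self) -> bool:
        return self.rat is Rat.GERAN

# Constructed scenario: a redirect to 2G sent before security activation.
UNPROTECTED_2G_REDIRECT = RrcConnectionRelease(redirect_to=Rat.GERAN)

def scenario() -> dict:
    stock = Ue()
    no_2g = Ue(allowed_rats=frozenset({Rat.EUTRA, Rat.UTRA}))
    strict = Ue(require_protected_redirect=True)
    return {name: ue.handle_release(UNPROTECTED_2G_REDIRECT)
            for name, ue in (("stock", stock), ("no_2g", no_2g), ("strict", strict))}
```

The stock device lands on 2G; the other two stay on LTE, which is why ulbdd calls the pure-LTE case a DoS rather than an interception.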

    1. Paul Smith

      Re: Clarification on LTE call/SMS interception (not!)

      "So let's get rid of 2G fast, please." Why? It is simple, it is cheap and it works.

      Why not get rid of the idiotic thinking that says a phone (wireless or otherwise) can be used securely. Most people would agree that a phone is fine for telling people you are on the train when you don't give a damn about being overheard, but is probably not ideal when trying to explain the results of your nearest and dearest's STD exam.

    2. Daniel B.

      Re: Clarification on LTE call/SMS interception (not!)

      One of the features I really liked from the BlackBerry OS was that it had the ability to choose 2G/3G, 2G only or 3G only. Both Android and iOS lack this ability ... you either choose to limit yourself to 2G, 2G/3G or 2G/3G/4G. There's no way to disable the older protocols and thus you are susceptible to these kinds of attacks.

  8. oneeye

    Has Everyone Forgot SS7 Hacks ???

    The SS7 protocols have been a problem for just as long as this "NOT NEW" hacking of cell phones through vulnerabilities in radios. Here is one article about the hack of a Congressman's iPhone, but it is just as easy on Android or any other devices using wireless.

    http://www.digitaltrends.com/mobile/60-minutes-smartphone-hack-ss7-flaw/

    And another article: https://www.theguardian.com/technology/2016/apr/19/ss7-hack-explained-mobile-phone-vulnerability-snooping-texts-calls

    Quote: "A vulnerability means hackers can read texts, listen to calls and track mobile phone users. What are the implications and how can you protect yourself from snooping?"

    Plus, the multitude of Wi-Fi vulnerabilities makes ya want to just go out back and take a sledgehammer to your devices. You know, just like Hillary Clinton did to several of her devices.

    And our Governments have the nerve to complain that encryption or not having access to backdoors is holding them back??? WTF!!! Are they kidding me?

    1. Anonymous Coward

      Re: Has Everyone Forgot SS7 Hacks ???

      "Plus, the multitude of Wi-Fi vulnerabilities, makes ya want to just go out back and take a sledgehammer to your devices."

      Ah, so what was happening with the Note 7 was just an overly aggressive security system.

    2. Anonymous Coward

      Re: Has Everyone Forgot SS7 Hacks ???

      There's nothing you can do about those SS7 hackers, they don't involve the device at all but the telco networks, and the vulnerabilities aren't even vulnerabilities as they are built into the protocol by design.

      These will only get fixed if we get an SS8 to replace it. Maybe something is in the works, but given how much of this is proprietary it is unlikely we would even know if the replacement was secure or not. Hence my post above about not trusting cellular or SMS, and using VOIP or messaging software that provides end to end encryption if you are saying something you want a reasonable level of assurance is actually going to be private.

      1. silnarm

        Re: Has Everyone Forgot SS7 Hacks ???

        "There's nothing you can do about those SS7 hackers, they don't involve the device at all but the telco networks, and the vulnerabilities aren't even vulnerabilities as they are built into the protocol by design."

        There's plenty you can do: e.g. use VoIP, with end to end encryption.

        1. Anonymous Coward

          Re: Has Everyone Forgot SS7 Hacks ???

          Which I already said above. But what if you want to place a call to someone on a landline, or using a feature phone?

  9. jms222

    I thought LTE didn't do calls at the moment.

    1. Ilgaz

      It does

      It really seems huge in India. I know since they go crazy when the hardware supports it and the vendor didn't install the driver, etc. On Android forums, that is.

    2. Anonymous Coward

      LTE doesn't do calls in the same way as 2G/3G, since it uses the data network for calling instead of a separate channel. You need VoLTE, which newer devices support and carriers are starting to support in more and more areas.

      If your carrier's coverage map shows HD Voice (at least in the US; elsewhere it may have a different marketing-speak name) in your area, it will use VoLTE for calling between two supporting devices.

    3. Anonymous Coward

      Three definitely do voice calls on 4G. There's a pub near here that only has 4G coverage (the lower frequency seems to get into the building better) and calls work fine over it.
