4G LTE protocols used by smartphones can be hacked, researchers found (cyberscoop.com)
124 points by darkden on Nov 9, 2016 | 25 comments


This is really not much of a story, despite the exciting headline.

The claim is that IPSec core networks can be subjected to a denial of service, and that this will result in a DoS for the users. That's correct but not very interesting.

The researchers then go on to note that a DoS on 4G specifically can put users into a vulnerable position by shoving them over onto 2G networks, which are very vulnerable. But at the end of the day it's still only a DoS on LTE-- what you've switched to after that is not LTE's problem.

That's not to say LTE isn't vulnerable, of course. Breaking data plane crypto at the ENB means that limited physical penetrations convert them into very effective surveillance tools. And the data plane crypto isn't great (lacks integrity protection). I've suspected in the cold quiet of my heart that some operators run EIA0 in production. Etc.

So, yay for DoS, but I wish people would use the word "hacked" a bit more clearly, or drop it altogether.


> people would use the word "hacked" a bit more clearly

It gets more clicks though nowadays. Bad password discipline? It's a hack!

> shoving them over onto 2G networks

Wonder why Android doesn't have a setting to lock on LTE/4G as it does for 3G, maybe in the future when LTE is more widespread.


You can force an Android device to only use LTE, but it's generally hidden from users[1] because it can have side effects some users won't understand. Problem with using LTE only is networks that haven't rolled out VoLTE yet--you won't be able to send/receive phone calls until enabling 3G once again and if you happen to be in an area without LTE, you won't have a connection.

[1] Depending on the device it can be accessed by typing *#*#4636#*#* on the phone dial pad, or I have an app (https://github.com/yareally/SignalInfo) that allows access to it as a secondary feature. Most devices nowadays also require root to access it, disable access from the dial pad, and some Samsung and LG devices still bar access even with root if you still run stock firmware.


Could be that by default LTE is only a data carrier.

Until you can be reasonably sure that there is VoLTE support everywhere, restricting the phone to LTE service means you lose out on call capability. And that is likely to be a big no-no for emergency reasons. After all, a phone without a SIM can still call the national emergency numbers around the world.


> After all, a phone without a SIM can still call the national emergency numbers around the world

This is actually not true in every country.


I can't imagine it would be hard to connect to other networks only in the case of emergency dialing.


That's a great point and probably the reason, thanks.


FWIW, the LG G5 and Phoenix from the AT&T Portfolio both have a 2G disablement switch. You should see this in more and more AT&T android devices.

https://twitter.com/PatrickMcCanna/status/728679257568727040


I'd like at least a switch to completely disable 2G (on iPhone as well). In Australia, the last 2G networks will all have shut down by the end of next year. So even now, unless your phone only supports 2G there's absolutely no reason to use it (the 2G is thoroughly redundant at this point so you should never need to drop down to it).


Surely there is outcry at the shutting down of 2G due to the number of senior citizens with their mobile phone from 1995, and all those industrial users of "GSM" communications for automation and alerting?

I thought technologies were in place to allow 2G to share spectrum with newer standards, so the 2G network could remain as a legacy-only network forever?


I remember this being worked on some time ago, but don't recall what happened to it. Might be a switch buried somewhere.


Downgrade attacks are actually very serious. The issue here being not with 4G/LTE in general, but with the strategy of downgrading to insecure networks after failing to connect with a secure one. It's like browsers falling back to insecure ciphers in HTTPS after failing to negotiate secure ones - a serious problem for the system as a whole.


I agree that a true downgrade attack would be a very serious vulnerability in 4G, particularly one like I alluded to that could take the RRC down to EIA0-- but that isn't what's being discussed here, and calling it a vulnerability in LTE is inappropriate, just as calling HTTP fallback in browsers a vulnerability in HTTPS would be inappropriate. The vulnerability, to the extent it exists at all, is on the client, in this case mobile devices and in your example the browser.
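As an added illustration (not code from the thread or from the researchers), the two conditions raised above, a null integrity algorithm (EIA0) being selected in production and a device falling back from LTE to 2G shortly after losing LTE service, can both be picked out of a device-side capture with a small audit routine. The event format and the sample capture below are constructed for the example; only the algorithm identifiers EIA0/EEA0 are real 3GPP names.

```python
# Added example: audit a chronologically ordered list of modem security events
# (constructed format) for null-integrity selection and quick LTE -> 2G/3G fall-back.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class RadioEvent:
    t: float               # seconds since capture start (constructed)
    rat: str               # "LTE", "UMTS" (3G) or "GSM" (2G)
    eia: Optional[str]     # integrity algorithm reported for LTE, "EIA0".."EIA3"
    eea: Optional[str]     # ciphering algorithm reported for LTE, "EEA0".."EEA3"

NULL_INTEGRITY = "EIA0"    # 3GPP null integrity algorithm: no message authentication
NULL_CIPHER = "EEA0"       # 3GPP null ciphering algorithm: plaintext on the air

def audit(events: List[RadioEvent], downgrade_window: float = 60.0) -> List[Tuple[float, str]]:
    """Return (time, finding) pairs for weak security selections and fast downgrades."""
    findings = []
    last_lte_seen = None
    for ev in events:
        if ev.rat == "LTE":
            last_lte_seen = ev.t
            if ev.eia == NULL_INTEGRITY:
                findings.append((ev.t, "null integrity (EIA0) selected on LTE"))
            if ev.eea == NULL_CIPHER:
                findings.append((ev.t, "null ciphering (EEA0) selected on LTE"))
        elif last_lte_seen is not None and ev.t - last_lte_seen <= downgrade_window:
            # Attached to a legacy RAT shortly after LTE was in use: the fall-back
            # behaviour the thread describes, whether caused by a DoS or coverage.
            findings.append((ev.t, f"downgrade from LTE to {ev.rat} within {downgrade_window:.0f}s"))
            last_lte_seen = None   # report each LTE loss once
    return findings

# Constructed sample capture (not real device output)
SAMPLE = [
    RadioEvent(0.0, "LTE", "EIA2", "EEA2"),    # normal: AES-based integrity and ciphering
    RadioEvent(30.0, "LTE", "EIA0", "EEA2"),   # null integrity selected: flagged
    RadioEvent(45.0, "GSM", None, None),       # on 2G 15 s after LTE: flagged
    RadioEvent(900.0, "GSM", None, None),      # still on 2G much later: not re-flagged
]

if __name__ == "__main__":
    for t, msg in audit(SAMPLE):
        print(f"t={t:6.1f}s  {msg}")
```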


HTTP fallback is a vulnerability in websites. It can be solved by using HSTS, or partially solved with secure cookies and redirecting to https.

If a browser disobeys these principles and uses HTTP anyway, that's a serious vulnerability. Same if a phone downgrades to insecure stuff.


It's my perception that smart phones and their surrounding software, hardware, and protocols are very very hackable outside of the basic kernel and app-level systems.

The baseband cpu is out of your control, the encryption is legendarily bad, the protocols are MITM'able, the kernel is subject to patches from your cell phone company...


Nearly all phones use a baseband from Qualcomm. It has rather poor security. I'm sure if you looked hard enough you could find a remotely accessible one.


> SS7 was in the news earlier this year after a 60 Minutes exposé led to calls for a congressional investigation and a FCC review.

It was? Why didn't I hear about this? I don't remember this coming up on HN. It is interesting that the mainstream media would take an interest in that, considering SS7 security was a relatively obscure subject until recently in the tech community.

>> In his letter to FCC Chairman Tom Wheeler, Lieu said the flawed SS7 system provides an open door for foreign hackers who want to intercept the private communications of U.S. government officials. https://www.wirelessweek.com/news/2016/08/congressman-urges-...

I don't think there has been enough research into the risks of these mobile networks. Not just from external attack but exploitation by domestic nation states to deploy malware onto people's phones, mass location tracking, social network modeling, etc.

The amount of power these ubiquitous towers provide any nation state with a modern security service and a penchant for secrecy is definitely underrated. Forget all of those quotes from the US founding fathers about gun ownership as a necessary affront to tyranny; controlling the communications networks makes any type of internal non-political rebellion against the state a long lost idea.


There has been plenty of research into mobile networks by people who have the resources to acquire the necessary test gear and documentation, aka nation states and intelligence services.

It's just that they have decided they would rather keep us all insecure than lose the ability to deploy their little spy toolkits on journalists and such.

Cool talk from Nohl where they deploy a location tracker over the air to the SIM card:

https://media.ccc.de/v/30C3_-_5449_-_en_-_saal_1_-_201312271...

If I remember correctly, that wasn't even a bug, but a feature mixed with insecure configuration.


The actual research presentation is here (by Nokia Bell Labs researchers Silke Holtmanns, Bhanu Kotte and Siddharth Rao):

[pdf]: https://www.blackhat.com/docs/eu-16/materials/eu-16-Holtmann...


Denial of service attacks against networks where devices need to be authorized to connect? A little bit of an overreaching headline.


They don't need to be authorized to attempt to connect, or to spam the channel with unrelated frames.


It is fascinating how complex 4G networks are, compared to SS7 powered networks. It's like a Boeing 747 compared to WW2 warplanes. Obviously, you have more vulnerabilities on the larger attack surface.


The complexity is more on the IMS side. Everything else in 4G is a bit simpler. Fewer and less arcane protocols, a bit fewer nodes.


Of course it's a proof of concept.


They mention a good countermeasure is to install lots of firewalls, I agree with that. Oh, BTW, Nokia happens to have them available for purchase... I don't want to seem too cynical here but... sounds a little like maybe the idea is to generate some buzz for their FW product?

