Exploitation of a vulnerability in the mobile communication standard LTE, researchers from Ruhr-Universität Bochum can introduce themselves as mobile phone users. Therefore, they can book fee-based services in their name, which are paid for through a mobile phone bill – for example, a subscription to streaming services.
David Rupprecht and Dr. Katarina Koles of the Department of System Security have developed attacks to exploit security vulnerabilities in the LTE standard for mobile phones
“The attacker can book services, such as streaming, but the owner of the attacked phone will have to pay for them,” said Professor Thorsten Holz of Horst Hertz Institute for IT Security, who discovered the vulnerability along with David Rupprecht, Dr. Katarina Koles and Professor Christina Popper.
According to the researcher, the vulnerability could also affect law enforcement investigations, because attackers can not only make purchases in the name of the victim, but also have access to websites using the victim’s identity.
For example, an attacker could upload secret company documents and network operators or law enforcement would look as if the victim was the perpetrator.
Almost all mobile phones and tablets are at risk
The vulnerability affects all devices that communicate with LTE, ie. practically all mobile phones, tablets and some connected household appliances. Only a change in hardware design would mitigate the threat.
The team is trying to bridge the security gap in the latest standard for mobile communication 5Gwhich is currently rolled. “From a technical point of view, this is possible,” explains David Rupprecht.
“However, mobile network operators will have to accept higher costs, as additional protection generates more data during transmission. In addition, all mobile phones will need to be replaced and the base station expanded. This is something that will not happen in the near future. “
The attacker must be nearby
The problem is the lack of integrity protection: data packets are transmitted encrypted between the mobile phone and the base station, which protects the data from eavesdropping. However, it is possible to modify the exchanged data packets.
“We don’t know what’s in the data package, but we can trigger errors by changing bits from 0 to 1 or from 1 to 0,” explains David Rupprecht. By provoking such errors in encrypted data packets, researchers can make a cell phone and base station decrypt or encrypt messages.
Not only can they convert encrypted data traffic between a mobile phone and the base station into plain text, they can also send commands to a mobile phone, which are then encrypted and forwarded to the provider – such as a subscription purchase command.
Researchers use so-called software-defined radios for attacks. These devices allow them to transmit communication between the mobile phone and the base station. In this way, they mislead the mobile phone into assuming that the software-defined radio is the good-quality base station; for the real network, on the other hand, software-defined radio seems to be a mobile phone.
For a successful attack, the attacker must be close to the victim’s mobile phone.