Researchers find 36 new security flaws in the LTE protocol


South Korean researchers apply fuzzing techniques to the LTE protocol and identify 51 vulnerabilities, 36 of which are new.

A group of South Korean academics has identified 36 new vulnerabilities in the LTE standard, which is used by tens of thousands of mobile networks and hundreds of millions of users worldwide.

The vulnerabilities allow attackers to disrupt mobile base stations; block incoming calls; disconnect users from a mobile network; send spoofed SMS messages; and eavesdrop. They were discovered and documented in a research paper to be presented at the IEEE Symposium on Security and Privacy at the end of May 2019 by a team of four from the Korea Advanced Institute of Science and Technology (KAIST).

The research team's discoveries are not exactly new. Similar vulnerabilities in LTE have been identified by several academic groups on a number of occasions over the past years: July 2018, June 2018, June 2017, July 2016 and October 2015 (the last a paper by another KAIST team).

These vulnerabilities were the driving force behind efforts to create the new and improved 5G standard, which unfortunately is not safe either, with some researchers already poking holes in it. What sets this work apart from the previous research is the number of vulnerabilities the KAIST team discovered and how they found them.

The Korean researchers identified 51 LTE vulnerabilities, 36 of them new and 15 first identified by other research groups in the past, using a technique called "fuzzing": a code-testing procedure that feeds large amounts of random or malformed data into an application and analyzes the output for abnormalities. Fuzzing has been used for years, but mostly with desktop and server software, and very rarely for anything else.

The researchers developed a semi-automated testing tool called LTEFuzz, which they used to establish malicious connections to a mobile network and then analyze the network's response, according to the KAIST paper released ahead of the IEEE presentation. The vulnerabilities were found in both the design and the implementation of the LTE standard, across various carriers and device vendors; see the image below or this Google Docs sheet.

The KAIST team said it notified the 3GPP, the industry body behind the LTE standards, the GSMA, and the vendors of the baseband chipsets and network equipment on whose hardware the LTEFuzz tests had been performed. Since the flaws lie both in the protocol itself and in how certain vendors implement LTE, the researchers believe many more flaws exist in the real world.

In addition, their fuzz-testing procedure only exercised the initial state of LTE connections, before any cryptographic key exchange, meaning that more security flaws may await discovery in future tests, which the researchers say they plan to undertake. Additional details can be found in the KAIST team's paper, entitled "Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane."
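As an added illustration (not the KAIST team's LTEFuzz code), the toy model below shows the shape of the pre-key-exchange control-plane fuzzing the article describes: random unprotected messages are fed to a handler, and the "response oracle" flags the abnormality of a state-changing message being accepted before any security context exists. The message layout, type numbers and handler names are constructed for the example and are not real 3GPP values.

```python
"""Toy model of pre-authentication control-plane fuzzing (added example).

Constructed message layout (not a real 3GPP format):
  byte 0   : message type
  byte 1   : security header (0 = plain, 1 = integrity protected)
  bytes 2+ : payload
"""
import random

# Constructed message types, not real 3GPP identifiers.
MSG_ATTACH_REQUEST = 0x41     # legitimately sent before keys exist
MSG_DETACH_REQUEST = 0x45     # changes state; must be integrity protected
MSG_IDENTITY_RESPONSE = 0x56  # reveals identity; must be integrity protected

PLAIN, PROTECTED = 0, 1
SETUP_ONLY = {MSG_ATTACH_REQUEST}   # the only type allowed unprotected


def handle_flawed(msg: bytes, has_security_context: bool) -> str:
    """Flawed handler: accepts any well-formed message, ignoring whether a
    security context exists or whether the message is protected."""
    if len(msg) < 2:
        return "reject:malformed"
    return "accept"


def handle_hardened(msg: bytes, has_security_context: bool) -> str:
    """Hardened handler: only connection-setup messages may arrive unprotected
    before key exchange; everything else needs a verifiable security header."""
    if len(msg) < 2:
        return "reject:malformed"
    mtype, sec = msg[0], msg[1]
    if mtype in SETUP_ONLY and not has_security_context:
        return "accept"
    if not has_security_context or sec != PROTECTED:
        return "reject:unprotected"
    return "accept"


def fuzz(handler, iterations: int = 2000, seed: int = 1) -> list:
    """Send random plain messages with no security context established and
    record every state-changing message the handler accepts (the abnormality)."""
    rng = random.Random(seed)
    findings = []
    for _ in range(iterations):
        mtype = rng.choice([MSG_DETACH_REQUEST, MSG_IDENTITY_RESPONSE,
                            MSG_ATTACH_REQUEST, rng.randrange(256)])
        payload = bytes(rng.randrange(256) for _ in range(rng.randrange(8)))
        msg = bytes([mtype, PLAIN]) + payload
        if mtype not in SETUP_ONLY and handler(msg, False) == "accept":
            findings.append(msg)
    return findings
```

Running `fuzz(handle_flawed)` returns a list of accepted unprotected messages, while `fuzz(handle_hardened)` returns an empty list, which is the pass/fail distinction a response oracle in this style of testing provides.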

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.