IMP4GT: IMPersonation Attacks in 4G NeTworks

David Rupprecht, Katharina Kohls, Thorsten Holz, and Christina Pöpper

Ruhr-Universität Bochum & New York University Abu Dhabi

Introduction

In mobile networks, mutual authentication ensures that the smartphone and the network can verify their identities. In LTE , mutual authentication is established on the control plane with a provably secure authentication and key agreement protocol. However, missing integrity protection of the user plane still allows an adversary to manipulate and redirect IP packets .

The IMP4GT (IMPersonation Attacks in 4G NeTworks) (/ˈɪmˌpæk(t)/) attacks exploit the missing integrity protection, and extend it with an attack mechanism on layer three which allows an attacker to impersonate a user towards the network and vice versa. We conduct two IMP4GT variants in a LTE commercial network and demonstrate how this completely breaks the mutual authentication of the user plane LTE and early 5G networks.

In the following, we provide an overview of the IMP4GT attacks and their implications. Our work will appear at the NDSS Symposium 2020 and all details are available in a pre-print version of the paper .

IMP4GT Attacks

What does IMP4GT exploit?

The IMP4GT attacks exploit the missing integrity protection for user data, and a reflection mechanism of the IP stack mobile operating system. We can make use of the reflection mechanism to build an encryption and decryption oracle. Along with the lack of integrity protection, this allows to inject arbitrary packets and to decrypt packets (see paper for details).

Attack Variants

The impersonation can be conducted in uplink or in downlink direction:

With the uplink impersonation , the attacker impersonates a victim towards the network and can use arbitrary IP services (websites) with the identity of the victim. All traffic generated by the attacker is associated with the victim's IP address.
The downlink impersonation allows an attacker to establish a TCP/IP connection to the phone that bypasses any firewall mechanism of the LTE network. The attacker is not able to break any security mechanism above the IP layer.

Results

Preliminary Experiments

We conduct several experiments to verify the assumed behavior of Android and iOS. In particular, we test if an unreachable reflection and a ping reflection is triggered for IPv4 and IPv6. The results indicate that those reflections are triggered for IPv4 only for Android and for IPv6 for Android and iOS.

Vulnerable	iOS	Android
IPv4	no	yes
IPv6	yes	yes

Commercial Network

To demonstrate the practical feasibility of the IMP4GT attacks, we have implemented a full end-to-end version of the attack within a commercial network and commercial phone within our lab environment. For the LTE relay, we use the open source LTE Software Stack srsLTE by Software Radio System . A shielding box stabilizes the radio layer and prevents interferences with the real network. We provide traces for the interested parties, e.g., researchers or providers.

Demonstration in a Commercial Network

Uplink IMP4GT Attack

The aim of the uplink IMP4GT attack is to impersonate a victim towards the LTE network on the IP layer. Consequently, the attacker can use his/her identity for accessing websites or other kinds of IP-based services. In this example, we demonstrate how an attacker can access a service site that should only be accessible for the victim. The service site authenticates a user only based on his/her IP address (header enrichment). Eventually, we access the service site without user interaction and fully impersonate the victim against the network. Accessing the service site can be a stepping stone for further attacks. For example, an attacker can book data plans (fraud attacks), use the data volume, or retrieve personal information, e.g., phone number.

Downlink IMP4GT Attack

The aim of the downlink IMP4GT attack is to impersonate the network towards the phone on the IP layer. The attacker can send and receive arbitrary IP traffic to and from the phone, respectively. As a result, the attacker bypasses the provider's firewall. In this example, we demonstrate how an attacker built up a functional TCP connection to an App and, thus, avoids any firewall mechanism.

Am I affected?

Attack Probability

Probably not! The attacker needs to be highly skilled and in close proximity to the victim. Besides the specialized hardware and a customized implementation of the LTE protocol stack, conducting the attack outside a controlled lab environment and withouth a shielding box would also require more engineering effort. However, for single targets of high interest it might be worth to meet the constraints above

Consequences

The attacker can impersonate the victim or the network on the IP layer, which means that it is possible to send and receive IP packets with the stolen identity. However, the attacker cannot access your private mail account or messengers, place phone calls, or break the TLS encryption. We list the consequences for operators, law enforcement, and users as follows.

Operators

Operators rely on mutual authentication for billing or authorization, for example, certain service websites are only accessible with network-layer identifier. IMP4GT allows allows an adversary to use the victim's identity on such service sites if no additional authorization is required, e.g., to buy a data pass. In case you work for a provider and need more information, please contact the GSMA security group .

Law enforcement

With IMP4GT, an attacker can forge any traffic to the Internet, e.g., to use the identity of a victim for uploading critical material. In cases where law enforcement agencies request the identity of a user for a particular public IP address (lawful disclosure request), the activities of an IMP4GT influence the results of an investigation.

Users

Users must deal with the consequences of impersonations targeting operators, and impersonations that interfere with law enforcement. For example, the provider charges the user's bank account when additional packages are bought, or a law enforcement agency initiates an investigation based on the false assumption of mutual authentication. Besides these uplink attacks, the downlink impersonation can be a stepping stone for follow-up attacks that exploit vulnerabilities in network applications.

Is 5G also vulnerable?

The attack exploits missing integrity protection and the reflection mechanism of the operating system. Only the first attack vector is specific for mobile networks, the latter is defined by the operating system of a mobile phone. We discuss the vulnerability of 5G regarding its two deployment phases:

Non-standalone (NSA)

Non-standalone (NSA) with dual connectivity is the first phase, in which the phone connects via 4G for all control data, but uses 5G for user data. The 3GPP 5G Security working group stated: ``Although integrity protection for UP (user plane) data is supported in 5G networks, it will not be used in dual connectivity case''. Thus, the early 5G deployments is vulnerable to IMP4GT attacks.

Standalone (SA)

The second phase will be the standalone (SA) phase, in which the phone has a control connection to the 5G core network along with the 5G radio layer. Its current state is as follows: User-data integrity protection is optional with either a full rate or limited to 64 kbit/s. As 5G promises connections of up to 20Gbit/s , the attack vector remains exploitable in 5G [TS38.300, TS33.501]

We emphasize the need for a mandatory full-rate integrity protection for 5G.

Update: 5G release-16 mandates the phone to support full-rate integrity protection, but not to use it. Click here to read more about it!

Technical Paper

Our work will appear at the NDSS Symposium 2020 . A pre-print of the paper that contains all details is already available ( PDF file ).

Abstract

Long Term Evolution (LTE/4G) establishes mutual authentication with a provably secure AKA (Authentication and Key Agreement) protocol on layer three of the network stack. Permanent integrity protection of the control plane safeguards the traffic against manipulations. However, missing integrity protection of the user plane still allows an adversary to manipulate and redirect IP packets, as recently demonstrated.
In this work, we introduce a novel cross-layer attack that exploits the existing vulnerability on layer two and extends it with an attack mechanism on layer three. More precisely, we take advantage of the default IP stack behavior of operating systems and show that this combination allows an active attacker to impersonate a user towards the network and vice versa; we name these attacks IMP4GT (IMPersonation attacks in 4G neTworks). In contrast to a simple redirection attack as demonstrated in prior work, our attack dramatically extends the possible attack scenarios and thus emphasizes the need for user plane integrity protection in mobile communication standards. The results of our work imply that providers can no longer rely on mutual authentication for billing, access control, and legal prosecution. On the other side, users are exposed to any incoming IP connection as an adversary can bypass the provider's firewall. To demonstrate the practical impact of our attack, we conduct two IMP4GT attack variants in a commercial network, which---for the first time---completely break the mutual authentication aim of LTE on the user plane in a real-world setting.

Frequently Asked Questions

What does close proximity mean?

In our test setup, we conducted the attacks with minimal distance between the victim's phone and our LTE relay. This is not possible in a realistic scenario, where the attacker needs to deploy the LTE relay without revealing herself. We can assume that our attacks are comparable to so-called IMSI catchers / Stingrays that are successful in ranges of up to approximately 2km.

What is the difference to IMSI catchers ?

The technical characteristics of the attack are comparable to IMSI catchers , as in both cases the attacker simulates a malicious network towards the victim. Nevertheless, we find two general differences. First, the relay actively sends data to the mobile network and acts as a Man-in-the-Middle attacker that modifies packet contents. Second, classical IMSI-catching attacks try to identify and localize the victim. In the IMP4GT attack, the attacker impersonates a victim or network.

What is the difference to the aLTEr attack ?

The aLTEr attack aims to redirect a user to a malicious website, while the IMP4GT impersonates a victim towards the network or vice versa. Similar to the aLTEr attack, the IMP4GT exploits missing integrity protection of the user plane. The IMP4GT attack goes further and exploits additionally operating system's reflection mechanism to establish an encryption and decryption oracle that allows to inject arbitrary packets and access the payload of existing packets.

Did you responsibly disclose the attacks?

Yes, we have contacted the GSMA on 16.05.19 about the issues with the Coordinated Vulnerability Disclosure Programme . The GSMA informed the network providers and issued a liaison statement to inform the 3GPP specification body. The 3GPP ran group evaluated possible actions for LTE and the upcoming 5G specification and composed a statement regarding the attacks.

Is this attack specific to a particular network vendor?

No, the attack builds upon a specification flaw which means that all network vendors are equally vulnerable.

Press Coverage

Mobile Networks Vulnerable to IMP4GT Impersonation Attacks [1]
IMPersonation Attacks in 4G neTworks - IMP4GT [2]
IMP4GT: IMPersonation Attacks in 4G NeTworks [3]
IMP4GT - A New IMPersonation Attacks in 4G NeTworks Let Hackers To Inject Arbitrary Packets & Break LTE Network Security ; [4]