For $1400, A Hacker Can Access Any LTE Device

Dror Liwer Blog

Aside from being capable of streaming high-bandwidth content such as videos and music to mobile devices, LTE networks are also popular because they are largely considered to be unhackable. But what will device owners think if they realize LTE networks aren’t impenetrable?

Researchers recently showed that LTE networks are indeed hackable – and they can be hacked with some very inexpensive equipment at that.


The Unthinkable Happened

Using equipment that cost only around $1400, researchers were able to hack an LTE network by using the radio layer to force the device into giving away its location, thus allowing them to access apps held on the device.

Before this breach, LTE networks were pretty much thought to be unbreakable because of the way they concealed a device’s location. They did this by assigning the device a temporary mobile subscriber identity (TMSI); the network then talked to this TMSI instead of to the device, which made the device harder to locate. But the new study shows it is still possible to obtain the location with minimum effort, which means that not even LTE is safe anymore.

If this isn’t enough, users should also worry about the nature of the hack itself. Because the premise of the 4G/LTE network is based on the communication of data over IP addresses, all phones connected to these networks are vulnerable to attack. Using an open protocol allows commjackers to access passwords, location data, network addresses and cryptographic keys. With no protection between the cellular network provider and your phone, the path for commjacking becomes widely accessible.

Commjackers accomplish this with fairly inexpensive technology, typically paying around $1,400 to set up their own base station – called an eNodeB. By using the Universal Software Radio Peripheral, the eNodeB impersonates a real base station, letting commjackers run troubleshooting programs that will cause a device to send a lot of supposedly protected information and give them access to the data.

As technology advances, we like to think that security evolves with it. And of course it does. However, commjackers’ skills and the technologies they use also evolve. Recently, a host of networks that have been considered unbreakable have, in fact, turned out to be very breakable.

With LTE networks so exposed to man-in-the-middle attacks, cellular providers should take on the duty of providing IPSec VPN to protect user data and enhance authentication. And many do, but is this enough?

According to Daksha Bhasker, associate director for governance at Bell Canada, “Consideration and implementation of these security enhancing measures are discretionary to the many LTE stakeholders including mobile network operators (MNOs). Speed to market, tight budgets, profit targets, concerns with network performance, business models, network interoperability, regional regulations and business priorities lead to further inconsistencies in security implementation amongst MNOs.”


Protecting LTE Networks

VPNs, SSL, and now LTE – nothing is fully safe. Even on these “unhackable” technologies, your data is susceptible to commjackers.

In order to safeguard against vulnerabilities, there are ways you can protect a device on a 4G LTE network. Since this specific kind of attack occurs by using the radio level, the only real way to prevent it is to patch the systems on all devices.

That is why using a security platform such as CoroNet is vital. It monitors for malicious networks and then stops them from connecting. Unlike other systems, CoroNet protects on the radio level, which is the only real way to protect against threats of this nature. It does this by setting up 375 traps on layers 1 through 3 in order to identify and circumvent malicious cell or WiFi access points, making devices resilient to commjackers without degrading the user experience in any way.