There have been lots of reasons to be concerned about how easily someone with the right tools and knowledge could do very bad things with cellular communications networks. And while none of them has necessarily risen to the level of some of the fictional stunts pulled off on television (see Mr. Robot), new research shows that things are even worse than they appear—and in many cases, that’s because of how carriers have implemented cellular standards.
As ZDNet’s Zack Whittaker reports, researchers at Purdue University and the University of Iowa conducting tests of 4G LTE networks have uncovered 10 new types of attacks. They made this discovery as part of their evaluation of a proof-of-concept 4G LTE penetration testing toolset, called LTEInspector. Combined with nine previously known attack methods that Syed Hussain, Omar Chowdhury, Shagufta Mehnaz, and Elisa Bertino also identified as still being usable against many carrier networks, the collection of exploits could be used to track device owners, eavesdrop on texts and other sensitive data, and even pose as them on cellular networks and spoof location and other data. An attacker could even spoof warning messages like those used by government agencies and weather services—such as the false missile warning sent out by a Hawaii government employee.
The security of 4G LTE networks is largely based on obscurity—many of the implementations are proprietary “black boxes,” as the Purdue and Iowa researchers put it, which makes performing true security evaluations difficult. And because of the large range of sub-components that must be configured, along with the need to be able to handle devices configured primarily for another carrier, there is a lot of slush in LTE implementations and not a lot of transparency about network security. Recent IEEE-published research found that implementations of the “control plane” for various LTE networks varied widely—problems found on one network didn’t occur on others.