IMSI catcher for 4G/LTE networks are very expensive devices that allow tracking phone locations. Now a group of researchers has found a way to track devices using the latest LTE standard for mobile networks, but with a very cheap process and a hardware expense of just $1,400.
They equipment designed by the researchers runs freely available open-source software to cause all LTE-compliant phones to leak their location to within a 32- to 64-foot (about 10 to 20 meters) radius and in some cases their GPS coordinates.
The researchers have elaborated a number of attacks that causes phones to lose connections to LTE networks, then the device downgrade to the less secure 2G and 3G mobile specifications.
The 2G, or GSM, protocols are notoriously vulnerable to man-in-the-middle attacks, IMSI catcher act as a bogus station in the classic attack scenario. The 2G networks are also vulnerable to attacks that could allow to discover the location of a mobile device within about 0.6 square miles.
3G networks are not immune, and now users are aware of a similar problem for LTE networks. The experts explained that the LTE protocol attempts to conceal the user location by assigning it a dynamic TMSI rather than any other permanent identifier.
“The LTE access network security protocols promise several layers of protection techniques to prevent tracking of subscribers and ensure availability of network services at all times. We have shown that the vulnerabilities we discovered in LTE access network security protocols lead to new privacy and availability threats to LTE subscribers.” wrote the researchers in the paper titled ‘Practical attacks against privacy and availability in 4G/LTE mobile communication systems.’ “We demonstrated that our attacks can be mounted using open source LTE software stack and readily available hardware at low cost. We tested several handsets with LTE support of major baseband vendors and demonstrated that all of them are vulnerable to our attacks”.
The attacks against the 2G networks rely on invisible text messages or imperceptibly brief calls that allow the attackers to discover the location of the mobile phone.
The experts also discovered that paging requests could also be triggered by social messaging apps (i.e. Facebook and WhatsApp), in this way the attacker can link the receiver’s Facebook profile to the TMSI and in this way locate the phone.
“But messages from people who are not in the friend list may be directed to the ‘Other’ folder. Further, the user is not notified upon the reception of the message into the ‘Other’ folder. In fact, the user himself has to manually check ‘Other’ folder to even notice that there are waiting messages.” states the paper. “When an LTE subscriber has the Facebook application installed on his LTE device, all incoming Facebook messages, including those that end up in the ‘Other’ folder, trigger a paging request by the network. Other Facebook features, such as repeated friend requests or poking (depending on the user’s profile settings) also trigger paging requests”
The researchers defined the technique as “semi-passive” because it relies on passive monitoring of network traffic instead run MITM attacks on the target by using a bogus base station (eNodeB or evolved NodeB).
The experts have built the eNodeB node using a computer-controlled radio known as a Universal Software Radio Peripheral that ran an open-source implementation of the LTE specification dubbed OpenLTE. The cost of the hardware is about €1,250 (about $1,400), well below the tens of thousands of dollars of a “IMSI catcher.”
The researchers also detailed the attacks against 4G (LTE) access network protocols in this blog post.
The researchers will present findings of their study at the upcoming conferences, including the Blackhat Security conference in Amsterdam, the T2 Security conference 2015, and the Internet Society NDSS conference.
(Security Affairs – IMSI catcher, LTE)