IMP4GT: IMPersonation Attacks in 4G NeTworks

Conference: BlackHat USA 2020

2020-08-06

Summary

The presentation discusses the uplink and downlink impersonation attack vectors in commercial networks and the need for mandatory integrity protection on the user plane to mitigate the problem.
  • Uplink and downlink impersonation attacks are real threats in commercial networks
  • Specialized hardware and a customized LTE stack are required for conducting these attacks outside of shielding boxes
  • Mandatory integrity protection on the user plane is necessary to mitigate the problem
  • LTE is not capable of performing mandatory integrity protection, but 5G supports it at full rate for all devices
  • Consequences of these attacks include privacy threats, overbilling, and wrongly blaming a victim in police investigations
  • Providers and law enforcement agencies rely on mutual authentication, which these attacks compromise
  • Users, especially industrial users, are at risk of having their devices accessed by attackers

The presenter performed an experiment in which they were able to access the server side of a victim's account without any interaction from the victim. They also uploaded a file to a server with the victim's IP address. This demonstrates the severity of the uplink impersonation attack.

Abstract

Long Term Evolution (LTE/4G) establishes mutual authentication with a provably secure AKA protocol on protocol layer three. But missing integrity protection of user traffic still allows an adversary to manipulate IP packets. In this talk, we present the IMP4GT attack (IMPersonation attacks in 4G neTworks), which allows an attacker to impersonate a user towards the network and vice versa. IMP4GT is a cross-layer attack against LTE/4G networks that exploits missing integrity protection on layer two and extends it with a reflection mechanism of the IP stack. We demonstrate the feasibility of two IMP4GT variants in a commercial network and thereby completely break the mutual authentication aim of LTE on the user plane in a real-world setting. Our work implies that providers can no longer rely on mutual authentication for billing, access control, and legal prosecution. Also, the current 5G specification does not mandate integrity protection, which makes it vulnerable to IMP4GT attacks.
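The abstract's core point is that encryption alone does not stop packet manipulation: a counter-mode (stream) cipher is malleable, so flipping ciphertext bits flips the corresponding plaintext bits, while an integrity tag over the ciphertext makes any such modification detectable. The following Python example is added here to illustrate that mitigation argument; it is not code from the talk or from the IMP4GT authors. It assumes a constructed toy packet layout (a 4-byte destination address followed by a payload), a SHA-256 counter construction standing in for LTE's user-plane cipher, and HMAC-SHA256 standing in for the user-plane integrity algorithm. The reflection mechanism the talk describes is not modelled; the example only shows why the unauthenticated case is malleable and how the integrity check rejects the altered packet.

```python
import hashlib
import hmac

# Toy stand-in for a counter-mode stream cipher (assumption, not LTE's real
# cipher): the keystream is a SHA-256 counter construction so the example
# runs with the standard library only. Counter-mode ciphers XOR a keystream
# onto the plaintext, which is what makes ciphertext bit flips translate
# directly into plaintext bit flips.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))

decrypt = encrypt  # XOR with the same keystream undoes the encryption

# Constructed toy packet layout: 4-byte destination address, then payload.
def build_packet(dst_ip: str, payload: bytes) -> bytes:
    return bytes(int(octet) for octet in dst_ip.split(".")) + payload

def parse_packet(packet: bytes):
    return ".".join(str(b) for b in packet[:4]), packet[4:]

# Malleability of confidentiality-only protection: if the destination field's
# plaintext is known, XORing the ciphertext with (known XOR new) rewrites it
# without knowing the key. This is the textbook property, not the talk's chain.
def rewrite_destination(ciphertext: bytes, known_dst: str, new_dst: str) -> bytes:
    delta = xor_bytes(build_packet(known_dst, b""), build_packet(new_dst, b""))
    return xor_bytes(ciphertext[:4], delta) + ciphertext[4:]

# Confidentiality plus integrity: a tag over nonce and ciphertext.
def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag

def unseal(enc_key: bytes, mac_key: bytes, nonce: bytes, sealed: bytes) -> bytes:
    ct, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: packet modified in transit")
    return decrypt(enc_key, nonce, ct)

def demo() -> dict:
    enc_key = b"constructed-enc-key"   # constructed sample keys
    mac_key = b"constructed-mac-key"
    nonce = b"\x00" * 8
    packet = build_packet("192.0.2.10", b"hello")  # documentation-range IP

    # Case 1: encryption only. The altered ciphertext decrypts cleanly to a
    # packet addressed elsewhere, with the payload intact.
    ct = encrypt(enc_key, nonce, packet)
    altered = rewrite_destination(ct, "192.0.2.10", "192.0.2.99")
    dst, payload = parse_packet(decrypt(enc_key, nonce, altered))

    # Case 2: encryption plus integrity tag. The same ciphertext change
    # invalidates the tag and the receiver drops the packet.
    sealed = seal(enc_key, mac_key, nonce, packet)
    altered_sealed = rewrite_destination(sealed, "192.0.2.10", "192.0.2.99")
    try:
        unseal(enc_key, mac_key, nonce, altered_sealed)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "unprotected_dst": dst,
        "unprotected_payload": payload,
        "protected_rejected": rejected,
        "untouched_accepted": unseal(enc_key, mac_key, nonce, sealed) == packet,
    }

if __name__ == "__main__":
    print(demo())
```

The receiver-side check in `unseal` is the whole mitigation: with a tag bound to the ciphertext, the receiver cannot be made to accept a rewritten address field, which is why the talk argues for mandatory user-plane integrity protection rather than encryption alone.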
