Top

Widespread Security Vulnerabilities in Cellular Networks

Cellular networks are vulnerable to various threats targeting both radio and core elements. The most prevalent security issues are discussed by researcher Dr. Ing. Altaf Shaik, who is currently conducting research in the area of 5G radio access and core network security. 

Dr. -Ing. Altaf Shaik is a researcher at the Technical University of Berlin and a known speaker and trainer in many top tier conferences. Currently, he’s working as a senior researcher at the Technical University of Berlin in Germany, conducting research in telecommunications, especially, 4G and 5G radio access and core network security. This also includes security issues in IoT related devices and automotive sector as well. He combines a professional background in programming, wireless communications and offensive and defensive network security.

The research Shaik conducts at the TU Berlin is related to the contemporary mobile networks and devices that are used on day-to-day basis and therefore have an impact on the real world. Thus, it is necessary to communicate his research to the industry, scientific community and also to the general public. Moreover the research Shaik conducts is highly practically-oriented rather than mere theoretical claims which makes it very interesting and clearly understand the security implications and mitigate them.

Shaik has presented at various security conferences such as Blackhat USA & Europe, Troopers, T2, Nullcon, Hardware.io and HITB Singapore & Dubai and many others over the last Five years. The talks have addressed various security issues in 4G and 5G networks. Precisely, they exposed various design and implementation vulnerabilities in the networks that compromise user’s privacy and service availability.

Dr. -Ing. Altaf Shaik

Protocol design of the baseband inside mobile phones

Cellular networks are vulnerable to various threats targeting both radio and core elements, says Shaik. “For instance, the IMSI catcher is a special kind of cellular equipment, whose main goal is tracking and identifying the cellular phones mainly by collecting permanent identities (IMSI, IMEI) from the phones. They impersonate legitimate networks and mimic the characteristics of real base stations. As a thumb rule, they transmit with a higher power than surrounding base station to attract the phones. They operate using distinct administrative area identification deviating from any nearby cells to trigger the update procedure from the phone and steal their identities. Sophisticated and highly capable IMSI catchers can also perform a Man-in-the-Middle attack to intercept the cellular traffic including voice calls and data”.

Shaik explains that the fundamental issue lies in the protocol design of the baseband: “unlike the traditional Internet world where the server authenticity is verified by the client before actually exchanging any information; mobile phones do not behave in the same fashion. A set of protocols can be exchanged between the baseband/mobile device and the network, prior to authenticating the base station (or the core network). These protocols are essential for providing better network availability and performance to the mobile devices. Importantly, they may contain private information such as user’s precise location.

Along these lines, several design vulnerabilities in the cellular network protocols allowed IMSI catchers to successfully operate in 4G networks as expose in the research conducted by Dr. Shaik. Besides, the cellular networks and devices are black boxes that do not receive much scrutiny thereby it is possible to find numerous software flaws and backdoors that are exploited by hackers today. Although the amount of information leak over 5G network is significantly reduced compared to its predecessors; thanks to the security enhancements made to the last releases of 4G specification and the 5G networks as well”.

2G/3G network availability

Another issue relating to the success of the notorious IMSI catchers is that the availability of 2G/3G networks and being operational across several countries. Typically, IMSI catchers that fail to obtain sufficient data will aim to downgrade the mobile device to a 2G network where obtaining information and performing an attack has higher chances of success.

Shaik and his colleagues have exposed several security issues in the 4G LTE protocol design and implementation over the last years. These vulnerabilities are present in the real world operational devices and networks and have been communicated to both the standards body and the operators alliance GSMA. Shaik adds: “the exposed research highlights security issues that affect the subscriber privacy and also the denial-of-service of the network.  All of the reported issues have been fixed in the specifications and also several basebands and networks are updated their software”.

Learn more about Shaik’s research:

https://www.ndss-symposium.org/wp-content/uploads/2017/09/practical-attacks-against-privacy-availability-4g-lte-mobile-communication-systems.pdf

https://dl.acm.org/doi/10.1145/3317549.3319728

https://dl.acm.org/doi/10.1145/3212480.3212497

https://dl.acm.org/doi/10.1145/2994459.2994465

https://eprint.iacr.org/2018/1175.pdf