A group of academics from South Korea have identified 36 new vulnerabilities in the Long-Term Evolution (LTE) standard used by thousands of mobile networks and hundreds of millions of users across the world.
The vulnerabilities allow attackers to disrupt mobile base stations, block incoming calls to a device, disconnect users from a mobile network, send spoofed SMS messages, and eavesdrop and manipulate user data traffic.
They were discovered by a four-person research team from the Korea Advanced Institute of Science and Technology Constitution (KAIST), and documented in a research paper they intend to present at the IEEE Symposium on Security and Privacy in late May 2019.
Vulnerabilities found using fuzzing
The research team’s discoveries aren’t exactly new. Several academic groups have identified similar vulnerabilities in LTE over the past years on numerous occasions —July 2018, June 2018, March 2018, June 2017, July 2016, October 2015 (paper authored by another KAIST team).
These vulnerabilities have been the driving force behind efforts to create the new and improved 5G standard –which, unfortunately, isn’t that secure either, with some researchers already poking holes in it as well.
But what stands out from previous work is the sheer number of vulnerabilities the KAIST team discovered, and the way they did it.
The Korean researchers said they found 51 LTE vulnerabilities, of which 36 are new, and 15 have been first identified by other research groups in the past.
They discovered this sheer number of flaws by using a technique known as fuzzing –a code testing method that inputs a large quantity of random data into an application and analyzes the output for abnormalities, which, in turn, give developers a hint about the presence of possible bugs.
Fuzzing has been used for years, but mainly with desktop and server software, and very rarely for everything else.
KAIST built its own LTE fuzzer
According to the KAIST paper, seen by ZDNet prior to the IEEE presentation, researchers built a semi-automated testing tool named LTEFuzz, which they used to craft malicious connections to a mobile network, and then analyze the network’s response.
The resulting vulnerabilities, see image below or this Google Docs sheet, were located in both the design and implementation of the LTE standard among the different carriers and device vendors.
The KAIST team said it notified both the 3GPP (industry body behind LTE standard) and the GSMA (industry body that represents mobile operators), but also the corresponding baseband chipset vendors and network equipment vendors on whose hardware they performed the LTEFuzz tests.
Because the flaws reside in both the protocol itself and how some vendors have implemented LTE in their devices, researchers believe many other flaws still exist in the real world.
Furthermore, their fuzz testing procedures worked with LTE connections in their initial states, before any exchange of cryptographic keys, meaning more security flaws may be waiting to be discovered in future tests, which researchers said they plan to undertake.
Additional details can be found in the KAIST team’s paper, entitled “Touching the Untouchables: Dynamic Security Analysis of the LTE Control Plane.”