IMP4GT: IMPersonation Attacks in 4G NeTworks

Abstract

Long Term Evolution (LTE/4G) establishes mutualauthentication with a provably secure Authentication and KeyAgreement (AKA) protocol on layer three of the network stack.Permanent integrity protection of the control plane safeguardsthe traffic against manipulations. However, missing integrity pro-tection of the user plane still allows an adversary to manipulateand redirect IP packets, as recently demonstrated.

In this work, we introduce a novel cross-layer attack thatexploits the existing vulnerability on layer two and extends itwith an attack mechanism on layer three. More precisely, we takeadvantage of the default IP stack behavior of operating systemsand show that combining it with the layer-two vulnerability allowsan active attacker to impersonate a user towards the networkand vice versa; we name these attacksIMP4GT(IMPersonationattacks in 4G neTworks). In contrast to a simple redirectionattack as demonstrated in prior work, our attack dramaticallyextends the possible attack scenarios and thus emphasizes theneed for user-plane integrity protection in mobile communicationstandards. The results of our work imply that providers can nolonger rely on mutual authentication for billing, access control,and legal prosecution. On the other hand, users are exposedto any incoming IP connection as an adversary can bypassthe provider’s firewall. To demonstrate the practical impact ofour attack, we conduct twoIMP4GTattack variants in a live,commercial network, which—for the first time—completely breakthe mutual authentication aim of LTE on the user plane in a real-world setting.