IMPersonation Attacks in 4G NeTworks (IMP4GT): How bad missing integrity protection can be
In this talk, we present the novel IMP4GT attack (IMPersonation attacks in 4G neTworks), which allows an active attacker to impersonate a user towards the network and vice versa. IMP4GT is a cross-layer attack against LTE/4G networks that exploits missing integrity protection on layer two and extends it with a reflection mechanism of the IP stack. We demonstrate the feasibility of two IMP4GT variants in a commercial network and thereby completely break the mutual authentication aim of LTE on the user plane in a real-world setting. Our work implies that providers can no longer rely on mutual authentication for billing, access control, and legal prosecution.
Long Term Evolution (LTE/4G) establishes mutual authentication with a provably secure AKA protocol on layer three of the network stack. Permanent integrity protection of the control plane safeguards that traffic against manipulation. However, the aLTEr attack recently demonstrated that the missing integrity protection of the user plane still allows an adversary to manipulate and redirect IP packets: user plane data is encrypted with a counter-mode cipher but carries no integrity tag, so flipping a bit in the ciphertext flips the same bit in the plaintext the network or the phone decrypts.
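The following is an added illustration of that layer-two malleability and is not code from the IMP4GT or aLTEr authors. It builds a constructed IPv4/UDP packet, "encrypts" it with a counter-mode keystream (a SHA-256-based stand-in for LTE's AES-CTR, EEA2; the argument is identical because in both cases ciphertext = plaintext XOR keystream), and lets an attacker who knows only the original destination address and its offset rewrite the destination to another address without the key. The session key, addresses, IP identification and payload are all constructed values, and the HMAC tag stands in for the EIA2 integrity check that the LTE user plane does not apply.

```python
# Added illustration, not the IMP4GT/aLTEr authors' code.
# Encrypted-but-unauthenticated user plane: ciphertext = plaintext XOR keystream,
# so an attacker can XOR a known difference into the ciphertext and the receiver
# decrypts the attacker's plaintext. The keystream here is a SHA-256 stand-in for
# AES-CTR (EEA2); the integrity tag is an HMAC stand-in for AES-CMAC (EIA2).
import hashlib
import hmac
import struct

KEY = b"\x00" * 16          # constructed session key (assumption, never needed by the attacker)
ORIG_DST = "10.0.0.53"      # constructed: the provider's DNS resolver
FAKE_DST = "10.1.0.52"      # constructed: attacker resolver, chosen so that its two 16-bit
                            # halves sum (one's complement) to the same value as ORIG_DST,
                            # which keeps the IPv4 header checksum valid after the edit


def keystream(key: bytes, count: int, length: int) -> bytes:
    """Counter-mode keystream stand-in: block i = SHA256(key || count || i)."""
    out = b""
    i = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">II", count, i)).digest()
        i += 1
    return out[:length]


def ctr_encrypt(key: bytes, count: int, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, count, len(plaintext))))


ctr_decrypt = ctr_encrypt  # XOR with the same keystream is its own inverse


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over 16-bit words; 0 means the header verifies."""
    s = sum(struct.unpack(">%dH" % (len(header) // 2), header))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_ipv4_header(src: str, dst: str, payload_len: int, ident: int = 0x1234) -> bytes:
    """Minimal 20-byte IPv4 header (protocol 17 = UDP) with a valid checksum.
    The identification field is a value the attacker does not know."""
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0x4000,
                      64, 17, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return hdr[:10] + struct.pack(">H", ipv4_checksum(hdr)) + hdr[12:]


def redirect_ciphertext(ct: bytes, orig_dst: str, new_dst: str) -> bytes:
    """Attacker-side edit: XOR (old address XOR new address) into ciphertext bytes 16..19,
    the destination address field of the IPv4 header. No key, no other plaintext needed."""
    delta = bytes(a ^ b for a, b in zip(ip_to_bytes(orig_dst), ip_to_bytes(new_dst)))
    return ct[:16] + bytes(c ^ d for c, d in zip(ct[16:20], delta)) + ct[20:]


def integrity_tag(key: bytes, count: int, data: bytes) -> bytes:
    """Stand-in for an EIA2 MAC-I: keyed tag over count || data, truncated to 32 bits."""
    return hmac.new(key, struct.pack(">I", count) + data, hashlib.sha256).digest()[:4]


def demo() -> dict:
    payload = b"dns-query"  # constructed payload
    packet = build_ipv4_header("10.42.0.7", ORIG_DST, len(payload)) + payload
    count = 7  # PDCP-style packet counter, public
    ct = ctr_encrypt(KEY, count, packet)
    tag = integrity_tag(KEY, count, packet)  # only computed if integrity protection were on

    ct2 = redirect_ciphertext(ct, ORIG_DST, FAKE_DST)  # attacker, no key
    pt2 = ctr_decrypt(KEY, count, ct2)                 # what the receiver sees

    return {
        "decrypted_dst": ".".join(str(b) for b in pt2[16:20]),
        "checksum_valid": ipv4_checksum(pt2[:20]) == 0,
        "tag_ok": hmac.compare_digest(integrity_tag(KEY, count, pt2), tag),
    }


if __name__ == "__main__":
    print(demo())
```

The receiver decrypts a packet addressed to 10.1.0.52 with a valid header checksum, because the substitute address was picked so the checksum does not change; that choice is the example's own trick for keeping the header well-formed without knowing the other header fields, not a description of the published attack. Only the integrity tag, which the LTE user plane omits, flags the modification.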
We present a novel cross-layer attack that exploits the existing vulnerability on layer two and extends it with an attack mechanism on layer three. More precisely, we take advantage of the default IP stack behavior of operating systems and show that this combination allows an active attacker to impersonate a user towards the network and vice versa; we name these attacks IMP4GT (IMPersonation attacks in 4G neTworks). Our attack dramatically extends the possible attack scenarios and thus emphasizes the need for user plane integrity protection in mobile communication standards. The results of our work imply that providers can no longer rely on mutual authentication for billing, access control, and legal prosecution. At the same time, users are exposed to any incoming IP connection, as an adversary can bypass the provider's firewall. To demonstrate the practical impact of our attack, we conduct two IMP4GT attack variants in a commercial network, which, for the first time, completely break the mutual authentication aim of LTE on the user plane in a real-world setting.