Researcher shows method to redirect and eavesdrop on 4G traffic

Chinese researcher Wanqiao Zhang of the security company Qihoo 360 has demonstrated a method that allows her to redirect and eavesdrop on 4G traffic. The attack works by transferring a target to an insecure network.

The researcher presented the attack at the Ruxcon security conference in Melbourne, The Register writes. The method works on both fdd networks and networks that use tdd. The first type is mainly in use in the Benelux. The method makes use of the fact that 4G networks can switch to less secure techniques, for example in the event of overload. In this way it is possible, for example, to connect a user to a 2G network. An attacker in control of the network can then intercept conversations and data traffic. It is also possible to have a target connect to a fake network, so that this person cannot use services.

The method works by establishing the target’s network identity with an imsi catcher. After that, the attacker, who has a fake network using a femtocell, can send various denial-of-service messages to the victim. This could put the attacker, for example, in a man-in-the-middle position, making conversations and data eavesdropping. The researcher was able to create his own network using the OpenLTE project.

In her presentation, Wanqiao Zhang states that such an attack is not new and that it was already described in 2006 by the 3GPP. At the time, this was accepted as a risk, according to The Register. According to the researcher, the attack can be warded off by ignoring the diversion signals from base stations and automatically searching for alternative networks. In addition, it is possible to show users a warning when they connect to a less secure network. A 3GPP working group made proposals in May to prevent a network from switching to weaker encryption.