Abusing protocols in LTE networks to knock mobile devices off networks

Pierluigi Paganini November 08, 2016

A group of researchers from Nokia Bell Labs and Aalto University in Finland demonstrated how to hack protocols used in LTE networks.

We have discussed several times the role of the SS7 signaling protocol in mobile communications and how its flaws can be exploited to track users.

When mobile users travel between countries, their mobile devices connect to the infrastructure of a local operator that communicates with their operator back home. The SS7 protocol makes roaming possible, but as explained it is also affected by many vulnerabilities that could be exploited for:

  • Location tracking.
  • Eavesdropping.
  • Fraud.
  • Denial of service (user and network).
  • Credential theft.
  • Data session hijacking.
  • Unblocking stolen phones.
  • SMS interception.
  • One-time password theft and account takeover for Telegram, Facebook, WhatsApp.

Diameter is considered the evolution of the SS7 protocol for modern Long-Term Evolution (LTE) networks. Compared with its predecessor it is more secure, isn’t it?

Not quite. Experts discovered that Diameter is also affected by security issues; one of them is the lack of mandatory implementation of the Internet Protocol Security (IPsec) protocol.

According to researchers from Nokia Bell Labs and Aalto University in Finland, this means that Diameter could be hacked with the same techniques that are effective against SS7.

The team of experts ran several tests to evaluate attacks against users connected to the LTE network. They simulated the attacks on a test network set up by an unnamed global mobile operator. In the tests, they launched a cyber attack against UK subscribers from Finland and discovered several methods of disrupting service to users.

The researchers were able to shut down users’ connections both temporarily and permanently, and they were also able to target entire regions.

The team presented the results of tests at the Black Hat Europe security conference in London.

In order to launch the attack against another operator’s systems or subscribers, the researchers need access to the private interconnection network (IPX). The experts demonstrated that there are several ways to access IPX; for example, a persistent attacker such as a government could compel a local operator to provide access.

Attackers could act as a virtual network operator and get access to the roaming network through an existing operator. They could also hack into one of the nodes run by an operator that is accessible from the internet. Let’s take a close look at LTE networks and their main components:

The nodes of LTE networks are called Mobility Management Entities (MMEs); they provide session management, subscriber authentication, roaming and handovers to other networks. The signal is spread through cell towers, while the home subscriber server (HSS) is the component that holds the master subscriber database.

Other essential components of LTE networks are the Diameter Edge Agents (DEAs), which work as gateways to the interconnection network via IPX providers.

In the attack scenario, the hacker needs the victim’s international mobile subscriber identity (IMSI), a piece of information that is quite easy to obtain by targeting the IPX network while masquerading as a Short Message Service Center (SMSC) that is trying to deliver a text message to the victim’s phone number.

This means that the victim’s phone number, aka the Mobile Station International Subscriber Directory Number (MSISDN), and the DEA of the victim’s operator are all that is needed to carry out the attack against a specific user.

The attacker sends a routing information request through the DEA to the operator’s HSS, which will respond with the subscriber’s IMSI as well as the identity of the MME the subscriber is connected to.

Great, now the attacker has the information needed to start the attack!

At this point, the attacker masquerading as a partner’s HSS sends a Cancel Location Request (CLR) message to the victim’s MME causing the disconnection of the specific subscriber.

The CLR messages are normally used inside the LTE network when subscribers switch from one MME to another because of a change in location.

The researchers also highlighted another possible way to exploit this mechanism: as an amplification factor for the request. They noticed that when the subscriber re-attaches, their device will send 20 different messages to the MME.

Imagine the attackers force the detachment of hundreds of subscribers at the same time: the MME will be flooded by ‘re-attach’ messages, causing a DoS in the large areas covered by Mobility Management Entities.

There is also a second DoS attack scenario in which the attackers can impersonate an HSS and send an Insert Subscriber Data Request (IDR) to the victim’s MME with a special value that means no service. This will permanently detach the mobile user from the network because their subscription will be changed in the MME’s records.

In this case, the only way to attach to the network again is to contact the mobile operator.
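Both scenarios rely on a CLR or IDR request reaching the MME from the interconnect with a forged HSS identity. The following is an added example, not code from the researchers or from the original article, of the kind of screening a DEA could apply to such requests; the home PLMN value, the sample messages and the rule that a home subscriber's HSS is never reached over IPX are assumptions made for the illustration.

```python
import struct

S6A_APP_ID = 16777251            # 3GPP S6a/S6d Diameter application id
CLR, IDR = 317, 319              # Cancel-Location / Insert-Subscriber-Data command codes
USER_NAME, ORIGIN_REALM = 1, 296 # AVP codes; User-Name carries the IMSI on S6a
HOME_PLMN = "00101"              # assumption: MCC+MNC of the operator running the check (test PLMN)

def avp(code, data):
    """Encode one AVP (M flag set, no Vendor-Id), padded to a 4-byte boundary."""
    length = 8 + len(data)
    return struct.pack("!IB", code, 0x40) + length.to_bytes(3, "big") + data + b"\0" * (-length % 4)

def sample(cmd, imsi, realm, flags=0x80):
    """Build a constructed S6a message holding only the two AVPs the screen reads."""
    body = avp(ORIGIN_REALM, realm.encode()) + avp(USER_NAME, imsi.encode())
    return (b"\x01" + (20 + len(body)).to_bytes(3, "big") + bytes([flags])
            + cmd.to_bytes(3, "big") + struct.pack("!III", S6A_APP_ID, 1, 1) + body)

def parse(msg):
    """Return (flags, command code, application id, {AVP code: data})."""
    end = int.from_bytes(msg[1:4], "big")
    if len(msg) < 20 or msg[0] != 1 or end > len(msg):
        raise ValueError("not a complete Diameter message")
    flags, cmd = msg[4], int.from_bytes(msg[5:8], "big")
    app_id, avps, off = struct.unpack("!I", msg[8:12])[0], {}, 20
    while off + 8 <= end:
        code, aflags = struct.unpack("!IB", msg[off:off + 5])
        length = int.from_bytes(msg[off + 5:off + 8], "big")
        if length < 8 or off + length > end:
            raise ValueError("malformed AVP")
        hdr = 12 if aflags & 0x80 else 8      # V flag adds a 4-byte Vendor-Id
        avps[code] = msg[off + hdr:off + length]
        off += length + (-length % 4)
    return flags, cmd, app_id, avps

def home_realm(imsi, mnc_len=2):
    """3GPP EPC realm for an IMSI; the MNC length (2 or 3 digits) is assumed known."""
    return f"epc.mnc{imsi[3:3 + mnc_len].zfill(3)}.mcc{imsi[:3]}.3gppnetwork.org"

def screen(msg):
    """Verdict for one message received from the interconnect (IPX) side."""
    flags, cmd, app_id, avps = parse(msg)
    if app_id != S6A_APP_ID or not flags & 0x80 or cmd not in (CLR, IDR):
        return "pass"                          # only HSS-to-MME requests are screened
    imsi = avps.get(USER_NAME, b"").decode("ascii", "replace")
    if imsi.startswith(HOME_PLMN):
        return "drop-home-imsi"                # our own HSS never talks to us over IPX
    if avps.get(ORIGIN_REALM, b"").decode("ascii", "replace").lower() != home_realm(imsi):
        return "drop-realm-mismatch"           # sender is not the subscriber's home network
    return "pass"
```

Origin-Realm is set by the sender, so this check only has value when the DEA also binds each interconnect peer to the realms it is allowed to claim.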

As you can see, LTE networks and Diameter are also vulnerable to hacking attacks; for this reason, the researchers highlighted the need for further security measures.

For further information, take a look at the slides (“Detach me not DoS attacks against 4G cellular users worldwide from your desk”) presented at Black Hat Europe 2016.

Pierluigi Paganini

(Security Affairs – LTE Network, Hacking)
