• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

U.S. CISA adds MRLG, PHPMailer, Rails Ruby on Rails, and Synacor Zimbra Collaboration Suite flaws to its Known Exploited Vulnerabilities catalog

 | 

IT Worker arrested for selling access in $100M PIX cyber heist

 | 

New Batavia spyware targets Russian industrial enterprises

 | 

Taiwan flags security risks in popular Chinese apps after official probe

 | 

U.S. CISA adds Google Chromium V8 flaw to its Known Exploited Vulnerabilities catalog

 | 

Hunters International ransomware gang shuts down and offers free decryption keys to all victims

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 52

 | 

Security Affairs newsletter Round 531 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

North Korea-linked threat actors spread macOS NimDoor malware via fake Zoom updates

 | 

Critical Sudo bugs expose major Linux distros to local Root exploits

 | 

Google fined $314M for misusing idle Android users' data

 | 

A flaw in Catwatchful spyware exposed logins of +62,000 users

 | 

China-linked group Houken hit French organizations using zero-days

 | 

Cybercriminals Target Brazil: 248,725 Exposed in CIEE One Data Breach

 | 

Europol shuts down Archetyp Market, longest-running dark web drug marketplace

 | 

Kelly Benefits data breach has impacted 550,000 people, and the situation continues to worsen as the investigation progresses

 | 

Cisco removed the backdoor account from its Unified Communications Manager

 | 

U.S. Sanctions Russia's Aeza Group for aiding crooks with bulletproof hosting

 | 

Qantas confirms customer data breach amid Scattered Spider attacks

 | 

CVE-2025-6554 is the fourth Chrome zero-day patched by Google in 2025

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Hacking
  • Mobile
  • Abusing protocols in LTE networks to knock mobile devices off networks

Abusing protocols in LTE networks to knock mobile devices off networks

Pierluigi Paganini November 08, 2016

A group of researchers from Nokia Bell Labs and Aalto University in Finland demonstrated how to hack protocols used in the LTE networks.

We discussed several times the rule of the SS7 signaling protocol in mobile communications and how to exploit its flaws to track users.

When mobile users travel between countries, their mobile devices connect to the infrastructure of a local operator that communicates with their operator back home. The SS7 protocol allows to implement roaming, but as explained it is also affected by many vulnerabilities that could be exploited for:

  • Location Tracking.
  • Eavesdropping.
  • Fraud.
  • Denial of Service user & network.
  • Credential theft.
  • Data session hijackingUnblocking stolen phoneSMS interception.
  • SMS interception.
  • Unblocking stolen phoneSMS interception.
  • SMS interception.
  • One time password theft and account takeover for Telegram, Facebook, Whatsapp.

Diameter is considered the evolution of the SS7 protocol for modern Long-Term Evolution (LTE) networks, respect its predecessor it is more secure, isn’t it?

Anyway. experts discovered that Diameter is also affected by security issues, one if them, is the lack of mandatory implementation of the Internet Protocol Security (IPsec) protocol.

According to researchers from Nokia Bell Labs and Aalto University in Finland, this means that Diameter could be hacked with the same techniques that are effective against SS7.

The team of experts made several tests to evaluate attacks against users connected to the LTE network. They simulated the attacks on a test network set up by an unnamed global mobile operator. In the tests, they powered a cyber attack against UK subscribers from Finland and discovered several methods of disrupting service to users.

The researchers were able to temporarily and permanently shut down users connections, they were also able to target entire regions.

The team presented the results of tests at the Black Hat Europe security conference in London.

In order to launch the attack against another operator’s systems or subscribers, the researchers need to access to the private interconnection network (IPX).The experts demonstrated that there are several ways to access IPX, for example, a persistent attacker like a government could oblige a local operator to gain access through it.

Attackers could act as a virtual network operator and get access to the roaming network through an existing operator. They could also hack into one of the nodes run by an operator that is accessible from the internet. Let’s give a close look at LTE networks and their main components:

LTE NetworksThe nodes of the LTE networks are called Mobility Management Entities (MMEs  that provide session management, subscriber authentication, roaming and handovers to other networks. The signal is spread through cell towers meanwhile the home subscriber server (HSS) is the component that holds the master subscriber database.Other essential components of LTE networks are the Diameter Edge Agents (DEAs) that words as gateways to the interconnection network via IPX providers.In the attack scenario, the hacker needs the victim’s international mobile subscriber identity (IMSI), an information that is quite easy to obtain targeting the IPX network by masquerading as a Short Message service center (SMSC) that’s trying to deliver a text message to the victim phone number.This means that the knowledge of the victim’s phone number, aka Mobile Station International Subscriber Directory Number (MSISDN), and the DEA of the victim’s operator, are all you need to carry on the attack against a specific user.The attacker sends a routing information request through the DEA to the operator’s HSS, which will respond with the subscriber’s IMSI as well as the identity of the MME the subscriber is connected to.

Great now the attacker has the info to start the attack!

At this point, the attacker masquerading as a partner’s HSS sends a Cancel Location Request (CLR) message to the victim’s MME causing the disconnection of the specific subscriber.

The CLR messages are normally used inside the LTE network when subscribers switch from one MME to another because of a change in location.

The researchers also highlighted another possible to exploit this mechanism to obtain a sort of amplification factor of the request. The researchers noticed that when the subscriber re-attaches, their device will send 20 different messages to the MME.

lte-networks-attack-dos

Imagine the case the attackers force the detachment of hundreds of subscribers at the same time, the MME will be flooded by ‘re-attach’ messages causing a DoS in large areas covered by Mobility Management Entities.

There is also a second DoS attack scenario in which the attackers can impersonate an HSS and send an Insert Subscriber Data Request (IDR) to the victim’s MME with a special value that means no service. This will permanently detach the mobile user from the network because their subscription will be changed in the MME’s records.

In this case, the only way to attach the network again is contacting the mobile operator.

As you can see also LTE networks and Diameter are vulnerable to hacking attack, for this reason, the researchers highlighted the need for further security measures.

For further information give a look at the slides (“Detach me not DoS attacks against 4G cellular users worldwide from your desk“) presented at the BlackHatEurope 2016.

[adrotate banner=”9”]

Pierluigi Paganini

(Security Affairs – LTE Network, Hacking)

[adrotate banner=”13″]


facebook linkedin twitter

BlackHat EUROPE DOS Hacking LTE Network mobile SS7

you might also like

Pierluigi Paganini July 08, 2025
U.S. CISA adds MRLG, PHPMailer, Rails Ruby on Rails, and Synacor Zimbra Collaboration Suite flaws to its Known Exploited Vulnerabilities catalog
Read more
Pierluigi Paganini July 08, 2025
IT Worker arrested for selling access in $100M PIX cyber heist
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    U.S. CISA adds MRLG, PHPMailer, Rails Ruby on Rails, and Synacor Zimbra Collaboration Suite flaws to its Known Exploited Vulnerabilities catalog

    Hacking / July 08, 2025

    IT Worker arrested for selling access in $100M PIX cyber heist

    Cyber Crime / July 08, 2025

    New Batavia spyware targets Russian industrial enterprises

    Malware / July 07, 2025

    Taiwan flags security risks in popular Chinese apps after official probe

    Security / July 07, 2025

    U.S. CISA adds Google Chromium V8 flaw to its Known Exploited Vulnerabilities catalog

    Hacking / July 07, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT