- The flaw exists in the 4G mobile communication standard and exploits a security vulnerability in LTE.
- There are two variants of the attack. They can be conducted in uplink and downlink direction.
A group of researchers from Ruhr-Universität Bochum has demonstrated a new type of attack on 4G networks that can allow attackers to perform activities as a user. The flaw exists in the 4G mobile communication standard and exploits a security vulnerability in LTE.
What is affected?
According to researchers, the attack termed as IMP4GT attack impacts all devices that communicate with LTE. This includes smartphones, tablets, and some IoT devices.
How does the attack happen?
There are two variants of the attack. They can be conducted in uplink and downlink direction.
With the uplink impersonation, the attacker impersonates a victim asking for a TCP/IP connection from a network. Later, it uses arbitrary IP services to generate traffic and associates them with the victim’s IP address.
The downlink impersonation allows an attacker to establish a TCP/IP connection to the phone that bypasses any firewall mechanism of the LTE network.
What is the impact?
The attack can allow attackers to make fraudulent purchases or subscribe to unwanted services. Attackers can also visit websites under someone’s identity to leak information or conduct malicious activities.
The only way to mitigate the risk of exploitation is to change the hardware. The Bochum-based team is attempting to close the security gap in the latest mobile communication standard 5G, which is currently rolled out.
Researchers note that mobile network operators would have to endure higher costs for protecting the integrity of data during transmission.
“However, mobile network operators would have to accept higher costs, as the additional protection generates more data during the transmission. In addition, all mobile phones would have to be replaced and the base station expanded. That is something that will not happen in the near future,” researcher David Rupprecht explained, ZDNet reported.