TY - GEN
T1 - IMP4GT
T2 - 27th Annual Network and Distributed System Security Symposium, NDSS 2020
AU - Rupprecht, David
AU - Kohls, Katharina
AU - Holz, Thorsten
AU - Pöpper, Christina
N1 - Publisher Copyright:
© 2020 27th Annual Network and Distributed System Security Symposium, NDSS 2020. All Rights Reserved.
PY - 2020
Y1 - 2020
N2 - Long Term Evolution (LTE/4G) establishes mutual authentication with a provably secure Authentication and Key Agreement (AKA) protocol on layer three of the network stack. Permanent integrity protection of the control plane safeguards the traffic against manipulations. However, missing integrity protection of the user plane still allows an adversary to manipulate and redirect IP packets, as recently demonstrated. In this work, we introduce a novel cross-layer attack that exploits the existing vulnerability on layer two and extends it with an attack mechanism on layer three. More precisely, we take advantage of the default IP stack behavior of operating systems and show that combining it with the layer-two vulnerability allows an active attacker to impersonate a user towards the network and vice versa; we name these attacks IMP4GT (IMPersonation attacks in 4G neTworks). In contrast to a simple redirection attack as demonstrated in prior work, our attack dramatically extends the possible attack scenarios and thus emphasizes the need for user-plane integrity protection in mobile communication standards. The results of our work imply that providers can no longer rely on mutual authentication for billing, access control, and legal prosecution. On the other hand, users are exposed to any incoming IP connection as an adversary can bypass the provider's firewall. To demonstrate the practical impact of our attack, we conduct two IMP4GT attack variants in a live, commercial network, which, for the first time, completely break the mutual authentication aim of LTE on the user plane in a real-world setting.
UR - http://www.scopus.com/inward/record.url?scp=85100662676&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85100662676&partnerID=8YFLogxK
U2 - 10.14722/ndss.2020.24283
DO - 10.14722/ndss.2020.24283
M3 - Conference contribution
AN - SCOPUS:85100662676
T3 - 27th Annual Network and Distributed System Security Symposium, NDSS 2020
BT - 27th Annual Network and Distributed System Security Symposium, NDSS 2020
PB - The Internet Society
Y2 - 23 February 2020 through 26 February 2020
ER -