A fake base station for $1,400 can accurately locate a phone on a 4G/LTE network



    Researchers have developed an inexpensive way to determine the exact location of a smartphone running on an LTE/4G cellular network. The work shows that new-generation mobile networks are just as vulnerable to some types of attack as networks built on older, outdated communication standards and specifications.

    The new attack exploits a vulnerability in the LTE protocol. By the end of the year, this standard will serve 1.37 billion subscribers. Carrying out the attack requires a system assembled from components costing about $1,400 in total, running open source software. The system, an eNodeB node, can locate LTE-compatible phones with an accuracy of 10-20 meters. In some cases the equipment can also obtain the GPS coordinates of devices, although an attack of this type can be detected by the smartphone user. The researchers also developed a second method of locating smartphones that is almost impossible to detect. This method locates a given device to within a couple of square kilometers.

    The same group of experts developed a new type of attack that disconnects phones from the LTE network, forcing the devices to fall back to 2G and 3G, that is, to more vulnerable protocols. There the attacker has a free hand: in a 2G network the phone can be located to within 1 km², and the situation in a 3G network is approximately the same. According to the experts, the attacks they found refute the assumption that new-generation networks are invulnerable.

    “The LTE standard provides for a multi-layer security system, which makes it possible to prevent localization of subscribers and to make sure that network services are always available. We showed that new vulnerabilities endanger the security of LTE network subscribers,” the researchers noted in their report.

    As in previous-generation networks, the LTE network prevents localization of a subscriber (that is, of the subscriber's terminal) by assigning a temporary mobile subscriber identity (TMSI). This identifier is valid only for a short time. When the network interacts with a device, it usually uses the TMSI rather than a phone number or some other permanent identifier, which helps prevent an attacker who monitors network traffic from going on to locate a specific user. In a 2G network, this protection is bypassed by sending the user a hidden message or by calling the subscriber's phone, either of which causes the mobile network to locate the device.

    The team of information security experts that discovered these vulnerabilities determined that a series of such requests can be triggered through social network and instant messaging applications such as Facebook, WhatsApp and Viber, without the device owner being able to detect the tracking. Using this feature of the messengers, an attacker can identify a user by linking a Facebook profile to a TMSI. The TMSI, in turn, can be used to determine the coordinates of the phone.



    Much more accurate attacks are possible using a fake base station, an eNodeB communication node. To build such a station, the researchers used a Universal Software Radio Peripheral with OpenLTE. The total cost of the equipment was about $1,400.

    In active mode, this node presents itself as the operator's base station, which causes LTE phones to connect to it. The attacker can then obtain certain information transmitted by the smartphones that have connected to the station, for example a list of nearby base stations and the signal strength of each. Using triangulation, the attacker can then easily determine the coordinates of the device (as mentioned above, in some cases the GPS coordinates can be obtained as well).

    An attack in semi-passive mode, by contrast, goes unnoticed, although the location data it yields for the smartphone is less accurate than in an active attack.

    The research team consists of Altaf Shaik, a doctoral student at the Berlin Technical University; N. Asokan and Valtteri Niemi from the University of Helsinki; and Jean-Pierre Seifert, a professor at the Berlin Technical University.

    To help telecom operators protect their networks against such attacks, the experts gave telecommunications companies ideas on how to improve network security.
